All Products
Search
Document Center

Object Storage Service:Grant the same permissions on multiple buckets by using a resource group

Last Updated:Nov 14, 2024

A resource group is a resource-based access control method. You can add the buckets to which you want to grant the same permissions to the same resource group and then grant permissions to the resource group. This improves the efficiency of authorization.

Background information

Enterprise users may create multiple Alibaba Cloud accounts to isolate resources for different projects, subsidiaries, and departments. However, this makes it difficult for enterprise users to manage, monitor, and audit the resources that reside in these Alibaba Cloud accounts in a centralized manner.

account

Object Storage Service (OSS) allows users to create resource groups to classify resources in an Alibaba Cloud account based on business scenarios. This way, the users within an enterprise can use resource groups to efficiently manage resources in their projects.

rg

Usage notes

  • Resource groups are supported for buckets in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), UK (London), and UAE (Dubai).

  • A resource group can contain buckets in different regions. A bucket can belong only to one resource group.

  • Buckets can be transferred only between resource groups that are created by the same owner.

Procedure

Use the OSS console

In the following example, test data of different departments in your company is stored in 20 buckets. You want to allow all your employees to write and read data stored in 10 of the buckets and only read data stored in other 10 buckets. If you do not use resource groups, you must separately configure required permissions for each bucket. If you use resource groups, you can add buckets that require the same permissions to a resource group and configure the required permissions for the resource group.

You also need to create user groups to grant the same permissions to multiple RAM users (your employees). A user group functions similarly to a resource group.

  1. Create a user group and add RAM users to the user group.

    Create a user group and name the group UserGroup1 in the RAM console. For more information, see Create a RAM user group. After you create the user group, add all the RAM users that need to access data in your buckets to the user group. For more information, see Add a RAM user to a RAM user group.

  2. Create resource groups.

    1. Log on to the Resource Management console.

    2. In the left-side navigation pane, choose Resource Group > Resource Group.

    3. On the Resource Group page, click Create Resource Group.

    4. In the Create Resource Group panel, configure the Resource Group Name and Resource Group Identifier parameters. In this example, Resource Group Name is set to ResourcegroupA and Resource Group Identifier is set to Group1.

    5. Click OK.

      The status of the resource group becomes Creating. Wait for approximately 3 seconds and click the 资源组_刷新列表 icon. If the status of the resource group becomes Available, ResourcegroupA is created.

    6. Repeat the preceding steps to create a resource group named ResourcegroupB.

  3. Select resource groups for your buckets.

    1. Log on to the OSS console.

    2. Click Buckets, and then click the examplebucket1 bucket.

    3. Choose Bucket Settings > Resource Group.

    4. On the Resource Group page, click Settings.

    5. Select ResourcegroupA for Resource Group and click Save.

    6. Repeat the preceding steps to select ResourcegroupA for the buckets that you want to authorize all your employees only to read and select ResourcegroupB for the buckets that you want to authorize all your employees to read and write.

  4. Configure the required permissions to access resource groups.

    1. Log on to the Resource Management console. In the left-side navigation pane, choose Resource Group > Resource Group.

    2. Find the resource group in the list and click Manage Permission in the Actions column.

    3. On the Permissions tab, click Grant Permission.

    4. In the Grant Permission panel, configure the parameters. The following table describes the parameters.

      Parameter

      Description

      Authorized Scope

      Select Specific Resource Group. Then, select ResourcegroupA from the drop-down list.

      Principal

      Enter UserGroup1.

      Select Policy

      Select System Policy. In the Authorization Policy Name column, click AliyunOSSReadOnlyAccess to authorize RAM users in UserGroup1 to only read objects in buckets in ResourcegroupA.

    5. Click OK.

    6. Click Complete.

    7. Repeat the preceding steps to attach the AliyunOSSFullAccess policy to RAM users in UserGroup1 to authorize the RAM users to read and write objects in buckets in ResourcegroupB.

Use OSS SDKs

If you use OSS SDKs to configure resource groups, you can use only OSS SDK for Java and OSS SDK for Python.

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.SetBucketResourceGroupRequest;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket. 
        String bucketName = "examplebucket";
        // Specify the ID of the resource group. If you do not specify a resource group ID, the bucket belongs to the default resource group. 
        String rgId = "rg-aekz****";
        // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to cn-hangzhou.
        String region = "cn-hangzhou";
        
        // Create an OSSClient instance. 
        ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
        clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);        
        OSS ossClient = OSSClientBuilder.create()
        .endpoint(endpoint)
        .credentialsProvider(credentialsProvider)
        .clientConfiguration(clientBuilderConfiguration)
        .region(region)               
        .build();

        try {
            // Create a setBucketResourceGroupRequest object. 
            SetBucketResourceGroupRequest setBucketResourceGroupRequest = new SetBucketResourceGroupRequest(bucketName,rgId);
            // Configure the resource group to which the bucket belongs. 
            ossClient.setBucketResourceGroup(setBucketResourceGroupRequest);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider

# Obtain access credentials from the environment variables. Before you run this sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. 
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())

# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"

# Specify the ID of the region that maps to the endpoint. Example: cn-hangzhou. This parameter is required if you use the signature algorithm V4.
region = "cn-hangzhou"

# Specify the name of your bucket.
bucket = oss2.Bucket(auth, endpoint, "yourBucketName", region=region)

# Specify the ID of the resource group. If you do not specify the ID of the resource group, the bucket belongs to the default resource group. 
resource_group_id = 'rg-aek27tc****'

# Configure the resource group to which the bucket belongs. 
result = bucket.put_bucket_resource_group(resource_group_id)
print ('Resource group configuration is successful. Returned status: ' + str(result.status))

Use the OSS API

If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutBucketResourceGroup.