Setting object access permissions
As with bucket permissions, an object's permissions can be set in two ways: with a canned ACL or with an AccessControlPolicy. Note that the bucket ACL and the object ACL are evaluated independently, so the object ACL decides who can read the object: if the bucket ACL is private but an object carries a public-read ACL, anyone can read that object (unless the bucket's Block Public Access settings reject public ACLs, or Object Ownership is set to bucket-owner-enforced, which disables ACLs altogether). By default only the object owner can access an object, i.e. an object's ACL is effectively private. Example code for setting an object's ACL with a canned ACL:
var AWS = require('aws-sdk');
var s3 = new AWS.S3();

var params = {
  Bucket: "<your-bucket-name>",
  Key: "<your-key-name>",
  // Exactly one canned ACL: private | public-read | public-read-write | authenticated-read |
  // aws-exec-read | bucket-owner-read | bucket-owner-full-control
  ACL: "public-read",
};
s3.putObjectAcl(params, function(err, data) {
  if (err)
    console.log(err, err.stack); // an error occurred
  else
    console.log(data);           // successful response
});
A grant in the ACL names an explicit permission and the grantee who receives it; these map to the permission set the S3 client supports in ACLs. With an AccessControlPolicy you can give specific users specific permissions on the object. Two things to check before sending it: PutObjectAcl replaces the object's existing ACL entirely, so the policy must contain the Owner and every grant you intend to keep, including the owner's own FULL_CONTROL grant (the usual pattern is GetObjectAcl, add the grant, PutObjectAcl); and the AccessControlPolicy body, a canned ACL and the Grant* headers are alternative ways of specifying the grants, so use only one of them per request:
var params = {
  Bucket: '<your-bucket-name>', /* required */
  Key: '<your-key-name>',       /* required */
  // Contains the elements that set the ACL permissions for an object per grantee.
  AccessControlPolicy: {
    Grants: [
      {
        // The principal being granted permissions: Type is one of CanonicalUser (identified
        // by ID), AmazonCustomerByEmail (identified by EmailAddress) or Group (identified by URI).
        Grantee: {
          Type: 'CanonicalUser', /* required */
          DisplayName: '<grantee-display-name>',
          ID: '<grantee-canonical-user-id>'
        },
        // One of FULL_CONTROL | WRITE | WRITE_ACP | READ | READ_ACP
        // (WRITE has no effect on an object; it only matters in a bucket ACL).
        Permission: 'READ'
      },
      /* more items, e.g. the owner's own FULL_CONTROL grant that you want to keep */
    ],
    // Must identify the object's current owner.
    Owner: {
      DisplayName: '<owner-display-name>',
      ID: '<owner-canonical-user-id>'
    }
  },
  // Optional: fail the request if the bucket is not owned by this account.
  ExpectedBucketOwner: '<account-id>',
  // Optional: set the ACL of one specific version of the object.
  VersionId: '<version-id>',
  // Optional: RequestPayer: 'requester' for requester-pays buckets.
  // Optional: ContentMD5, the base64 MD5 of the request body; the SDK computes it for you.
  //
  // The Grant* headers below are an alternative to AccessControlPolicy. Each takes a
  // grantee string such as 'id="<canonical-user-id>"', 'emailAddress="<email>"' or
  // 'uri="<group-uri>"'. Use either the policy body or these headers, not both.
  // GrantFullControl: 'STRING_VALUE', // read, write, read ACP and write ACP on the object
  // GrantRead: 'STRING_VALUE',
  // GrantReadACP: 'STRING_VALUE',
  // GrantWrite: 'STRING_VALUE',
  // GrantWriteACP: 'STRING_VALUE',
};
s3.putObjectAcl(params, function (err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});