About Access Control Lists
The ability to read and write objects in a container is governed by the Access Control Lists (ACLs) assigned to the container. These ACLs are written to two metadata fields: X-Container-Read and X-Container-Write.
Users with roles assigned to these metadata fields can perform the following actions:
X-Container-Read: Users can read objects and associated metadata in the given container.
X-Container-Write: Users can create and delete objects and associated metadata in the given container.
The metadata field values are a comma-separated list of identity domain ID and role pairs, each written as identity_domain_ID.role. Because every entry names an identity domain ID as well as a role, service administrators can grant read or write access to users in other identity domains; a role of the same name held in a different identity domain does not match. Users with the Storage_Administrator role may define their own roles in the Users page in Infrastructure Classic Console and assign them to the X-Container-Read and X-Container-Write headers on containers, as required.
To create custom roles for a traditional Cloud account, see Adding a Custom Role in Managing and Monitoring Oracle Cloud.
To create custom roles for accounts with Identity Cloud Service, see Create a Custom Role for Cloud Accounts with Identity Cloud Service.
Users with the Storage_Administrator role always have read and write access to all containers in their service instance.
All non-administrator users are subject to the ACLs for a given container.
The service instance root path is an exception to this, because it does not have ACLs associated with it. For this path, all users can obtain a list of containers, but only users with the Storage_Administrator role can create or delete containers.
By default, when a container is created in Oracle Cloud Infrastructure Object Storage Classic, the following ACLs are assigned:
X-Container-Read: identity_domain_ID.storage_service.Storage_ReadOnlyGroup, identity_domain_ID.storage_service.Storage_ReadWriteGroup
X-Container-Write: identity_domain_ID.storage_service.Storage_ReadWriteGroup
Example:
The following are the newly created container ACL values for a service instance named Storage in an identity domain named myIdentity3. Note that each entry starts with the identity domain's ID (shown here as the placeholder myIdentityDomainID), not the domain's name.
X-Container-Read: myIdentityDomainID.Storage.Storage_ReadOnlyGroup, myIdentityDomainID.Storage.Storage_ReadWriteGroup
X-Container-Write: myIdentityDomainID.Storage.Storage_ReadWriteGroup
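The following is an added example, not Oracle's own code or API, that models the ACL rules stated on this page (the identity_domain_ID.role entry format, the default ACLs on a new container, the Storage_Administrator override, and the root-path exception) so the effect of a given X-Container-Read or X-Container-Write value can be checked before it is applied. The domain IDs, the second identity domain partnerDomainID, and the custom role Storage.Partner_Readers are constructed samples; treating roles as qualified "<service_instance>.<role>" strings is an assumption taken from the default values shown above.

```python
"""Model of the container ACL rules described on this page.

Added illustration, not Oracle's own code or API. Domain IDs, the partner
domain and the role Storage.Partner_Readers are constructed samples; the
"<service_instance>.<role>" form of a role is an assumption taken from the
default ACL values above.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ADMIN_ROLE = "Storage_Administrator"


def parse_acl(header_value: str) -> List[Tuple[str, str]]:
    """Split an ACL header value into (identity_domain_ID, role) pairs.

    Only the FIRST '.' separates the domain ID from the role: the role itself
    is qualified with the service instance name (e.g. Storage.Storage_ReadOnlyGroup).
    """
    pairs = []
    for entry in header_value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty value or a trailing comma
        domain_id, sep, role = entry.partition(".")
        if not sep or not domain_id or not role:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        pairs.append((domain_id, role))
    return pairs


def format_acl(pairs: List[Tuple[str, str]]) -> str:
    """Inverse of parse_acl: the header value to send when setting an ACL."""
    return ", ".join(f"{domain_id}.{role}" for domain_id, role in pairs)


def default_acls(identity_domain_id: str, storage_service: str) -> Dict[str, str]:
    """ACLs assigned to a newly created container, as listed on the page."""
    ro = f"{storage_service}.Storage_ReadOnlyGroup"
    rw = f"{storage_service}.Storage_ReadWriteGroup"
    return {
        "X-Container-Read": format_acl([(identity_domain_id, ro), (identity_domain_id, rw)]),
        "X-Container-Write": format_acl([(identity_domain_id, rw)]),
    }


@dataclass(frozen=True)
class User:
    identity_domain_id: str
    roles: FrozenSet[str]  # qualified roles, e.g. "Storage.Storage_ReadWriteGroup"


@dataclass(frozen=True)
class Container:
    identity_domain_id: str  # identity domain that owns the service instance
    storage_service: str     # service instance name, e.g. "Storage"
    read_acl: str            # raw X-Container-Read value
    write_acl: str           # raw X-Container-Write value


def is_storage_admin(user: User, identity_domain_id: str, storage_service: str) -> bool:
    """Storage_Administrator of this service instance: overrides every container ACL."""
    return (user.identity_domain_id == identity_domain_id
            and f"{storage_service}.{ADMIN_ROLE}" in user.roles)


def _acl_grants(user: User, acl_header: str) -> bool:
    # A match needs BOTH the identity domain ID and the role; the same role
    # name held in another identity domain does not count.
    return any(domain_id == user.identity_domain_id and role in user.roles
               for domain_id, role in parse_acl(acl_header))


def can_read(user: User, c: Container) -> bool:
    return is_storage_admin(user, c.identity_domain_id, c.storage_service) or _acl_grants(user, c.read_acl)


def can_write(user: User, c: Container) -> bool:
    return is_storage_admin(user, c.identity_domain_id, c.storage_service) or _acl_grants(user, c.write_acl)


def can_manage_containers(user: User, identity_domain_id: str, storage_service: str) -> bool:
    # Root path has no ACLs: everyone may list, only the admin may create/delete.
    return is_storage_admin(user, identity_domain_id, storage_service)


# Constructed scenario: one service instance, one partner identity domain.
DOMAIN, SERVICE, PARTNER_DOMAIN = "myIdentityDomainID", "Storage", "partnerDomainID"
_defaults = default_acls(DOMAIN, SERVICE)
DEFAULT_CONTAINER = Container(DOMAIN, SERVICE, _defaults["X-Container-Read"], _defaults["X-Container-Write"])
# Locked-down container: a custom role in the partner domain may read; nobody else.
PARTNER_CONTAINER = Container(DOMAIN, SERVICE,
                              read_acl=format_acl([(PARTNER_DOMAIN, "Storage.Partner_Readers")]),
                              write_acl="")

READER = User(DOMAIN, frozenset({"Storage.Storage_ReadOnlyGroup"}))
WRITER = User(DOMAIN, frozenset({"Storage.Storage_ReadWriteGroup"}))
ADMIN = User(DOMAIN, frozenset({"Storage.Storage_Administrator"}))
PARTNER = User(PARTNER_DOMAIN, frozenset({"Storage.Partner_Readers"}))
# Holds the read-write role name, but in the wrong identity domain.
IMPOSTOR = User(PARTNER_DOMAIN, frozenset({"Storage.Storage_ReadWriteGroup"}))

if __name__ == "__main__":
    for name, u in [("reader", READER), ("writer", WRITER), ("admin", ADMIN),
                    ("partner", PARTNER), ("impostor", IMPOSTOR)]:
        print(f"{name:8} default r/w={can_read(u, DEFAULT_CONTAINER)}/{can_write(u, DEFAULT_CONTAINER)} "
              f"partner r/w={can_read(u, PARTNER_CONTAINER)}/{can_write(u, PARTNER_CONTAINER)}")
```

The IMPOSTOR case is the check worth keeping in mind when writing ACLs: an entry grants a role only in the identity domain whose ID it names, so a role name that also exists in a partner domain is not matched there. An empty X-Container-Write value leaves a container writable only by the Storage_Administrator of its service instance.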
To learn how to restrict read and write access to containers by using ACLs, see Setting Container ACLs.