
Access control lists

HCP supports access control lists (ACLs) for both buckets and objects. An ACL grants specified users or groups of users permissions to perform specific operations. An ACL can also be used to change the owner of a bucket or object.

A bucket ACL grants permissions to perform operations on a bucket and on all objects in the bucket. For example, an ACL for a bucket could give all users read permission for that bucket. All users in that group would then be able to retrieve all the objects in that bucket.

An object ACL grants permissions to perform operations on an individual object. For example, an ACL for an object could give a specified user write ACL permission for that object. That user would then be able to change the ACL for that object regardless of whether the user had write ACL permission for the bucket that contained the object.

You can add an ACL to a bucket when you create the bucket or in a separate operation. You can add an ACL to an object when you create or copy the object or in a separate operation. When you add an ACL to an existing bucket or object that already has an ACL, the new ACL replaces the old one in its entirety.

ACLs can be added to buckets and objects through other HCP interfaces. However, regardless of how they are added, they apply to all HCP interfaces that provide access to objects.

An ACL added through the HS3 API can include at most one hundred permission grants. ACLs added through other HCP interfaces can include more than that. If you retrieve an ACL with more than one hundred grants, HCP returns only the first hundred.
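Because a new ACL replaces the old one entirely and a retrieval returns only the first hundred grants, a read-modify-write through HS3 can silently drop grants from a longer ACL that was set through another interface. The following added example (not from the HCP documentation) guards against that. It assumes an S3-style client with boto3's `get_object_acl`/`put_object_acl` call shapes; `FakeHS3`, `grant` and `add_grant_safely` are hypothetical names, and the in-memory store and grant values are constructed to model the rules above.

```python
HS3_MAX_GRANTS = 100  # from the page: at most 100 grants via HS3; reads return the first 100


class FakeHS3:
    """Constructed in-memory stand-in that models the ACL rules described above."""

    def __init__(self):
        # (bucket, key) -> full grant list, possibly written through another interface
        self.acls = {}

    def get_object_acl(self, Bucket, Key):
        grants = self.acls.get((Bucket, Key), [])
        return {"Owner": {"ID": "owner"}, "Grants": grants[:HS3_MAX_GRANTS]}

    def put_object_acl(self, Bucket, Key, AccessControlPolicy):
        # The new ACL replaces the old one in its entirety.
        self.acls[(Bucket, Key)] = list(AccessControlPolicy["Grants"])


def grant(user, permission):
    """Build an S3-style grant entry (constructed sample values)."""
    return {"Grantee": {"Type": "CanonicalUser", "ID": user}, "Permission": permission}


def add_grant_safely(client, bucket, key, new_grant):
    """Append one grant to an object ACL, refusing when the read may be truncated."""
    acl = client.get_object_acl(Bucket=bucket, Key=key)
    grants = acl["Grants"]
    if len(grants) >= HS3_MAX_GRANTS:
        # A full page of 100 grants means the stored ACL may be longer than what
        # was returned; writing it back would erase the grants that were not shown.
        raise RuntimeError("ACL is at the HS3 grant limit; refusing to overwrite")
    if new_grant in grants:
        return len(grants)  # already present, nothing to write
    policy = {"Owner": acl["Owner"], "Grants": grants + [new_grant]}
    client.put_object_acl(Bucket=bucket, Key=key, AccessControlPolicy=policy)
    return len(grants) + 1
```
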


Whether objects in a bucket can have ACLs and whether those ACLs are enforced depend on bucket settings. When you use HS3 to create a bucket, the use of ACLs is automatically enabled. This setting cannot be disabled through any HCP interface.

Also when you use HS3 to create a bucket, ACLs are automatically set to be enforced. When enforcing ACLs, HCP honors the permission grants in object ACLs. When ACLs are not enforced, HCP ignores those grants. HCP always honors permission grants in bucket ACLs.

You cannot use the HS3 API to change the ACL enforcement setting. However, tenant administrators can use other HCP interfaces to change this setting.

