Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

Managing ACLs Using the AWS SDK for Java

This section provides examples of how to configure access control list (ACL) grants on buckets and objects. The first example creates a bucket with a canned ACL (see Canned ACL), builds a list of custom permission grants, and then replaces the canned ACL with an ACL that contains the custom grants. The second example shows how to modify an ACL using the AccessControlList.grantPermission() method.

Setting ACL Grants

This example creates a bucket. In the request, the example specifies a canned ACL that grants the Log Delivery group permission to write logs to the bucket.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CannedAccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.CreateBucketRequest;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

public class CreateBucketWithACL {

    public static void main(String[] args) throws IOException {
        String clientRegion = "*** Client region ***";
        String bucketName = "*** Bucket name ***";

        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withRegion(clientRegion)
                    .build();

            // Create a bucket with a canned ACL. This ACL will be deleted by the
            // getGrantsAsList().clear() call below. It is here for demonstration
            // purposes.
            CreateBucketRequest createBucketRequest = new CreateBucketRequest(bucketName, clientRegion)
                    .withCannedAcl(CannedAccessControlList.LogDeliveryWrite);
            s3Client.createBucket(createBucketRequest);

            // Create a collection of grants to add to the bucket.
            Collection<Grant> grantCollection = new ArrayList<Grant>();

            // Grant the account owner full control.
            Grant grant1 = new Grant(new CanonicalGrantee(s3Client.getS3AccountOwner().getId()), Permission.FullControl);
            grantCollection.add(grant1);

            // Grant the LogDelivery group permission to write to the bucket.
            Grant grant2 = new Grant(GroupGrantee.LogDelivery, Permission.Write);
            grantCollection.add(grant2);

            // Save (replace) grants by deleting all current ACL grants and replacing
            // them with the two we just created.
            AccessControlList bucketAcl = s3Client.getBucketAcl(bucketName);
            bucketAcl.getGrantsAsList().clear();
            bucketAcl.getGrantsAsList().addAll(grantCollection);
            s3Client.setBucketAcl(bucketName, bucketAcl);
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it and returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }
}
```

Configuring ACL Grants on an Existing Object

This example updates the ACL on an object. The example performs the following tasks:

  • Retrieves the object's ACL

  • Clears the ACL by removing all existing permissions

  • Adds two permissions: full access for the owner, and WRITE_ACP permission for a user identified by an email address (see What Permissions Can I Grant?).

  • Saves the ACL to the object

```java
import java.io.IOException;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

public class ModifyACLExistingObject {

    public static void main(String[] args) throws IOException {
        String clientRegion = "*** Client region ***";
        String bucketName = "*** Bucket name ***";
        String keyName = "*** Key name ***";
        String emailGrantee = "*** user@example.com ***";

        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withRegion(clientRegion)
                    .build();

            // Get the existing object ACL that we want to modify.
            AccessControlList acl = s3Client.getObjectAcl(bucketName, keyName);

            // Clear the existing list of grants.
            acl.getGrantsAsList().clear();

            // Grant a sample set of permissions, using the existing ACL owner for Full Control permissions.
            acl.grantPermission(new CanonicalGrantee(acl.getOwner().getId()), Permission.FullControl);
            acl.grantPermission(new EmailAddressGrantee(emailGrantee), Permission.WriteAcp);

            // Save the modified ACL back to the object.
            s3Client.setObjectAcl(bucketName, keyName, acl);
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }
}
```
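Both examples above clear every grant and then put back only the ones they want, which is why each one has to re-add the owner's FullControl grant explicitly. The same SDK classes can also be used to inspect an existing ACL for grants to the predefined AllUsers and AuthenticatedUsers groups and revoke only those, leaving the owner and other named grantees intact. The following is an added example written for this page, not code from the guide; the class and method names AuditPublicAclGrants, findPublicGrants and removePublicGrants are chosen here, and the placeholder region, bucket and key follow the guide's convention.

```java
import java.util.ArrayList;
import java.util.List;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.Grantee;
import com.amazonaws.services.s3.model.GroupGrantee;

// Added example (not from the guide): report and revoke grants to the
// predefined public groups while keeping the owner and other named grantees.
public class AuditPublicAclGrants {
    // Returns the grants that give access to AllUsers (anonymous) or
    // AuthenticatedUsers (any AWS account). The owner's grant is not reported.
    public static List<Grant> findPublicGrants(AccessControlList acl) {
        List<Grant> publicGrants = new ArrayList<Grant>();
        for (Grant grant : acl.getGrantsAsList()) {
            Grantee grantee = grant.getGrantee();
            if (GroupGrantee.AllUsers.equals(grantee) || GroupGrantee.AuthenticatedUsers.equals(grantee)) {
                publicGrants.add(grant);
            }
        }
        return publicGrants;
    }
    // Revokes every permission held by the two public groups and returns true
    // if the ACL changed. Unlike getGrantsAsList().clear(), this keeps the owner's grant.
    public static boolean removePublicGrants(AccessControlList acl) {
        boolean changed = !findPublicGrants(acl).isEmpty();
        acl.revokeAllPermissions(GroupGrantee.AllUsers);
        acl.revokeAllPermissions(GroupGrantee.AuthenticatedUsers);
        return changed;
    }
    public static void main(String[] args) {
        String clientRegion = "*** Client region ***";
        String bucketName = "*** Bucket name ***";
        String keyName = "*** Key name ***";
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider())
                .withRegion(clientRegion)
                .build();
        AccessControlList acl = s3Client.getObjectAcl(bucketName, keyName);
        for (Grant grant : findPublicGrants(acl)) {
            System.out.println("Public grant: " + grant.getGrantee().getIdentifier() + " -> " + grant.getPermission());
        }
        if (removePublicGrants(acl)) { // write back only when something was revoked
            s3Client.setObjectAcl(bucketName, keyName, acl);
        }
    }
}
```

The same two helpers work unchanged on a bucket ACL obtained with getBucketAcl() and saved with setBucketAcl().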