Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
AWS services or features described in the AWS documentation may vary by region or location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Managing ACLs Using the AWS SDK for Java

Setting an ACL When Creating a Resource

When you create a resource (a bucket or an object), you can grant permissions by adding an access control list (ACL) to the request (see Access Control List (ACL) Overview and the AccessControlList class). For each permission, you explicitly specify the grantee and the permission granted.

For example, the following Java code snippet sends a PutObject request to upload an object. In the request, the snippet specifies permissions for two AWS accounts and the Amazon S3 AllUsers group. The PutObject call carries the object data in the request body and the ACL grants in the request headers (see PUT Object).

    String bucketName = "bucket-name";
    String keyName = "object-key";
    String uploadFileName = "file-name";

    AmazonS3 s3client = new AmazonS3Client(new ProfileCredentialsProvider());

    // Build the ACL grant by grant: each grant names one grantee and one permission.
    AccessControlList acl = new AccessControlList();
    acl.grantPermission(new CanonicalGrantee("d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"), Permission.ReadAcp);
    acl.grantPermission(GroupGrantee.AllUsers, Permission.Read);
    acl.grantPermission(new EmailAddressGrantee("user@email.com"), Permission.WriteAcp);

    // The object data goes in the request body; the ACL travels in the request headers.
    File file = new File(uploadFileName);
    s3client.putObject(new PutObjectRequest(bucketName, keyName, file).withAccessControlList(acl));

For more information about uploading objects, see Working with Amazon S3 Objects.

In the preceding snippet, you explicitly identified the grantee and the permission for each grant. Alternatively, when creating a resource you can specify a canned (predefined) ACL in the request (see Canned ACL). The following Java code snippet creates a bucket and specifies the LogDeliveryWrite canned ACL in the request, which grants write permission to the Amazon S3 LogDelivery group.

    String bucketName = "bucket-name";
    AmazonS3 s3client = new AmazonS3Client(new ProfileCredentialsProvider());

    // A canned ACL is a predefined set of grants applied when the bucket is created.
    s3client.createBucket(new CreateBucketRequest(bucketName).withCannedAcl(CannedAccessControlList.LogDeliveryWrite));

For information about the underlying REST API, see PUT Bucket.

Updating the ACL on an Existing Resource

You can set an ACL on an existing object or bucket. You create an instance of the AccessControlList class, grant permissions on it, and then call the appropriate set-ACL method. The following Java code snippet calls the setObjectAcl method to set an ACL on an existing object.

    String bucketName = "bucket-name";
    String keyName = "object-key";
    AmazonS3 s3client = new AmazonS3Client(new ProfileCredentialsProvider());

    AccessControlList acl = new AccessControlList();
    acl.grantPermission(new CanonicalGrantee("d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"), Permission.ReadAcp);
    acl.grantPermission(GroupGrantee.AuthenticatedUsers, Permission.Read);
    acl.grantPermission(new EmailAddressGrantee("user@email.com"), Permission.WriteAcp);

    // An ACL built from scratch must also carry the owner of the resource.
    Owner owner = new Owner();
    owner.setId("852b113e7a2f25102679df27bb0ae12b3f85be6f290b936c4393484beExample");
    owner.setDisplayName("display-name");
    acl.setOwner(owner);

    // Replaces the object's ACL subresource with the ACL built above.
    s3client.setObjectAcl(bucketName, keyName, acl);

Note

Instead of building the ACL from scratch as in the preceding snippet, you can first read the existing ACL by calling the getObjectAcl method, add the new grants to it, and then set the modified ACL on the resource.

Instead of granting permissions by explicitly specifying grantees and permissions, you can also specify a canned ACL in the request. The following Java code snippet sets an ACL on an existing object. In the request, the snippet specifies the AuthenticatedRead canned ACL, which grants read access to the Amazon S3 Authenticated Users group.

    String bucketName = "bucket-name";
    String keyName = "object-key";
    AmazonS3 s3client = new AmazonS3Client(new ProfileCredentialsProvider());

    // The canned ACL replaces whatever ACL the object currently has.
    s3client.setObjectAcl(bucketName, keyName, CannedAccessControlList.AuthenticatedRead);
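Reading the existing ACL, adding to it, and writing it back, as the note above describes, is the safer way to update an ACL because it keeps the real owner and the grants that are already present. The following is an added example, not code from the AWS guide, written against the AWS SDK for Java 1.x classes used on this page; the bucket name, object key and canonical user ID are assumed placeholders. It fetches an object's ACL, lists any grants to the predefined AllUsers or AuthenticatedUsers groups (the grantees that make an object readable beyond your own account), and adds a new READ grant only when no such public grant exists. The main method runs the check offline on a constructed ACL and calls S3 only when a bucket, key and canonical ID are passed as arguments.

```java
import java.util.ArrayList;
import java.util.List;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.Grantee;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

/**
 * Read-modify-write of an object ACL with a check for grants to the two
 * predefined public groups before anything is written back.
 * Added example (not from the AWS guide); names and IDs are assumed.
 */
public class ObjectAclAudit {

    /** Returns the grants whose grantee is the AllUsers or AuthenticatedUsers group. */
    public static List<Grant> findPublicGrants(AccessControlList acl) {
        List<Grant> exposed = new ArrayList<Grant>();
        for (Grant grant : acl.getGrantsAsList()) {
            Grantee grantee = grant.getGrantee();
            if (GroupGrantee.AllUsers.equals(grantee)
                    || GroupGrantee.AuthenticatedUsers.equals(grantee)) {
                exposed.add(grant);
            }
        }
        return exposed;
    }

    /** True if the ACL already holds this exact (grantee, permission) pair. */
    public static boolean hasGrant(AccessControlList acl, Grantee grantee, Permission permission) {
        for (Grant grant : acl.getGrantsAsList()) {
            if (grant.getGrantee().equals(grantee) && grant.getPermission() == permission) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds a READ grant for canonicalId to the object's current ACL. Returns the
     * public grants found; when the list is non-empty the ACL is left untouched
     * so the caller can decide how to handle the exposure first.
     */
    public static List<Grant> grantReadIfPrivate(AmazonS3 s3, String bucket, String key,
                                                 String canonicalId) {
        // Fetching the current ACL keeps the real owner and existing grants;
        // a hand-built AccessControlList would replace both.
        AccessControlList acl = s3.getObjectAcl(bucket, key);
        List<Grant> exposed = findPublicGrants(acl);
        if (!exposed.isEmpty()) {
            return exposed;
        }
        CanonicalGrantee grantee = new CanonicalGrantee(canonicalId);
        if (!hasGrant(acl, grantee, Permission.Read)) {
            acl.grantPermission(grantee, Permission.Read);
            s3.setObjectAcl(bucket, key, acl); // replaces the ACL subresource
        }
        return exposed;
    }

    public static void main(String[] args) {
        // Offline check on a constructed ACL: no request to S3 is made here.
        AccessControlList sample = new AccessControlList();
        sample.grantPermission(new CanonicalGrantee("EXAMPLE-CANONICAL-ID-PLACEHOLDER"),
                Permission.FullControl);
        sample.grantPermission(GroupGrantee.AllUsers, Permission.Read);
        for (Grant grant : findPublicGrants(sample)) {
            System.out.println("public grant: " + grant.getGrantee().getIdentifier()
                    + " -> " + grant.getPermission());
        }

        // Against a real object: java ObjectAclAudit <bucket> <key> <canonical-user-id>
        if (args.length == 3) {
            AmazonS3 s3 = new AmazonS3Client(new ProfileCredentialsProvider());
            List<Grant> exposed = grantReadIfPrivate(s3, args[0], args[1], args[2]);
            System.out.println(exposed.isEmpty()
                    ? "READ grant applied"
                    : "object is public via " + exposed.size() + " grant(s); ACL not changed");
        }
    }
}
```

The check is deliberately a pure function over AccessControlList so it can be unit-tested without credentials and reused before a putObject or setBucketAcl call in the same way; the same group constants identify public grants in bucket ACLs returned by getBucketAcl.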

Example

The following Java code example first creates a bucket. In the create request, it specifies a public-read canned ACL. It then retrieves the ACL into an AccessControlList instance, clears the grants, and adds new grants to the AccessControlList. Finally, it saves the updated AccessControlList, that is, it replaces the bucket's ACL subresource.

The Java code example performs the following tasks:

  • Creates a bucket. In the request, it specifies a log-delivery-write canned ACL to grant write permission to the LogDelivery Amazon S3 group.

  • Reads the ACL on the bucket.

  • Clears the existing permissions and adds new permissions to the ACL.

  • Calls setBucketAcl to add the new ACL to the bucket.

Note

To test the following code example, you must update the code to provide your credentials, the canonical user ID, and the email address of the account to which you want to grant permissions.

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.Collection;

    import com.amazonaws.AmazonClientException;
    import com.amazonaws.AmazonServiceException;
    import com.amazonaws.auth.profile.ProfileCredentialsProvider;
    import com.amazonaws.services.s3.AmazonS3;
    import com.amazonaws.services.s3.AmazonS3Client;
    import com.amazonaws.services.s3.model.AccessControlList;
    import com.amazonaws.services.s3.model.Bucket;
    import com.amazonaws.services.s3.model.CannedAccessControlList;
    import com.amazonaws.services.s3.model.CanonicalGrantee;
    import com.amazonaws.services.s3.model.CreateBucketRequest;
    import com.amazonaws.services.s3.model.Grant;
    import com.amazonaws.services.s3.model.GroupGrantee;
    import com.amazonaws.services.s3.model.Permission;
    import com.amazonaws.services.s3.model.Region;

    public class ACLExample {
        private static String bucketName = "*** Provide bucket name ***";

        public static void main(String[] args) throws IOException {
            AmazonS3 s3Client = new AmazonS3Client(new ProfileCredentialsProvider());
            Collection<Grant> grantCollection = new ArrayList<Grant>();
            try {
                // 1. Create bucket with Canned ACL.
                CreateBucketRequest createBucketRequest = new CreateBucketRequest(bucketName, Region.US_Standard)
                        .withCannedAcl(CannedAccessControlList.LogDeliveryWrite);
                Bucket resp = s3Client.createBucket(createBucketRequest);

                // 2. Update ACL on the existing bucket.
                AccessControlList bucketAcl = s3Client.getBucketAcl(bucketName);

                // (Optional) delete all grants.
                bucketAcl.getGrants().clear();

                // Add grant - owner.
                Grant grant0 = new Grant(
                        new CanonicalGrantee("852b113e7a2f25102679df27bb0ae12b3f85be6f290b936c4393484beExample"),
                        Permission.FullControl);
                grantCollection.add(grant0);

                // Add grant using canonical user id.
                Grant grant1 = new Grant(
                        new CanonicalGrantee("d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"),
                        Permission.Write);
                grantCollection.add(grant1);

                // Grant LogDelivery group permission to write to the bucket.
                Grant grant2 = new Grant(GroupGrantee.LogDelivery, Permission.Write);
                grantCollection.add(grant2);

                bucketAcl.getGrants().addAll(grantCollection);

                // Save (replace) ACL.
                s3Client.setBucketAcl(bucketName, bucketAcl);

            } catch (AmazonServiceException ase) {
                System.out.println("Caught an AmazonServiceException, which"
                        + " means your request made it "
                        + "to Amazon S3, but was rejected with an error response"
                        + " for some reason.");
                System.out.println("Error Message:    " + ase.getMessage());
                System.out.println("HTTP Status Code: " + ase.getStatusCode());
                System.out.println("AWS Error Code:   " + ase.getErrorCode());
                System.out.println("Error Type:       " + ase.getErrorType());
                System.out.println("Request ID:       " + ase.getRequestId());
            } catch (AmazonClientException ace) {
                System.out.println("Caught an AmazonClientException, which means"
                        + " the client encountered "
                        + "a serious internal problem while trying to "
                        + "communicate with S3, "
                        + "such as not being able to access the network.");
                System.out.println("Error Message: " + ace.getMessage());
            }
        }
    }