本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 管理 Amazon S3 存取許可
Amazon S3 儲存貯體或物件的存取許可是在存取控制清單 (ACL) 中定義。ACL 會指定儲存貯體/物件的擁有者,以及授予清單。每個授予都會指定使用者 (或承授者) 和使用者存取儲存貯體/物件的許可,例如讀取或寫入存取。
## 先決條件
開始之前,建議您先閱讀[開始使用 適用於 C\$1\$1 的 AWS SDK](getting-started.md)。
下載範例程式碼並建置解決方案,如中所述[程式碼範例入門](getting-started-code-examples.md)。
若要執行範例,您的程式碼用來提出請求的使用者描述檔必須具有 AWS (針對 服務和 動作) 的適當許可。如需詳細資訊,請參閱[提供 AWS 登入](credentials.md)資料。
## 管理物件的存取控制清單
您可以透過呼叫`S3Client`方法 來擷取物件的存取控制清單`GetObjectAcl`。方法接受物件的名稱及其儲存貯體。傳回值包含 ACL 的 `Owner`和 清單`Grants`。
```
bool AwsDoc::S3::getObjectAcl(const Aws::String &bucketName,
const Aws::String &objectKey,
const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::GetObjectAclRequest request;
request.SetBucket(bucketName);
request.SetKey(objectKey);
Aws::S3::Model::GetObjectAclOutcome outcome =
s3Client.GetObjectAcl(request);
if (!outcome.IsSuccess()) {
const Aws::S3::S3Error &err = outcome.GetError();
std::cerr << "Error: getObjectAcl: "
<< err.GetExceptionName() << ": " << err.GetMessage() << std::endl;
} else {
Aws::Vector grants =
outcome.GetResult().GetGrants();
for (auto it = grants.begin(); it != grants.end(); it++) {
std::cout << "For object " << objectKey << ": "
<< std::endl << std::endl;
Aws::S3::Model::Grant grant = *it;
Aws::S3::Model::Grantee grantee = grant.GetGrantee();
if (grantee.TypeHasBeenSet()) {
std::cout << "Type: "
<< getGranteeTypeString(grantee.GetType()) << std::endl;
}
if (grantee.DisplayNameHasBeenSet()) {
std::cout << "Display name: "
<< grantee.GetDisplayName() << std::endl;
}
if (grantee.EmailAddressHasBeenSet()) {
std::cout << "Email address: "
<< grantee.GetEmailAddress() << std::endl;
}
if (grantee.IDHasBeenSet()) {
std::cout << "ID: "
<< grantee.GetID() << std::endl;
}
if (grantee.URIHasBeenSet()) {
std::cout << "URI: "
<< grantee.GetURI() << std::endl;
}
std::cout << "Permission: " <<
getPermissionString(grant.GetPermission()) <<
std::endl << std::endl;
}
}
return outcome.IsSuccess();
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param type: Type enumeration.
\return String: Human-readable string
*/
Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) {
switch (type) {
case Aws::S3::Model::Type::AmazonCustomerByEmail:
return "Email address of an AWS account";
case Aws::S3::Model::Type::CanonicalUser:
return "Canonical user ID of an AWS account";
case Aws::S3::Model::Type::Group:
return "Predefined Amazon S3 group";
case Aws::S3::Model::Type::NOT_SET:
return "Not set";
default:
return "Type unknown";
}
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param permission: Permission enumeration.
\return String: Human-readable string
*/
Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) {
switch (permission) {
case Aws::S3::Model::Permission::FULL_CONTROL:
return "Can read this object's data and its metadata, "
"and read/write this object's permissions";
case Aws::S3::Model::Permission::NOT_SET:
return "Permission not set";
case Aws::S3::Model::Permission::READ:
return "Can read this object's data and its metadata";
case Aws::S3::Model::Permission::READ_ACP:
return "Can read this object's permissions";
// case Aws::S3::Model::Permission::WRITE // Not applicable.
case Aws::S3::Model::Permission::WRITE_ACP:
return "Can write this object's permissions";
default:
return "Permission unknown";
}
}
```
您可以透過建立新的 ACL 或變更目前 ACL 中指定的授予來修改 ACL。更新的 ACL 透過將其傳遞至 `PutObjectAcl`方法,成為新的目前 ACL。
下列程式碼使用 擷取的 ACL,`GetObjectAcl`並為其新增新的授權。使用者或承授者會獲得物件的 READ 許可。修改後的 ACL 會傳遞至 `PutObjectAcl`,使其成為新的目前 ACL。
```
bool AwsDoc::S3::putObjectAcl(const Aws::String &bucketName, const Aws::String &objectKey, const Aws::String &ownerID,
const Aws::String &granteePermission, const Aws::String &granteeType,
const Aws::String &granteeID, const Aws::String &granteeEmailAddress,
const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::Owner owner;
owner.SetID(ownerID);
Aws::S3::Model::Grantee grantee;
grantee.SetType(setGranteeType(granteeType));
if (!granteeEmailAddress.empty()) {
grantee.SetEmailAddress(granteeEmailAddress);
}
if (!granteeID.empty()) {
grantee.SetID(granteeID);
}
if (!granteeURI.empty()) {
grantee.SetURI(granteeURI);
}
Aws::S3::Model::Grant grant;
grant.SetGrantee(grantee);
grant.SetPermission(setGranteePermission(granteePermission));
Aws::Vector grants;
grants.push_back(grant);
Aws::S3::Model::AccessControlPolicy acp;
acp.SetOwner(owner);
acp.SetGrants(grants);
Aws::S3::Model::PutObjectAclRequest request;
request.SetAccessControlPolicy(acp);
request.SetBucket(bucketName);
request.SetKey(objectKey);
Aws::S3::Model::PutObjectAclOutcome outcome =
s3Client.PutObjectAcl(request);
if (!outcome.IsSuccess()) {
auto error = outcome.GetError();
std::cerr << "Error: putObjectAcl: " << error.GetExceptionName()
<< " - " << error.GetMessage() << std::endl;
} else {
std::cout << "Successfully added an ACL to the object '" << objectKey
<< "' in the bucket '" << bucketName << "'." << std::endl;
}
return outcome.IsSuccess();
}
//! Routine which converts a human-readable string to a built-in type enumeration.
/*!
\param access: Human readable string.
\return Permission: Permission enumeration.
*/
Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) {
if (access == "FULL_CONTROL")
return Aws::S3::Model::Permission::FULL_CONTROL;
if (access == "WRITE")
return Aws::S3::Model::Permission::WRITE;
if (access == "READ")
return Aws::S3::Model::Permission::READ;
if (access == "WRITE_ACP")
return Aws::S3::Model::Permission::WRITE_ACP;
if (access == "READ_ACP")
return Aws::S3::Model::Permission::READ_ACP;
return Aws::S3::Model::Permission::NOT_SET;
}
//! Routine which converts a human-readable string to a built-in type enumeration.
/*!
\param type: Human readable string.
\return Type: Type enumeration.
*/
Aws::S3::Model::Type setGranteeType(const Aws::String &type) {
if (type == "Amazon customer by email")
return Aws::S3::Model::Type::AmazonCustomerByEmail;
if (type == "Canonical user")
return Aws::S3::Model::Type::CanonicalUser;
if (type == "Group")
return Aws::S3::Model::Type::Group;
return Aws::S3::Model::Type::NOT_SET;
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3/get_put_object_acl.cpp)。
## 管理儲存貯體的存取控制清單
在大多數情況下,設定儲存貯體存取許可的偏好方法是定義儲存貯體政策。不過,儲存貯體也支援希望使用它們的使用者的存取控制清單。
儲存貯體存取控制清單的管理與用於物件的存取控制清單相同。`GetBucketAcl` 方法會擷取儲存貯體目前的 ACL,並將新的 ACL `PutBucketAcl`套用至儲存貯體。
下列程式碼示範取得和設定儲存貯體 ACL。
```
//! Routine which demonstrates setting the ACL for an S3 bucket.
/*!
\param bucketName: Name of a bucket.
\param ownerID: The canonical ID of the bucket owner.
See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information.
\param granteePermission: The access level to enable for the grantee.
\param granteeType: The type of grantee.
\param granteeID: The canonical ID of the grantee.
\param granteeEmailAddress: The email address associated with the grantee's AWS account.
\param granteeURI: The URI of a built-in access group.
\param clientConfig: Aws client configuration.
\return bool: Function succeeded.
*/
bool AwsDoc::S3::getPutBucketAcl(const Aws::String &bucketName,
const Aws::String &ownerID,
const Aws::String &granteePermission,
const Aws::String &granteeType,
const Aws::String &granteeID,
const Aws::String &granteeEmailAddress,
const Aws::String &granteeURI,
const Aws::S3::S3ClientConfiguration &clientConfig) {
bool result = ::putBucketAcl(bucketName, ownerID, granteePermission, granteeType,
granteeID,
granteeEmailAddress,
granteeURI,
clientConfig);
if (result) {
result = ::getBucketAcl(bucketName, clientConfig);
}
return result;
}
//! Routine which demonstrates setting the ACL for an S3 bucket.
/*!
\param bucketName: Name of from bucket.
\param ownerID: The canonical ID of the bucket owner.
See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information.
\param granteePermission: The access level to enable for the grantee.
\param granteeType: The type of grantee.
\param granteeID: The canonical ID of the grantee.
\param granteeEmailAddress: The email address associated with the grantee's AWS account.
\param granteeURI: The URI of a built-in access group.
\param clientConfig: Aws client configuration.
\return bool: Function succeeded.
*/
bool putBucketAcl(const Aws::String &bucketName,
const Aws::String &ownerID,
const Aws::String &granteePermission,
const Aws::String &granteeType,
const Aws::String &granteeID,
const Aws::String &granteeEmailAddress,
const Aws::String &granteeURI,
const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::Owner owner;
owner.SetID(ownerID);
Aws::S3::Model::Grantee grantee;
grantee.SetType(setGranteeType(granteeType));
if (!granteeEmailAddress.empty()) {
grantee.SetEmailAddress(granteeEmailAddress);
}
if (!granteeID.empty()) {
grantee.SetID(granteeID);
}
if (!granteeURI.empty()) {
grantee.SetURI(granteeURI);
}
Aws::S3::Model::Grant grant;
grant.SetGrantee(grantee);
grant.SetPermission(setGranteePermission(granteePermission));
Aws::Vector grants;
grants.push_back(grant);
Aws::S3::Model::AccessControlPolicy acp;
acp.SetOwner(owner);
acp.SetGrants(grants);
Aws::S3::Model::PutBucketAclRequest request;
request.SetAccessControlPolicy(acp);
request.SetBucket(bucketName);
Aws::S3::Model::PutBucketAclOutcome outcome =
s3Client.PutBucketAcl(request);
if (!outcome.IsSuccess()) {
const Aws::S3::S3Error &error = outcome.GetError();
std::cerr << "Error: putBucketAcl: " << error.GetExceptionName()
<< " - " << error.GetMessage() << std::endl;
} else {
std::cout << "Successfully added an ACL to the bucket '" << bucketName
<< "'." << std::endl;
}
return outcome.IsSuccess();
}
//! Routine which demonstrates getting the ACL for an S3 bucket.
/*!
\param bucketName: Name of the s3 bucket.
\param clientConfig: Aws client configuration.
\return bool: Function succeeded.
*/
bool getBucketAcl(const Aws::String &bucketName,
const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::GetBucketAclRequest request;
request.SetBucket(bucketName);
Aws::S3::Model::GetBucketAclOutcome outcome =
s3Client.GetBucketAcl(request);
if (!outcome.IsSuccess()) {
const Aws::S3::S3Error &err = outcome.GetError();
std::cerr << "Error: getBucketAcl: "
<< err.GetExceptionName() << ": " << err.GetMessage() << std::endl;
} else {
const Aws::Vector &grants =
outcome.GetResult().GetGrants();
for (const Aws::S3::Model::Grant &grant: grants) {
const Aws::S3::Model::Grantee &grantee = grant.GetGrantee();
std::cout << "For bucket " << bucketName << ": "
<< std::endl << std::endl;
if (grantee.TypeHasBeenSet()) {
std::cout << "Type: "
<< getGranteeTypeString(grantee.GetType()) << std::endl;
}
if (grantee.DisplayNameHasBeenSet()) {
std::cout << "Display name: "
<< grantee.GetDisplayName() << std::endl;
}
if (grantee.EmailAddressHasBeenSet()) {
std::cout << "Email address: "
<< grantee.GetEmailAddress() << std::endl;
}
if (grantee.IDHasBeenSet()) {
std::cout << "ID: "
<< grantee.GetID() << std::endl;
}
if (grantee.URIHasBeenSet()) {
std::cout << "URI: "
<< grantee.GetURI() << std::endl;
}
std::cout << "Permission: " <<
getPermissionString(grant.GetPermission()) <<
std::endl << std::endl;
}
}
return outcome.IsSuccess();
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param permission: Permission enumeration.
\return String: Human-readable string.
*/
Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) {
switch (permission) {
case Aws::S3::Model::Permission::FULL_CONTROL:
return "Can list objects in this bucket, create/overwrite/delete "
"objects in this bucket, and read/write this "
"bucket's permissions";
case Aws::S3::Model::Permission::NOT_SET:
return "Permission not set";
case Aws::S3::Model::Permission::READ:
return "Can list objects in this bucket";
case Aws::S3::Model::Permission::READ_ACP:
return "Can read this bucket's permissions";
case Aws::S3::Model::Permission::WRITE:
return "Can create, overwrite, and delete objects in this bucket";
case Aws::S3::Model::Permission::WRITE_ACP:
return "Can write this bucket's permissions";
default:
return "Permission unknown";
}
}
//! Routine which converts a human-readable string to a built-in type enumeration
/*!
\param access: Human readable string.
\return Permission: Permission enumeration.
*/
Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) {
if (access == "FULL_CONTROL")
return Aws::S3::Model::Permission::FULL_CONTROL;
if (access == "WRITE")
return Aws::S3::Model::Permission::WRITE;
if (access == "READ")
return Aws::S3::Model::Permission::READ;
if (access == "WRITE_ACP")
return Aws::S3::Model::Permission::WRITE_ACP;
if (access == "READ_ACP")
return Aws::S3::Model::Permission::READ_ACP;
return Aws::S3::Model::Permission::NOT_SET;
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param type: Type enumeration.
\return bool: Human-readable string.
*/
Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) {
switch (type) {
case Aws::S3::Model::Type::AmazonCustomerByEmail:
return "Email address of an AWS account";
case Aws::S3::Model::Type::CanonicalUser:
return "Canonical user ID of an AWS account";
case Aws::S3::Model::Type::Group:
return "Predefined Amazon S3 group";
case Aws::S3::Model::Type::NOT_SET:
return "Not set";
default:
return "Type unknown";
}
}
Aws::S3::Model::Type setGranteeType(const Aws::String &type) {
if (type == "Amazon customer by email")
return Aws::S3::Model::Type::AmazonCustomerByEmail;
if (type == "Canonical user")
return Aws::S3::Model::Type::CanonicalUser;
if (type == "Group")
return Aws::S3::Model::Type::Group;
return Aws::S3::Model::Type::NOT_SET;
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3/get_put_bucket_acl.cpp)。