Riak CS PUT Bucket ACL
The PUT Bucket acl operation uses the acl subresource to set the permissions on an existing bucket using an access control list (ACL).
Note: You must have WRITE_ACP access to the bucket to use this operation.
PUT Bucket acl offers two methods for setting a bucket’s permissions:
- Specify the ACL in the request body
- Specify permissions using request headers
Note: You can specify an ACL in the request body or with request headers, not both.
Requests
Request Syntax
This example shows the syntax for setting the ACL in the request body. The Request Headers section contains a list of headers you can use instead.
PUT /?acl HTTP/1.1
Host: bucketname.data.riak.com
Date: date
Authorization: signatureValue

<AccessControlPolicy>
  <Owner>
    <ID>ID</ID>
    <DisplayName>EmailAddress</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>ID</ID>
        <DisplayName>EmailAddress</DisplayName>
      </Grantee>
      <Permission>Permission</Permission>
    </Grant>
    ...
  </AccessControlList>
</AccessControlPolicy>
Request Parameters
This operation does not use request parameters.
Request Headers
PUT Bucket acl offers the following request headers in addition to the request headers common to all operations.
x-amz-acl - This request header specifies a predefined ACL to apply to the bucket being created. A predefined ACL grants specific permissions to individual accounts or predefined groups.
- Type: String
- Valid Values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control
- Default: private
Request Elements
If you specify the ACL using the request body, you must use the following elements:
AccessControlList - Container for ACL information (Grant, Grantee, and Permission).
- Type: Container
- Ancestors: AccessControlPolicy
AccessControlPolicy - Contains the elements that set the ACL permissions for each grantee.
- Type: Container
- Ancestors: None
DisplayName - Bucket owner’s display name.
- Type: String
- Ancestors: AccessControlPolicy.Owner
Grant - Container for Grantee and Permission.
- Type: Container
- Ancestors: AccessControlPolicy.AccessControlList
Grantee - The ID, Emailaddress, or uri of the subject who is being granted permissions.
- Type: String
- Ancestors: AccessControlPolicy.AccessControlList.Grant
ID - Bucket owner’s ID.
- Type: String
- Ancestors: AccessControlPolicy.Owner|AccessControlPolicy.AccessControlList.Grant
Owner - Container for bucket owner information.
- Type: Container
- Ancestors: AccessControlPolicy
Permission - Permission granted to the Grantee for the bucket.
- Type: String
- Valid Values: FULL_CONTROL|WRITE|WRITE_ACP|READ|READ_ACP
- Ancestors: AccessControlPolicy.AccessControlList.Grant
In request elements, you can specify the grantee to whom you are granting permissions in the following ways:
- emailAddress: The email address of an account
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CustomerByEmail">
<EmailAddress>user1@riak.com</EmailAddress>
</Grantee>
From the email address, the grantee is resolved to the CanonicalUser. The response to a GET Object acl request displays the grantee as the CanonicalUser.
- id: The user ID of an account
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID>ID</ID>
<DisplayName>GranteesEmail</DisplayName>
</Grantee>
For the id method, DisplayName is optional and ignored in the request.
- uri: The uri that defines a group
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  <URI>http://data.riak.com/groups/AuthenticatedUsers</URI>
</Grantee>
Response Elements
PUT Bucket acl does not return response elements.
Examples
Sample Request with Access Permission Specified in the Request Body
This sample request grants access permission to an existing bucket, named basho_docs, by specifying the ACL in the request body. In addition to granting full control to the bucket owner, the request specifies the following grants:
- Grant AllUsers group READ permission on the bucket.
- Grant the Dev group WRITE permission on the bucket.
- Grant an account, which is identified by email address, WRITE_ACP permission.
- Grant an account, which is identified by canonical user ID, READ_ACP permission.
PUT /?acl HTTP/1.1
Host: basho_docs.data.riak.com
Content-Length: 1660202
x-amz-date: Fri, 01 Jun 2012 12:00:00 GMT
Authorization: AWS AKIAIOSFODNN7EXAMPLE:xQE0diMbLRepdf3YB+FIEXAMPLE=

<AccessControlPolicy xmlns="http://data.riak.com/doc/2012-04-05/">
  <Owner>
    <ID>BucketOwnerCanonicalUserID</ID>
    <DisplayName>OwnerDisplayName</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>852b113e7a2f25102679df27bb0ae12b3f85be6BucketOwnerCanonicalUserID</ID>
        <DisplayName>OwnerDisplayName</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI xmlns="">http://acs.data.riak.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission xmlns="">READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI xmlns="">http://acs.data.riak.com/groups/global/Dev</URI>
      </Grantee>
      <Permission xmlns="">WRITE</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
        <EmailAddress xmlns="">user1@riak.com</EmailAddress>
      </Grantee>
      <Permission xmlns="">WRITE_ACP</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID xmlns="">f30716ab7115dcb44a5ef76e9d74b8e20567f63TestAccountCanonicalUserID</ID>
      </Grantee>
      <Permission xmlns="">READ_ACP</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
Sample Response
HTTP/1.1 200 OK
Date: Fri, 01 Jun 2012 12:00:00 GMT
Content-Length: 0
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
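A pre-flight check for a PUT Bucket acl request, as an added example that is not part of the Riak CS documentation or code base: it enforces the header-or-body rule, validates x-amz-acl and Permission against the values listed above, and reports group grants that allow writes or ACL changes. The function names and the choice of which permissions to report are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Valid values as listed on this page.
PERMISSIONS = {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"}
CANNED_ACLS = {"private", "public-read", "public-read-write", "authenticated-read",
               "bucket-owner-read", "bucket-owner-full-control"}
# Example policy (assumption): report these when the grantee is a group.
WIDENING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def local(tag):
    # Drop the "{namespace}" prefix; the sample mixes a default namespace and xmlns="".
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), None)

def audit_put_bucket_acl(headers, body):
    """Return a list of findings for a request given as (headers dict, body string)."""
    findings = []
    canned = {k.lower(): v for k, v in headers.items()}.get("x-amz-acl")
    if canned is not None and body.strip():
        findings.append("ACL given in both x-amz-acl header and request body")
    if canned is not None and canned not in CANNED_ACLS:
        findings.append(f"unknown x-amz-acl value: {canned}")
    if not body.strip():
        return findings
    for grant in (e for e in ET.fromstring(body).iter() if local(e.tag) == "Grant"):
        grantee = next((c for c in grant if local(c.tag) == "Grantee"), None)
        perm = child_text(grant, "Permission")
        if perm not in PERMISSIONS:
            findings.append(f"invalid Permission: {perm}")
        # A group grant covers every member of the group, not one account.
        if grantee is not None and grantee.get(XSI_TYPE) == "Group" and perm in WIDENING:
            findings.append(f"group {child_text(grantee, 'URI')} granted {perm}")
    return findings

# Constructed sample: two of the grants from the sample request body above.
SAMPLE = """<AccessControlPolicy xmlns="http://data.riak.com/doc/2012-04-05/"><AccessControlList>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI xmlns="">http://acs.data.riak.com/groups/global/AllUsers</URI></Grantee>
<Permission xmlns="">READ</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI xmlns="">http://acs.data.riak.com/groups/global/Dev</URI></Grantee>
<Permission xmlns="">WRITE</Permission></Grant>
</AccessControlList></AccessControlPolicy>"""

if __name__ == "__main__":
    for finding in audit_put_bucket_acl({}, SAMPLE):
        print(finding)
```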