Riak CS PUT Object ACL
The PUT Object acl
operation uses the acl
subresource to set the access control list (ACL) permissions for an existing object in a bucket.
Note: You must have WRITE_ACP access to the object to use this operation.
PUT Object acl
offers two methods for setting an object’s permissions:
- Specify the ACL in the request body
- Specify permissions using request headers
Note: You can specify an ACL in the request body or with request headers, not both.
Requests
Request Syntax
This example shows the syntax for setting the ACL in the request body. The Request Headers section contain a list of headers you can use instead.
PUT /ObjectName?acl HTTP/1.1
Host: bucketname.data.riak.com
Date: date
Authorization: signatureValue
<AccessControlPolicy>
<Owner>
<ID>ID</ID>
<DisplayName>EmailAddress</DisplayName>
</Owner>
<AccessControlList>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID>ID</ID>
<DisplayName>EmailAddress</DisplayName>
</Grantee>
<Permission>Permission</Permission>
</Grant>
...
</AccessControlList>
</AccessControlPolicy>
Request Parameters
This operation does not use request parameters.
Request Headers
PUT Object acl
offers the following request headers in addition to the request headers common to all operations.
x-amz-acl - This request header specifies a predefined ACL to apply to the object being created. A predefined ACL grants specific permissions to individual accounts or predefined groups.
- Type: String
- Valid Values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control
- Default: private
Request Elements
If you specify the ACL using the request body, you must use the following elements:
AccessControlList - Container for ACL information (Grant, Grantee, and Permission).
- Type: Container
- Ancestors: AccessControlPolicy
AccessControlPolicy - Contains the elements that set the ACL permissions for each grantee.
- Type: Container
- Ancestors: None
DisplayName - Object owner’s display name.
- Type: String
- Ancestors: AccessControlPolicy.Owner
Grant - Container for Grantee
and Permission
.
- Type: Container
- Ancestors: AccessControlPolicy.AccessControlList
Grantee - The subject who is being granted permissions.
- Type: String
- Valid Values: DisplayName|EmailAddress|AuthenticatedUser
- Ancestors: AccessControlPolicy.AccessControlList.Grant
ID - Object owner’s ID.
- Type: String
- Ancestors: AccessControlPolicy.Owner|AccessControlPolicy.AccessControlList.Grant
Owner - Container for object owner information.
- Type: Container
- Ancestors: AccessControlPolicy
Permission - Permission granted to the Grantee
.
- Type: String
- Valid Values: FULL_CONTROL|WRITE_ACP|READ|READ_ACP
- Ancestors: AccessControlPolicy.AccessControlList.Grant
In request elements, you can specify the grantee to whom you are granting permissions in the following ways:
- emailAddress: The email address of an account
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CustomerByEmail">
<EmailAddress>user1@riak.com</EmailAddress>
</Grantee>
From the email address, the grantee is resolved to the CanonicalUser. The response to a GET Object acl
request displays the grantee as the CanonicalUser.
- id: The user ID of an account
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID>ID</ID>
<DisplayName>GranteesEmail</DisplayName>
</Grantee>
For the id method, DisplayName is optional and ignored in the request.
- uri: The uri that defines a group
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://data.riak.com/groups/AuthenticatedUsers<URI>
</Grantee>
Response Elements
PUT Bucket acl does not return response elements.
Examples
Sample Request with Access Permission Specified in Request Body
This sample request grants access permission to an existing object, named basho-process.jpg
, by specifying the ACL in the request body. In addition to granting full control to the bucket owner, grant full control to an account identified by its canonical user ID.
PUT /basho-process.jpg?acl HTTP/1.1
Host: basho_docs.data.riak.com
Date: Fri, 01 Jun 2012 12:00:00 GMT
Authorization: AWS AKIAIOSFODNN7EXAMPLE:xQE0diMbLRepdf3YB+FIEXAMPLE=
Content-Length: 124
<AccessControlPolicy>
<Owner>
<ID>75aa57f09aa0c8caeab4f8c24e99d10f8e7faeebf76c078efc7c6caea54ba06a</ID>
<DisplayName>user1@riak.com</DisplayName>
</Owner>
<AccessControlList>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID>75aa57f09aa0c8caeab4f8c24e99d10f8e7faeeExampleCanonicalUserID</ID>
<DisplayName>user2@riak.com</DisplayName>
</Grantee>
<Permission>FULL_CONTROL</Permission>
</Grant>
</AccessControlList>
</AccessControlPolicy>
Sample Response
This is the sample response when versioning is enabled.
HTTP/1.1 200 OK
Date: Fri, 01 Jun 2012 12:00:00 GMT
Last-Modified:Fri, 01 Jun 2012 10:30:15 GMT
Content-Length: 0
Connection: close
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
Sample Request Setting Access Permissions with Headers
The following request uses ACL-specific request headers, x-amz-acl, and specifies a predefined ACL (public_read) to grant object read access to everyone.
PUT basho-process.jpg?acl HTTP/1.1
Host: examplebucket.data.riak.com
x-amz-acl: public-read
Accept: */*
Authorization: AWS AKIAIOSFODNN7EXAMPLE:xQE0diMbLRepdf3YB+FIEXAMPLE=
Host: data.riak.com
Connection: Keep-Alive
Sample Response to Setting Permissions with Headers
HTTP/1.1 200 OK
x-amz-id-2: ZDsjJI9E3ke4WK56w5YegkbG6RWPxNQHIQ0CjrjyRVFZhEbabXnBO9w5G7Dmxsgk
x-amz-request-id: 827BD84C13B255B1
Date: Fri, 01 Jun 2012 12:00:00 GMT
Content-Length: 0
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)