As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
Gerenciar permissões de acesso do Amazon S3
As permissões de acesso para um bucket ou objeto do Amazon S3 são definidas em uma lista de controle de acesso (ACL). A ACL especifica o proprietário do bucket/objeto e uma lista de concessões. Cada concessão especifica um usuário (ou beneficiário) e as permissões do usuário para acessar o bucket/objeto, como acesso READ ou WRITE.
Pré-requisitos
Antes de começar, recomendamos que você leia Getting started using the AWS SDK para C++.
Baixe o exemplo código de código e crie a solução conforme descrito em Conceitos básicos dos exemplos de código.
Para executar os exemplos, o perfil de usuário que seu código usa para fazer as solicitações deve ter as permissões adequadas na AWS (para o serviço e a ação). Para acessar mais informações, consulte Fornecer credenciais da AWS.
Gerenciar a lista de controle de acesso de um objeto
A lista de controle de acesso de um objeto pode ser recuperada chamando o método GetObjectAcl do S3Client. O método aceita os nomes do objeto e do respectivo bucket. O valor de retorno inclui o Owner da ACL e a lista de Grants.
bool AwsDoc::S3::getObjectAcl(const Aws::String &bucketName, const Aws::String &objectKey, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::GetObjectAclRequest request; request.SetBucket(bucketName); request.SetKey(objectKey); Aws::S3::Model::GetObjectAclOutcome outcome = s3Client.GetObjectAcl(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &err = outcome.GetError(); std::cerr << "Error: getObjectAcl: " << err.GetExceptionName() << ": " << err.GetMessage() << std::endl; } else { Aws::Vector<Aws::S3::Model::Grant> grants = outcome.GetResult().GetGrants(); for (auto it = grants.begin(); it != grants.end(); it++) { std::cout << "For object " << objectKey << ": " << std::endl << std::endl; Aws::S3::Model::Grant grant = *it; Aws::S3::Model::Grantee grantee = grant.GetGrantee(); if (grantee.TypeHasBeenSet()) { std::cout << "Type: " << getGranteeTypeString(grantee.GetType()) << std::endl; } if (grantee.DisplayNameHasBeenSet()) { std::cout << "Display name: " << grantee.GetDisplayName() << std::endl; } if (grantee.EmailAddressHasBeenSet()) { std::cout << "Email address: " << grantee.GetEmailAddress() << std::endl; } if (grantee.IDHasBeenSet()) { std::cout << "ID: " << grantee.GetID() << std::endl; } if (grantee.URIHasBeenSet()) { std::cout << "URI: " << grantee.GetURI() << std::endl; } std::cout << "Permission: " << getPermissionString(grant.GetPermission()) << std::endl << std::endl; } } return outcome.IsSuccess(); } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param type: Type enumeration. \return String: Human-readable string */ Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) { switch (type) { case Aws::S3::Model::Type::AmazonCustomerByEmail: return "Email address of an AWS account"; case Aws::S3::Model::Type::CanonicalUser: return "Canonical user ID of an AWS account"; case Aws::S3::Model::Type::Group: return "Predefined Amazon S3 group"; case Aws::S3::Model::Type::NOT_SET: return "Not set"; default: return "Type unknown"; } } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param permission: Permission enumeration. \return String: Human-readable string */ Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) { switch (permission) { case Aws::S3::Model::Permission::FULL_CONTROL: return "Can read this object's data and its metadata, " "and read/write this object's permissions"; case Aws::S3::Model::Permission::NOT_SET: return "Permission not set"; case Aws::S3::Model::Permission::READ: return "Can read this object's data and its metadata"; case Aws::S3::Model::Permission::READ_ACP: return "Can read this object's permissions"; // case Aws::S3::Model::Permission::WRITE // Not applicable. case Aws::S3::Model::Permission::WRITE_ACP: return "Can write this object's permissions"; default: return "Permission unknown"; } }
A ACL pode ser modificada criando outra ACL ou alterando as concessões especificadas na ACL atual. A ACL atualizada se torna a nova ACL atual transmitindo-a para o método PutObjectAcl.
O código a seguir usa a ACL recuperada por GetObjectAcl e adiciona uma nova concessão a ela. O usuário ou o beneficiário recebe a permissão READ para o objeto. A ACL modificada é transmitida ao PutObjectAcl, tornando-se a nova ACL atual.
bool AwsDoc::S3::putObjectAcl(const Aws::String &bucketName, const Aws::String &objectKey, const Aws::String &ownerID, const Aws::String &granteePermission, const Aws::String &granteeType, const Aws::String &granteeID, const Aws::String &granteeEmailAddress, const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::Owner owner; owner.SetID(ownerID); Aws::S3::Model::Grantee grantee; grantee.SetType(setGranteeType(granteeType)); if (!granteeEmailAddress.empty()) { grantee.SetEmailAddress(granteeEmailAddress); } if (!granteeID.empty()) { grantee.SetID(granteeID); } if (!granteeURI.empty()) { grantee.SetURI(granteeURI); } Aws::S3::Model::Grant grant; grant.SetGrantee(grantee); grant.SetPermission(setGranteePermission(granteePermission)); Aws::Vector<Aws::S3::Model::Grant> grants; grants.push_back(grant); Aws::S3::Model::AccessControlPolicy acp; acp.SetOwner(owner); acp.SetGrants(grants); Aws::S3::Model::PutObjectAclRequest request; request.SetAccessControlPolicy(acp); request.SetBucket(bucketName); request.SetKey(objectKey); Aws::S3::Model::PutObjectAclOutcome outcome = s3Client.PutObjectAcl(request); if (!outcome.IsSuccess()) { auto error = outcome.GetError(); std::cerr << "Error: putObjectAcl: " << error.GetExceptionName() << " - " << error.GetMessage() << std::endl; } else { std::cout << "Successfully added an ACL to the object '" << objectKey << "' in the bucket '" << bucketName << "'." << std::endl; } return outcome.IsSuccess(); } //! Routine which converts a human-readable string to a built-in type enumeration. /*! \param access: Human readable string. \return Permission: Permission enumeration. */ Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) { if (access == "FULL_CONTROL") return Aws::S3::Model::Permission::FULL_CONTROL; if (access == "WRITE") return Aws::S3::Model::Permission::WRITE; if (access == "READ") return Aws::S3::Model::Permission::READ; if (access == "WRITE_ACP") return Aws::S3::Model::Permission::WRITE_ACP; if (access == "READ_ACP") return Aws::S3::Model::Permission::READ_ACP; return Aws::S3::Model::Permission::NOT_SET; } //! Routine which converts a human-readable string to a built-in type enumeration. /*! \param type: Human readable string. \return Type: Type enumeration. */ Aws::S3::Model::Type setGranteeType(const Aws::String &type) { if (type == "Amazon customer by email") return Aws::S3::Model::Type::AmazonCustomerByEmail; if (type == "Canonical user") return Aws::S3::Model::Type::CanonicalUser; if (type == "Group") return Aws::S3::Model::Type::Group; return Aws::S3::Model::Type::NOT_SET; }
Veja o exemplo completo no GitHub
Gerenciar a lista de controle de acesso de um bucket
Na maioria dos casos, o método preferido para definir as permissões de acesso de um bucket é definir uma política de bucket. No entanto, os buckets também comportam listas de controle de acesso para usuários que desejam usá-las.
O gerenciamento de uma lista de controle de acesso para um bucket é idêntico ao usado para um objeto. O método GetBucketAcl recupera a ACL atual de um bucket e o PutBucketAcl aplica uma nova ACL a ele.
O código a seguir demonstra como recuperar e definir uma ACL de bucket.
//! Routine which demonstrates setting the ACL for an S3 bucket. /*! \param bucketName: Name of a bucket. \param ownerID: The canonical ID of the bucket owner. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information. \param granteePermission: The access level to enable for the grantee. \param granteeType: The type of grantee. \param granteeID: The canonical ID of the grantee. \param granteeEmailAddress: The email address associated with the grantee's AWS account. \param granteeURI: The URI of a built-in access group. \param clientConfig: Aws client configuration. \return bool: Function succeeded. */ bool AwsDoc::S3::getPutBucketAcl(const Aws::String &bucketName, const Aws::String &ownerID, const Aws::String &granteePermission, const Aws::String &granteeType, const Aws::String &granteeID, const Aws::String &granteeEmailAddress, const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) { bool result = ::putBucketAcl(bucketName, ownerID, granteePermission, granteeType, granteeID, granteeEmailAddress, granteeURI, clientConfig); if (result) { result = ::getBucketAcl(bucketName, clientConfig); } return result; } //! Routine which demonstrates setting the ACL for an S3 bucket. /*! \param bucketName: Name of from bucket. \param ownerID: The canonical ID of the bucket owner. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information. \param granteePermission: The access level to enable for the grantee. \param granteeType: The type of grantee. \param granteeID: The canonical ID of the grantee. \param granteeEmailAddress: The email address associated with the grantee's AWS account. \param granteeURI: The URI of a built-in access group. \param clientConfig: Aws client configuration. \return bool: Function succeeded. */ bool putBucketAcl(const Aws::String &bucketName, const Aws::String &ownerID, const Aws::String &granteePermission, const Aws::String &granteeType, const Aws::String &granteeID, const Aws::String &granteeEmailAddress, const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::Owner owner; owner.SetID(ownerID); Aws::S3::Model::Grantee grantee; grantee.SetType(setGranteeType(granteeType)); if (!granteeEmailAddress.empty()) { grantee.SetEmailAddress(granteeEmailAddress); } if (!granteeID.empty()) { grantee.SetID(granteeID); } if (!granteeURI.empty()) { grantee.SetURI(granteeURI); } Aws::S3::Model::Grant grant; grant.SetGrantee(grantee); grant.SetPermission(setGranteePermission(granteePermission)); Aws::Vector<Aws::S3::Model::Grant> grants; grants.push_back(grant); Aws::S3::Model::AccessControlPolicy acp; acp.SetOwner(owner); acp.SetGrants(grants); Aws::S3::Model::PutBucketAclRequest request; request.SetAccessControlPolicy(acp); request.SetBucket(bucketName); Aws::S3::Model::PutBucketAclOutcome outcome = s3Client.PutBucketAcl(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &error = outcome.GetError(); std::cerr << "Error: putBucketAcl: " << error.GetExceptionName() << " - " << error.GetMessage() << std::endl; } else { std::cout << "Successfully added an ACL to the bucket '" << bucketName << "'." << std::endl; } return outcome.IsSuccess(); } //! Routine which demonstrates getting the ACL for an S3 bucket. /*! \param bucketName: Name of the s3 bucket. \param clientConfig: Aws client configuration. \return bool: Function succeeded. */ bool getBucketAcl(const Aws::String &bucketName, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::GetBucketAclRequest request; request.SetBucket(bucketName); Aws::S3::Model::GetBucketAclOutcome outcome = s3Client.GetBucketAcl(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &err = outcome.GetError(); std::cerr << "Error: getBucketAcl: " << err.GetExceptionName() << ": " << err.GetMessage() << std::endl; } else { const Aws::Vector<Aws::S3::Model::Grant> &grants = outcome.GetResult().GetGrants(); for (const Aws::S3::Model::Grant &grant: grants) { const Aws::S3::Model::Grantee &grantee = grant.GetGrantee(); std::cout << "For bucket " << bucketName << ": " << std::endl << std::endl; if (grantee.TypeHasBeenSet()) { std::cout << "Type: " << getGranteeTypeString(grantee.GetType()) << std::endl; } if (grantee.DisplayNameHasBeenSet()) { std::cout << "Display name: " << grantee.GetDisplayName() << std::endl; } if (grantee.EmailAddressHasBeenSet()) { std::cout << "Email address: " << grantee.GetEmailAddress() << std::endl; } if (grantee.IDHasBeenSet()) { std::cout << "ID: " << grantee.GetID() << std::endl; } if (grantee.URIHasBeenSet()) { std::cout << "URI: " << grantee.GetURI() << std::endl; } std::cout << "Permission: " << getPermissionString(grant.GetPermission()) << std::endl << std::endl; } } return outcome.IsSuccess(); } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param permission: Permission enumeration. \return String: Human-readable string. */ Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) { switch (permission) { case Aws::S3::Model::Permission::FULL_CONTROL: return "Can list objects in this bucket, create/overwrite/delete " "objects in this bucket, and read/write this " "bucket's permissions"; case Aws::S3::Model::Permission::NOT_SET: return "Permission not set"; case Aws::S3::Model::Permission::READ: return "Can list objects in this bucket"; case Aws::S3::Model::Permission::READ_ACP: return "Can read this bucket's permissions"; case Aws::S3::Model::Permission::WRITE: return "Can create, overwrite, and delete objects in this bucket"; case Aws::S3::Model::Permission::WRITE_ACP: return "Can write this bucket's permissions"; default: return "Permission unknown"; } } //! Routine which converts a human-readable string to a built-in type enumeration /*! \param access: Human readable string. \return Permission: Permission enumeration. */ Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) { if (access == "FULL_CONTROL") return Aws::S3::Model::Permission::FULL_CONTROL; if (access == "WRITE") return Aws::S3::Model::Permission::WRITE; if (access == "READ") return Aws::S3::Model::Permission::READ; if (access == "WRITE_ACP") return Aws::S3::Model::Permission::WRITE_ACP; if (access == "READ_ACP") return Aws::S3::Model::Permission::READ_ACP; return Aws::S3::Model::Permission::NOT_SET; } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param type: Type enumeration. \return bool: Human-readable string. */ Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) { switch (type) { case Aws::S3::Model::Type::AmazonCustomerByEmail: return "Email address of an AWS account"; case Aws::S3::Model::Type::CanonicalUser: return "Canonical user ID of an AWS account"; case Aws::S3::Model::Type::Group: return "Predefined Amazon S3 group"; case Aws::S3::Model::Type::NOT_SET: return "Not set"; default: return "Type unknown"; } } Aws::S3::Model::Type setGranteeType(const Aws::String &type) { if (type == "Amazon customer by email") return Aws::S3::Model::Type::AmazonCustomerByEmail; if (type == "Canonical user") return Aws::S3::Model::Type::CanonicalUser; if (type == "Group") return Aws::S3::Model::Type::Group; return Aws::S3::Model::Type::NOT_SET; }
Veja o exemplo completo no GitHub
