AWS SDK for Java を使用した ACL の管理 - Amazon Simple Storage Service

AWS SDK for Java を使用した ACL の管理

このセクションでは、バケットやオブジェクトでアクセスコントロールリスト (ACL) の付与を設定する方法の例を示します。最初の例では、既定 ACL を使用するバケット (「既定 ACL」を参照) を作成します。次に、カスタムアクセス許可の付与のリストを作成して、既定の ACL をカスタム付与を含む ACL で置き換えます。2 番目の例では、AccessControlList.grantPermission() メソッドを使用して ACL を変更する方法を示します。

ACL 付与の設定

この例では、バケットを作成します。リクエストで既定の ACL を指定し、バケットにログを書き込むアクセス許可をログ配信グループに付与します。

import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.regions.Regions; import com.amazonaws.services.s3.AmazonS3; import com.amazonaws.services.s3.AmazonS3ClientBuilder; import com.amazonaws.services.s3.model.*; import java.io.IOException; import java.util.ArrayList; public class CreateBucketWithACL { public static void main(String[] args) throws IOException { Regions clientRegion = Regions.DEFAULT_REGION; String bucketName = "*** Bucket name ***"; String userEmailForReadPermission = "*** user@example.com ***"; try { AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withRegion(clientRegion) .build(); // Create a bucket with a canned ACL. This ACL will be replaced by the setBucketAcl() // calls below. It is included here for demonstration purposes. CreateBucketRequest createBucketRequest = new CreateBucketRequest(bucketName, clientRegion.getName()) .withCannedAcl(CannedAccessControlList.LogDeliveryWrite); s3Client.createBucket(createBucketRequest); // Create a collection of grants to add to the bucket. ArrayList<Grant> grantCollection = new ArrayList<Grant>(); // Grant the account owner full control. Grant grant1 = new Grant(new CanonicalGrantee(s3Client.getS3AccountOwner().getId()), Permission.FullControl); grantCollection.add(grant1); // Grant the LogDelivery group permission to write to the bucket. Grant grant2 = new Grant(GroupGrantee.LogDelivery, Permission.Write); grantCollection.add(grant2); // Save grants by replacing all current ACL grants with the two we just created. AccessControlList bucketAcl = new AccessControlList(); bucketAcl.grantAllPermissions(grantCollection.toArray(new Grant[0])); s3Client.setBucketAcl(bucketName, bucketAcl); // Retrieve the bucket's ACL, add another grant, and then save the new ACL. AccessControlList newBucketAcl = s3Client.getBucketAcl(bucketName); Grant grant3 = new Grant(new EmailAddressGrantee(userEmailForReadPermission), Permission.Read); newBucketAcl.grantAllPermissions(grant3); s3Client.setBucketAcl(bucketName, newBucketAcl); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } }

既存のオブジェクトでの ACL 付与の設定

この例では、オブジェクトの ACL を更新します。この例では次のタスクを実行しています。

  • オブジェクトの ACL を取得する

  • すべての既存のアクセス許可を削除して ACL をクリアする

  • 2 つのアクセス許可として、所有者へのフルアクセスと、メールアドレスで識別されたユーザーへの WRITE_ACP (付与できるアクセス許可 を参照) を追加する

  • ACL をオブジェクトに保存する

import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.s3.AmazonS3; import com.amazonaws.services.s3.AmazonS3ClientBuilder; import com.amazonaws.services.s3.model.AccessControlList; import com.amazonaws.services.s3.model.CanonicalGrantee; import com.amazonaws.services.s3.model.EmailAddressGrantee; import com.amazonaws.services.s3.model.Permission; import java.io.IOException; public class ModifyACLExistingObject { public static void main(String[] args) throws IOException { Regions clientRegion = Regions.DEFAULT_REGION; String bucketName = "*** Bucket name ***"; String keyName = "*** Key name ***"; String emailGrantee = "*** user@example.com ***"; try { AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new ProfileCredentialsProvider()) .withRegion(clientRegion) .build(); // Get the existing object ACL that we want to modify. AccessControlList acl = s3Client.getObjectAcl(bucketName, keyName); // Clear the existing list of grants. acl.getGrantsAsList().clear(); // Grant a sample set of permissions, using the existing ACL owner for Full Control permissions. acl.grantPermission(new CanonicalGrantee(acl.getOwner().getId()), Permission.FullControl); acl.grantPermission(new EmailAddressGrantee(emailGrantee), Permission.WriteAcp); // Save the modified ACL back to the object. s3Client.setObjectAcl(bucketName, keyName, acl); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it, so it returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } }