メニュー
Amazon Simple Storage Service
開発者ガイド (API バージョン 2006-03-01)

AWS SDK for Java を使用した ACL の管理

このセクションでは、バケットやオブジェクトでアクセスコントロールリスト (ACL) の付与を設定する方法の例を示します。最初の例では、既定 ACL を使用するバケット (「既定 ACL」を参照) を作成します。次に、カスタムアクセス許可の付与のリストを作成して、既定の ACL をカスタム付与を含む ACL で置き換えます。2 番目の例では、AccessControlList.grantPermission() メソッドを使用して ACL を変更する方法を示します。

ACL 付与の設定

この例では、バケットを作成します。リクエストで既定の ACL を指定し、バケットにログを書き込むアクセス許可をログ配信グループに付与します。

import java.io.IOException; import java.util.ArrayList; import java.util.Collection; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3.AmazonS3; import com.amazonaws.services.s3.AmazonS3ClientBuilder; import com.amazonaws.services.s3.model.AccessControlList; import com.amazonaws.services.s3.model.CannedAccessControlList; import com.amazonaws.services.s3.model.CanonicalGrantee; import com.amazonaws.services.s3.model.CreateBucketRequest; import com.amazonaws.services.s3.model.Grant; import com.amazonaws.services.s3.model.GroupGrantee; import com.amazonaws.services.s3.model.Permission; public class CreateBucketWithACL { public static void main(String[] args) throws IOException { String clientRegion = "*** Client region ***"; String bucketName = "*** Bucket name ***"; try { AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new ProfileCredentialsProvider()) .withRegion(clientRegion) .build(); // Create a bucket with a canned ACL. This ACL will be deleted by the // getGrantsAsList().clear() call below. It is here for demonstration // purposes. CreateBucketRequest createBucketRequest = new CreateBucketRequest(bucketName, clientRegion) .withCannedAcl(CannedAccessControlList.LogDeliveryWrite); s3Client.createBucket(createBucketRequest); // Create a collection of grants to add to the bucket. Collection<Grant> grantCollection = new ArrayList<Grant>(); // Grant the account owner full control. Grant grant1 = new Grant(new CanonicalGrantee(s3Client.getS3AccountOwner().getId()), Permission.FullControl); grantCollection.add(grant1); // Grant the LogDelivery group permission to write to the bucket. Grant grant2 = new Grant(GroupGrantee.LogDelivery, Permission.Write); grantCollection.add(grant2); // Save (replace) grants by deleting all current ACL grants and replacing // them with the two we just created. AccessControlList bucketAcl = s3Client.getBucketAcl(bucketName); bucketAcl.getGrantsAsList().clear(); bucketAcl.getGrantsAsList().addAll(grantCollection); s3Client.setBucketAcl(bucketName, bucketAcl); } catch(AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch(SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } }

既存のオブジェクトでの ACL 付与の設定

この例では、オブジェクトの ACL を更新します。以下のタスクを実行します。

  • オブジェクトの ACL を取得する

  • すべての既存のアクセス許可を削除して ACL をクリアする

  • 2 つのアクセス許可として、所有者へのフルアクセスと、メールアドレスで識別されたユーザーへの WRITE_ACP (付与できるアクセス許可 を参照) を追加する

  • ACL をオブジェクトに保存する

import java.io.IOException; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3.AmazonS3; import com.amazonaws.services.s3.AmazonS3ClientBuilder; import com.amazonaws.services.s3.model.AccessControlList; import com.amazonaws.services.s3.model.CanonicalGrantee; import com.amazonaws.services.s3.model.EmailAddressGrantee; import com.amazonaws.services.s3.model.Permission; public class ModifyACLExistingObject { public static void main(String[] args) throws IOException { String clientRegion = "*** Client region ***"; String bucketName = "*** Bucket name ***"; String keyName = "*** Key name ***"; String emailGrantee = "*** user@example.com ***"; try { AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new ProfileCredentialsProvider()) .withRegion(clientRegion) .build(); // Get the existing object ACL that we want to modify. AccessControlList acl = s3Client.getObjectAcl(bucketName, keyName); // Clear the existing list of grants. acl.getGrantsAsList().clear(); // Grant a sample set of permissions, using the existing ACL owner for Full Control permissions. acl.grantPermission(new CanonicalGrantee(acl.getOwner().getId()), Permission.FullControl); acl.grantPermission(new EmailAddressGrantee(emailGrantee), Permission.WriteAcp); // Save the modified ACL back to the object. s3Client.setObjectAcl(bucketName, keyName, acl); } catch(AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it, so it returned an error response. e.printStackTrace(); } catch(SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } }