Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Managing ACLs Using the AWS SDK for Java

This section provides examples that show how to configure access control list (ACL) grants on buckets and objects. The first example creates a bucket with a canned ACL (see the Canned ACL section), builds a list of custom grants, and then replaces the canned ACL with an ACL that contains those custom grants. The second example shows how to modify an ACL with the AccessControlList.grantPermission() method. Both examples read the current ACL, clear its grant list and write a new one, so every grant you do not re-add is lost, including the owner's FULL_CONTROL grant; re-add it explicitly, as both samples do. Note that on buckets whose Object Ownership setting is BucketOwnerEnforced (the default for newly created buckets since April 2023) ACLs are disabled, and a PUT that carries any grant other than the bucket owner's full control fails with the error AccessControlListNotSupported.

Setting ACL Grants

This example creates a bucket. In the request it specifies a canned ACL that grants the Log Delivery group permission to write logs to the bucket. It then reads the bucket ACL back, clears all of its grants, and saves two explicit grants in their place: FULL_CONTROL for the account owner (looked up with getS3AccountOwner()) and WRITE for the Log Delivery group.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CannedAccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.CreateBucketRequest;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

public class CreateBucketWithACL {

    public static void main(String[] args) throws IOException {
        String clientRegion = "*** Client region ***";
        String bucketName = "*** Bucket name ***";

        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withRegion(clientRegion)
                    .build();

            // Create a bucket with a canned ACL. This ACL will be deleted by the
            // getGrantsAsList().clear() call below. It is here for demonstration
            // purposes.
            CreateBucketRequest createBucketRequest = new CreateBucketRequest(bucketName, clientRegion)
                    .withCannedAcl(CannedAccessControlList.LogDeliveryWrite);
            s3Client.createBucket(createBucketRequest);

            // Create a collection of grants to add to the bucket.
            Collection<Grant> grantCollection = new ArrayList<Grant>();

            // Grant the account owner full control.
            Grant grant1 = new Grant(new CanonicalGrantee(s3Client.getS3AccountOwner().getId()),
                    Permission.FullControl);
            grantCollection.add(grant1);

            // Grant the LogDelivery group permission to write to the bucket.
            Grant grant2 = new Grant(GroupGrantee.LogDelivery, Permission.Write);
            grantCollection.add(grant2);

            // Save (replace) grants by deleting all current ACL grants and replacing
            // them with the two we just created.
            AccessControlList bucketAcl = s3Client.getBucketAcl(bucketName);
            bucketAcl.getGrantsAsList().clear();
            bucketAcl.getGrantsAsList().addAll(grantCollection);
            s3Client.setBucketAcl(bucketName, bucketAcl);
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it and returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }
}
```

Configuring ACL Grants on an Existing Object

This example updates the ACL on an existing object. It performs the following tasks:

  • Retrieves the object's ACL

  • Clears the ACL by removing all of its existing grants

  • Adds two grants: full control for the owner (taken from the ACL's own Owner field), and WRITE_ACP for a user identified by e-mail address (see the section on the permissions you can grant). WRITE_ACP lets that user rewrite the object's ACL, including granting themselves FULL_CONTROL, so grant it deliberately. Identifying a grantee by e-mail address is only supported in a subset of AWS Regions (the older ones, such as us-east-1 and eu-west-1); elsewhere, identify the grantee by canonical user ID instead.

  • Saves the ACL on the object

```java
import java.io.IOException;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

public class ModifyACLExistingObject {

    public static void main(String[] args) throws IOException {
        String clientRegion = "*** Client region ***";
        String bucketName = "*** Bucket name ***";
        String keyName = "*** Key name ***";
        String emailGrantee = "*** user@example.com ***";

        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withRegion(clientRegion)
                    .build();

            // Get the existing object ACL that we want to modify.
            AccessControlList acl = s3Client.getObjectAcl(bucketName, keyName);

            // Clear the existing list of grants.
            acl.getGrantsAsList().clear();

            // Grant a sample set of permissions, using the existing ACL owner for
            // Full Control permissions.
            acl.grantPermission(new CanonicalGrantee(acl.getOwner().getId()), Permission.FullControl);
            acl.grantPermission(new EmailAddressGrantee(emailGrantee), Permission.WriteAcp);

            // Save the modified ACL back to the object.
            s3Client.setObjectAcl(bucketName, keyName, acl);
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }
}
```
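Both samples above take the same risky step: clear the whole grant list and write a new one, trusting the programmer to re-add the owner's FULL_CONTROL and to grant nothing broader than intended. The following Python is an added example, not AWS code and not part of this guide; it is written against the AccessControlPolicy document that GetBucketAcl/GetObjectAcl return (an Owner plus a list of Grants whose grantees are CanonicalUser, Group or AmazonCustomerByEmail) rather than against the Java SDK objects, so it runs offline. It reproduces the clear-and-replace step of both samples with an owner-lockout guard, and adds an audit a practitioner would run before PutBucketAcl/PutObjectAcl. The ACLs, the owner ID and the function names are all constructed for the example.

```python
"""Offline audit and rebuild of S3 ACL grant lists.

Added example, not AWS code. The dictionaries mirror the AccessControlPolicy
shape that GetBucketAcl/GetObjectAcl return (Owner plus a list of Grants);
every ACL below is constructed inline, nothing is fetched from S3.
"""
from typing import Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Permissions that let a grantee change data or the ACL itself.
RISKY = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def canonical_user_grant(canonical_id: str, permission: str) -> Dict:
    return {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id},
            "Permission": permission}


def group_grant(uri: str, permission: str) -> Dict:
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


def email_grant(email: str, permission: str) -> Dict:
    # S3 resolves an e-mail grantee to a canonical user ID when the ACL is stored.
    return {"Grantee": {"Type": "AmazonCustomerByEmail", "EmailAddress": email},
            "Permission": permission}


def replace_grants(acl: Dict, new_grants: List[Dict]) -> Dict:
    """The clear() + addAll() step of the Java samples, with the guard they
    leave to the programmer: the owner's FULL_CONTROL must be in the new list,
    otherwise the rewrite silently drops it."""
    owner_id = acl["Owner"]["ID"]
    if not any(g["Grantee"].get("ID") == owner_id and g["Permission"] == "FULL_CONTROL"
               for g in new_grants):
        raise ValueError("new grant list drops the owner's FULL_CONTROL")
    return {"Owner": dict(acl["Owner"]), "Grants": [dict(g) for g in new_grants]}


def audit_grants(acl: Dict) -> List[str]:
    """One finding per grant that opens the resource to the public or lets a
    non-owner write data or rewrite the ACL. Run before PutBucketAcl/PutObjectAcl."""
    owner_id = acl["Owner"]["ID"]
    findings = []
    for g in acl["Grants"]:
        grantee, perm = g["Grantee"], g["Permission"]
        kind = grantee["Type"]
        if kind == "Group":
            name = grantee["URI"].rsplit("/", 1)[-1]
            if grantee["URI"] in (ALL_USERS, AUTHENTICATED_USERS):
                findings.append(f"public grant: {perm} to {name}")
            elif grantee["URI"] == LOG_DELIVERY and perm not in ("WRITE", "READ_ACP"):
                findings.append(f"LogDelivery has {perm}; log delivery needs only WRITE/READ_ACP")
        elif kind == "CanonicalUser" and grantee["ID"] != owner_id and perm in RISKY:
            findings.append(f"non-owner {grantee['ID']} has {perm}")
        elif kind == "AmazonCustomerByEmail" and perm in RISKY:
            findings.append(f"{grantee['EmailAddress']} has {perm}"
                            + (" (can grant itself FULL_CONTROL)" if perm == "WRITE_ACP" else ""))
    return findings


# Constructed sample: what GetBucketAcl returns for a bucket created with the
# LogDeliveryWrite canned ACL (owner FULL_CONTROL, LogDelivery WRITE and READ_ACP).
OWNER = {"ID": "0123456789abcdef" * 4, "DisplayName": "bucket-owner"}
BUCKET_ACL_AFTER_CREATE = {
    "Owner": OWNER,
    "Grants": [
        canonical_user_grant(OWNER["ID"], "FULL_CONTROL"),
        group_grant(LOG_DELIVERY, "WRITE"),
        group_grant(LOG_DELIVERY, "READ_ACP"),
    ],
}


def rebuild_log_bucket_acl(acl: Dict) -> Dict:
    """First sample: owner FULL_CONTROL plus LogDelivery WRITE, nothing else."""
    return replace_grants(acl, [canonical_user_grant(acl["Owner"]["ID"], "FULL_CONTROL"),
                                group_grant(LOG_DELIVERY, "WRITE")])


def rebuild_object_acl(acl: Dict, email: str) -> Dict:
    """Second sample: owner FULL_CONTROL plus WRITE_ACP for an e-mail grantee."""
    return replace_grants(acl, [canonical_user_grant(acl["Owner"]["ID"], "FULL_CONTROL"),
                                email_grant(email, "WRITE_ACP")])


if __name__ == "__main__":
    for label, acl in (("log bucket", rebuild_log_bucket_acl(BUCKET_ACL_AFTER_CREATE)),
                       ("object", rebuild_object_acl(BUCKET_ACL_AFTER_CREATE, "user@example.com"))):
        print(label, audit_grants(acl) or "no findings")
```

Run as a script it prints no findings for the rebuilt log bucket and one finding for the object ACL: the WRITE_ACP grant from the second sample is legitimate only if you intend that user to be able to take full control of the object. The guard in replace_grants is the check the Java samples rely on you to remember; feeding it a list that omits the owner's FULL_CONTROL raises instead of writing a lockout ACL.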