Adding an ACL to an object

Content Platform Tenant Management Help

Version
9.7.x
File Size
4269 KB
Audience
anonymous
Part Number
MK-95HCPH002-19

You use the HTTP PUT method with the acl query parameter to add an ACL to an existing object. Adding an ACL to an object replaces any existing ACL in its entirety. You cannot modify an existing ACL in place.

To add an ACL to an object, you need write ACL permission for the bucket containing the object or for the object itself.

You can add an ACL only to the current version of an object. However, the ACL you add applies to all versions of the object.

To add an ACL to an object, you can use either request headers or an ACL request body. You cannot use ACL headers and an ACL request body in the same request.

With ACL headers, you can specify either a canned ACL or individual x-amz-grant- headers. You cannot specify both a canned ACL and an x-amz-grant- header in the same request.

You can use an ACL request body to change the owner of an object. You cannot use ACL headers to do this. To change the owner of an object, you need both write ACL permission for the bucket or object and change owner permission for the bucket.

If you try to add an ACL that specifies a user account that does not exist, HCP returns a 400 (Bad Request) status code and does not add the ACL to the object.

Request line

Depending on whether the bucket name is included in the hostname in the S3 compatible request, a request to add an ACL to an object has either of these formats:

  • With the bucket name included in the hostname:
    PUT /object-name?acl HTTP/1.1
  • With the bucket name following the hostname:
    PUT /bucket-name/object-name?acl HTTP/1.1

The acl query parameter is not case sensitive.

Required headers

The list below describes the headers you can use in a request to add an ACL to an object.

Authorization
Specifies user credentials or requests anonymous access.
Date
Specifies the date and time when the request is being made according to the requester. Normally, this is the current date and time.
The date and time must always be specified using Greenwich Mean Time (GMT).
To specify the date and time, use this format:
DDD, dd MMM yyyy HH:mm:ss (+0000|GMT)
In this format:
DDD
The three-letter abbreviation for the day of the week, with an uppercase first letter (for example, Mon).
dd
The two-digit day of the month.
MMM
The three-letter abbreviation for the month, with an uppercase first letter (for example, Feb).
yyyy
The four-digit year.
HH
The hour on a 24-hour clock.
mm
The number of minutes.
ss
The number of seconds.
For example:
Thu, 23 Mar 2017 14:27:05 +0000
All S3 compatible requests must include either a Date header or an x-amz-date header. If a request includes both headers, HCP uses the date and time in the x-amz-date header.
Host
Specifies the hostname for the request. The host name identifies either a tenant or a bucket.
For a tenant, use this format:
tenant-name.hcp-domain-name
For a bucket, use this format:
bucket-name.tenant-name.hcp-domain-name
x-amz-date
Specifies the date and time at which the request is being made according to the requester. Normally, this is the current date and time.
For the valid values for this header, see the description of the Date header above.

Optional headers

Content-Length
Specifies the size, in bytes, of the request body.
This header is required when you’re using an ACL request body to add an ACL to an object. If you’re using ACL headers to add the ACL, the Content-Length header is invalid.
Content-Type
Specifies the Internet media type of the request body. This header is valid only when the ACL is specified in the request body. The only valid values are application/xml and text/xml.
x-amz-acl
Adds a canned ACL to the bucket.
This header is used only to add a canned ACL to a bucket. If you’re using individual x-amz-grant- headers to add the ACL, the x-amz-acl header is invalid.
x-amz-grant-full-control
Grants full control over the bucket to one or more specified grantees.
If you’re using a canned ACL to add an ACL to a bucket, the x-amz-grant-full-control header is invalid.
x-amz-grant-read
Grants the browse and read data access permissions for the bucket to one or more specified grantees.
If you’re using a canned ACL to add an ACL to a bucket, the x-amz-grant-read header is invalid.
x-amz-grant-read-acp
Grants the read ACL data access permission for the bucket to one or more specified grantees.
If you’re using a canned ACL to add an ACL to a bucket, the x-amz-grant-read-acp header is invalid.
x-amz-grant-write
Grants the write and delete data access permissions for the bucket to one or more specified grantees.
If you’re using a canned ACL to add an ACL to a bucket, the x-amz-grant-write header is invalid.
x-amz-grant-write-acp
Grants the write ACL data access permission for the bucket to one or more specified grantees.
If you’re using a canned ACL to add an ACL to a bucket, the x-amz-grant-write-acp header is invalid.

Response headers

The list below describes the headers returned in response to a successful request to add an ACL to an object.

Content-length
Specifies the size, in bytes, of the response body. In response to a successful request to add an ACL to an object, the value of this header is always 0 (zero).
Date
The date and time when HCP responded to the request, in Greenwich Mean Time (GMT). The date and time are returned in this format:
DDD dd MMM yyyy HH:mm:ss GMT
For example:
Fri, 18 Sep 2020 14:27:05 GMT

Status codes

The table below describes HTTP status codes that can be returned in response to a request to add an ACL to an object.

Code Meaning Description
200 OK HCP successfully added the ACL to the object.
400 Bad Request

Possible reasons include:

  • You are trying to add an ACL that contains more than one hundred permission grants.
  • A specified grantee does not exist.
  • The specified owner does not exist.
  • Two grants of the same permission specify the same grantee.
  • The x-amz-acl header specifies an invalid value.
  • An x-amz-grant- header specifies an invalid identifier type.
  • The XML in the ACL request body is malformed or contains an invalid value.
403 Forbidden

Possible reasons include:

  • The credentials provided with the request are invalid.
  • You do not have permission to add an ACL to the object.
  • The specified bucket does not currently support the requested operation.
  • The S3 compatible API is currently disabled for the specified bucket.
404 Not Found

One of these:

  • The specified object does not exist.
  • The specified bucket does not exist.
409 Conflict Possible reasons include that the object data is currently being written to HCP.
500 Internal Server Error

An internal error occurred.

If this error persists, contact your tenant administrator.

503 Service Unavailable

HCP is temporarily unable to handle the request, probably due to system overload, maintenance, or upgrade. Try the request again, gradually increasing the delay between each successive attempt.

If this error persists, contact your tenant administrator.

Example: Adding an ACL to an object by using a canned ACL

Here’s a sample PUT request that adds a canned ACL to the object named AcctgBestPractices.doc. The ACL grants read permission to all users.

Request with s3curl command line

./s3curl.pl --id=lgreen --put ~ -- -k
     "https:// finance.europe.hcp.example.com/AcctgBestPractices.doc?acl"
     -H "x-amz-acl: public-read"

Request headers

PUT /AcctgBestPractices.doc?acl HTTP/1.1
Host: finance.europe.hcp.example.com
Date: Fri, 07 February 2020 17:19:26 +0000
Authorization: AWS bGdyZWVu:C8KpGuK62B7j2US0kN0Bl0Wx48k=
x-amz-acl: public-read

Response headers

HTTP/1.1 200 OK
Date: Fri, 07 February 2020 17:19:26 GMT
Content-Length: 0

Example: Adding an ACL to an object by using an ACL request body

Here’s a sample PUT request that uses an ACL request body to add an ACL to the object named mktg/budget_proposals/BudgProp-2020. The ACL grants read access to all authenticated users and full control user pblack. It makes no change to the object owner. The ACL request body is in a file named acl-3.xml.

Request body

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
     <AccessControlList>
          <Grant>
               <Grantee xsi:type="Group"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
               </Grantee>
               <Permission>READ</Permission>
          </Grant>
          <Grant>
               <Grantee xsi:type="CanonicalUser"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                    <ID>b9d39144-a081-4761-b0e8-b8fb51e10192</ID>
                    <DisplayName>pblack</DisplayName>
               </Grantee>
               <Permission>FULL_CONTROL</Permission>
          </Grant>
     </AccessControlList>
</AccessControlPolicy>

Request with s3curl command line

./s3curl.pl --id=lgreen --put=acl-3.xml -- -k
     "https://finance.europe.hcp.example.com/mktg/budget_proposals/
     BudgProp-2020?acl"

Request headers

PUT /mktg/budget_proposals/BudgProp-2020?acl HTTP/1.1
Host: finance.europe.hcp.example.com
Date: Fri, 07 February 2020 17:19:26 +0000
Authorization: AWS bGdyZWVu:mRqVstjwWxvfEFr8JajjrPcd8eY=
Content-Length: 632

Response headers

HTTP/1.1 200 OK
Date: Fri, 07 February 2020 17:19:26 GMT
Content-Length: 0