| # -*- coding: utf-8 -*- |
| # Copyright 2012 Google Inc. All Rights Reserved. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| """Additional help about Access Control Lists.""" |
| |
| from __future__ import absolute_import |
| |
| from gslib.help_provider import HelpProvider |
| |
| _DETAILED_HELP_TEXT = (""" |
| <B>OVERVIEW</B> |
| Access Control Lists (ACLs) allow you to control who can read and write |
| your data, and who can read and write the ACLs themselves. |
| |
| If not specified at the time an object is uploaded (e.g., via the gsutil cp |
| -a option), objects will be created with a default object ACL set on the |
| bucket (see "gsutil help defacl"). You can replace the ACL on an object |
| or bucket using the "gsutil acl set" command, or |
| modify the existing ACL using the "gsutil acl ch" command (see "gsutil help |
| acl"). |
| |
| |
| <B>BUCKET VS OBJECT ACLS</B> |
| In Google Cloud Storage, the bucket ACL works as follows: |
| |
| - Users granted READ access are allowed to list the bucket contents and read |
| bucket metadata other than its ACL. |
| |
| - Users granted WRITE access are allowed READ access and also are allowed to |
| write and delete objects in that bucket, including overwriting previously |
| written objects. |
| |
| - Users granted OWNER access are allowed WRITE access and also are allowed to |
| read and write the bucket's ACL. |
| |
| The object ACL works as follows: |
| |
| - Users granted READ access are allowed to read the object's data and |
| metadata. |
| |
| - Users granted OWNER access are allowed READ access and also are allowed to |
| read and write the object's ACL. |
| |
| A couple of points are worth noting, that sometimes surprise users: |
| |
| 1. There is no WRITE access for objects; attempting to set an ACL with WRITE |
| permission for an object will result in an error. |
| |
| 2. The bucket ACL plays no role in determining who can read objects; only the |
| object ACL matters for that purpose. This is different from how things |
| work in Linux file systems, where both the file and directory permission |
| control file read access. It also means, for example, that someone with |
| OWNER over the bucket may not have read access to objects in the bucket. |
| This is by design, and supports useful cases. For example, you might want |
| to set up bucket ownership so that a small group of administrators have |
| OWNER on the bucket (with the ability to delete data to control storage |
| costs), but not grant those users read access to the object data (which |
| might be sensitive data that should only be accessed by a different |
| specific group of users). |
| |
| |
| <B>CANNED ACLS</B> |
| The simplest way to set an ACL on a bucket or object is using a "canned |
| ACL". The available canned ACLs are: |
| |
| project-private |
| Gives permission to the project team based on their roles. Anyone who is |
| part of the team has READ permission, and project owners and project editors |
| have OWNER permission. This is the default ACL for newly created |
| buckets. This is also the default ACL for newly created objects unless the |
| default object ACL for that bucket has been changed. For more details see |
| "gsutil help projects". |
| |
| private |
| Gives the requester (and only the requester) OWNER permission for a |
| bucket or object. |
| |
| public-read |
| Gives all users (whether logged in or anonymous) READ permission. When |
| you apply this to an object, anyone on the Internet can read the object |
| without authenticating. |
| |
| NOTE: By default, publicly readable objects are served with a Cache-Control |
| header allowing such objects to be cached for 3600 seconds. If you need to |
| ensure that updates become visible immediately, you should set a |
| Cache-Control header of "Cache-Control:private, max-age=0, no-transform" on |
| such objects. For help doing this, see 'gsutil help setmeta'. |
| |
| NOTE: Setting a bucket ACL to public-read will remove all OWNER and WRITE |
| permissions from everyone except the project owner group. Setting an object |
| ACL to public-read will remove all OWNER and WRITE permissions from |
| everyone except the object owner. For this reason, we recommend using |
| the "acl ch" command to make these changes; see "gsutil help acl ch" for |
| details. |
| |
| public-read-write |
| Gives all users READ and WRITE permission. This ACL applies only to buckets. |
| NOTE: Setting a bucket to public-read-write will allow anyone on the |
| Internet to upload anything to your bucket. You will be responsible for this |
| content. |
| |
| NOTE: Setting a bucket ACL to public-read-write will remove all OWNER |
| permissions from everyone except the project owner group. Setting an object |
| ACL to public-read-write will remove all OWNER permissions from |
| everyone except the object owner. For this reason, we recommend using |
| the "acl ch" command to make these changes; see "gsutil help acl ch" for |
| details. |
| |
| authenticated-read |
| Gives the requester OWNER permission and gives all authenticated |
| Google account holders READ permission. |
| |
| bucket-owner-read |
| Gives the requester OWNER permission and gives the bucket owner READ |
| permission. This is used only with objects. |
| |
| bucket-owner-full-control |
| Gives the requester OWNER permission and gives the bucket owner |
| OWNER permission. This is used only with objects. |
| |
| |
| <B>ACL JSON</B> |
| When you use a canned ACL, it is translated into an JSON representation |
| that can later be retrieved and edited to specify more fine-grained |
| detail about who can read and write buckets and objects. By running |
| the "gsutil acl get" command you can retrieve the ACL JSON, and edit it to |
| customize the permissions. |
| |
| As an example, if you create an object in a bucket that has no default |
| object ACL set and then retrieve the ACL on the object, it will look |
| something like this: |
| |
| [ |
| { |
| "entity": "group-00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7", |
| "entityId": "00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7", |
| "role": "OWNER" |
| }, |
| { |
| "entity": "group-00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51", |
| "entityId": "00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51", |
| "role": "OWNER" |
| }, |
| { |
| "entity": "00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71", |
| "entityId": "00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71", |
| "role": "READER" |
| } |
| ] |
| |
| The ACL consists collection of elements, each of which specifies an Entity |
| and a Role. Entities are the way you specify an individual or group of |
| individuals, and Roles specify what access they're permitted. |
| |
| This particular ACL grants OWNER to two groups (which means members |
| of those groups are allowed to read the object and read and write the ACL), |
| and READ permission to a third group. The project groups are (in order) |
| the project owners group, editors group, and viewers group. |
| |
| The 64 digit hex identifiers (following any prefixes like "group-") used in |
| this ACL are called canonical IDs. They are used to identify predefined |
| groups associated with the project that owns the bucket: the Project Owners, |
| Project Editors, and All Project Team Members groups. For more information |
| the permissions and roles of these project groups, see "gsutil help projects". |
| |
| Here's an example of an ACL specified using the group-by-email and |
| group-by-domain entities: |
| |
| [ |
| { |
| "entity": "group-travel-companion-owners@googlegroups.com" |
| "email": "travel-companion-owners@googlegroups.com", |
| "role": "OWNER", |
| } |
| { |
| "domain": "example.com", |
| "entity": "domain-example.com" |
| "role": "READER", |
| }, |
| ] |
| |
| This ACL grants members of an email group OWNER, and grants READ |
| access to any user in a domain (which must be a Google Apps for Business |
| domain). By applying email group grants to a collection of objects |
| you can edit access control for large numbers of objects at once via |
| http://groups.google.com. That way, for example, you can easily and quickly |
| change access to a group of company objects when employees join and leave |
| your company (i.e., without having to individually change ACLs across |
| potentially millions of objects). |
| |
| |
| <B>SHARING SCENARIOS</B> |
| For more detailed examples how to achieve various useful sharing use |
| cases see https://developers.google.com/storage/docs/collaboration |
| """) |
| |
| |
| class CommandOptions(HelpProvider): |
| """Additional help about Access Control Lists.""" |
| |
| # Help specification. See help_provider.py for documentation. |
| help_spec = HelpProvider.HelpSpec( |
| help_name='acls', |
| help_name_aliases=[ |
| 'ACL', 'access control', 'access control list', 'authorization', |
| 'canned', 'canned acl'], |
| help_type='additional_help', |
| help_one_line_summary='Working With Access Control Lists', |
| help_text=_DETAILED_HELP_TEXT, |
| subcommand_help_text={}, |
| ) |
