# -*- coding: utf-8 -*-
# Copyright 2012 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Additional help about Access Control Lists."""
from __future__ import absolute_import
from gslib.help_provider import HelpProvider
_DETAILED_HELP_TEXT = ("""
OVERVIEW
Access Control Lists (ACLs) allow you to control who can read and write
your data, and who can read and write the ACLs themselves.
If not specified at the time an object is uploaded (e.g., via the gsutil cp
-a option), objects will be created with a default object ACL set on the
bucket (see "gsutil help defacl"). You can replace the ACL on an object
or bucket using the "gsutil acl set" command, or
modify the existing ACL using the "gsutil acl ch" command (see "gsutil help
acl").
BUCKET VS OBJECT ACLS
In Google Cloud Storage, the bucket ACL works as follows:
- Users granted READ access are allowed to list the bucket contents and read
bucket metadata other than its ACL.
- Users granted WRITE access are allowed READ access and also are allowed to
write and delete objects in that bucket, including overwriting previously
written objects.
- Users granted OWNER access are allowed WRITE access and also are allowed to
read and write the bucket's ACL.
The object ACL works as follows:
- Users granted READ access are allowed to read the object's data and
metadata.
- Users granted OWNER access are allowed READ access and also are allowed to
read and write the object's ACL.
A couple of points are worth noting, that sometimes surprise users:
1. There is no WRITE access for objects; attempting to set an ACL with WRITE
permission for an object will result in an error.
2. The bucket ACL plays no role in determining who can read objects; only the
object ACL matters for that purpose. This is different from how things
work in Linux file systems, where both the file and directory permission
control file read access. It also means, for example, that someone with
OWNER over the bucket may not have read access to objects in the bucket.
This is by design, and supports useful cases. For example, you might want
to set up bucket ownership so that a small group of administrators have
OWNER on the bucket (with the ability to delete data to control storage
costs), but not grant those users read access to the object data (which
might be sensitive data that should only be accessed by a different
specific group of users).
CANNED ACLS
The simplest way to set an ACL on a bucket or object is using a "canned
ACL". The available canned ACLs are:
project-private
Gives permission to the project team based on their roles. Anyone who is
part of the team has READ permission, and project owners and project editors
have OWNER permission. This is the default ACL for newly created
buckets. This is also the default ACL for newly created objects unless the
default object ACL for that bucket has been changed. For more details see
"gsutil help projects".
private
Gives the requester (and only the requester) OWNER permission for a
bucket or object.
public-read
Gives all users (whether logged in or anonymous) READ permission. When
you apply this to an object, anyone on the Internet can read the object
without authenticating.
NOTE: By default, publicly readable objects are served with a Cache-Control
header allowing such objects to be cached for 3600 seconds. If you need to
ensure that updates become visible immediately, you should set a
Cache-Control header of "Cache-Control:private, max-age=0, no-transform" on
such objects. For help doing this, see 'gsutil help setmeta'.
NOTE: Setting a bucket ACL to public-read will remove all OWNER and WRITE
permissions from everyone except the project owner group. Setting an object
ACL to public-read will remove all OWNER and WRITE permissions from
everyone except the object owner. For this reason, we recommend using
the "acl ch" command to make these changes; see "gsutil help acl ch" for
details.
public-read-write
Gives all users READ and WRITE permission. This ACL applies only to buckets.
NOTE: Setting a bucket to public-read-write will allow anyone on the
Internet to upload anything to your bucket. You will be responsible for this
content.
NOTE: Setting a bucket ACL to public-read-write will remove all OWNER
permissions from everyone except the project owner group. Setting an object
ACL to public-read-write will remove all OWNER permissions from
everyone except the object owner. For this reason, we recommend using
the "acl ch" command to make these changes; see "gsutil help acl ch" for
details.
authenticated-read
Gives the requester OWNER permission and gives all authenticated
Google account holders READ permission.
bucket-owner-read
Gives the requester OWNER permission and gives the bucket owner READ
permission. This is used only with objects.
bucket-owner-full-control
Gives the requester OWNER permission and gives the bucket owner
OWNER permission. This is used only with objects.
ACL JSON
When you use a canned ACL, it is translated into an JSON representation
that can later be retrieved and edited to specify more fine-grained
detail about who can read and write buckets and objects. By running
the "gsutil acl get" command you can retrieve the ACL JSON, and edit it to
customize the permissions.
As an example, if you create an object in a bucket that has no default
object ACL set and then retrieve the ACL on the object, it will look
something like this:
[
{
"entity": "group-00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7",
"entityId": "00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7",
"role": "OWNER"
},
{
"entity": "group-00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51",
"entityId": "00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51",
"role": "OWNER"
},
{
"entity": "00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71",
"entityId": "00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71",
"role": "READER"
}
]
The ACL consists collection of elements, each of which specifies an Entity
and a Role. Entities are the way you specify an individual or group of
individuals, and Roles specify what access they're permitted.
This particular ACL grants OWNER to two groups (which means members
of those groups are allowed to read the object and read and write the ACL),
and READ permission to a third group. The project groups are (in order)
the project owners group, editors group, and viewers group.
The 64 digit hex identifiers (following any prefixes like "group-") used in
this ACL are called canonical IDs. They are used to identify predefined
groups associated with the project that owns the bucket: the Project Owners,
Project Editors, and All Project Team Members groups. For more information
the permissions and roles of these project groups, see "gsutil help projects".
Here's an example of an ACL specified using the group-by-email and
group-by-domain entities:
[
{
"entity": "group-travel-companion-owners@googlegroups.com"
"email": "travel-companion-owners@googlegroups.com",
"role": "OWNER",
}
{
"domain": "example.com",
"entity": "domain-example.com"
"role": "READER",
},
]
This ACL grants members of an email group OWNER, and grants READ
access to any user in a domain (which must be a Google Apps for Business
domain). By applying email group grants to a collection of objects
you can edit access control for large numbers of objects at once via
http://groups.google.com. That way, for example, you can easily and quickly
change access to a group of company objects when employees join and leave
your company (i.e., without having to individually change ACLs across
potentially millions of objects).
SHARING SCENARIOS
For more detailed examples how to achieve various useful sharing use
cases see https://developers.google.com/storage/docs/collaboration
""")
class CommandOptions(HelpProvider):
"""Additional help about Access Control Lists."""
# Help specification. See help_provider.py for documentation.
help_spec = HelpProvider.HelpSpec(
help_name='acls',
help_name_aliases=[
'ACL', 'access control', 'access control list', 'authorization',
'canned', 'canned acl'],
help_type='additional_help',
help_one_line_summary='Working With Access Control Lists',
help_text=_DETAILED_HELP_TEXT,
subcommand_help_text={},
)