# -*- coding: utf-8 -*- # Copyright 2012 Google Inc. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Additional help about Access Control Lists.""" from __future__ import absolute_import from gslib.help_provider import HelpProvider _DETAILED_HELP_TEXT = (""" OVERVIEW Access Control Lists (ACLs) allow you to control who can read and write your data, and who can read and write the ACLs themselves. If not specified at the time an object is uploaded (e.g., via the gsutil cp -a option), objects will be created with a default object ACL set on the bucket (see "gsutil help defacl"). You can replace the ACL on an object or bucket using the "gsutil acl set" command, or modify the existing ACL using the "gsutil acl ch" command (see "gsutil help acl"). BUCKET VS OBJECT ACLS In Google Cloud Storage, the bucket ACL works as follows: - Users granted READ access are allowed to list the bucket contents and read bucket metadata other than its ACL. - Users granted WRITE access are allowed READ access and also are allowed to write and delete objects in that bucket, including overwriting previously written objects. - Users granted OWNER access are allowed WRITE access and also are allowed to read and write the bucket's ACL. The object ACL works as follows: - Users granted READ access are allowed to read the object's data and metadata. - Users granted OWNER access are allowed READ access and also are allowed to read and write the object's ACL. A couple of points are worth noting, that sometimes surprise users: 1. There is no WRITE access for objects; attempting to set an ACL with WRITE permission for an object will result in an error. 2. The bucket ACL plays no role in determining who can read objects; only the object ACL matters for that purpose. This is different from how things work in Linux file systems, where both the file and directory permission control file read access. It also means, for example, that someone with OWNER over the bucket may not have read access to objects in the bucket. This is by design, and supports useful cases. For example, you might want to set up bucket ownership so that a small group of administrators have OWNER on the bucket (with the ability to delete data to control storage costs), but not grant those users read access to the object data (which might be sensitive data that should only be accessed by a different specific group of users). CANNED ACLS The simplest way to set an ACL on a bucket or object is using a "canned ACL". The available canned ACLs are: project-private Gives permission to the project team based on their roles. Anyone who is part of the team has READ permission, and project owners and project editors have OWNER permission. This is the default ACL for newly created buckets. This is also the default ACL for newly created objects unless the default object ACL for that bucket has been changed. For more details see "gsutil help projects". private Gives the requester (and only the requester) OWNER permission for a bucket or object. public-read Gives all users (whether logged in or anonymous) READ permission. When you apply this to an object, anyone on the Internet can read the object without authenticating. NOTE: By default, publicly readable objects are served with a Cache-Control header allowing such objects to be cached for 3600 seconds. If you need to ensure that updates become visible immediately, you should set a Cache-Control header of "Cache-Control:private, max-age=0, no-transform" on such objects. For help doing this, see 'gsutil help setmeta'. NOTE: Setting a bucket ACL to public-read will remove all OWNER and WRITE permissions from everyone except the project owner group. Setting an object ACL to public-read will remove all OWNER and WRITE permissions from everyone except the object owner. For this reason, we recommend using the "acl ch" command to make these changes; see "gsutil help acl ch" for details. public-read-write Gives all users READ and WRITE permission. This ACL applies only to buckets. NOTE: Setting a bucket to public-read-write will allow anyone on the Internet to upload anything to your bucket. You will be responsible for this content. NOTE: Setting a bucket ACL to public-read-write will remove all OWNER permissions from everyone except the project owner group. Setting an object ACL to public-read-write will remove all OWNER permissions from everyone except the object owner. For this reason, we recommend using the "acl ch" command to make these changes; see "gsutil help acl ch" for details. authenticated-read Gives the requester OWNER permission and gives all authenticated Google account holders READ permission. bucket-owner-read Gives the requester OWNER permission and gives the bucket owner READ permission. This is used only with objects. bucket-owner-full-control Gives the requester OWNER permission and gives the bucket owner OWNER permission. This is used only with objects. ACL JSON When you use a canned ACL, it is translated into an JSON representation that can later be retrieved and edited to specify more fine-grained detail about who can read and write buckets and objects. By running the "gsutil acl get" command you can retrieve the ACL JSON, and edit it to customize the permissions. As an example, if you create an object in a bucket that has no default object ACL set and then retrieve the ACL on the object, it will look something like this: [ { "entity": "group-00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7", "entityId": "00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7", "role": "OWNER" }, { "entity": "group-00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51", "entityId": "00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51", "role": "OWNER" }, { "entity": "00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71", "entityId": "00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71", "role": "READER" } ] The ACL consists collection of elements, each of which specifies an Entity and a Role. Entities are the way you specify an individual or group of individuals, and Roles specify what access they're permitted. This particular ACL grants OWNER to two groups (which means members of those groups are allowed to read the object and read and write the ACL), and READ permission to a third group. The project groups are (in order) the project owners group, editors group, and viewers group. The 64 digit hex identifiers (following any prefixes like "group-") used in this ACL are called canonical IDs. They are used to identify predefined groups associated with the project that owns the bucket: the Project Owners, Project Editors, and All Project Team Members groups. For more information the permissions and roles of these project groups, see "gsutil help projects". Here's an example of an ACL specified using the group-by-email and group-by-domain entities: [ { "entity": "group-travel-companion-owners@googlegroups.com" "email": "travel-companion-owners@googlegroups.com", "role": "OWNER", } { "domain": "example.com", "entity": "domain-example.com" "role": "READER", }, ] This ACL grants members of an email group OWNER, and grants READ access to any user in a domain (which must be a Google Apps for Business domain). By applying email group grants to a collection of objects you can edit access control for large numbers of objects at once via http://groups.google.com. That way, for example, you can easily and quickly change access to a group of company objects when employees join and leave your company (i.e., without having to individually change ACLs across potentially millions of objects). SHARING SCENARIOS For more detailed examples how to achieve various useful sharing use cases see https://developers.google.com/storage/docs/collaboration """) class CommandOptions(HelpProvider): """Additional help about Access Control Lists.""" # Help specification. See help_provider.py for documentation. help_spec = HelpProvider.HelpSpec( help_name='acls', help_name_aliases=[ 'ACL', 'access control', 'access control list', 'authorization', 'canned', 'canned acl'], help_type='additional_help', help_one_line_summary='Working With Access Control Lists', help_text=_DETAILED_HELP_TEXT, subcommand_help_text={}, )