| Index: third_party/gsutil/gslib/commands/chacl.py
|
| diff --git a/third_party/gsutil/gslib/commands/chacl.py b/third_party/gsutil/gslib/commands/chacl.py
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..25d8d3e25fd4be83bcc707b7672c5064527bba26
|
| --- /dev/null
|
| +++ b/third_party/gsutil/gslib/commands/chacl.py
|
| @@ -0,0 +1,523 @@
|
| +# Copyright 2013 Google Inc. All Rights Reserved.
|
| +#
|
| +# Licensed under the Apache License, Version 2.0 (the "License");
|
| +# you may not use this file except in compliance with the License.
|
| +# You may obtain a copy of the License at
|
| +#
|
| +# http://www.apache.org/licenses/LICENSE-2.0
|
| +#
|
| +# Unless required by applicable law or agreed to in writing, software
|
| +# distributed under the License is distributed on an "AS IS" BASIS,
|
| +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
| +# See the License for the specific language governing permissions and
|
| +# limitations under the License.
|
| +"""
|
| +This module provides the chacl command to gsutil.
|
| +
|
| +This command allows users to easily specify changes to access control lists.
|
| +"""
|
| +
|
| +import random
|
| +import re
|
| +import time
|
| +from xml.dom import minidom
|
| +from boto.exception import GSResponseError
|
| +from boto.gs import acl
|
| +from gslib import name_expansion
|
| +from gslib.command import Command
|
| +from gslib.command import COMMAND_NAME
|
| +from gslib.command import COMMAND_NAME_ALIASES
|
| +from gslib.command import CONFIG_REQUIRED
|
| +from gslib.command import FILE_URIS_OK
|
| +from gslib.command import MAX_ARGS
|
| +from gslib.command import MIN_ARGS
|
| +from gslib.command import PROVIDER_URIS_OK
|
| +from gslib.command import SUPPORTED_SUB_ARGS
|
| +from gslib.command import URIS_START_ARG
|
| +from gslib.exception import CommandException
|
| +from gslib.help_provider import HELP_NAME
|
| +from gslib.help_provider import HELP_NAME_ALIASES
|
| +from gslib.help_provider import HELP_ONE_LINE_SUMMARY
|
| +from gslib.help_provider import HELP_TEXT
|
| +from gslib.help_provider import HELP_TYPE
|
| +from gslib.help_provider import HelpType
|
| +from gslib.util import NO_MAX
|
| +from gslib.util import Retry
|
| +
|
| +
|
| +class ChangeType(object):
|
| + USER = 'User'
|
| + GROUP = 'Group'
|
| +
|
| +
|
| +class AclChange(object):
|
| + """Represents a logical change to an access control list."""
|
| + public_scopes = ['AllAuthenticatedUsers', 'AllUsers']
|
| + id_scopes = ['UserById', 'GroupById']
|
| + email_scopes = ['UserByEmail', 'GroupByEmail']
|
| + domain_scopes = ['GroupByDomain']
|
| + scope_types = public_scopes + id_scopes + email_scopes + domain_scopes
|
| +
|
| + permission_shorthand_mapping = {
|
| + 'R': 'READ',
|
| + 'W': 'WRITE',
|
| + 'FC': 'FULL_CONTROL',
|
| + }
|
| +
|
| + def __init__(self, acl_change_descriptor, scope_type, logger):
|
| + """Creates an AclChange object.
|
| +
|
| + acl_change_descriptor: An acl change as described in chacl help.
|
| + scope_type: Either ChangeType.USER or ChangeType.GROUP, specifying the
|
| + extent of the scope.
|
| + logger: An instance of ThreadedLogger.
|
| + """
|
| + self.logger = logger
|
| + self.identifier = ''
|
| +
|
| + self.raw_descriptor = acl_change_descriptor
|
| + self._Parse(acl_change_descriptor, scope_type)
|
| + self._Validate()
|
| +
|
| + def __str__(self):
|
| + return 'AclChange<{0}|{1}|{2}>'.format(self.scope_type, self.perm,
|
| + self.identifier)
|
| +
|
| + def _Parse(self, change_descriptor, scope_type):
|
| + """Parses an ACL Change descriptor."""
|
| +
|
| + def _ClassifyScopeIdentifier(text):
|
| + re_map = {
|
| + 'AllAuthenticatedUsers': r'^(AllAuthenticatedUsers|AllAuth)$',
|
| + 'AllUsers': '^(AllUsers|All)$',
|
| + 'Email': r'^.+@.+\..+$',
|
| + 'Id': r'^[0-9A-Fa-f]{64}$',
|
| + 'Domain': r'^[^@]+\..+$',
|
| + }
|
| + for type_string, regex in re_map.items():
|
| + if re.match(regex, text, re.IGNORECASE):
|
| + return type_string
|
| +
|
| + if change_descriptor.count(':') != 1:
|
| + raise CommandException('{0} is an invalid change description.'
|
| + .format(change_descriptor))
|
| +
|
| + scope_string, perm_token = change_descriptor.split(':')
|
| +
|
| + perm_token = perm_token.upper()
|
| + if perm_token in self.permission_shorthand_mapping:
|
| + self.perm = self.permission_shorthand_mapping[perm_token]
|
| + else:
|
| + self.perm = perm_token
|
| +
|
| + scope_class = _ClassifyScopeIdentifier(scope_string)
|
| + if scope_class == 'Domain':
|
| + # This may produce an invalid UserByDomain scope,
|
| + # which is good because then validate can complain.
|
| + self.scope_type = '{0}ByDomain'.format(scope_type)
|
| + self.identifier = scope_string
|
| + elif scope_class in ['Email', 'Id']:
|
| + self.scope_type = '{0}By{1}'.format(scope_type, scope_class)
|
| + self.identifier = scope_string
|
| + elif scope_class == 'AllAuthenticatedUsers':
|
| + self.scope_type = 'AllAuthenticatedUsers'
|
| + elif scope_class == 'AllUsers':
|
| + self.scope_type = 'AllUsers'
|
| + else:
|
| + # This is just a fallback, so we set it to something
|
| + # and the validate step has something to go on.
|
| + self.scope_type = scope_string
|
| +
|
| + def _Validate(self):
|
| + """Validates a parsed AclChange object."""
|
| +
|
| + def _ThrowError(msg):
|
| + raise CommandException('{0} is not a valid ACL change\n{1}'
|
| + .format(self.raw_descriptor, msg))
|
| +
|
| + if self.scope_type not in self.scope_types:
|
| + _ThrowError('{0} is not a valid scope type'.format(self.scope_type))
|
| +
|
| + if self.scope_type in self.public_scopes and self.identifier:
|
| + _ThrowError('{0} requires no arguments'.format(self.scope_type))
|
| +
|
| + if self.scope_type in self.id_scopes and not self.identifier:
|
| + _ThrowError('{0} requires an id'.format(self.scope_type))
|
| +
|
| + if self.scope_type in self.email_scopes and not self.identifier:
|
| + _ThrowError('{0} requires an email address'.format(self.scope_type))
|
| +
|
| + if self.scope_type in self.domain_scopes and not self.identifier:
|
| + _ThrowError('{0} requires domain'.format(self.scope_type))
|
| +
|
| + if self.perm not in self.permission_shorthand_mapping.values():
|
| + perms = ', '.join(self.permission_shorthand_mapping.values())
|
| + _ThrowError('Allowed permissions are {0}'.format(perms))
|
| +
|
| + def _YieldMatchingEntries(self, current_acl):
|
| + """Generator that yields entries that match the change descriptor.
|
| +
|
| + current_acl: An instance of bogo.gs.acl.ACL which will be searched
|
| + for matching entries.
|
| + """
|
| + for entry in current_acl.entries.entry_list:
|
| + if entry.scope.type == self.scope_type:
|
| + if self.scope_type in ['UserById', 'GroupById']:
|
| + if self.identifier == entry.scope.id:
|
| + yield entry
|
| + elif self.scope_type in ['UserByEmail', 'GroupByEmail']:
|
| + if self.identifier == entry.scope.email_address:
|
| + yield entry
|
| + elif self.scope_type == 'GroupByDomain':
|
| + if self.identifier == entry.scope.domain:
|
| + yield entry
|
| + elif self.scope_type in ['AllUsers', 'AllAuthenticatedUsers']:
|
| + yield entry
|
| + else:
|
| + raise CommandException('Found an unrecognized ACL '
|
| + 'entry type, aborting.')
|
| +
|
| + def _AddEntry(self, current_acl):
|
| + """Adds an entry to an ACL."""
|
| + if self.scope_type in ['UserById', 'UserById', 'GroupById']:
|
| + entry = acl.Entry(type=self.scope_type, permission=self.perm,
|
| + id=self.identifier)
|
| + elif self.scope_type in ['UserByEmail', 'GroupByEmail']:
|
| + entry = acl.Entry(type=self.scope_type, permission=self.perm,
|
| + email_address=self.identifier)
|
| + elif self.scope_type == 'GroupByDomain':
|
| + entry = acl.Entry(type=self.scope_type, permission=self.perm,
|
| + domain=self.identifier)
|
| + else:
|
| + entry = acl.Entry(type=self.scope_type, permission=self.perm)
|
| +
|
| + current_acl.entries.entry_list.append(entry)
|
| +
|
| + def Execute(self, uri, current_acl):
|
| + """Executes the described change on an ACL.
|
| +
|
| + uri: The URI object to change.
|
| + current_acl: An instance of boto.gs.acl.ACL to permute.
|
| + """
|
| + self.logger.debug('Executing {0} on {1}'
|
| + .format(self.raw_descriptor, uri))
|
| +
|
| + if self.perm == 'WRITE' and uri.names_object():
|
| + self.logger.warn(
|
| + 'Skipping {0} on {1}, as WRITE does not apply to objects'
|
| + .format(self.raw_descriptor, uri))
|
| + return 0
|
| +
|
| + matching_entries = list(self._YieldMatchingEntries(current_acl))
|
| + change_count = 0
|
| + if matching_entries:
|
| + for entry in matching_entries:
|
| + if entry.permission != self.perm:
|
| + entry.permission = self.perm
|
| + change_count += 1
|
| + else:
|
| + self._AddEntry(current_acl)
|
| + change_count = 1
|
| +
|
| + parsed_acl = minidom.parseString(current_acl.to_xml())
|
| + self.logger.debug('New Acl:\n{0}'.format(parsed_acl.toprettyxml()))
|
| + return change_count
|
| +
|
| +
|
| +class AclDel(AclChange):
|
| + """Represents a logical change from an access control list."""
|
| + scope_regexes = {
|
| + r'All(Users)?': 'AllUsers',
|
| + r'AllAuth(enticatedUsers)?': 'AllAuthenticatedUsers',
|
| + }
|
| +
|
| + def __init__(self, identifier, logger):
|
| + self.raw_descriptor = '-d {0}'.format(identifier)
|
| + self.logger = logger
|
| + self.identifier = identifier
|
| + for regex, scope in self.scope_regexes.items():
|
| + if re.match(regex, self.identifier, re.IGNORECASE):
|
| + self.identifier = scope
|
| + self.scope_type = 'Any'
|
| + self.perm = 'NONE'
|
| +
|
| + def _YieldMatchingEntries(self, current_acl):
|
| + for entry in current_acl.entries.entry_list:
|
| + if self.identifier == entry.scope.id:
|
| + yield entry
|
| + elif self.identifier == entry.scope.email_address:
|
| + yield entry
|
| + elif self.identifier == entry.scope.domain:
|
| + yield entry
|
| + elif self.identifier == 'AllUsers' and entry.scope.type == 'AllUsers':
|
| + yield entry
|
| + elif (self.identifier == 'AllAuthenticatedUsers'
|
| + and entry.scope.type == 'AllAuthenticatedUsers'):
|
| + yield entry
|
| +
|
| + def Execute(self, uri, current_acl):
|
| + self.logger.debug('Executing {0} on {1}'
|
| + .format(self.raw_descriptor, uri))
|
| + matching_entries = list(self._YieldMatchingEntries(current_acl))
|
| + for entry in matching_entries:
|
| + current_acl.entries.entry_list.remove(entry)
|
| + parsed_acl = minidom.parseString(current_acl.to_xml())
|
| + self.logger.debug('New Acl:\n{0}'.format(parsed_acl.toprettyxml()))
|
| + return len(matching_entries)
|
| +
|
| +
|
| +_detailed_help_text = ("""
|
| +<B>SYNOPSIS</B>
|
| + gsutil chacl [-R] -u|-g|-d <grant>... uri...
|
| +
|
| + where each <grant> is one of the following forms:
|
| + -u <id|email>:<perm>
|
| + -g <id|email|domain|All|AllAuth>:<perm>
|
| + -d <id|email|domain|All|AllAuth>
|
| +
|
| +<B>DESCRIPTION</B>
|
| + The chacl command updates access control lists, similar in spirit to the Linux
|
| + chmod command. You can specify multiple access grant additions and deletions
|
| + in a single command run; all changes will be made atomically to each object in
|
| + turn. For example, if the command requests deleting one grant and adding a
|
| + different grant, the ACLs being updated will never be left in an intermediate
|
| + state where one grant has been deleted but the second grant not yet added.
|
| + Each change specifies a user or group grant to add or delete, and for grant
|
| + additions, one of R, W, FC (for the permission to be granted). A more formal
|
| + description is provided in a later section; below we provide examples.
|
| +
|
| + Note: If you want to set a simple "canned" ACL on each object (such as
|
| + project-private or public), or if you prefer to edit the XML representation
|
| + for ACLs, you can do that with the setacl command (see 'gsutil help setacl').
|
| +
|
| +
|
| +<B>EXAMPLES</B>
|
| +
|
| + Grant the user john.doe@example.com WRITE access to the bucket
|
| + example-bucket:
|
| +
|
| + gsutil chacl -u john.doe@example.com:WRITE gs://example-bucket
|
| +
|
| + Grant the group admins@example.com FULL_CONTROL access to all jpg files in
|
| + the top level of example-bucket:
|
| +
|
| + gsutil chacl -g admins@example.com:FC gs://example-bucket/*.jpg
|
| +
|
| + Grant the user with the specified canonical ID READ access to all objects in
|
| + example-bucket that begin with folder/:
|
| +
|
| + gsutil chacl -R \\
|
| + -u 84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46:R \\
|
| + gs://example-bucket/folder/
|
| +
|
| + Grant all users from my-domain.org READ access to the bucket
|
| + gcs.my-domain.org:
|
| +
|
| + gsutil chacl -g my-domain.org:R gs://gcs.my-domain.org
|
| +
|
| + Remove any current access by john.doe@example.com from the bucket
|
| + example-bucket:
|
| +
|
| + gsutil chacl -d john.doe@example.com gs://example-bucket
|
| +
|
| + If you have a large number of objects to update, enabling multi-threading with
|
| + the gsutil -m flag can significantly improve performance. The following
|
| + command adds FULL_CONTROL for admin@example.org using multi-threading:
|
| +
|
| + gsutil -m chacl -R -u admin@example.org:FC gs://example-bucket
|
| +
|
| + Grant READ access to everyone from my-domain.org and to all authenticated
|
| + users, and grant FULL_CONTROL to admin@mydomain.org, for the buckets
|
| + my-bucket and my-other-bucket, with multi-threading enabled:
|
| +
|
| + gsutil -m chacl -R -g my-domain.org:R -g AllAuth:R \\
|
| + -u admin@mydomain.org:FC gs://my-bucket/ gs://my-other-bucket
|
| +
|
| +
|
| +<B>SCOPES</B>
|
| + There are four different scopes: Users, Groups, All Authenticated Users, and
|
| + All Users.
|
| +
|
| + Users are added with -u and a plain ID or email address, as in
|
| + "-u john-doe@gmail.com:r"
|
| +
|
| + Groups are like users, but specified with the -g flag, as in
|
| + "-g power-users@example.com:fc". Groups may also be specified as a full
|
| + domain, as in "-g my-company.com:r".
|
| +
|
| + AllAuthenticatedUsers and AllUsers are specified directly, as
|
| + in "-g AllUsers:R" or "-g AllAuthenticatedUsers:FC". These are case
|
| + insensitive, and may be shortened to "all" and "allauth", respectively.
|
| +
|
| + Removing permissions is specified with the -d flag and an ID, email
|
| + address, domain, or one of AllUsers or AllAuthenticatedUsers.
|
| +
|
| + Many scopes can be specified on the same command line, allowing bundled
|
| + changes to be executed in a single run. This will reduce the number of
|
| + requests made to the server.
|
| +
|
| +
|
| +<B>PERMISSIONS</B>
|
| + You may specify the following permissions with either their shorthand or
|
| + their full name:
|
| +
|
| + R: READ
|
| + W: WRITE
|
| + FC: FULL_CONTROL
|
| +
|
| +
|
| +<B>OPTIONS</B>
|
| + -R, -r Performs chacl request recursively, to all objects under the
|
| + specified URI.
|
| +
|
| + -u Add or modify a user permission as specified in the SCOPES
|
| + and PERMISSIONS sections.
|
| +
|
| + -g Add or modify a group permission as specified in the SCOPES
|
| + and PERMISSIONS sections.
|
| +
|
| + -d Remove all permissions associated with the matching argument, as
|
| + specified in the SCOPES and PERMISSIONS sections.
|
| +""")
|
| +
|
| +
|
| +class ChAclCommand(Command):
|
| + """Implementation of gsutil chacl command."""
|
| +
|
| + # Command specification (processed by parent class).
|
| + command_spec = {
|
| + # Name of command.
|
| + COMMAND_NAME : 'chacl',
|
| + # List of command name aliases.
|
| + COMMAND_NAME_ALIASES : [],
|
| + # Min number of args required by this command.
|
| + MIN_ARGS : 1,
|
| + # Max number of args required by this command, or NO_MAX.
|
| + MAX_ARGS : NO_MAX,
|
| + # Getopt-style string specifying acceptable sub args.
|
| + SUPPORTED_SUB_ARGS : 'Rrfg:u:d:',
|
| + # True if file URIs acceptable for this command.
|
| + FILE_URIS_OK : False,
|
| + # True if provider-only URIs acceptable for this command.
|
| + PROVIDER_URIS_OK : False,
|
| + # Index in args of first URI arg.
|
| + URIS_START_ARG : 1,
|
| + # True if must configure gsutil before running command.
|
| + CONFIG_REQUIRED : True,
|
| + }
|
| + help_spec = {
|
| + # Name of command or auxiliary help info for which this help applies.
|
| + HELP_NAME : 'chacl',
|
| + # List of help name aliases.
|
| + HELP_NAME_ALIASES : ['chmod'],
|
| + # Type of help:
|
| + HELP_TYPE : HelpType.COMMAND_HELP,
|
| + # One line summary of this help.
|
| + HELP_ONE_LINE_SUMMARY : 'Add / remove entries on bucket and/or object ACLs',
|
| + # The full help text.
|
| + HELP_TEXT : _detailed_help_text,
|
| + }
|
| +
|
| + # Command entry point.
|
| + def RunCommand(self):
|
| + """This is the point of entry for the chacl command."""
|
| + self.parse_versions = True
|
| + self.changes = []
|
| +
|
| + if self.sub_opts:
|
| + for o, a in self.sub_opts:
|
| + if o == '-g':
|
| + self.changes.append(AclChange(a, scope_type=ChangeType.GROUP,
|
| + logger=self.THREADED_LOGGER))
|
| + if o == '-u':
|
| + self.changes.append(AclChange(a, scope_type=ChangeType.USER,
|
| + logger=self.THREADED_LOGGER))
|
| + if o == '-d':
|
| + self.changes.append(AclDel(a, logger=self.THREADED_LOGGER))
|
| +
|
| + if not self.changes:
|
| + raise CommandException(
|
| + 'Please specify at least one access change '
|
| + 'with the -g, -u, or -d flags')
|
| +
|
| + storage_uri = self.UrisAreForSingleProvider(self.args)
|
| + if not (storage_uri and storage_uri.get_provider().name == 'google'):
|
| + raise CommandException('The "{0}" command can only be used with gs:// URIs'
|
| + .format(self.command_name))
|
| +
|
| + bulk_uris = set()
|
| + for uri_arg in self.args:
|
| + for result in self.WildcardIterator(uri_arg):
|
| + uri = result.uri
|
| + if uri.names_bucket():
|
| + if self.recursion_requested:
|
| + bulk_uris.add(uri.clone_replace_name('*').uri)
|
| + else:
|
| + # If applying to a bucket directly, the threading machinery will
|
| + # break, so we have to apply now, in the main thread.
|
| + self.ApplyAclChanges(uri)
|
| + else:
|
| + bulk_uris.add(uri_arg)
|
| +
|
| + try:
|
| + name_expansion_iterator = name_expansion.NameExpansionIterator(
|
| + self.command_name, self.proj_id_handler, self.headers, self.debug,
|
| + self.bucket_storage_uri_class, bulk_uris, self.recursion_requested)
|
| + except CommandException as e:
|
| + # NameExpansionIterator will complain if there are no URIs, but we don't
|
| + # want to throw an error if we handled bucket URIs.
|
| + if e.reason == 'No URIs matched':
|
| + return 0
|
| + else:
|
| + raise e
|
| +
|
| + self.everything_set_okay = True
|
| + self.Apply(self.ApplyAclChanges,
|
| + name_expansion_iterator,
|
| + self._ApplyExceptionHandler)
|
| + if not self.everything_set_okay:
|
| + raise CommandException('ACLs for some objects could not be set.')
|
| +
|
| + return 0
|
| +
|
| + def _ApplyExceptionHandler(self, exception):
|
| + self.THREADED_LOGGER.error('Encountered a problem: {0}'.format(exception))
|
| + self.everything_set_okay = False
|
| +
|
| + @Retry(GSResponseError, tries=3, delay=1, backoff=2)
|
| + def ApplyAclChanges(self, uri_or_expansion_result):
|
| + """Applies the changes in self.changes to the provided URI."""
|
| + if isinstance(uri_or_expansion_result, name_expansion.NameExpansionResult):
|
| + uri = self.suri_builder.StorageUri(
|
| + uri_or_expansion_result.expanded_uri_str)
|
| + else:
|
| + uri = uri_or_expansion_result
|
| +
|
| + try:
|
| + current_acl = uri.get_acl()
|
| + except GSResponseError as e:
|
| + self.THREADED_LOGGER.warning('Failed to set acl for {0}: {1}'
|
| + .format(uri, e.reason))
|
| + return
|
| +
|
| + modification_count = 0
|
| + for change in self.changes:
|
| + modification_count += change.Execute(uri, current_acl)
|
| + if modification_count == 0:
|
| + self.THREADED_LOGGER.info('No changes to {0}'.format(uri))
|
| + return
|
| +
|
| + # TODO: Remove the concept of forcing when boto provides access to
|
| + # bucket generation and meta_generation.
|
| + headers = dict(self.headers)
|
| + force = uri.names_bucket()
|
| + if not force:
|
| + key = uri.get_key()
|
| + headers['x-goog-if-generation-match'] = key.generation
|
| + headers['x-goog-if-metageneration-match'] = key.meta_generation
|
| +
|
| + # If this fails because of a precondition, it will raise a
|
| + # GSResponseError for @Retry to handle.
|
| + uri.set_acl(current_acl, uri.object_name, False, headers)
|
| + self.THREADED_LOGGER.info('Updated ACL on {0}'.format(uri))
|
| +
|
|
|
Chromium Code Reviews
Issue 12317103:
Added gsutil to depot tools (Closed)
Base URL: https://chromium.googlesource.com/chromium/tools/depot_tools.git@master