| Index: third_party/gsutil/gslib/addlhelp/acls.py
|
| diff --git a/third_party/gsutil/gslib/addlhelp/acls.py b/third_party/gsutil/gslib/addlhelp/acls.py
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..64788e72ba49bcd4d989a42a499efbb13a52e541
|
| --- /dev/null
|
| +++ b/third_party/gsutil/gslib/addlhelp/acls.py
|
| @@ -0,0 +1,234 @@
|
| +# Copyright 2012 Google Inc. All Rights Reserved.
|
| +#
|
| +# Licensed under the Apache License, Version 2.0 (the "License");
|
| +# you may not use this file except in compliance with the License.
|
| +# You may obtain a copy of the License at
|
| +#
|
| +# http://www.apache.org/licenses/LICENSE-2.0
|
| +#
|
| +# Unless required by applicable law or agreed to in writing, software
|
| +# distributed under the License is distributed on an "AS IS" BASIS,
|
| +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
| +# See the License for the specific language governing permissions and
|
| +# limitations under the License.
|
| +
|
| +from gslib.help_provider import HELP_NAME
|
| +from gslib.help_provider import HELP_NAME_ALIASES
|
| +from gslib.help_provider import HELP_ONE_LINE_SUMMARY
|
| +from gslib.help_provider import HelpProvider
|
| +from gslib.help_provider import HELP_TEXT
|
| +from gslib.help_provider import HelpType
|
| +from gslib.help_provider import HELP_TYPE
|
| +
|
| +_detailed_help_text = ("""
|
| +<B>OVERVIEW</B>
|
| + Access Control Lists (ACLs) allow you to control who can read and write
|
| + your data, and who can read and write the ACLs themselves.
|
| +
|
| + If not specified at the time an object is uploaded (e.g., via the gsutil cp
|
| + -a option), objects will be created with a default object ACL set on the
|
| + bucket (see "gsutil help setdefacl"). You can replace the ACL on an object
|
| + or bucket using the gsutil setacl command (see "gsutil help setacl"), or
|
| + modify the existing ACL using the gsutil chacl command (see "gsutil help
|
| + chacl").
|
| +
|
| +
|
| +<B>BUCKET VS OBJECT ACLS</B>
|
| + In Google Cloud Storage, the bucket ACL works as follows:
|
| +
|
| + - Users granted READ access are allowed to list the bucket contents.
|
| +
|
| + - Users granted WRITE access are allowed READ access and also are
|
| + allowed to write and delete objects in that bucket -- including
|
| + overwriting previously written objects.
|
| +
|
| + - Users granted FULL_CONTROL access are allowed WRITE access and also
|
| + are allowed to read and write the bucket's ACL.
|
| +
|
| + The object ACL works as follows:
|
| +
|
| + - Users granted READ access are allowed to read the object's data and
|
| + metadata.
|
| +
|
| + - Users granted FULL_CONTROL access are allowed READ access and also
|
| + are allowed to read and write the object's ACL.
|
| +
|
| + A couple of points are worth noting, that sometimes surprise users:
|
| +
|
| + 1. There is no WRITE access for objects; attempting to set an ACL with WRITE
|
| + permission for an object will result in an error.
|
| +
|
| + 2. The bucket ACL plays no role in determining who can read objects; only the
|
| + object ACL matters for that purpose. This is different from how things
|
| + work in Linux file systems, where both the file and directory permission
|
| + control file read access. It also means, for example, that someone with
|
| + FULL_CONTROL over the bucket may not have read access to objects in
|
| + the bucket. This is by design, and supports useful cases. For example,
|
| + you might want to set up bucket ownership so that a small group of
|
| + administrators have FULL_CONTROL on the bucket (with the ability to
|
| + delete data to control storage costs), but not grant those users read
|
| + access to the object data (which might be sensitive data that should
|
| + only be accessed by a different specific group of users).
|
| +
|
| +
|
| +<B>CANNED ACLS</B>
|
| + The simplest way to set an ACL on a bucket or object is using a "canned
|
| + ACL". The available canned ACLs are:
|
| +
|
| + project-private Gives permission to the project team based on their
|
| + roles. Anyone who is part of the team has READ
|
| + permission, and project owners and project editors
|
| + have FULL_CONTROL permission. This is the default
|
| + ACL for newly created buckets. This is also the
|
| + default ACL for newly created objects unless the
|
| + default object ACL for that bucket has been
|
| + changed. For more details see
|
| + "gsutil help projects".
|
| +
|
| + private Gives the requester (and only the requester)
|
| + FULL_CONTROL permission for a bucket or object.
|
| +
|
| + public-read Gives the requester FULL_CONTROL permission and
|
| + gives all users READ permission. When you apply
|
| + this to an object, anyone on the Internet can
|
| + read the object without authenticating.
|
| +
|
| + public-read-write Gives the requester FULL_CONTROL permission and
|
| + gives all users READ and WRITE permission. This
|
| + ACL applies only to buckets.
|
| +
|
| + authenticated-read Gives the requester FULL_CONTROL permission and
|
| + gives all authenticated Google account holders
|
| + READ permission.
|
| +
|
| + bucket-owner-read Gives the requester FULL_CONTROL permission and
|
| + gives the bucket owner READ permission. This is
|
| + used only with objects.
|
| +
|
| + bucket-owner-full-control Gives the requester FULL_CONTROL permission and
|
| + gives the bucket owner FULL_CONTROL
|
| + permission. This is used only with objects.
|
| +
|
| +
|
| +<B>ACL XML</B>
|
| + When you use a canned ACL, it is translated into an XML representation
|
| + that can later be retrieved and edited to specify more fine-grained
|
| + detail about who can read and write buckets and objects. By running
|
| + the gsutil getacl command you can retrieve the ACL XML, and edit it to
|
| + customize the permissions.
|
| +
|
| + As an example, if you create an object in a bucket that has no default
|
| + object ACL set and then retrieve the ACL on the object, it will look
|
| + something like this:
|
| +
|
| + <AccessControlList>
|
| + <Owner>
|
| + <ID>
|
| + 00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
|
| + </ID>
|
| + </Owner>
|
| + <Entries>
|
| + <Entry>
|
| + <Scope type="GroupById">
|
| + <ID>
|
| + 00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
|
| + </ID>
|
| + </Scope>
|
| + <Permission>
|
| + FULL_CONTROL
|
| + </Permission>
|
| + </Entry>
|
| + <Entry>
|
| + <Scope type="GroupById">
|
| + <ID>
|
| + 00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51
|
| + </ID>
|
| + </Scope>
|
| + <Permission>
|
| + FULL_CONTROL
|
| + </Permission>
|
| + </Entry>
|
| + <Entry>
|
| + <Scope type="GroupById">
|
| + <ID>
|
| + 00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71
|
| + </ID>
|
| + </Scope>
|
| + <Permission>
|
| + READ
|
| + </Permission>
|
| + </Entry>
|
| + </Entries>
|
| + </AccessControlList>
|
| +
|
| + The ACL consists of an Owner element and a collection of Entry elements,
|
| + each of which specifies a Scope and a Permission. Scopes are the way you
|
| + specify an individual or group of individuals, and Permissions specify what
|
| + access they're permitted.
|
| +
|
| + This particular ACL grants FULL_CONTROL to two groups (which means members
|
| + of those groups are allowed to read the object and read and write the ACL),
|
| + and READ permission to a third group. The project groups are (in order)
|
| + the owners group, editors group, and viewers group.
|
| +
|
| + The 64 digit hex identifiers used in this ACL are called canonical IDs,
|
| + and are used to identify predefined groups associated with the project that
|
| + owns the bucket. For more information about project groups, see "gsutil
|
| + help projects".
|
| +
|
| + Here's an example of an ACL specified using the GroupByEmail and GroupByDomain
|
| + scopes:
|
| +
|
| + <AccessControlList>
|
| + <Entries>
|
| + <Entry>
|
| + <Permission>
|
| + FULL_CONTROL
|
| + </Permission>
|
| + <Scope type="GroupByEmail">
|
| + <EmailAddress>travel-companion-owners@googlegroups.com</EmailAddress>
|
| + </Scope>
|
| + </Entry>
|
| + <Entry>
|
| + <Permission>
|
| + READ
|
| + </Permission>
|
| + <Scope type="GroupByDomain">
|
| + <Domain>example.com</Domain>
|
| + </Scope>
|
| + </Entry>
|
| + </Entries>
|
| + </AccessControlList>
|
| +
|
| + This ACL grants members of an email group FULL_CONTROL, and grants READ
|
| + access to any user in a domain (which must be a Google Apps for Business
|
| + domain). By applying email group grants to a collection of objects
|
| + you can edit access control for large numbers of objects at once via
|
| + http://groups.google.com. That way, for example, you can easily and quickly
|
| + change access to a group of company objects when employees join and leave
|
| + your company (i.e., without having to individually change ACLs across
|
| + potentially millions of objects).
|
| +
|
| +
|
| +<B>SHARING SCENARIOS</B>
|
| + For more detailed examples how to achieve various useful sharing use
|
| + cases see https://developers.google.com/storage/docs/collaboration
|
| +""")
|
| +
|
| +
|
| +class CommandOptions(HelpProvider):
|
| + """Additional help about Access Control Lists."""
|
| +
|
| + help_spec = {
|
| + # Name of command or auxiliary help info for which this help applies.
|
| + HELP_NAME : 'acls',
|
| + # List of help name aliases.
|
| + HELP_NAME_ALIASES : ['acl', 'ACL', 'access control', 'access control list',
|
| + 'authorization', 'canned', 'canned acl'],
|
| + # Type of help:
|
| + HELP_TYPE : HelpType.ADDITIONAL_HELP,
|
| + # One line summary of this help.
|
| + HELP_ONE_LINE_SUMMARY : 'Working with Access Control Lists',
|
| + # The full help text.
|
| + HELP_TEXT : _detailed_help_text,
|
| + }
|
|
|
Chromium Code Reviews
Issue 12317103:
Added gsutil to depot tools (Closed)
Base URL: https://chromium.googlesource.com/chromium/tools/depot_tools.git@master