| OLD | NEW |
|---|
| (Empty) | |
| 1 # Copyright 2012 Google Inc. |
| 2 # |
| 3 # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 # you may not use this file except in compliance with the License. |
| 5 # You may obtain a copy of the License at |
| 6 # |
| 7 # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 # |
| 9 # Unless required by applicable law or agreed to in writing, software |
| 10 # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 # See the License for the specific language governing permissions and |
| 13 # limitations under the License. |
| 14 |
| 15 from gslib.help_provider import HELP_NAME |
| 16 from gslib.help_provider import HELP_NAME_ALIASES |
| 17 from gslib.help_provider import HELP_ONE_LINE_SUMMARY |
| 18 from gslib.help_provider import HelpProvider |
| 19 from gslib.help_provider import HELP_TEXT |
| 20 from gslib.help_provider import HelpType |
| 21 from gslib.help_provider import HELP_TYPE |
| 22 |
| 23 _detailed_help_text = (""" |
| 24 <B>OVERVIEW</B> |
| 25 Access Control Lists (ACLs) allow you to control who can read and write |
| 26 your data, and who can read and write the ACLs themselves. |
| 27 |
| 28 If not specified at the time an object is uploaded (e.g., via the gsutil cp |
| 29 -a option), objects will be created with a default object ACL set on the |
| 30 bucket (see "gsutil help setdefacl"). You can change the ACL on an object |
| 31 or bucket using the gsutil setacl command (see "gsutil help setacl"). |
| 32 |
| 33 |
| 34 <B>BUCKET VS OBJECT ACLS</B> |
| 35 In Google Cloud Storage, the bucket ACL works as follows: |
| 36 |
| 37 - Users granted READ access are allowed to list the bucket contents. |
| 38 |
| 39 - Users granted WRITE access are allowed READ access and also are |
| 40 allowed to write and delete objects in that bucket -- including |
| 41 overwriting previously written objects. |
| 42 |
| 43 - Users granted FULL_CONTROL access are allowed WRITE access and also |
| 44 are allowed to read and write the bucket's ACL. |
| 45 |
| 46 The object ACL works as follows: |
| 47 |
| 48 - Users granted READ access are allowed to read the object's data and |
| 49 metadata. |
| 50 |
| 51 - Users granted FULL_CONTROL access are allowed READ access and also |
| 52 are allowed to read and write the object's ACL. |
| 53 |
| 54 A couple of points are worth noting, that sometimes surprise users: |
| 55 |
| 56 1. There is no WRITE access for objects; attempting to set an ACL with WRITE |
| 57 permission for an object will result in an error. |
| 58 |
| 59 2. The bucket ACL plays no role in determining who can read objects; only the |
| 60 object ACL matters for that purpose. This is different from how things |
| 61 work in Linux file systems, where both the file and directory permission |
| 62 control file read access. It also means, for example, that someone with |
| 63 FULL_CONTROL over the bucket may not have read access to objects in |
| 64 the bucket. This is by design, and supports useful cases. For example, |
| 65 you might want to set up bucket ownership so that a small group of |
| 66 administrators have FULL_CONTROL on the bucket (with the ability to |
| 67 delete data to control storage costs), but not grant those users read |
| 68 access to the object data (which might be sensitive data that should |
| 69 only be accessed by a different specific group of users). |
| 70 |
| 71 |
| 72 <B>CANNED ACLS</B> |
| 73 The simplest way to set an ACL on a bucket or object is using a "canned |
| 74 ACL". The available canned ACLs are: |
| 75 |
| 76 project-private Gives permission to the project team based on their |
| 77 roles. Anyone who is part of the team has READ |
| 78 permission, and project owners and project editors |
| 79 have FULL_CONTROL permission. This is the default |
| 80 ACL for newly created buckets. This is also the |
| 81 default ACL for newly created objects unless the |
| 82 default object ACL for that bucket has been |
| 83 changed. For more details see |
| 84 "gsutil help projects". |
| 85 |
| 86 private Gives the requester (and only the requester) |
| 87 FULL_CONTROL permission for a bucket or object. |
| 88 |
| 89 public-read Gives the requester FULL_CONTROL permission and |
| 90 gives all users READ permission. When you apply |
| 91 this to an object, anyone on the Internet can |
| 92 read the object without authenticating. |
| 93 |
| 94 public-read-write Gives the requester FULL_CONTROL permission and |
| 95 gives all users READ and WRITE permission. This |
| 96 ACL applies only to buckets. |
| 97 |
| 98 authenticated-read Gives the requester FULL_CONTROL permission and |
| 99 gives all authenticated Google account holders |
| 100 READ permission. |
| 101 |
| 102 bucket-owner-read Gives the requester FULL_CONTROL permission and |
| 103 gives the bucket owner READ permission. This is |
| 104 used only with objects. |
| 105 |
| 106 bucket-owner-full-control Gives the requester FULL_CONTROL permission and |
| 107 gives the bucket owner FULL_CONTROL |
| 108 permission. This is used only with objects. |
| 109 |
| 110 |
| 111 <B>ACL XML</B> |
| 112 When you use a canned ACL, it is translated into an XML representation |
| 113 that can later be retrieved and edited to specify more fine-grained |
| 114 detail about who can read and write buckets and objects. By running |
| 115 the gsutil getacl command you can retrieve the ACL XML, and edit it to |
| 116 customize the permissions. |
| 117 |
| 118 As an example, if you create an object in a bucket that has no default |
| 119 object ACL set and then retrieve the ACL on the object, it will look |
| 120 something like this: |
| 121 |
| 122 <AccessControlList> |
| 123 <Owner> |
| 124 <ID> |
| 125 00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7 |
| 126 </ID> |
| 127 </Owner> |
| 128 <Entries> |
| 129 <Entry> |
| 130 <Scope type="GroupById"> |
| 131 <ID> |
| 132 00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7 |
| 133 </ID> |
| 134 </Scope> |
| 135 <Permission> |
| 136 FULL_CONTROL |
| 137 </Permission> |
| 138 </Entry> |
| 139 <Entry> |
| 140 <Scope type="GroupById"> |
| 141 <ID> |
| 142 00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51 |
| 143 </ID> |
| 144 </Scope> |
| 145 <Permission> |
| 146 FULL_CONTROL |
| 147 </Permission> |
| 148 </Entry> |
| 149 <Entry> |
| 150 <Scope type="GroupById"> |
| 151 <ID> |
| 152 00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71 |
| 153 </ID> |
| 154 </Scope> |
| 155 <Permission> |
| 156 READ |
| 157 </Permission> |
| 158 </Entry> |
| 159 </Entries> |
| 160 </AccessControlList> |
| 161 |
| 162 The ACL consists of an Owner element and a collection of Entry elements, |
| 163 each of which specifies a Scope and a Permission. Scopes are the way you |
| 164 specify an individual or group of individuals, and Permissions specify what |
| 165 access they're permitted. |
| 166 |
| 167 This particular ACL grants FULL_CONTROL to two groups (which means members |
| 168 of those groups are allowed to read the object and read and write the ACL), |
| 169 and READ permission to a third group. The project groups are (in order) |
| 170 the owners group, editors group, and viewers group. |
| 171 |
| 172 The 64 digit hex identifiers used in this ACL are called canonical IDs, |
| 173 and are used to identify predefined groups associated with the project that |
| 174 owns the bucket. For more information about project groups, see "gsutil |
| 175 help projects". |
| 176 |
| 177 Here's an example of an ACL specified using the GroupByEmail and GroupByDomain |
| 178 scopes: |
| 179 |
| 180 <AccessControlList> |
| 181 <Entries> |
| 182 <Entry> |
| 183 <Permission> |
| 184 FULL_CONTROL |
| 185 </Permission> |
| 186 <Scope type="GroupByEmail"> |
| 187 <EmailAddress>travel-companion-owners@googlegroups.com</EmailAddress> |
| 188 </Scope> |
| 189 </Entry> |
| 190 <Entry> |
| 191 <Permission> |
| 192 READ |
| 193 </Permission> |
| 194 <Scope type="GroupByDomain"> |
| 195 <Domain>example.com</Domain> |
| 196 </Scope> |
| 197 </Entry> |
| 198 </Entries> |
| 199 </AccessControlList> |
| 200 |
| 201 This ACL grants members of an email group FULL_CONTROL, and grants READ |
| 202 access to any user in a domain (which must be a Google Apps for Business |
| 203 domain). By applying email group grants to a collection of objects |
| 204 you can edit access control for large numbers of objects at once via |
| 205 http://groups.google.com. That way, for example, you can easily and quickly |
| 206 change access to a group of company objects when employees join and leave |
| 207 your company (i.e., without having to individually change ACLs across |
| 208 potentially millions of objects). |
| 209 |
| 210 |
| 211 <B>SHARING SCENARIOS</B> |
| 212 For more detailed examples how to achieve various useful sharing use |
| 213 cases see https://developers.google.com/storage/docs/collaboration |
| 214 """) |
| 215 |
| 216 |
| 217 class CommandOptions(HelpProvider): |
| 218 """Additional help about Access Control Lists.""" |
| 219 |
| 220 help_spec = { |
| 221 # Name of command or auxiliary help info for which this help applies. |
| 222 HELP_NAME : 'acls', |
| 223 # List of help name aliases. |
| 224 HELP_NAME_ALIASES : ['acl', 'ACL', 'access control', 'access control list', |
| 225 'authorization', 'canned', 'canned acl'], |
| 226 # Type of help: |
| 227 HELP_TYPE : HelpType.ADDITIONAL_HELP, |
| 228 # One line summary of this help. |
| 229 HELP_ONE_LINE_SUMMARY : 'Working with Access Control Lists', |
| 230 # The full help text. |
| 231 HELP_TEXT : _detailed_help_text, |
| 232 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12042069:
Scripts to download files from google storage based on sha1 sums (Closed)
Base URL: https://chromium.googlesource.com/chromium/tools/depot_tools.git@master