depot_tools/third_party/gsutil/gslib/addlhelp/acls.py

# Copyright 2012 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from gslib.help_provider import HELP_NAME
from gslib.help_provider import HELP_NAME_ALIASES
from gslib.help_provider import HELP_ONE_LINE_SUMMARY
from gslib.help_provider import HelpProvider
from gslib.help_provider import HELP_TEXT
from gslib.help_provider import HelpType
from gslib.help_provider import HELP_TYPE

_detailed_help_text = ("""
<B>OVERVIEW</B>
  Access Control Lists (ACLs) allow you to control who can read and write
  your data, and who can read and write the ACLs themselves.

  If not specified at the time an object is uploaded (e.g., via the gsutil cp
  -a option), objects will be created with a default object ACL set on the
  bucket (see "gsutil help setdefacl"). You can replace the ACL on an object
  or bucket using the gsutil setacl command (see "gsutil help setacl"), or
  modify the existing ACL using the gsutil chacl command (see "gsutil help
  chacl").


<B>BUCKET VS OBJECT ACLS</B>
  In Google Cloud Storage, the bucket ACL works as follows:

    - Users granted READ access are allowed to list the bucket contents.

    - Users granted WRITE access are allowed READ access and also are
      allowed to write and delete objects in that bucket -- including
      overwriting previously written objects.

    - Users granted FULL_CONTROL access are allowed WRITE access and also
      are allowed to read and write the bucket's ACL.

  The object ACL works as follows:

    - Users granted READ access are allowed to read the object's data and
      metadata.

    - Users granted FULL_CONTROL access are allowed READ access and also
      are allowed to read and write the object's ACL.

  A couple of points are worth noting, that sometimes surprise users:

  1. There is no WRITE access for objects; attempting to set an ACL with WRITE
     permission for an object will result in an error.

  2. The bucket ACL plays no role in determining who can read objects; only the
     object ACL matters for that purpose. This is different from how things
     work in Linux file systems, where both the file and directory permission
     control file read access. It also means, for example, that someone with
     FULL_CONTROL over the bucket may not have read access to objects in
     the bucket.  This is by design, and supports useful cases. For example,
     you might want to set up bucket ownership so that a small group of
     administrators have FULL_CONTROL on the bucket (with the ability to
     delete data to control storage costs), but not grant those users read
     access to the object data (which might be sensitive data that should
     only be accessed by a different specific group of users).


<B>CANNED ACLS</B>
  The simplest way to set an ACL on a bucket or object is using a "canned
  ACL". The available canned ACLs are:

  project-private            Gives permission to the project team based on their
                             roles. Anyone who is part of the team has READ
                             permission, and project owners and project editors
                             have FULL_CONTROL permission. This is the default
                             ACL for newly created buckets. This is also the
                             default ACL for newly created objects unless the
                             default object ACL for that bucket has been
                             changed. For more details see
                             "gsutil help projects".

  private                    Gives the requester (and only the requester)
                             FULL_CONTROL permission for a bucket or object.

  public-read                Gives the requester FULL_CONTROL permission and
                             gives all users READ permission. When you apply
                             this to an object, anyone on the Internet can
                             read the object without authenticating.

  public-read-write          Gives the requester FULL_CONTROL permission and
                             gives all users READ and WRITE permission. This
                             ACL applies only to buckets.

  authenticated-read         Gives the requester FULL_CONTROL permission and
                             gives all authenticated Google account holders
                             READ permission.

  bucket-owner-read          Gives the requester FULL_CONTROL permission and
                             gives the bucket owner READ permission. This is
                             used only with objects.

  bucket-owner-full-control  Gives the requester FULL_CONTROL permission and
                             gives the bucket owner FULL_CONTROL
                             permission. This is used only with objects.


<B>ACL XML</B>
  When you use a canned ACL, it is translated into an XML representation
  that can later be retrieved and edited to specify more fine-grained
  detail about who can read and write buckets and objects. By running
  the gsutil getacl command you can retrieve the ACL XML, and edit it to
  customize the permissions.

  As an example, if you create an object in a bucket that has no default
  object ACL set and then retrieve the ACL on the object, it will look
  something like this:

  <AccessControlList>
    <Owner>
      <ID>
        00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
      </ID>
    </Owner>
    <Entries>
      <Entry>
        <Scope type="GroupById">
          <ID>
            00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
          </ID>
        </Scope>
        <Permission>
          FULL_CONTROL
        </Permission>
      </Entry>
      <Entry>
        <Scope type="GroupById">
          <ID>
            00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51
          </ID>
        </Scope>
        <Permission>
          FULL_CONTROL
        </Permission>
      </Entry>
      <Entry>
        <Scope type="GroupById">
          <ID>
            00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71
          </ID>
        </Scope>
        <Permission>
          READ
        </Permission>
      </Entry>
    </Entries>
  </AccessControlList>

  The ACL consists of an Owner element and a collection of Entry elements,
  each of which specifies a Scope and a Permission. Scopes are the way you
  specify an individual or group of individuals, and Permissions specify what
  access they're permitted.

  This particular ACL grants FULL_CONTROL to two groups (which means members
  of those groups are allowed to read the object and read and write the ACL),
  and READ permission to a third group. The project groups are (in order)
  the owners group, editors group, and viewers group.

  The 64 digit hex identifiers used in this ACL are called canonical IDs,
  and are used to identify predefined groups associated with the project that
  owns the bucket. For more information about project groups, see "gsutil
  help projects".

  Here's an example of an ACL specified using the GroupByEmail and GroupByDomain
  scopes:

  <AccessControlList>
    <Entries>
      <Entry>
        <Permission>
          FULL_CONTROL
        </Permission>
        <Scope type="GroupByEmail">
          <EmailAddress>travel-companion-owners@googlegroups.com</EmailAddress>
        </Scope>
      </Entry>
      <Entry>
        <Permission>
          READ
        </Permission>
        <Scope type="GroupByDomain">
          <Domain>example.com</Domain>
        </Scope>
      </Entry>
    </Entries>
  </AccessControlList>

  This ACL grants members of an email group FULL_CONTROL, and grants READ
  access to any user in a domain (which must be a Google Apps for Business
  domain). By applying email group grants to a collection of objects
  you can edit access control for large numbers of objects at once via
  http://groups.google.com. That way, for example, you can easily and quickly
  change access to a group of company objects when employees join and leave
  your company (i.e., without having to individually change ACLs across
  potentially millions of objects).


<B>SHARING SCENARIOS</B>
  For more detailed examples how to achieve various useful sharing use
  cases see https://developers.google.com/storage/docs/collaboration
""")


class CommandOptions(HelpProvider):
  """Additional help about Access Control Lists."""

  help_spec = {
    # Name of command or auxiliary help info for which this help applies.
    HELP_NAME : 'acls',
    # List of help name aliases.
    HELP_NAME_ALIASES : ['acl', 'ACL', 'access control', 'access control list',
                         'authorization', 'canned', 'canned acl'],
    # Type of help:
    HELP_TYPE : HelpType.ADDITIONAL_HELP,
    # One line summary of this help.
    HELP_ONE_LINE_SUMMARY : 'Working with Access Control Lists',
    # The full help text.
    HELP_TEXT : _detailed_help_text,
  }