#_fSrSSKJr SSKJr SSKJr SSKJr SSKrSSKJr SSK J r SS K J r SS K J r SS K Jr SS K Jr SS K Jr SSK Jr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSKJ!r! SSK"J#r$ SSK%J&r& SSK'J(r( SSK)J*r* SSK+J,r, SSK+J-r- Sr.S r/S!r0S"r1S#r2S$r3\.\/RiS%5-\0RiS%5-S&-r5S'S%Rm\1\2\3/5-r7\"\5\75r8\"\/\15r9\"\.\25r:\"\0\35r;S(rg)-z:Implementation of acl command for cloud storage providers.)absolute_import)print_function)division)unicode_literalsN)encoding)metrics) gcs_json_api)AccessDeniedException)BadRequestException)PreconditionException) Preconditions)ServiceException)Command)SetAclExceptionHandler)SetAclFuncWrapper)CommandArgument) ApiSelector)CommandException)CreateHelpText)StorageUrlFromString)UrlsAreForSingleProvider))RaiseErrorIfUrlsAreMixOfBucketsAndObjects)storage_v1_messages) acl_helper)NO_MAX)Retry)GcloudStorageFlag)GcloudStorageMapzG gsutil acl set [-f] [-r] [-a] (|) url... z gsutil acl get url aK gsutil acl ch [-f] [-r] ... url... where each is one of the following forms: -u |: -g |||All|AllAuth: -p (viewers|editors|owners)-: -d |||All|AllAuth|(viewers|editors|owners)- z GET The ``acl get`` command gets the ACL text for a bucket or object, which you can save and edit for the acl set command. aU SET The ``acl set`` command allows you to set an Access Control List on one or more buckets and objects. As part of the command, you must specify either a predefined ACL or the path to a file that contains ACL text. The simplest way to use the ``acl set`` command is to specify one of the predefined ACLs, e.g.,: gsutil acl set private gs://example-bucket/example-object If you want to make an object or bucket publicly readable or writable, it is recommended to use ``acl ch``, to avoid accidentally removing OWNER permissions. See the ``acl ch`` section for details. See `Predefined ACLs `_ for a list of predefined ACLs. If you want to define more fine-grained control over your data, you can retrieve an ACL using the ``acl get`` command, save the output to a file, edit the file, and then use the ``acl set`` command to set that ACL on the buckets and/or objects. For example: gsutil acl get gs://bucket/file.txt > acl.txt Make changes to acl.txt such as adding an additional grant, then: gsutil acl set acl.txt gs://cats/file.txt Note that you can set an ACL on multiple buckets or objects at once. For example, to set ACLs on all .jpg files found in a bucket: gsutil acl set acl.txt gs://bucket/**.jpg If you have a large number of ACLs to update you might want to use the gsutil -m option, to perform a parallel (multi-threaded/multi-processing) update: gsutil -m acl set acl.txt gs://bucket/**.jpg Note that multi-threading/multi-processing is only done when the named URLs refer to objects, which happens either if you name specific objects or if you enumerate objects by using an object wildcard or specifying the acl -r flag. SET OPTIONS The "set" sub-command has the following options -R, -r Performs "acl set" request recursively, to all objects under the specified URL. -a Performs "acl set" request on all object versions. -f Normally gsutil stops at the first error. The -f option causes it to continue when it encounters errors. If some of the ACLs couldn't be set, gsutil's exit status will be non-zero even if this flag is set. This option is implicitly set when running "gsutil -m acl...". a CH The "acl ch" (or "acl change") command updates access control lists, similar in spirit to the Linux chmod command. You can specify multiple access grant additions and deletions in a single command run; all changes will be made atomically to each object in turn. For example, if the command requests deleting one grant and adding a different grant, the ACLs being updated will never be left in an intermediate state where one grant has been deleted but the second grant not yet added. Each change specifies a user or group grant to add or delete, and for grant additions, one of R, W, O (for the permission to be granted). A more formal description is provided in a later section; below we provide examples. CH EXAMPLES Examples for "ch" sub-command: Grant anyone on the internet READ access to the object example-object: gsutil acl ch -u allUsers:R gs://example-bucket/example-object NOTE: By default, publicly readable objects are served with a Cache-Control header allowing such objects to be cached for 3600 seconds. If you need to ensure that updates become visible immediately, you should set a Cache-Control header of "Cache-Control:private, max-age=0, no-transform" on such objects. For help doing this, see "gsutil help setmeta". Grant the user john.doe@example.com READ access to all objects in example-bucket that begin with folder/: gsutil acl ch -r -u john.doe@example.com:R gs://example-bucket/folder/ Grant the group admins@example.com OWNER access to all jpg files in example-bucket: gsutil acl ch -g admins@example.com:O gs://example-bucket/**.jpg Grant the owners of project example-project WRITE access to the bucket example-bucket: gsutil acl ch -p owners-example-project:W gs://example-bucket NOTE: You can replace 'owners' with 'viewers' or 'editors' to grant access to a project's viewers/editors respectively. Remove access to the bucket example-bucket for the viewers of project number 12345: gsutil acl ch -d viewers-12345 gs://example-bucket NOTE: You cannot remove the project owners group from ACLs of gs:// buckets in the given project. Attempts to do so will appear to succeed, but the service will add the project owners group into the new set of ACLs before applying it. Note that removing a project requires you to reference the project by its number (which you can see with the acl get command) as opposed to its project ID string. Grant the service account foo@developer.gserviceaccount.com WRITE access to the bucket example-bucket: gsutil acl ch -u foo@developer.gserviceaccount.com:W gs://example-bucket Grant all users from the `G Suite `_ domain my-domain.org READ access to the bucket gcs.my-domain.org: gsutil acl ch -g my-domain.org:R gs://gcs.my-domain.org Remove any current access by john.doe@example.com from the bucket example-bucket: gsutil acl ch -d john.doe@example.com gs://example-bucket If you have a large number of objects to update, enabling multi-threading with the gsutil -m flag can significantly improve performance. The following command adds OWNER for admin@example.org using multi-threading: gsutil -m acl ch -r -u admin@example.org:O gs://example-bucket Grant READ access to everyone from my-domain.org and to all authenticated users, and grant OWNER to admin@mydomain.org, for the buckets my-bucket and my-other-bucket, with multi-threading enabled: gsutil -m acl ch -r -g my-domain.org:R -g AllAuth:R \ -u admin@mydomain.org:O gs://my-bucket/ gs://my-other-bucket CH ROLES You may specify the following roles with either their shorthand or their full name: R: READ W: WRITE O: OWNER For more information on these roles and the access they grant, see the permissions section of the `Access Control Lists page `_. CH ENTITIES There are four different entity types: Users, Groups, All Authenticated Users, and All Users. Users are added with -u and a plain ID or email address, as in "-u john-doe@gmail.com:r". Note: Service Accounts are considered to be users. Groups are like users, but specified with the -g flag, as in "-g power-users@example.com:O". Groups may also be specified as a full domain, as in "-g my-company.com:r". allAuthenticatedUsers and allUsers are specified directly, as in "-g allUsers:R" or "-g allAuthenticatedUsers:O". These are case insensitive, and may be shortened to "all" and "allauth", respectively. Removing roles is specified with the -d flag and an ID, email address, domain, or one of allUsers or allAuthenticatedUsers. Many entities' roles can be specified on the same command line, allowing bundled changes to be executed in a single run. This will reduce the number of requests made to the server. CH OPTIONS The "ch" sub-command has the following options -d Remove all roles associated with the matching entity. -f Normally gsutil stops at the first error. The -f option causes it to continue when it encounters errors. With this option the gsutil exit status will be 0 even if some ACLs couldn't be changed. -g Add or modify a group entity's role. -p Add or modify a project viewers/editors/owners role. -R, -r Performs acl ch request recursively, to all objects under the specified URL. -u Add or modify a user entity's role.  z z+ The acl command has three sub-commands: cJURRSU5 SUlg)NzEncountered a problem: %sF)loggererroreverything_set_okay)cls exceptions %platform/gsutil/gslib/commands/acl.py_ApplyExceptionHandlerr'"s**. :!#c"URXS9 g)N) thread_state)ApplyAclChanges)r$url_or_expansion_resultr*s r&_ApplyAclChangesWrapperr-'s-Ir(c^\rSrSrSr\R "S/SQ\S\SSSS\ R\ R/\ R\ R"5\ R"5/\ R"S5/\ R"5/S .S 9 r\R""S/S QS S \\\\S.S9rSrU4SjrSrSrSrSr\"\SSS9SSj5r\"\ SSS9S5r!Sr"Sr#Sr$U=r%$) AclCommandi+z%Implementation of gsutil acl command.acl)getaclsetaclchaclz afRrg:u:d:p:F)setgetch) command_name_aliasesusage_synopsismin_argsmax_argssupported_sub_args file_url_okprovider_url_okurls_start_arggs_api_supportgs_default_apiargparse_arguments)r1r2chmodr3 command_helpz-Get, set, or change bucket and/or object ACLs)r7r6r8) help_namehelp_name_aliases help_typehelp_one_line_summary help_textsubcommand_help_textcURVs/sHn[U5PM nnSnURHupEUS;dM Sn O [X#5 USR 5(aU(dggs snf)NF)-r-RTrbucketsobjects)argsrsub_optsrIsBucket)selfurlobject_or_bucket_urlsrecurseflag_key_s r&_get_shim_command_group"AclCommand._get_shim_command_groupQssBF))L)31#6)LG  \ ! '..CMQ((**7  MsA3c >URRS5nUS:Xa@[URS5R5(aSnOSn[ SUSS/0S9nGO~US :XaUR 5 URRS5n[ RRU5(aS U-nO/U[R;a[RUnOUnS U-nUR5n[ SUS /U/-[S 5[S5[S5[S5S.S9nOUS:XaUR 5 [R"UR5UlUR5n[ SUS /[S5[S5[S5[S5[S 5[S5[S5[S5S.S9n[ TU]EW5$)Nrr7rPrOstoragedescribez--format=multi(acl:format=json))gcloud_commandflag_mapr6z --acl-file=z--predefined-acl=updatez--all-versionsz--continue-on-errorz --recursive)-a-frNrMr8z--add-acl-grantz--remove-acl-grant)-g-p-u-drbrcrNrM)rQpoprIsObjectr ParseSubOptsospathisfiler +FULL_PREDEFINED_ACL_XML_TO_JSON_TRANSLATIONrZrrtranslate_sub_opts_for_shimrRsuperget_gcloud_storage_args)rT sub_command command_groupgcloud_storage_mapacl_file_or_predefined_aclacl_flagpredefined_acl __class__s r&rq"AclCommand.get_gcloud_storage_args_s))--"Ke diil + 4 4 6 6! ! + ]J +<68 9   #'99==#3 2 3 3 #== %  D D FFF,. 6.&7224m+#]H= J%&67%&;<%m4%m4       <>r(cUR(dUR5 URSR5S:XdURS:Xagg)Nrr6r2r5)rQ$RaiseWrongNumberOfArgumentsExceptionlowercommand_alias_used)rTs r&_CalculateUrlsStartArg!AclCommand._CalculateUrlsStartArgsA 99 //1 ! %4+B+Bh+N  r(cSUlUR(aXURHHupUS:Xa SUlMUS:Xa SUlM#US:XdUS:Xa SUlM8UR 5 MJ UR [ [5 UR(d [S5eg![anUR5 eSnAff=f) z>Parses options and sets ACLs on the specified buckets/objects.FrbTrcrMrNN'ACLs for some objects could not be set.) continue_on_errorrR all_versionsrecursion_requestedRaiseInvalidArgumentExceptionSetAclCommandHelperrrr _WarnServiceAccountsr#r)rTounused_aunused_es r&_SetAclAclCommand._SetAcls"D }}+! 9"$  $Y#'$ $Y!t)%)$ "  , , .'  02HI  # # F GG $ !  !  s2B)) C 3CC cSUl/UlSUlUR(GaURGHoupUS:Xa SUlMUS:XaYSU;a [ S5eURR [ R"U[ RRS95 MtUS:XaHURR [ R"U[ RRS95 MUS :XaIURR [ R"U[ RRS95 GMUS :Xa2URR [ R"U55 GMIUS :XdUS :Xa SUl GM_UR5 GMr UR(d [ S 5e[UR 5(a&[#UR S5R$S:wa$[ SR'UR(55eSUlUR-[.[0UR /SQS9 UR*(d [ S5eg)zAParses options and changes ACLs on the specified buckets/objects.TFrcrdzgserviceaccount.comznService accounts are considered users, not groups; please use "gsutil acl ch -u" instead of "gsutil acl ch -g") scope_typererfrgrMrNzFPlease specify at least one access change with the -g, -u, or -d flagsrgsz2The "{0}" command can only be used with gs:// URLsr0 generationmetageneration) object_fieldsrN)parse_versionschangesrrRrappendr AclChange ChangeTypeGROUPPROJECTUSERAclDelrrrrQrschemeformat command_namer# ApplyAclFuncr-r')rTras r&_ChAclAclCommand._ChAclsDDL"D }}}--$! 9#'$ $Y "a '"CD D ,,  ""11F1F1L1LM O $Y ,,  ""11F1F1N1NO Q $Y ,,  ""11F1F1K1KL N $Y ,,  j//2 3 $Y!t)%)$ "  , , .+ . << < == %TYY / /TYYq\*11T9  > E E ! "" $D-,ii$KM  # # F GG $r(c>UR5 [SU-5e)NzTFailed to set acl for %s. Please ensure you have OWNER-role access to this resource.)rr)rTrUs r&_RaiseForAccessDenied AclCommand._RaiseForAccessDenieds, ACFG HHr()tries timeout_secsc >U(aUnO URnURnUR5(a4URURUR SS/S9nUR nOPUR5(a;[R"[RUR5nUR nW(dURU5 URXF5S:XaURR!SU5 gUR5(aP[#WR$S9n[R&"US9n UR)URU UUR S /S 9 Oq[#WR*UR$S 9n[R"US9n UR-URUR.U UUR UR*S /S 9 URR!S U5 g![0an UR3XC5 Sn A N=Sn A ff=f![4an [7S[9U 5-5eSn A f[:a URU5 g[0a0n UR5(a[7[9U 55eU eSn A ff=f)zApplies the changes in self.changes to the provided URL. Args: name_expansion_result: NameExpansionResult describing the target object. thread_state: If present, gsutil Cloud API instance to apply the changes. r0rproviderfieldsrNo changes to %sN)meta_gen_matchr0id) preconditionsrr gen_matchrrrrrzUpdated ACL on %sz$Received bad request from server: %s) gsutil_apiexpanded_storage_urlrS GetBucket bucket_namerr0rir JsonToMessageapitools_messagesObjectexpanded_resultr$_ApplyAclChangesAndReturnChangeCountr!infor rBucket PatchBucketrPatchObjectMetadata object_namer (_RefetchObjectMetadataAndApplyAclChangesr rstrr ) rTname_expansion_resultr*rrUbucket current_acl gcs_objectrbucket_metadataobject_metadataes r&r+AclCommand.ApplyAclChangess@j??j  4 4C ||~~##COO-0ZZ,13C+D$FfJJk ))*;*B*B*?*O*OQjNNk    % 00BaG kk)3/ & %V5J5JK +22{Cs.-:(+ '+f  . & 0E0E5?5N5NP +22{C I  ( (),)87D25**47NN15 ) 8 kk*C0 % I  7 7 H H  I N Cc!fL MM &   %  s1v&& g sUBH">G:H": HHH"HH"" J,IJ# J,+JJc URURURUR/SQS9nURnUR X5S:XaUR RSU5 g[R"US9n[URURS9nURURURUUURURS/S 9 g) z,/JJ.8.C.C+/& #2r(cnSnURH"nX4RXSUR5- nM$ U$)Nrr0)rExecuter!)rT storage_url acl_messagemodification_countchanges r&r/AclCommand._ApplyAclChangesAndReturnChangeCountLs=,,NN;U+/;;88 r(cURRS5nURSS9 [R"UR S9 SUlUS:Xa4[R"U/S9 URURS5 gUS:Xa&[R"U/S9 UR5 gUS ;a&[R"U/S9 UR5 g[S U<S UR<S 35e) z(Command entry point for the acl command.rT) check_args)rRFr7) subcommandsr6)r8rzInvalid subcommand "z " for the z command. See "gsutil help acl".) rQrhrjrLogCommandParamsrRdef_aclGetAndPrintAclrrrr)rTaction_subcommands r& RunCommandAclCommand.RunCommandSs a(& dmm4DLE! ,=+>? $))A,'  e # ,=+>? lln  . . ,=+>? kkm (94;L;L N OOr()rrrrr#rrrRN)&__name__ __module__ __qualname____firstlineno____doc__rCreateCommandSpec _SYNOPSISrrXMLJSONrMakeFileURLOrCannedACLArgumentMakeZeroOrMoreCloudURLsArgumentMakeNCloudURLsArgument command_specHelpSpec_DETAILED_HELP_TEXT_get_help_text_set_help_text _ch_help_text help_specrZrqr~rrrrrr+r rrr__static_attributes__ __classcell__)rxs@r&r/r/+s4-** 8'!oo{'7'78 %%<<>==? "88;< @@BC  ,*>K# ) :?xH*.H`H  3C4CJ aa82920  r(r/r)?r __future__rrrrrkapitools.base.pyrgslibrr gslib.cloud_apir r r r r gslib.commandrrrgslib.command_argumentrgslib.cs_api_maprgslib.exceptionrgslib.help_providerrgslib.storage_urlrrr"gslib.third_party.storage_apitoolsrr gslib.utilsrgslib.utils.constantsrgslib.utils.retry_utilrgslib.utils.shim_utilrr _SET_SYNOPSIS _GET_SYNOPSIS _CH_SYNOPSIS_GET_DESCRIPTION_SET_DESCRIPTION_CH_DESCRIPTIONlstriprjoin _DESCRIPTIONrrrrr'r-r/r(r&rs3A&%' %1/1),!0+2(,.26GW"((32     ;zKZ]11$7 7   &')/0  ii!#3_EFG %Y = /?@ /?@|_= " J  r(