fSrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKrSSK J r SSK J r SS K Jr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJr SSK!J"r" SSK#J$r$ SSK%J&r& SSK%J'r' SSK(J)r) SSK(J*r* SSK(J+r+ SSK(J,r, SSK-J.r. SSK-J/r/ SSK0J1r1 SSK2J3r3 SSK2J4r4 SS K5J6r6 SS!K7J8r8 S"r9S#r:S$\:-S%-r;S&r"S)S*\?5r@"S+S,\5rAS-rBg)/zIImplementation of rewrite command (in-place cloud object transformation).)absolute_import)print_function)division)unicode_literalsN)encoding)config)EncryptionException)Command)CommandArgument) ApiSelector)CommandException)NameExpansionIterator)SeekAheadNameExpansionIterator)FileProgressCallbackHandler)StorageUrlFromString)storage_v1_messages) FileMessage)GetCloudApiInstance)NO_MAX)UTF8) CryptoKeyType)CryptoKeyWrapperFromKey)GetEncryptionKeyWrapper)MAX_DECRYPTION_KEYS)GcloudStorageFlag)GcloudStorageMap) StdinIterator)ConvertRecursiveToFlatWildcard)NormalizeStorageClass) text_util)PreconditionsFromHeadersAz gsutil rewrite -k [-O] [-f] [-r] [-s] url... gsutil rewrite -k [-O] [-f] [-r] [-s] -I gsutil rewrite -s [-k] [-O] [-f] [-r] url... gsutil rewrite -s [-k] [-O] [-f] [-r] -I z SYNOPSIS a DESCRIPTION The gsutil rewrite command rewrites cloud objects, applying the specified transformations to them. The transformation(s) are atomic for each affected object and applied based on the input transformation flags. Object metadata values are preserved unless altered by a transformation. At least one transformation flag, -k or -s, must be included in the command. The -k flag is supported to add, rotate, or remove encryption keys on objects. For example, the command: gsutil rewrite -k -r gs://bucket updates all objects in gs://bucket with the current encryption key from your boto config file, which may either be a base64-encoded CSEK or the fully-qualified name of a Cloud KMS key. The rewrite command acts only on live object versions, so specifying a URL with a generation number fails. If you want to rewrite a noncurrent version, first copy it to the live version, then rewrite it, for example: gsutil cp gs://bucket/object#123 gs://bucket/object gsutil rewrite -k gs://bucket/object You can use the -s option to specify a new storage class for objects. For example, the command: gsutil rewrite -s nearline gs://bucket/foo rewrites the object, changing its storage class to nearline. If you specify the -k option and you have an encryption key set in your boto configuration file, the rewrite command skips objects that are already encrypted with the specified key. For example, if you run: gsutil rewrite -k -r gs://bucket and gs://bucket contains objects encrypted with the key specified in your boto configuration file, gsutil skips rewriting those objects and only rewrites objects that are not encrypted with the specified key. This avoids the cost of performing redundant rewrite operations. If you specify the -k option and you do not have an encryption key set in your boto configuration file, gsutil always rewrites each object, without explicitly specifying an encryption key. This results in rewritten objects being encrypted with either the bucket's default KMS key (if one is set) or Google-managed encryption (no CSEK or CMEK). Gsutil does not attempt to determine whether the operation is redundant (and thus skippable) because gsutil cannot be sure how the object is encrypted after the rewrite. Note that if your goal is to encrypt objects with a bucket's default KMS key, you can avoid redundant rewrite costs by specifying the bucket's default KMS key in your boto configuration file; this allows gsutil to perform an accurate comparison of the objects' current and desired encryption configurations and skip rewrites for objects already encrypted with that key. If have an encryption key set in your boto configuration file and specify multiple transformations, gsutil only skips those that would not change the object's state. For example, if you run: gsutil rewrite -s nearline -k -r gs://bucket and gs://bucket contains objects that already match the encryption configuration but have a storage class of standard, the only transformation applied to those objects would be the change in storage class. You can pass a list of URLs (one per line) to rewrite on stdin instead of as command line arguments by using the -I option. This allows you to use gsutil in a pipeline to rewrite objects identified by a program, such as: some_program | gsutil -m rewrite -k -I The contents of stdin can name cloud URLs and wildcards of cloud URLs. The rewrite command requires OWNER permissions on each object to preserve object ACLs. You can bypass this by using the -O flag, which causes gsutil not to read the object's ACL and instead apply the default object ACL to the rewritten object: gsutil rewrite -k -O -r gs://bucket OPTIONS -f Continues silently (without printing error messages) despite errors when rewriting multiple objects. If some of the objects could not be rewritten, gsutil's exit status is non-zero even if this flag is set. This option is implicitly set when running "gsutil -m rewrite ...". -I Causes gsutil to read the list of objects to rewrite from stdin. This allows you to run a program that generates the list of objects to rewrite. -k Rewrite objects with the current encryption key specified in your boto configuration file. The value for encryption_key may be either a base64-encoded CSEK or a fully-qualified KMS key name. If no value is specified for encryption_key, gsutil ignores this flag. Instead, rewritten objects are encrypted with the bucket's default KMS key, if one is set, or Google-managed encryption, if no default KMS key is set. -O When a bucket has uniform bucket-level access (UBLA) enabled, the -O flag is required and skips all ACL checks. When a bucket has UBLA disabled, the -O flag rewrites objects with the bucket's default object ACL instead of the existing object ACL. This is needed if you do not have OWNER permission on the object. -R, -r The -R and -r options are synonymous. Causes bucket or bucket subdirectory contents to be rewritten recursively. -s Rewrite objects using the specified storage class. cUR(d$URR[U55 U=RS- slg)z9Simple exception handler to allow post-completion status.N)continue_on_errorloggererrorstrop_failure_count)clses )platform/gsutil/gslib/commands/rewrite.py_RewriteExceptionHandlerr-s2  JJSV!c"URXS9 g)N thread_state) RewriteFunc)r*name_expansion_resultr1s r,_RewriteFuncWrapperr4s//'/Cr.c#n# UH+n[U5Rb[SU-5eUv M- g7f)zAGenerator function that ensures generation-less (live) arguments.Nz-"rewrite" called on URL with generation (%s).)r generationr )url_strsurl_strs r,GenerationCheckGeneratorr9s=gG$//; L$% && M s35c \rSrSrSrSrSrSrg)_TransformTypesz Enum class for valid transforms. crypto_key storage_classN)__name__ __module__ __qualname____firstlineno____doc__ CRYPTO_KEY STORAGE_CLASS__static_attributes__r?r.r,r;r;s(*!-r.r;c\rSrSrSr\R "S/\S\SSSS\ R/\ R\ R"5/S9 r \R"SSS /S S \0S 9r\"/S Q\"S5\"S5\R("SSS5(aSO\"S5\"S5\"S5\"S5\"S5S.S9rSrSrSSjrSrg)RewriteCommandz)Implementation of gsutil rewrite command.rewriterzfkIrROs:F) command_name_aliasesusage_synopsismin_argsmax_argssupported_sub_args file_url_okprovider_url_okurls_start_arggs_api_supportgs_default_apiargparse_argumentsrekeyrotate command_helpzRewrite objects) help_namehelp_name_aliases help_typehelp_one_line_summary help_textsubcommand_help_text)storageobjectsupdate-Iz--continue-on-errorGSUtilencryption_keyNz--clear-encryption-keyz--no-preserve-acl-r-s)rc-f-k-Orf-Rrg)gcloud_commandflag_mapcRURS:wa[S[U5-5eg)Ngsz5"rewrite" called on URL with unsupported provider: %s)schemer r()selfurls r, CheckProviderRewriteCommand.CheckProviders. zzT  ACH L NNr.c  URUl0UlSUlSUlSUlSS/Ul[5UlSUl [[5Ul UR(aURROSUlUR(aURHupUS:Xa SUlMUS:Xa+URR!["R$5 MEUS:Xa SUlMTUS :Xa SUlMcUS :XdUS :XaSUlSUlMUS:XdMURR!["R*5 [-U5UlM UR (a'UR.(a [1S 5e[35nO(UR.(d [1S 5eUR.nUR(d[1SUR -5e[5UR6=(d 05Ul[;U5nUR&(a [=U5n[?UR@URBURDURFUUR&URHUR=(d URSS/S9 nSnUR (dZ[=U5n[KUR@URBURM5UUR&UR(URHS9n[OS[P5HrnUS-n [S[RT"SS[WU 5-S55n U c ONOTE: No encryption_key was specified in the boto configuration file, so gsutil will not provide an encryption key in its rewrite API requests. This will decrypt the objects unless they are in buckets with a default KMS key set, in which case the service will automatically encrypt the rewritten objects with that key.z%s )filer)) fail_on_error shared_attrsseek_ahead_iteratorsz*%d file%s/object%s could not be rewritten.)8parallel_operationsr%csek_hash_to_keywrapperdest_storage_classno_preserve_aclread_args_from_stdinsupported_transformation_flagssettransform_typesr)rrboto_file_encryption_keywrappercrypto_key_sha256boto_file_encryption_sha256sub_optsaddr;rErecursion_requestedrzrFrargsr rr!headers preconditionsr9rr command_namedebugr& gsutil_apirxrGetSeekAheadGsutilApirangerrgetr( crypto_typerCSEKjointextwrapwrapprintsysstderrApplyr4r-) rqoar7url_strs_generatorname_expansion_iteratorrseek_ahead_url_strsi key_number keywrappermsg plural_strs r, RunCommandRewriteCommand.RunCommands!55D#%D "D D %D+/,D'5DD+B6+JD(  / / ,,>>59 $ }}--$! 9#'$ $Y    " "?#=#= > $Y&*$ # $Y!%$  $Y!t)%)$ ""$  $Y    " "?#@#@ A$9!$<$ !    GHHh YY 01 1h     9  - - . // 2$,,2D"ED1(; 9:LM4       ??00LD4L4L%v. 0  $ $;8D:    **  $ $ &   " "((__&1) *q5j* **X1C OCT JLj     =#5#5 5EO$$Z%A%AB+ ''3  . . ""4#C#CD ++3 II --P Q c FSLszz* JJ"&'"&"8"88/0#6 8 //3Rj I"33ZLM NN r.c  [XS9nURnURU5 URURUR UR URS9nUR(a/Ul OUR(d[SU-5eUR(a UROSnSnUR(aBURR(a'URRnURS5nUSL=(d USLnSn URb>URR ["R$:XaURR&n Sn URb>URR ["R(:XaURR*n URSLn Xz:H=(a Xi:Hn [,R.UR0;aU (d[3SU<SU<S35e/n [,R4UR0;a4UR6[9UR:5:XaU R=S5 [,R.UR0;aU (aU (aU R=S 5 [?U 5[?UR05:Xa$UR@RCS U<S U <35 g[DRF"[HRJ[DRL"U55nSUlSUl'SUl SUl [,R4UR0;aUR6UlU bXl SnUb2XpRP;aURPUnO[3S U<S U<35eSn[,R.UR0;a9U(aU (a U (dSnO!U(a U (dSnOU(d U (aSn[RRTRW[YUURZ55 [RRTR]5 UR^Ra[cUS[dRd"5SURf[bRhS95 [kUR^UUS9RlnURoUUUR URpUUURUR/S9 UR^Ra[cUS[dRd"5SURf[bRhS95 g)Nr0)r6provideraNo OWNER permission found for object %s. If your bucket has uniform bucket-level access (UBLA) enabled, include the -O option in your command to avoid this error. If your bucket does not use UBLA, you can use the -O option to apply the bucket's default object ACL when rewriting.asciizThe "-k" flag was not passed to the rewrite command, but the encryption_key value in your boto config file did not match the key used to encrypt the object "z " (hash: zO). To encrypt the object using a different key, you must specify the "-k" flag.z storage classzencryption keyz Skipping z&, all transformations were redundant: z(Missing decryption key with SHA256 hash z#. No decryption key matches object RewritingRotating Decrypting EncryptingF)finishedrw message_type)src_urloperation_name)src_generationrprogress_callbackdecryption_tupleencryption_tuplerfieldsT)9rexpanded_storage_urlrsGetObjectMetadata bucket_name object_namer6rpraclr kmsKeyNamecustomerEncryption keySha256encoderrrCMEKr=rrr;rErr rFrr storageClassappendlenr&inforPyValueToMessageapitools_messagesObjectMessageToPyValueidrrrwrite_ConstructAnnounceText url_stringflush status_queueputrtimerw FILE_REWRITErcall CopyObjectr)rqr3r1r transform_url src_metadatasrc_encryption_kms_keysrc_encryption_sha256src_was_encrypteddest_encryption_kms_keydest_encryption_sha256should_encrypt_destencryption_unchangedredundant_transforms dest_metadatadecryption_keywrapperrrs r,r2RewriteCommand.RewriteFuncs$TEJ)>>M}%//!!!! ++%% 0'L  l     ,  , --".!8!8+55>B!''''11*==GG3::7C.d:</t;# ,,8 ,,88M>dJ1KN2M ""$*>*>>  /  1 22 %%)=)== #8  % %$' '!!/2 ""d&:&:: 4!!"23  C(<(<$== kk%';=> --  (";";L"IKM $MM(,M$#M $$(<(<<#'#:#:m *!8!( ">"> >  ( ()> ? "#8- IJ J!N!!T%9%99 2#%. %8% %8%JJ~}/G/GHJJJMIIK"%**!,!9!9  ;<4%'(,t ,')6)A)A(,(:(:,=+@+/+O+O#0#7#7!#%MIIK!%**!,!9!9  ;J)K'L'MNNJ"5zB99*   - ..r.r)CrD __future__rrrrrrrapitools.base.pyrbotorgslib.cloud_apir gslib.commandr gslib.command_argumentr gslib.cs_api_mapr gslib.exceptionr gslib.name_expansionrrgslib.progress_callbackrgslib.storage_urlr"gslib.third_party.storage_apitoolsrrgslib.thread_messagergslib.utils.cloud_api_helperrgslib.utils.constantsrrgslib.utils.encryption_helperrrrrgslib.utils.shim_utilrrgslib.utils.system_utilrgslib.utils.text_utilrr gslib.utilsr gslib.utils.translation_helperr!rrrr-r4r9objectr;rIrr?r.r,rsP&%'  %/!2(,6??2W,<(&7AA=321@7!C!#  qslD"f" r