third_party/gsutil/gslib/addlhelp/acls.py - depot_tools - Git at Google

 # Copyright 2012 Google Inc. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 from gslib.help_provider import HELP_NAME
 from gslib.help_provider import HELP_NAME_ALIASES
 from gslib.help_provider import HELP_ONE_LINE_SUMMARY
 from gslib.help_provider import HelpProvider
 from gslib.help_provider import HELP_TEXT
 from gslib.help_provider import HelpType
 from gslib.help_provider import HELP_TYPE

 _detailed_help_text = ("""
 <B>OVERVIEW</B>
   Access Control Lists (ACLs) allow you to control who can read and write
   your data, and who can read and write the ACLs themselves.

   If not specified at the time an object is uploaded (e.g., via the gsutil cp
   -a option), objects will be created with a default object ACL set on the
   bucket (see "gsutil help setdefacl"). You can replace the ACL on an object
   or bucket using the gsutil setacl command (see "gsutil help setacl"), or
   modify the existing ACL using the gsutil chacl command (see "gsutil help
   chacl").


 <B>BUCKET VS OBJECT ACLS</B>
   In Google Cloud Storage, the bucket ACL works as follows:

     - Users granted READ access are allowed to list the bucket contents.

     - Users granted WRITE access are allowed READ access and also are
       allowed to write and delete objects in that bucket -- including
       overwriting previously written objects.

     - Users granted FULL_CONTROL access are allowed WRITE access and also
       are allowed to read and write the bucket's ACL.

   The object ACL works as follows:

     - Users granted READ access are allowed to read the object's data and
       metadata.

     - Users granted FULL_CONTROL access are allowed READ access and also
       are allowed to read and write the object's ACL.

   A couple of points are worth noting, that sometimes surprise users:

   1. There is no WRITE access for objects; attempting to set an ACL with WRITE
      permission for an object will result in an error.

   2. The bucket ACL plays no role in determining who can read objects; only the
      object ACL matters for that purpose. This is different from how things
      work in Linux file systems, where both the file and directory permission
      control file read access. It also means, for example, that someone with
      FULL_CONTROL over the bucket may not have read access to objects in
      the bucket.  This is by design, and supports useful cases. For example,
      you might want to set up bucket ownership so that a small group of
      administrators have FULL_CONTROL on the bucket (with the ability to
      delete data to control storage costs), but not grant those users read
      access to the object data (which might be sensitive data that should
      only be accessed by a different specific group of users).


 <B>CANNED ACLS</B>
   The simplest way to set an ACL on a bucket or object is using a "canned
   ACL". The available canned ACLs are:

   project-private            Gives permission to the project team based on their
                              roles. Anyone who is part of the team has READ
                              permission, and project owners and project editors
                              have FULL_CONTROL permission. This is the default
                              ACL for newly created buckets. This is also the
                              default ACL for newly created objects unless the
                              default object ACL for that bucket has been
                              changed. For more details see
                              "gsutil help projects".

   private                    Gives the requester (and only the requester)
                              FULL_CONTROL permission for a bucket or object.

   public-read                Gives the requester FULL_CONTROL permission and
                              gives all users READ permission. When you apply
                              this to an object, anyone on the Internet can
                              read the object without authenticating.

   public-read-write          Gives the requester FULL_CONTROL permission and
                              gives all users READ and WRITE permission. This
                              ACL applies only to buckets.

   authenticated-read         Gives the requester FULL_CONTROL permission and
                              gives all authenticated Google account holders
                              READ permission.

   bucket-owner-read          Gives the requester FULL_CONTROL permission and
                              gives the bucket owner READ permission. This is
                              used only with objects.

   bucket-owner-full-control  Gives the requester FULL_CONTROL permission and
                              gives the bucket owner FULL_CONTROL
                              permission. This is used only with objects.


 <B>ACL XML</B>
   When you use a canned ACL, it is translated into an XML representation
   that can later be retrieved and edited to specify more fine-grained
   detail about who can read and write buckets and objects. By running
   the gsutil getacl command you can retrieve the ACL XML, and edit it to
   customize the permissions.

   As an example, if you create an object in a bucket that has no default
   object ACL set and then retrieve the ACL on the object, it will look
   something like this:

   <AccessControlList>
     <Owner>
       <ID>
         00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
       </ID>
     </Owner>
     <Entries>
       <Entry>
         <Scope type="GroupById">
           <ID>
             00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
           </ID>
         </Scope>
         <Permission>
           FULL_CONTROL
         </Permission>
       </Entry>
       <Entry>
         <Scope type="GroupById">
           <ID>
             00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51
           </ID>
         </Scope>
         <Permission>
           FULL_CONTROL
         </Permission>
       </Entry>
       <Entry>
         <Scope type="GroupById">
           <ID>
             00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71
           </ID>
         </Scope>
         <Permission>
           READ
         </Permission>
       </Entry>
     </Entries>
   </AccessControlList>

   The ACL consists of an Owner element and a collection of Entry elements,
   each of which specifies a Scope and a Permission. Scopes are the way you
   specify an individual or group of individuals, and Permissions specify what
   access they're permitted.

   This particular ACL grants FULL_CONTROL to two groups (which means members
   of those groups are allowed to read the object and read and write the ACL),
   and READ permission to a third group. The project groups are (in order)
   the owners group, editors group, and viewers group.

   The 64 digit hex identifiers used in this ACL are called canonical IDs,
   and are used to identify predefined groups associated with the project that
   owns the bucket. For more information about project groups, see "gsutil
   help projects".

   Here's an example of an ACL specified using the GroupByEmail and GroupByDomain
   scopes:

   <AccessControlList>
     <Entries>
       <Entry>
         <Permission>
           FULL_CONTROL
         </Permission>
         <Scope type="GroupByEmail">
           <EmailAddress>travel-companion-owners@googlegroups.com</EmailAddress>
         </Scope>
       </Entry>
       <Entry>
         <Permission>
           READ
         </Permission>
         <Scope type="GroupByDomain">
           <Domain>example.com</Domain>
         </Scope>
       </Entry>
     </Entries>
   </AccessControlList>

   This ACL grants members of an email group FULL_CONTROL, and grants READ
   access to any user in a domain (which must be a Google Apps for Business
   domain). By applying email group grants to a collection of objects
   you can edit access control for large numbers of objects at once via
   http://groups.google.com. That way, for example, you can easily and quickly
   change access to a group of company objects when employees join and leave
   your company (i.e., without having to individually change ACLs across
   potentially millions of objects).


 <B>SHARING SCENARIOS</B>
   For more detailed examples how to achieve various useful sharing use
   cases see https://developers.google.com/storage/docs/collaboration
 """)


 class CommandOptions(HelpProvider):
   """Additional help about Access Control Lists."""

   help_spec = {
     # Name of command or auxiliary help info for which this help applies.
     HELP_NAME : 'acls',
     # List of help name aliases.
     HELP_NAME_ALIASES : ['acl', 'ACL', 'access control', 'access control list',
                          'authorization', 'canned', 'canned acl'],
     # Type of help:
     HELP_TYPE : HelpType.ADDITIONAL_HELP,
     # One line summary of this help.
     HELP_ONE_LINE_SUMMARY : 'Working with Access Control Lists',
     # The full help text.
     HELP_TEXT : _detailed_help_text,
   }
	# Copyright 2012 Google Inc. All Rights Reserved.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	from gslib.help_provider import HELP_NAME
	from gslib.help_provider import HELP_NAME_ALIASES
	from gslib.help_provider import HELP_ONE_LINE_SUMMARY
	from gslib.help_provider import HelpProvider
	from gslib.help_provider import HELP_TEXT
	from gslib.help_provider import HelpType
	from gslib.help_provider import HELP_TYPE

	_detailed_help_text = ("""
	<B>OVERVIEW</B>
	Access Control Lists (ACLs) allow you to control who can read and write
	your data, and who can read and write the ACLs themselves.

	If not specified at the time an object is uploaded (e.g., via the gsutil cp
	-a option), objects will be created with a default object ACL set on the
	bucket (see "gsutil help setdefacl"). You can replace the ACL on an object
	or bucket using the gsutil setacl command (see "gsutil help setacl"), or
	modify the existing ACL using the gsutil chacl command (see "gsutil help
	chacl").


	<B>BUCKET VS OBJECT ACLS</B>
	In Google Cloud Storage, the bucket ACL works as follows:

	- Users granted READ access are allowed to list the bucket contents.

	- Users granted WRITE access are allowed READ access and also are
	allowed to write and delete objects in that bucket -- including
	overwriting previously written objects.

	- Users granted FULL_CONTROL access are allowed WRITE access and also
	are allowed to read and write the bucket's ACL.

	The object ACL works as follows:

	- Users granted READ access are allowed to read the object's data and
	metadata.

	- Users granted FULL_CONTROL access are allowed READ access and also
	are allowed to read and write the object's ACL.

	A couple of points are worth noting, that sometimes surprise users:

	1. There is no WRITE access for objects; attempting to set an ACL with WRITE
	permission for an object will result in an error.

	2. The bucket ACL plays no role in determining who can read objects; only the
	object ACL matters for that purpose. This is different from how things
	work in Linux file systems, where both the file and directory permission
	control file read access. It also means, for example, that someone with
	FULL_CONTROL over the bucket may not have read access to objects in
	the bucket. This is by design, and supports useful cases. For example,
	you might want to set up bucket ownership so that a small group of
	administrators have FULL_CONTROL on the bucket (with the ability to
	delete data to control storage costs), but not grant those users read
	access to the object data (which might be sensitive data that should
	only be accessed by a different specific group of users).


	<B>CANNED ACLS</B>
	The simplest way to set an ACL on a bucket or object is using a "canned
	ACL". The available canned ACLs are:

	project-private Gives permission to the project team based on their
	roles. Anyone who is part of the team has READ
	permission, and project owners and project editors
	have FULL_CONTROL permission. This is the default
	ACL for newly created buckets. This is also the
	default ACL for newly created objects unless the
	default object ACL for that bucket has been
	changed. For more details see
	"gsutil help projects".

	private Gives the requester (and only the requester)
	FULL_CONTROL permission for a bucket or object.

	public-read Gives the requester FULL_CONTROL permission and
	gives all users READ permission. When you apply
	this to an object, anyone on the Internet can
	read the object without authenticating.

	public-read-write Gives the requester FULL_CONTROL permission and
	gives all users READ and WRITE permission. This
	ACL applies only to buckets.

	authenticated-read Gives the requester FULL_CONTROL permission and
	gives all authenticated Google account holders
	READ permission.

	bucket-owner-read Gives the requester FULL_CONTROL permission and
	gives the bucket owner READ permission. This is
	used only with objects.

	bucket-owner-full-control Gives the requester FULL_CONTROL permission and
	gives the bucket owner FULL_CONTROL
	permission. This is used only with objects.


	<B>ACL XML</B>
	When you use a canned ACL, it is translated into an XML representation
	that can later be retrieved and edited to specify more fine-grained
	detail about who can read and write buckets and objects. By running
	the gsutil getacl command you can retrieve the ACL XML, and edit it to
	customize the permissions.

	As an example, if you create an object in a bucket that has no default
	object ACL set and then retrieve the ACL on the object, it will look
	something like this:

	<AccessControlList>
	<Owner>
	<ID>
	00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
	</ID>
	</Owner>
	<Entries>
	<Entry>
	<Scope type="GroupById">
	<ID>
	00b4903a9740e42c29800f53bd5a9a62a2f96eb3f64a4313a115df3f3a776bf7
	</ID>
	</Scope>
	<Permission>
	FULL_CONTROL
	</Permission>
	</Entry>
	<Entry>
	<Scope type="GroupById">
	<ID>
	00b4903a977fd817e9da167bc81306489181a110456bb635f466d71cf90a0d51
	</ID>
	</Scope>
	<Permission>
	FULL_CONTROL
	</Permission>
	</Entry>
	<Entry>
	<Scope type="GroupById">
	<ID>
	00b4903a974898cc8fc309f2f2835308ba3d3df1b889d3fc7e33e187d52d8e71
	</ID>
	</Scope>
	<Permission>
	READ
	</Permission>
	</Entry>
	</Entries>
	</AccessControlList>

	The ACL consists of an Owner element and a collection of Entry elements,
	each of which specifies a Scope and a Permission. Scopes are the way you
	specify an individual or group of individuals, and Permissions specify what
	access they're permitted.

	This particular ACL grants FULL_CONTROL to two groups (which means members
	of those groups are allowed to read the object and read and write the ACL),
	and READ permission to a third group. The project groups are (in order)
	the owners group, editors group, and viewers group.

	The 64 digit hex identifiers used in this ACL are called canonical IDs,
	and are used to identify predefined groups associated with the project that
	owns the bucket. For more information about project groups, see "gsutil
	help projects".

	Here's an example of an ACL specified using the GroupByEmail and GroupByDomain
	scopes:

	<AccessControlList>
	<Entries>
	<Entry>
	<Permission>
	FULL_CONTROL
	</Permission>
	<Scope type="GroupByEmail">
	<EmailAddress>travel-companion-owners@googlegroups.com</EmailAddress>
	</Scope>
	</Entry>
	<Entry>
	<Permission>
	READ
	</Permission>
	<Scope type="GroupByDomain">
	<Domain>example.com</Domain>
	</Scope>
	</Entry>
	</Entries>
	</AccessControlList>

	This ACL grants members of an email group FULL_CONTROL, and grants READ
	access to any user in a domain (which must be a Google Apps for Business
	domain). By applying email group grants to a collection of objects
	you can edit access control for large numbers of objects at once via
	http://groups.google.com. That way, for example, you can easily and quickly
	change access to a group of company objects when employees join and leave
	your company (i.e., without having to individually change ACLs across
	potentially millions of objects).


	<B>SHARING SCENARIOS</B>
	For more detailed examples how to achieve various useful sharing use
	cases see https://developers.google.com/storage/docs/collaboration
	""")


	class CommandOptions(HelpProvider):
	"""Additional help about Access Control Lists."""

	help_spec = {
	# Name of command or auxiliary help info for which this help applies.
	HELP_NAME : 'acls',
	# List of help name aliases.
	HELP_NAME_ALIASES : ['acl', 'ACL', 'access control', 'access control list',
	'authorization', 'canned', 'canned acl'],
	# Type of help:
	HELP_TYPE : HelpType.ADDITIONAL_HELP,
	# One line summary of this help.
	HELP_ONE_LINE_SUMMARY : 'Working with Access Control Lists',
	# The full help text.
	HELP_TEXT : _detailed_help_text,
	}