def adjust_bucket_acl(s3_conn, bucket_name, users_whose_grant_to_remove):
"""
Adjust the ACL on given bucket and remove grants for all the mentioned users.
:type s3_conn: boto.s3.connection.S3Connection
:param s3_conn: Established boto connection to S3 that has access to bucket_name
:type bucket_name: string
:param bucket_name: Name of the bucket for which to adjust the ACL
:type users_whose_grant_to_remove: list
:param users_whose_grant_to_remove: List of user names (as defined in bucket's
initial ACL, e.g., ['afgane', 'cloud']) whose grant is to be revoked.
"""
bucket = get_bucket(s3_conn, bucket_name)
if bucket:
try:
grants_to_keep = []
# log.debug("All grants on bucket '%s' are following" % bucket_name)
# Compose list of grants on the bucket that are to be kept, i.e., siphon
# through the list of grants for bucket's users and the list of users
# whose grant to remove and create a list of bucket grants to keep
for g in bucket.get_acl().acl.grants:
# log.debug("Grant -> permission: %s, user name: %s, grant type: %s" % (g.permission, g.display_name, g.type))
# Public (i.e., group) permissions are kept under 'type' field
# so check that first
if g.type == 'Group' and 'Group' in users_whose_grant_to_remove:
pass
elif g.display_name not in users_whose_grant_to_remove:
grants_to_keep.append(g)
# Manipulate bucket's ACL now
bucket_policy = bucket.get_acl(
) # Object for bucket's current policy (which holds the ACL)
acl = ACL() # Object for bucket's to-be ACL
# Add all of the exiting (i.e., grants_to_keep) grants to the new
# ACL object
for gtk in grants_to_keep:
acl.add_grant(gtk)
# Update the policy and set bucket's ACL
bucket_policy.acl = acl
bucket.set_acl(bucket_policy)
# log.debug("List of kept grants for bucket '%s'" % bucket_name)
# for g in bucket_policy.acl.grants:
# log.debug("Grant -> permission: %s, user name: %s, grant type:
# %s" % (g.permission, g.display_name, g.type))
log.debug("Removed grants on bucket '%s' for these users: %s" %
(bucket_name, users_whose_grant_to_remove))
return True
except S3ResponseError as e:
log.error(
"Error adjusting ACL for bucket '%s': %s" % (bucket_name, e))
return False
def get_canned_acl(self, canned_acl=None, bucket_owner_id=None, bucket_owner_display_name=None):
'''
Returns an acl object that can be applied to a bucket or key. It is intended to be used to verify
results that the service returns. To set a canned-acl you can simply set it on the bucket directly without
this method.
bucket_owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['private','public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_display_name Required. The account display name for the bucket owner, so that the correct permission can be generated fully
'''
if bucket_owner_id == None or canned_acl == None or bucket_owner_display_name == None :
raise S3opsException( "No user_id or canned_acl passed to get_canned_acl()" )
built_acl = ACL()
built_acl.add_user_grant(permission='FULL_CONTROL',user_id=bucket_owner_id, display_name=bucket_owner_display_name)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",type='Group',uri=self.s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",type='Group',uri=self.s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",type='Group',uri=self.s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",type='Group',uri=self.s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",type='Group',uri=self.s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-read canned acl ")
built_acl.add_grant(Grant(permission="READ",id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl ")
built_acl.add_grant(Grant(permission="FULL_CONTROL",id=bucket_owner_id))
return built_acl
def get_canned_acl(self,
canned_acl=None,
bucket_owner_id=None,
bucket_owner_display_name=None):
'''
Returns an acl object that can be applied to a bucket or key. It is intended to be used to verify
results that the service returns. To set a canned-acl you can simply set it on the bucket directly without
this method.
bucket_owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['private','public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_display_name Required. The account display name for the bucket owner, so that the correct permission can be generated fully
'''
if bucket_owner_id == None or canned_acl == None or bucket_owner_display_name == None:
raise S3opsException(
"No user_id or canned_acl passed to get_canned_acl()")
built_acl = ACL()
built_acl.add_user_grant(permission='FULL_CONTROL',
user_id=bucket_owner_id,
display_name=bucket_owner_display_name)
if canned_acl == "public-read":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["all_users"]))
built_acl.add_grant(
Grant(permission="WRITE",
type='Group',
uri=self.s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(
Grant(permission="WRITE",
type='Group',
uri=self.s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception(
"No bucket_owner_id passed when trying to create bucket-owner-read canned acl "
)
built_acl.add_grant(Grant(permission="READ", id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception(
"No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl "
)
built_acl.add_grant(
Grant(permission="FULL_CONTROL", id=bucket_owner_id))
return built_acl
def get_canned_acl(owner_id=None,canned_acl=None,bucket_owner_id=None):
'''
Returns an acl object that can be applied to a bucket or key
owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_id Required for bucket-owner-full-control and bucket-owner-full-control acls to be created
'''
if owner_id == None or canned_acl == None:
raise S3opsException( "No owner_id or canned_acl passed to get_canned_acl()" )
owner_fc_grant = Grant(permission="FULL_CONTROL", id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-read canned acl ")
built_acl.add_grant(Grant(permission="READ",user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl ")
built_acl.add_grant(Grant(permission="FULL_CONTROL",user_id=bucket_owner_id))
return built_acl
def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
if owner_id == None or canned_acl == None:
return None
owner_fc_grant = Grant(permission="FULL_CONTROL", user_id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["all_users"]))
built_acl.add_grant(
Grant(permission="WRITE", uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(
Grant(permission="WRITE", uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
built_acl.add_grant(Grant(permission="READ", user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
built_acl.add_grant(
Grant(permission="FULL_CONTROL", user_id=bucket_owner_id))
else:
#No canned-acl value found
return None
return built_acl
def get_canned_acl(owner_id=None,canned_acl=None,bucket_owner_id=None):
if owner_id == None or canned_acl == None:
return None
owner_fc_grant = Grant(permission="FULL_CONTROL",user_id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
built_acl.add_grant(Grant(permission="READ",user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
built_acl.add_grant(Grant(permission="FULL_CONTROL",user_id=bucket_owner_id))
else:
#No canned-acl value found
return None
return built_acl
