def set_permissions(self, object, replace=False):
"""
Sets the S3 ACL grants for the given object to the appropriate
value based on the type of Distribution. If the Distribution
is serving private content the ACL will be set to include the
Origin Access Identity associated with the Distribution. If
the Distribution is serving public content the content will
be set up with "public-read".
:type object: :class:`boto.cloudfront.object.Object`
:param enabled: The Object whose ACL is being set
:type replace: bool
:param replace: If False, the Origin Access Identity will be
appended to the existing ACL for the object.
If True, the ACL for the object will be
completely replaced with one that grants
READ permission to the Origin Access Identity.
"""
if isinstance(self.config.origin, S3Origin):
if self.config.origin.origin_access_identity:
id = self.config.origin.origin_access_identity.split('/')[-1]
oai = self.connection.get_origin_access_identity_info(id)
policy = object.get_acl()
if replace:
policy.acl = ACL()
policy.acl.add_user_grant('READ', oai.s3_user_id)
object.set_acl(policy)
else:
object.set_canned_acl('public-read')
def get_canned_acl(owner_id=None,canned_acl=None,bucket_owner_id=None):
'''
Returns an acl object that can be applied to a bucket or key
owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_id Required for bucket-owner-full-control and bucket-owner-full-control acls to be created
'''
if owner_id == None or canned_acl == None:
raise S3opsException( "No owner_id or canned_acl passed to get_canned_acl()" )
owner_fc_grant = Grant(permission="FULL_CONTROL", id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-read canned acl ")
built_acl.add_grant(Grant(permission="READ",user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl ")
built_acl.add_grant(Grant(permission="FULL_CONTROL",user_id=bucket_owner_id))
return built_acl
def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
if owner_id == None or canned_acl == None:
return None
owner_fc_grant = Grant(permission="FULL_CONTROL", user_id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["all_users"]))
built_acl.add_grant(
Grant(permission="WRITE", uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(
Grant(permission="WRITE", uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
built_acl.add_grant(Grant(permission="READ", user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
built_acl.add_grant(
Grant(permission="FULL_CONTROL", user_id=bucket_owner_id))
else:
#No canned-acl value found
return None
return built_acl
def make_bucket(name='test_bucket', policy=None, owner_id=None):
s3_conn = boto.connect_s3()
policy = policy or Policy()
owner_id = owner_id or 'test_owner_id'
policy.owner = User(id=owner_id)
acl = ACL()
acl.grants = []
policy.acl = acl
bucket = s3_conn.create_bucket(name)
bucket.policy = policy
return bucket, policy
def get_canned_acl(self,
canned_acl=None,
bucket_owner_id=None,
bucket_owner_display_name=None):
'''
Returns an acl object that can be applied to a bucket or key. It is intended to be used to verify
results that the service returns. To set a canned-acl you can simply set it on the bucket directly without
this method.
bucket_owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['private','public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_display_name Required. The account display name for the bucket owner, so that the correct permission can be generated fully
'''
if bucket_owner_id == None or canned_acl == None or bucket_owner_display_name == None:
raise S3opsException(
"No user_id or canned_acl passed to get_canned_acl()")
built_acl = ACL()
built_acl.add_user_grant(permission='FULL_CONTROL',
user_id=bucket_owner_id,
display_name=bucket_owner_display_name)
if canned_acl == "public-read":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["all_users"]))
built_acl.add_grant(
Grant(permission="WRITE",
type='Group',
uri=self.s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(
Grant(permission="WRITE",
type='Group',
uri=self.s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception(
"No bucket_owner_id passed when trying to create bucket-owner-read canned acl "
)
built_acl.add_grant(Grant(permission="READ", id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception(
"No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl "
)
built_acl.add_grant(
Grant(permission="FULL_CONTROL", id=bucket_owner_id))
return built_acl
