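def set_permissions(self, object, replace=False):
    """
    Sets the S3 ACL grants for the given object to the appropriate
    value based on the type of Distribution.

    If the Distribution is serving private content (an S3 origin with an
    Origin Access Identity), the object's ACL will be set to include a
    READ grant for the Origin Access Identity associated with the
    Distribution.  If the Distribution is serving public content (an S3
    origin without an Origin Access Identity) the object is set to the
    "public-read" canned ACL.  For non-S3 origins nothing is changed.

    :type object: :class:`boto.cloudfront.object.Object`
    :param object: The Object whose ACL is being set.

    :type replace: bool
    :param replace: If False, the Origin Access Identity will be appended
                    to the existing ACL for the object.  If True, the ACL
                    for the object will be completely replaced with one
                    that grants READ permission to the Origin Access
                    Identity only.
    """
    if not isinstance(self.config.origin, S3Origin):
        return
    if self.config.origin.origin_access_identity:
        # Only the last '/'-separated segment of the configured
        # origin_access_identity value is the identity id that the
        # connection lookup expects.
        oai_id = self.config.origin.origin_access_identity.split('/')[-1]
        oai = self.connection.get_origin_access_identity_info(oai_id)
        policy = object.get_acl()
        if replace:
            # Drop every existing grant so the OAI becomes the sole reader;
            # otherwise the OAI grant is added on top of what is already there.
            policy.acl = ACL()
        policy.acl.add_user_grant('READ', oai.s3_user_id)
        object.set_acl(policy)
    else:
        # Public distribution: the object must be world-readable.
        object.set_canned_acl('public-read')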
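def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
    '''
    Returns an acl object that can be applied to a bucket or key.

    owner_id
        Account id of the owner of the bucket. Required.
    canned_acl
        Canned acl to implement. Required. Options:
        ['public-read', 'public-read-write', 'authenticated-read',
         'log-delivery-write', 'bucket-owner-read',
         'bucket-owner-full-control']
    bucket_owner_id
        Required for the bucket-owner-read and bucket-owner-full-control
        acls to be created.

    Raises S3opsException when owner_id or canned_acl is missing, and a
    plain Exception when a bucket-owner-* acl is requested without
    bucket_owner_id.  Any other canned_acl value falls through and the
    returned ACL carries only the owner's FULL_CONTROL grant (i.e. the
    same grants as a "private" acl) without signalling an error.
    '''
    if owner_id is None or canned_acl is None:
        raise S3opsException(
            "No owner_id or canned_acl passed to get_canned_acl()")

    # NOTE(review): the owner grant is built with ``id=`` while the
    # bucket-owner grants below use ``user_id=``; only one of the two can be
    # the keyword the in-scope Grant class accepts -- confirm against its
    # definition.
    owner_fc_grant = Grant(permission="FULL_CONTROL", id=owner_id)
    built_acl = ACL()
    built_acl.add_grant(owner_fc_grant)

    if canned_acl == "public-read":
        built_acl.add_grant(
            Grant(permission="READ", uri=s3_groups["all_users"]))
    elif canned_acl == "public-read-write":
        built_acl.add_grant(
            Grant(permission="READ", uri=s3_groups["all_users"]))
        built_acl.add_grant(
            Grant(permission="WRITE", uri=s3_groups["all_users"]))
    elif canned_acl == "authenticated-read":
        built_acl.add_grant(
            Grant(permission="READ", uri=s3_groups["authenticated_users"]))
    elif canned_acl == "log-delivery-write":
        built_acl.add_grant(
            Grant(permission="WRITE", uri=s3_groups["log_delivery"]))
    elif canned_acl == "bucket-owner-read":
        if bucket_owner_id is None:
            raise Exception(
                "No bucket_owner_id passed when trying to create "
                "bucket-owner-read canned acl ")
        built_acl.add_grant(Grant(permission="READ", user_id=bucket_owner_id))
    elif canned_acl == "bucket-owner-full-control":
        if bucket_owner_id is None:
            raise Exception(
                "No bucket_owner_id passed when trying to create "
                "bucket-owner-full-control canned acl ")
        built_acl.add_grant(
            Grant(permission="FULL_CONTROL", user_id=bucket_owner_id))
    # Unrecognised values are not rejected here; see the docstring.
    return built_acl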
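def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
    '''
    Build an ACL object equivalent to a canned acl, for applying to a
    bucket or key.

    owner_id
        Account id of the owner of the bucket.  Required.
    canned_acl
        Canned acl to implement.  Required.  Options:
        ['public-read', 'public-read-write', 'authenticated-read',
         'log-delivery-write', 'bucket-owner-read',
         'bucket-owner-full-control']
    bucket_owner_id
        Required for bucket-owner-read and bucket-owner-full-control.

    Returns None (rather than raising) when owner_id or canned_acl is
    missing, when canned_acl is not one of the options above, or when a
    bucket-owner-* acl is requested without bucket_owner_id -- the last
    case previously produced a grant with a None user id.
    '''
    if owner_id is None or canned_acl is None:
        return None

    built_acl = ACL()
    built_acl.add_grant(Grant(permission="FULL_CONTROL", user_id=owner_id))

    if canned_acl == "public-read":
        built_acl.add_grant(
            Grant(permission="READ", uri=s3_groups["all_users"]))
    elif canned_acl == "public-read-write":
        built_acl.add_grant(
            Grant(permission="READ", uri=s3_groups["all_users"]))
        built_acl.add_grant(
            Grant(permission="WRITE", uri=s3_groups["all_users"]))
    elif canned_acl == "authenticated-read":
        built_acl.add_grant(
            Grant(permission="READ", uri=s3_groups["authenticated_users"]))
    elif canned_acl == "log-delivery-write":
        built_acl.add_grant(
            Grant(permission="WRITE", uri=s3_groups["log_delivery"]))
    elif canned_acl == "bucket-owner-read":
        if bucket_owner_id is None:
            return None
        built_acl.add_grant(Grant(permission="READ", user_id=bucket_owner_id))
    elif canned_acl == "bucket-owner-full-control":
        if bucket_owner_id is None:
            return None
        built_acl.add_grant(
            Grant(permission="FULL_CONTROL", user_id=bucket_owner_id))
    else:
        # No canned-acl value matched.
        return None
    return built_acl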
def make_bucket(name='test_bucket', policy=None, owner_id=None):
    """
    Create bucket *name* through a fresh S3 connection and attach a Policy
    to it.

    The policy's owner is a User built from *owner_id* (defaulting to
    'test_owner_id') and its acl is an ACL whose grants list has been
    emptied.  A missing *policy* is replaced by a new Policy().  Note that
    the policy is only attached to the local bucket object; nothing here
    sends it to the service.

    Returns a (bucket, policy) tuple.
    """
    connection = boto.connect_s3()
    bucket_policy = Policy() if not policy else policy
    effective_owner = 'test_owner_id' if not owner_id else owner_id

    bucket_policy.owner = User(id=effective_owner)
    empty_acl = ACL()
    empty_acl.grants = []
    bucket_policy.acl = empty_acl

    new_bucket = connection.create_bucket(name)
    new_bucket.policy = bucket_policy
    return new_bucket, bucket_policy
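def get_canned_acl(self, canned_acl=None, bucket_owner_id=None,
                   bucket_owner_display_name=None):
    '''
    Returns an acl object that can be applied to a bucket or key.  It is
    intended to be used to verify results that the service returns.  To
    set a canned-acl you can simply set it on the bucket directly without
    this method.

    bucket_owner_id
        Account id of the owner of the bucket.  Required.
    canned_acl
        Canned acl to implement.  Required.  Options:
        ['private', 'public-read', 'public-read-write',
         'authenticated-read', 'log-delivery-write', 'bucket-owner-read',
         'bucket-owner-full-control']
    bucket_owner_display_name
        Required.  The account display name for the bucket owner, so that
        the correct permission can be generated fully.

    Raises S3opsException when any of the three arguments is missing.
    'private' -- and any value not listed above -- yields an ACL holding
    only the owner's FULL_CONTROL grant.
    '''
    if (bucket_owner_id is None or canned_acl is None
            or bucket_owner_display_name is None):
        raise S3opsException(
            "No bucket_owner_id, canned_acl or bucket_owner_display_name "
            "passed to get_canned_acl()")

    built_acl = ACL()
    built_acl.add_user_grant(permission='FULL_CONTROL',
                             user_id=bucket_owner_id,
                             display_name=bucket_owner_display_name)

    # Group grants are typed 'Group' and addressed by uri; the bucket-owner
    # grants are addressed by account id.  bucket_owner_id is already known
    # to be set by the guard above, so no per-branch check is needed.
    if canned_acl == "public-read":
        built_acl.add_grant(
            Grant(permission="READ", type='Group',
                  uri=self.s3_groups["all_users"]))
    elif canned_acl == "public-read-write":
        built_acl.add_grant(
            Grant(permission="READ", type='Group',
                  uri=self.s3_groups["all_users"]))
        built_acl.add_grant(
            Grant(permission="WRITE", type='Group',
                  uri=self.s3_groups["all_users"]))
    elif canned_acl == "authenticated-read":
        built_acl.add_grant(
            Grant(permission="READ", type='Group',
                  uri=self.s3_groups["authenticated_users"]))
    elif canned_acl == "log-delivery-write":
        built_acl.add_grant(
            Grant(permission="WRITE", type='Group',
                  uri=self.s3_groups["log_delivery"]))
    elif canned_acl == "bucket-owner-read":
        built_acl.add_grant(Grant(permission="READ", id=bucket_owner_id))
    elif canned_acl == "bucket-owner-full-control":
        built_acl.add_grant(
            Grant(permission="FULL_CONTROL", id=bucket_owner_id))
    return built_acl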