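def adjust_bucket_acl(s3_conn, bucket_name, users_whose_grant_to_remove):
    """
    Adjust the ACL on given bucket and remove grants for all the mentioned users.

    :type s3_conn: boto.s3.connection.S3Connection
    :param s3_conn: Established boto connection to S3 that has access to
                    bucket_name
    :type bucket_name: string
    :param bucket_name: Name of the bucket for which to adjust the ACL
    :type users_whose_grant_to_remove: list
    :param users_whose_grant_to_remove: List of user names (as defined in
        bucket's initial ACL, e.g., ['afgane', 'cloud']) whose grant is to be
        revoked. The literal entry 'Group' additionally removes every
        group-type grant (i.e., public / shared-group permissions) on the
        bucket.
    :rtype: bool
    :return: True if the ACL was rewritten; False if the bucket could not be
             retrieved or S3 rejected the ACL read/write.

    Note: no grant is protected from removal. If the bucket owner's own
    display name is listed, the owner's grant is dropped like any other.
    """
    bucket = get_bucket(s3_conn, bucket_name)
    if not bucket:
        # Previously fell through and returned None; make the failure explicit.
        log.error("Cannot adjust ACL; bucket '%s' was not retrieved" % bucket_name)
        return False
    try:
        # Read the current policy once and reuse it. The original fetched the
        # ACL twice, so the grants filtered and the policy rewritten could
        # have come from two different reads.
        bucket_policy = bucket.get_acl()
        remove_group_grants = 'Group' in users_whose_grant_to_remove
        acl = ACL()  # Object for bucket's to-be ACL: only the kept grants
        for g in bucket_policy.acl.grants:
            # Public (i.e., group) permissions are kept under 'type' field,
            # not under a display name, so check that first.
            if g.type == 'Group' and remove_group_grants:
                continue
            if g.display_name not in users_whose_grant_to_remove:
                acl.add_grant(g)
        # Swap the filtered ACL into the fetched policy and write it back
        bucket_policy.acl = acl
        bucket.set_acl(bucket_policy)
        log.debug("Removed grants on bucket '%s' for these users: %s" % (bucket_name,
                                                                           users_whose_grant_to_remove))
        return True
    except S3ResponseError as e:
        log.error(
            "Error adjusting ACL for bucket '%s': %s" % (bucket_name, e))
        return False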
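def get_canned_acl(self, canned_acl=None, bucket_owner_id=None, bucket_owner_display_name=None):
    '''
    Returns an acl object that can be applied to a bucket or key.
    It is intended to be used to verify results that the service returns.
    To set a canned-acl you can simply set it on the bucket directly
    without this method.

    Every returned ACL starts with a FULL_CONTROL grant for the bucket
    owner; the canned acl only adds grants on top of that. 'private' and
    any unrecognised canned_acl value add nothing, so the result is the
    owner-only ACL.

    bucket_owner_id
        Account id of the owner of the bucket. Required
    canned_acl
        Canned acl to implement. Required. Options: ['private',
        'public-read', 'public-read-write', 'authenticated-read',
        'log-delivery-write', 'bucket-owner-read',
        'bucket-owner-full-control']
    bucket_owner_display_name
        Required. The account display name for the bucket owner, so that
        the correct permission can be generated fully

    Raises S3opsException when any of the three arguments is missing.
    '''
    if canned_acl is None or bucket_owner_id is None or bucket_owner_display_name is None:
        raise S3opsException(
            "No canned_acl, bucket_owner_id or bucket_owner_display_name passed to get_canned_acl()")
    built_acl = ACL()
    built_acl.add_user_grant(permission='FULL_CONTROL', user_id=bucket_owner_id,
                             display_name=bucket_owner_display_name)
    # Group-based canned acls: (permission, key into self.s3_groups) pairs.
    # Note that 'public-read-write' hands WRITE to all_users, i.e. makes the
    # bucket world-writable.
    group_grants = {
        "public-read": [("READ", "all_users")],
        "public-read-write": [("READ", "all_users"), ("WRITE", "all_users")],
        "authenticated-read": [("READ", "authenticated_users")],
        "log-delivery-write": [("WRITE", "log_delivery")],
    }
    # Owner-based canned acls grant the bucket owner by account id.
    owner_grants = {
        "bucket-owner-read": "READ",
        "bucket-owner-full-control": "FULL_CONTROL",
    }
    if canned_acl in group_grants:
        for permission, group in group_grants[canned_acl]:
            built_acl.add_grant(
                Grant(permission=permission, type='Group', uri=self.s3_groups[group]))
    elif canned_acl in owner_grants:
        # bucket_owner_id is validated above, so the per-branch re-check the
        # original carried here was unreachable and has been dropped.
        built_acl.add_grant(Grant(permission=owner_grants[canned_acl], id=bucket_owner_id))
    return built_acl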
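def get_canned_acl(self, canned_acl=None, bucket_owner_id=None, bucket_owner_display_name=None):
    '''
    Returns an acl object that can be applied to a bucket or key.
    It is intended to be used to verify results that the service returns.
    To set a canned-acl you can simply set it on the bucket directly
    without this method.

    The owner's FULL_CONTROL grant is always present; the canned acl adds
    group or owner grants to it. 'private' (and any value not listed
    below) adds no further grant, so the owner-only ACL is returned.

    bucket_owner_id
        Account id of the owner of the bucket. Required
    canned_acl
        Canned acl to implement. Required. Options: ['private',
        'public-read', 'public-read-write', 'authenticated-read',
        'log-delivery-write', 'bucket-owner-read',
        'bucket-owner-full-control']
    bucket_owner_display_name
        Required. The account display name for the bucket owner, so that
        the correct permission can be generated fully

    Raises S3opsException when any argument is missing.
    '''
    if canned_acl is None or bucket_owner_id is None or bucket_owner_display_name is None:
        raise S3opsException(
            "No canned_acl, bucket_owner_id or bucket_owner_display_name passed to get_canned_acl()")
    built_acl = ACL()
    built_acl.add_user_grant(permission='FULL_CONTROL', user_id=bucket_owner_id,
                             display_name=bucket_owner_display_name)
    all_users = "all_users"
    if canned_acl == "public-read":
        built_acl.add_grant(
            Grant(permission="READ", type='Group', uri=self.s3_groups[all_users]))
    elif canned_acl == "public-read-write":
        # WRITE for all_users: the resulting bucket is world-writable.
        built_acl.add_grant(
            Grant(permission="READ", type='Group', uri=self.s3_groups[all_users]))
        built_acl.add_grant(
            Grant(permission="WRITE", type='Group', uri=self.s3_groups[all_users]))
    elif canned_acl == "authenticated-read":
        built_acl.add_grant(
            Grant(permission="READ", type='Group', uri=self.s3_groups["authenticated_users"]))
    elif canned_acl == "log-delivery-write":
        built_acl.add_grant(
            Grant(permission="WRITE", type='Group', uri=self.s3_groups["log_delivery"]))
    elif canned_acl == "bucket-owner-read":
        # bucket_owner_id was validated at the top; no second check needed.
        built_acl.add_grant(Grant(permission="READ", id=bucket_owner_id))
    elif canned_acl == "bucket-owner-full-control":
        built_acl.add_grant(
            Grant(permission="FULL_CONTROL", id=bucket_owner_id))
    return built_acl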
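def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
    '''
    Returns an acl object that can be applied to a bucket or key.

    A FULL_CONTROL grant for owner_id is always included; the canned acl
    adds group or bucket-owner grants on top of it. A canned_acl value not
    listed below adds nothing and the owner-only ACL is returned.

    owner_id
        Account id of the owner of the bucket. Required
    canned_acl
        Canned acl to implement. Required. Options: ['public-read',
        'public-read-write', 'authenticated-read', 'log-delivery-write',
        'bucket-owner-read', 'bucket-owner-full-control']
    bucket_owner_id
        Required for the bucket-owner-read and bucket-owner-full-control
        acls to be created

    Raises S3opsException when owner_id or canned_acl is missing, and
    Exception when a bucket-owner-* acl is requested without bucket_owner_id.

    NOTE(review): this version builds the group grants without type='Group'
    and the owner grant with user_id=, whereas the method variant in this
    file passes type='Group' and id= to Grant -- confirm which keyword set
    the Grant class in use actually accepts.
    '''
    if owner_id is None or canned_acl is None:
        raise S3opsException("No owner_id or canned_acl passed to get_canned_acl()")
    built_acl = ACL()
    built_acl.add_grant(Grant(permission="FULL_CONTROL", id=owner_id))
    # Group-based canned acls: (permission, key into s3_groups) pairs.
    # 'public-read-write' grants WRITE to all_users (world-writable bucket).
    group_grants = {
        "public-read": [("READ", "all_users")],
        "public-read-write": [("READ", "all_users"), ("WRITE", "all_users")],
        "authenticated-read": [("READ", "authenticated_users")],
        "log-delivery-write": [("WRITE", "log_delivery")],
    }
    owner_grants = {
        "bucket-owner-read": "READ",
        "bucket-owner-full-control": "FULL_CONTROL",
    }
    if canned_acl in group_grants:
        for permission, group in group_grants[canned_acl]:
            built_acl.add_grant(Grant(permission=permission, uri=s3_groups[group]))
    elif canned_acl in owner_grants:
        if bucket_owner_id is None:
            raise Exception("No bucket_owner_id passed when trying to create %s canned acl " % canned_acl)
        built_acl.add_grant(Grant(permission=owner_grants[canned_acl], user_id=bucket_owner_id))
    return built_acl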
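def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
    '''
    Returns an acl object for the given canned acl, or None on bad input.

    The ACL always carries a FULL_CONTROL grant for owner_id; the canned
    acl adds group grants or a grant for bucket_owner_id on top of it.

    owner_id
        Account id of the owner. Required; None is returned without it.
    canned_acl
        One of 'public-read', 'public-read-write', 'authenticated-read',
        'log-delivery-write', 'bucket-owner-read',
        'bucket-owner-full-control'. Any other value returns None.
    bucket_owner_id
        Required for the bucket-owner-* acls; None is returned when it is
        missing instead of emitting a grant for no principal.

    NOTE(review): Grant is built with user_id= here but with id= in the
    method variant of this function -- confirm the keyword the Grant class
    in use accepts.
    '''
    if owner_id is None or canned_acl is None:
        return None
    built_acl = ACL()
    built_acl.add_grant(Grant(permission="FULL_CONTROL", user_id=owner_id))
    # 'public-read-write' grants WRITE to all_users, i.e. a world-writable bucket.
    group_grants = {
        "public-read": [("READ", "all_users")],
        "public-read-write": [("READ", "all_users"), ("WRITE", "all_users")],
        "authenticated-read": [("READ", "authenticated_users")],
        "log-delivery-write": [("WRITE", "log_delivery")],
    }
    owner_grants = {
        "bucket-owner-read": "READ",
        "bucket-owner-full-control": "FULL_CONTROL",
    }
    if canned_acl in group_grants:
        for permission, group in group_grants[canned_acl]:
            built_acl.add_grant(Grant(permission=permission, uri=s3_groups[group]))
    elif canned_acl in owner_grants:
        if bucket_owner_id is None:
            # Previously produced a grant with user_id=None.
            return None
        built_acl.add_grant(Grant(permission=owner_grants[canned_acl], user_id=bucket_owner_id))
    else:
        # No canned-acl value found
        return None
    return built_acl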
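def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
    '''
    Returns an acl object for the given canned acl, or None on bad input.

    A FULL_CONTROL grant for owner_id is always present; the canned acl
    adds group grants or a grant for bucket_owner_id.

    owner_id
        Account id of the owner. Required; None is returned without it.
    canned_acl
        One of 'public-read', 'public-read-write', 'authenticated-read',
        'log-delivery-write', 'bucket-owner-read',
        'bucket-owner-full-control'. Any other value returns None.
    bucket_owner_id
        Required for the bucket-owner-* acls; None is returned when it is
        missing rather than emitting a grant for no principal.

    NOTE(review): Grant is built with user_id= here but with id= in the
    method variant of this function -- confirm which keyword the Grant
    class in use accepts.
    '''
    if owner_id is None or canned_acl is None:
        return None
    built_acl = ACL()
    built_acl.add_grant(Grant(permission="FULL_CONTROL", user_id=owner_id))
    all_users = s3_groups["all_users"] if canned_acl in ("public-read", "public-read-write") else None
    if canned_acl == "public-read":
        built_acl.add_grant(Grant(permission="READ", uri=all_users))
    elif canned_acl == "public-read-write":
        # WRITE for all_users: the resulting bucket is world-writable.
        built_acl.add_grant(Grant(permission="READ", uri=all_users))
        built_acl.add_grant(Grant(permission="WRITE", uri=all_users))
    elif canned_acl == "authenticated-read":
        built_acl.add_grant(Grant(permission="READ", uri=s3_groups["authenticated_users"]))
    elif canned_acl == "log-delivery-write":
        built_acl.add_grant(Grant(permission="WRITE", uri=s3_groups["log_delivery"]))
    elif canned_acl in ("bucket-owner-read", "bucket-owner-full-control"):
        if bucket_owner_id is None:
            # Previously produced a grant with user_id=None.
            return None
        permission = "READ" if canned_acl == "bucket-owner-read" else "FULL_CONTROL"
        built_acl.add_grant(Grant(permission=permission, user_id=bucket_owner_id))
    else:
        # No canned-acl value found
        return None
    return built_acl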