def make_bucket(name='test_bucket', policy=None, owner_id=None):
s3_conn = boto.connect_s3()
policy = policy or Policy()
owner_id = owner_id or 'test_owner_id'
policy.owner = User(id=owner_id)
acl = ACL()
acl.grants = []
policy.acl = acl
bucket = s3_conn.create_bucket(name)
bucket.policy = policy
return bucket, policy
def adjust_bucket_acl(s3_conn, bucket_name, users_whose_grant_to_remove):
"""
Adjust the ACL on given bucket and remove grants for all the mentioned users.
:type s3_conn: boto.s3.connection.S3Connection
:param s3_conn: Established boto connection to S3 that has access to bucket_name
:type bucket_name: string
:param bucket_name: Name of the bucket for which to adjust the ACL
:type users_whose_grant_to_remove: list
:param users_whose_grant_to_remove: List of user names (as defined in bucket's
initial ACL, e.g., ['afgane', 'cloud']) whose grant is to be revoked.
"""
bucket = get_bucket(s3_conn, bucket_name)
if bucket:
try:
grants_to_keep = []
# log.debug("All grants on bucket '%s' are following" % bucket_name)
# Compose list of grants on the bucket that are to be kept, i.e., siphon
# through the list of grants for bucket's users and the list of users
# whose grant to remove and create a list of bucket grants to keep
for g in bucket.get_acl().acl.grants:
# log.debug("Grant -> permission: %s, user name: %s, grant type: %s" % (g.permission, g.display_name, g.type))
# Public (i.e., group) permissions are kept under 'type' field
# so check that first
if g.type == 'Group' and 'Group' in users_whose_grant_to_remove:
pass
elif g.display_name not in users_whose_grant_to_remove:
grants_to_keep.append(g)
# Manipulate bucket's ACL now
bucket_policy = bucket.get_acl(
) # Object for bucket's current policy (which holds the ACL)
acl = ACL() # Object for bucket's to-be ACL
# Add all of the exiting (i.e., grants_to_keep) grants to the new
# ACL object
for gtk in grants_to_keep:
acl.add_grant(gtk)
# Update the policy and set bucket's ACL
bucket_policy.acl = acl
bucket.set_acl(bucket_policy)
# log.debug("List of kept grants for bucket '%s'" % bucket_name)
# for g in bucket_policy.acl.grants:
# log.debug("Grant -> permission: %s, user name: %s, grant type:
# %s" % (g.permission, g.display_name, g.type))
log.debug("Removed grants on bucket '%s' for these users: %s" %
(bucket_name, users_whose_grant_to_remove))
return True
except S3ResponseError as e:
log.error(
"Error adjusting ACL for bucket '%s': %s" % (bucket_name, e))
return False
def set_permissions(self, object, replace=False):
"""
Sets the S3 ACL grants for the given object to the appropriate
value based on the type of Distribution. If the Distribution
is serving private content the ACL will be set to include the
Origin Access Identity associated with the Distribution. If
the Distribution is serving public content the content will
be set up with "public-read".
:type object: :class:`boto.cloudfront.object.Object`
:param enabled: The Object whose ACL is being set
:type replace: bool
:param replace: If False, the Origin Access Identity will be
appended to the existing ACL for the object.
If True, the ACL for the object will be
completely replaced with one that grants
READ permission to the Origin Access Identity.
"""
if self.config.origin_access_identity:
id = self.config.origin_access_identity.split('/')[-1]
oai = self.connection.get_origin_access_identity_info(id)
policy = object.get_acl()
if replace:
policy.acl = ACL()
policy.acl.add_user_grant('READ', oai.s3_user_id)
object.set_acl(policy)
else:
object.set_canned_acl('public-read')
def get_canned_acl(self, canned_acl=None, bucket_owner_id=None, bucket_owner_display_name=None):
'''
Returns an acl object that can be applied to a bucket or key. It is intended to be used to verify
results that the service returns. To set a canned-acl you can simply set it on the bucket directly without
this method.
bucket_owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['private','public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_display_name Required. The account display name for the bucket owner, so that the correct permission can be generated fully
'''
if bucket_owner_id == None or canned_acl == None or bucket_owner_display_name == None :
raise S3opsException( "No user_id or canned_acl passed to get_canned_acl()" )
built_acl = ACL()
built_acl.add_user_grant(permission='FULL_CONTROL',user_id=bucket_owner_id, display_name=bucket_owner_display_name)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",type='Group',uri=self.s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",type='Group',uri=self.s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",type='Group',uri=self.s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",type='Group',uri=self.s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",type='Group',uri=self.s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-read canned acl ")
built_acl.add_grant(Grant(permission="READ",id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl ")
built_acl.add_grant(Grant(permission="FULL_CONTROL",id=bucket_owner_id))
return built_acl
def get_canned_acl(self,
canned_acl=None,
bucket_owner_id=None,
bucket_owner_display_name=None):
'''
Returns an acl object that can be applied to a bucket or key. It is intended to be used to verify
results that the service returns. To set a canned-acl you can simply set it on the bucket directly without
this method.
bucket_owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['private','public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_display_name Required. The account display name for the bucket owner, so that the correct permission can be generated fully
'''
if bucket_owner_id == None or canned_acl == None or bucket_owner_display_name == None:
raise S3opsException(
"No user_id or canned_acl passed to get_canned_acl()")
built_acl = ACL()
built_acl.add_user_grant(permission='FULL_CONTROL',
user_id=bucket_owner_id,
display_name=bucket_owner_display_name)
if canned_acl == "public-read":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["all_users"]))
built_acl.add_grant(
Grant(permission="WRITE",
type='Group',
uri=self.s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(
Grant(permission="READ",
type='Group',
uri=self.s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(
Grant(permission="WRITE",
type='Group',
uri=self.s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception(
"No bucket_owner_id passed when trying to create bucket-owner-read canned acl "
)
built_acl.add_grant(Grant(permission="READ", id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception(
"No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl "
)
built_acl.add_grant(
Grant(permission="FULL_CONTROL", id=bucket_owner_id))
return built_acl
def get_canned_acl(owner_id=None,canned_acl=None,bucket_owner_id=None):
'''
Returns an acl object that can be applied to a bucket or key
owner_id Account id of the owner of the bucket. Required
canned_acl Canned acl to implement. Required.
Options: ['public-read', 'public-read-write', 'authenticated-read', 'log-delivery-write', 'bucket-owner-full-control', 'bucket-owner-full-control']
bucket_owner_id Required for bucket-owner-full-control and bucket-owner-full-control acls to be created
'''
if owner_id == None or canned_acl == None:
raise S3opsException( "No owner_id or canned_acl passed to get_canned_acl()" )
owner_fc_grant = Grant(permission="FULL_CONTROL", id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-read canned acl ")
built_acl.add_grant(Grant(permission="READ",user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
if bucket_owner_id is None:
raise Exception("No bucket_owner_id passed when trying to create bucket-owner-full-control canned acl ")
built_acl.add_grant(Grant(permission="FULL_CONTROL",user_id=bucket_owner_id))
return built_acl
def get_canned_acl(owner_id=None, canned_acl=None, bucket_owner_id=None):
if owner_id == None or canned_acl == None:
return None
owner_fc_grant = Grant(permission="FULL_CONTROL", user_id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["all_users"]))
built_acl.add_grant(
Grant(permission="WRITE", uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(
Grant(permission="READ", uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(
Grant(permission="WRITE", uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
built_acl.add_grant(Grant(permission="READ", user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
built_acl.add_grant(
Grant(permission="FULL_CONTROL", user_id=bucket_owner_id))
else:
#No canned-acl value found
return None
return built_acl
def get_canned_acl(owner_id=None,canned_acl=None,bucket_owner_id=None):
if owner_id == None or canned_acl == None:
return None
owner_fc_grant = Grant(permission="FULL_CONTROL",user_id=owner_id)
built_acl = ACL()
built_acl.add_grant(owner_fc_grant)
if canned_acl == "public-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
elif canned_acl == "public-read-write":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["all_users"]))
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["all_users"]))
elif canned_acl == "authenticated-read":
built_acl.add_grant(Grant(permission="READ",uri=s3_groups["authenticated_users"]))
elif canned_acl == "log-delivery-write":
built_acl.add_grant(Grant(permission="WRITE",uri=s3_groups["log_delivery"]))
elif canned_acl == "bucket-owner-read":
built_acl.add_grant(Grant(permission="READ",user_id=bucket_owner_id))
elif canned_acl == "bucket-owner-full-control":
built_acl.add_grant(Grant(permission="FULL_CONTROL",user_id=bucket_owner_id))
else:
#No canned-acl value found
return None
return built_acl
