| 1 | +ACL |
| 2 | +=== |
| 3 | + |
| 4 | +Cloud Storage uses access control lists (ACLs) to manage object and bucket access. |
| 5 | +ACLs are the mechanism you use to share files with other users and allow |
| 6 | +other users to access your buckets and files. |
| 7 | + |
| 8 | +ACLs are suitable for fine-grained control, but you may prefer using IAM to |
| 9 | +control access at the project level. See also: |
| 10 | +`Cloud Storage Control Access to Data <https://cloud.google.com/storage/docs/access-control>`_ |
| 11 | + |
| 12 | + |
| 13 | +:class:`google.cloud.storage.bucket.Bucket` has a getting method that creates |
| 14 | +an ACL object under the hood, and you can interact with that using |
| 15 | +:func:`google.cloud.storage.bucket.Bucket.acl`: |
| 16 | + |
| 17 | +.. code-block:: python |
| 18 | +
|
| 19 | + client = storage.Client() |
| 20 | + bucket = client.get_bucket(bucket_name) |
| 21 | + acl = bucket.acl |
| 22 | +
|
| 23 | +Adding and removing permissions can be done with the following methods |
| 24 | +(in increasing order of granularity): |
| 25 | + |
| 26 | +- :func:`ACL.all` |
| 27 | + corresponds to access for all users. |
| 28 | +- :func:`ACL.all_authenticated` corresponds |
| 29 | + to access for all users that are signed into a Google account. |
| 30 | +- :func:`ACL.domain` corresponds to access on a |
| 31 | + per Google Apps domain (ie, ``example.com``). |
| 32 | +- :func:`ACL.group` corresponds to access on a |
| 33 | + per group basis (either by ID or e-mail address). |
| 34 | +- :func:`ACL.user` corresponds to access on a |
| 35 | + per user basis (either by ID or e-mail address). |
| 36 | + |
| 37 | +And you are able to ``grant`` and ``revoke`` the following roles: |
| 38 | + |
| 39 | +- **Reading**: |
| 40 | + :func:`_ACLEntity.grant_read` and :func:`_ACLEntity.revoke_read` |
| 41 | +- **Writing**: |
| 42 | + :func:`_ACLEntity.grant_write` and :func:`_ACLEntity.revoke_write` |
| 43 | +- **Owning**: |
| 44 | + :func:`_ACLEntity.grant_owner` and :func:`_ACLEntity.revoke_owner` |
| 45 | + |
| 46 | +You can use any of these like any other factory method (these happen to |
| 47 | +be :class:`_ACLEntity` factories): |
| 48 | + |
| 49 | +.. code-block:: python |
| 50 | +
|
| 51 | + acl.user("[email protected]").grant_read() |
| 52 | + acl.all_authenticated().grant_write() |
| 53 | +
|
| 54 | +After that, you can save any changes you make with the |
| 55 | +:func:`google.cloud.storage.acl.ACL.save` method: |
| 56 | + |
| 57 | +.. code-block:: python |
| 58 | +
|
| 59 | + acl.save() |
| 60 | +
|
| 61 | +
|
| 62 | +You can alternatively save any existing :class:`google.cloud.storage.acl.ACL` |
| 63 | +object (whether it was created by a factory method or not) from a |
| 64 | +:class:`google.cloud.storage.bucket.Bucket`: |
| 65 | + |
| 66 | +.. code-block:: python |
| 67 | +
|
| 68 | + bucket.acl.save(acl=acl) |
| 69 | +
|
| 70 | +
|
| 71 | +To get the list of ``entity`` and ``role`` for each unique pair, the |
| 72 | +:class:`ACL` class is iterable: |
| 73 | + |
| 74 | +.. code-block:: python |
| 75 | +
|
| 76 | + print(list(acl)) |
| 77 | + # [{'role': 'OWNER', 'entity': 'allUsers'}, ...] |
| 78 | +
|
| 79 | +
|
| 80 | +This list of tuples can be used as the ``entity`` and ``role`` fields |
| 81 | +when sending metadata for ACLs to the API. |
| 82 | + |
| 83 | + |
| 84 | +ACL Module |
| 85 | +---------- |
| 86 | + |
| 87 | +.. automodule:: google.cloud.storage.acl |
| 88 | + :members: |
| 89 | + :show-inheritance: |
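Review bot: the iteration example (hunk lines 76 to 81) prints a list of dicts, `# [{'role': 'OWNER', 'entity': 'allUsers'}, ...]`, but the following paragraph calls it "This list of tuples"; make the two agree (a list of dicts with ``entity`` and ``role`` keys) so readers do not try to unpack tuples. Hunk lines 13 to 15 describe `Bucket.acl` as a "getting method" and link it with `:func:`, yet the snippet correctly uses it as an attribute (`acl = bucket.acl`, no call); reword to "has an ``acl`` attribute" and use `:attr:`. The factory example at hunk line 52, `acl.all_authenticated().grant_write()`, grants WRITE to every signed-in Google account, which is effectively a public write grant; since this page is the reference readers will copy from, either use a narrower entity in the example (for instance `acl.group(...)`) or add one sentence next to `ACL.all` and `ACL.all_authenticated` saying these entities make the resource world-accessible, so the breadth of the grant is explicit. Hunk line 51 shows the address as `[email protected]`, which reads as an email-obfuscation artifact rather than a deliberate placeholder; spell out an obvious example such as `user@example.com`. Minor: "ie," at hunk line 31 should be "i.e.,", and the doubled blank lines after the `acl.save()`, `bucket.acl.save(acl=acl)` and iteration blocks can be collapsed to one.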