Is it possible to change the ACLs of Google Cloud Storage objects (or buckets) using the App Engine API? I understand that this can be done using the REST API, but is there support for this in the Files API in App Engine? They can be set when creating a new object using GSFileObject; however, can you change them on existing objects?
2 Answers
9
You can use urlfetch.fetch and app_identity.get_access_token to easily send an authenticated request to the REST API.
Python:
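    from google.appengine.api import app_identity
    from google.appengine.api import urlfetch

    # Change foo@example.com to a valid email.
    # This document replaces the object's existing ACL.
    acl_xml = """
    <AccessControlList><Entries>
      <Entry>
        <Scope type="UserByEmail">foo@example.com</Scope>
        <Permission>READ</Permission>
      </Entry>
    </Entries></AccessControlList>
    """

    # Get an OAuth token for the app's own service account.
    scope = 'https://www.googleapis.com/auth/devstorage.full_control'
    token = app_identity.get_access_token(scope)

    # Change bucket and obj to the bucket and object of interest.
    # Use https so the access token is not sent in cleartext.
    response = urlfetch.fetch(
        'https://storage.googleapis.com/bucket/obj?acl',
        method=urlfetch.PUT,
        payload=acl_xml,
        headers={'Authorization': 'OAuth %s' % token})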
Java:
    import com.google.appengine.api.appidentity.AppIdentityService;
    import com.google.appengine.api.appidentity.AppIdentityServiceFactory;
    import java.io.OutputStreamWriter;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.util.ArrayList;

    // Place this method inside one of your own classes.
    public void setAcl() throws Exception {
      // Change foo@example.com to a valid email.
      // Repeat <Entry/> as many times as necessary.
      String xmlString = "";
      xmlString += "<AccessControlList><Entries>";
      xmlString += "  <Entry>";
      xmlString += "    <Scope type=\"UserByEmail\">foo@example.com</Scope>";
      xmlString += "    <Permission>READ</Permission>";
      xmlString += "  </Entry>";
      xmlString += "</Entries></AccessControlList>";

      // Get an OAuth token for the app's own service account.
      ArrayList<String> scopes = new ArrayList<String>();
      scopes.add("https://www.googleapis.com/auth/devstorage.full_control");
      AppIdentityService.GetAccessTokenResult accessToken =
          AppIdentityServiceFactory.getAppIdentityService().getAccessToken(scopes);

      // Change bucket and obj to the bucket and object of interest.
      URL url = new URL("https://storage.googleapis.com/bucket/obj?acl");
      HttpURLConnection connection = (HttpURLConnection) url.openConnection();
      connection.setDoOutput(true);
      connection.setRequestMethod("PUT");
      connection.addRequestProperty(
          "Authorization", "OAuth " + accessToken.getAccessToken());
      OutputStreamWriter writer = new OutputStreamWriter(connection.getOutputStream());
      writer.write(xmlString);
      writer.close();

      // Anything other than 200 means the ACL was not applied.
      if (connection.getResponseCode() != HttpURLConnection.HTTP_OK) {
        throw new Exception(
            "Unexpected response code: " + connection.getResponseCode());
      }
    }
More info:

fejta
- Since there is not yet an implementation in the API, I choose your answer. Easier than I thought to make an authenticated request. I had no idea about the identity API. Thanks! – Patrick Jackson Nov 29 '12 at 00:27
- So jealous of Python programmers right now...been messing with the Java version of this for several hours with no luck! – Patrick Jackson Nov 29 '12 at 04:11
- I revoked the answer because I have not been able to do a working example in Java – Patrick Jackson Nov 29 '12 at 04:26
- Added a Java example. Sorry for missing that originally. – fejta Nov 29 '12 at 06:23
- Thanks for adding the Java example, it worked with a few modifications. BTW, do you know if you can ADD an ACL to an object? When I use this method, the ACLs were replaced with the ACL provided in the XML. – Patrick Jackson Nov 30 '12 at 02:06
- I think you just posted another question on this, right? I answered there :) – fejta Nov 30 '12 at 02:29
- The XML API does not allow you to add/remove ACLs -- just replace all of them. The JSON API does support add/remove semantics. – fejta Nov 30 '12 at 08:26
- Holy crud. I didn't know that's how you can get an OAuth token. So easy!!! Thank you!!! – David T. Aug 20 '14 at 01:49
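As the comments above note, a PUT to `?acl` in the XML API replaces the whole ACL. This added example (not code from either answer) shows the local merge step of a read-modify-write: take the ACL read back with a GET on the same `?acl` URL, add or update one grant, and produce the full document to PUT. `merge_grant`, `grants` and the sample document are constructed for this illustration and assume the ACL XML shape used in the answer.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an ACL as read back from GET .../bucket/obj?acl,
# in the same XML shape as the answer's acl_xml.
CURRENT_ACL = """
<AccessControlList><Entries>
<Entry>
<Scope type="UserByEmail">owner@example.com</Scope>
<Permission>FULL_CONTROL</Permission>
</Entry>
</Entries></AccessControlList>
"""


def _key(entry):
    """Identify an entry by scope type plus lower-cased scope text."""
    scope = entry.find("Scope")
    if scope is None:
        return (None, "")
    return (scope.get("type"), "".join(scope.itertext()).strip().lower())


def merge_grant(current_acl_xml, scope_type, identity, permission):
    """Return the full ACL document with one grant added or updated."""
    root = ET.fromstring(current_acl_xml)
    entries = root.find("Entries")
    if entries is None:
        entries = ET.SubElement(root, "Entries")
    wanted = (scope_type, identity.strip().lower())
    # Reuse the grantee's entry if present so no duplicate is created.
    entry = next((e for e in entries.findall("Entry") if _key(e) == wanted), None)
    if entry is None:
        entry = ET.SubElement(entries, "Entry")
        ET.SubElement(entry, "Scope", {"type": scope_type}).text = identity
    perm = entry.find("Permission")
    if perm is None:
        perm = ET.SubElement(entry, "Permission")
    perm.text = permission
    # Every existing entry is still in the tree, so the PUT keeps them.
    return ET.tostring(root, encoding="unicode")


def grants(acl_xml):
    """List (scope type, identity, permission) tuples for review or logging."""
    root = ET.fromstring(acl_xml)
    return [_key(e) + (e.findtext("Permission"),) for e in root.iter("Entry")]
```

The GET and the PUT are separate requests, so two writers doing this at the same time can overwrite each other's change; comparing `grants()` before and after the PUT gives a simple audit record of what was granted.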
1
Modifying ACLs on existing objects is not supported via the App Engine Google Cloud Storage API; however, I've just written a feature request asking to add that capability.

Marc Cohen
- Btw, if you're creating objects with similar ACLs, using a default bucket or object ACL might help (details: https://developers.google.com/storage/docs/accesscontrol#default). – Marc Cohen Nov 29 '12 at 00:05