File Acl permissions #804

Closed
lafama opened this issue Aug 17, 2015 · 21 comments

@lafama

lafama commented Aug 17, 2015

Is it possible to add permissions (allUsers:readers) to a file during uploading?

var myBucket = gcs.bucket('testbucket');
var file = myBucket.file('test.png');
file.createWriteStream({
    gzip: true,
    // set permission to allUsers:readers
})
@stephenplusplus
Contributor

There is, though it's a little more wordy than our API is usually:

file.createWriteStream({
    metadata: {
      acl: [
        {
          entity: 'allUsers',
          role: gcloud.storage.acl.READER_ROLE
        }
      ]
    }
  });

I'm struggling to think of a clean way to make that easier, but if you have any ideas, we will gladly try to accommodate!

@lafama
Author

lafama commented Aug 17, 2015

I have tried that, but the file gets uploaded and no permissions are set. Here is my modified code

fs.createReadStream('test.png')
  .pipe(file.createWriteStream({
    metadata: {
      acl: [
        {
          entity: 'allUsers',
          role: gcs.acl.READER_ROLE
        }
      ]
    }
  }))
  .on('error', function(err) {
    done();
  })
  .on('complete', function(metadata) {
    done();
  });

Am I missing something?

@stephenplusplus
Contributor

I don't think so, that looks right to me. Can you paste what metadata returns in the complete callback?

Also, what version of gcloud are you running?

@lafama
Author

lafama commented Aug 17, 2015

{ kind: 'storage#object',
  id: 'xxxx/temp/test.png/1439816836081000',
  selfLink: 'https://www.googleapis.com/storage/v1/b/xxxx/o/temp%2Ftest.png',
  name: 'temp/test.png',
  bucket: 'xxxx',
  generation: '1439816836081000',
  metageneration: '1',
  contentType: 'image/png',
  updated: '2015-08-17T13:07:16.080Z',
  storageClass: 'STANDARD',
  size: '53844',
  md5Hash: 'zAp5LEFzw2l',
  mediaLink: 'https://www.googleapis.com/download/storage/v1/b/xxx/o/temp%2Ftest.png?generation=1439816836081000&alt=media',
  acl: 
   [ { kind: 'storage#objectAccessControl',
       id: 'xxx/temp/test.png/1439816836081000/allUsers',
       selfLink: 'https://www.googleapis.com/storage/v1/b/xxxx/o/temp%2Ftest.png/acl/allUsers',
       bucket: 'xxxx',
       object: 'temp/test.png',
       generation: '1439816836081000',
       entity: 'allUsers',
       role: 'READER',
       etag: 'COjKEAE=' },
     { kind: 'storage#objectAccessControl',
       id: 'xxx/temp/test.png/1439816836081000/user-00b4903770f8e313045586eab55',
       selfLink: 'https://www.googleapis.com/storage/v1/b/xxxx/o/temp%2Ftest.png/acl/user-00b4903770f8e313045586eab55',
       bucket: 'xxx',
       object: 'temp/test.png',
       generation: '1439816836081000',
       entity: 'user-00b4903770f8e313045586eab55',
       role: 'OWNER',
       entityId: '00b4903770f8e313045586eab55',
       etag: 'COjKudiXsMcCEAE=' } ],
  owner: 
   { entity: 'user-00b4903770f8e313045586eab55',
     entityId: '00b4903770f8e313045586eab55' },
  crc32c: 'LOOQ==',
  etag: 'COjcCEAE=' }

@lafama
Author

lafama commented Aug 17, 2015

I am using version 0.18.0

@stephenplusplus
Contributor

It looks like the right permissions were added:

metadata.acl[0] = {
  // ...
  entity: 'allUsers',
  role: 'READER'
}

How are you verifying the file is not being given the right permissions?

@lafama
Author

lafama commented Aug 17, 2015

I was accessing it using the console.developers.google.com UI, and I can't set any permissions using it.
I am getting:

Please include at least one owner's permission

However, I have tested the actual URL and it's accessible to the public.

@stephenplusplus
Contributor

I get the "Please include at least one owner's permission" if I try to remove the owner permission.

[Screenshot]

After clicking the X next to the owner's permission:

[Screenshot]

Does your permissions dialog look different than mine?

@lafama
Author

lafama commented Aug 17, 2015

This is what I get on the permissions dialog (no permissions are listed):
[Screenshot]
and on the bucket list view:
[Screenshot]

@stephenplusplus
Contributor

@jgeewax I think you're the resident expert at ACLs. Is there any reason a file would say it uploaded would have this metadata, but then list nothing (see above screenshot)?

@lafama
Author

lafama commented Aug 20, 2015

Anyone with leads on this issue?

@jgeewax
Contributor

jgeewax commented Aug 20, 2015

Hmm weird. Is it possible that somehow we're overriding the owner (which should be the service account that uploaded the object) which leads to a weird situation in the UI?

@lafama
Author

lafama commented Aug 20, 2015

How can I test this case?

@stephenplusplus
Contributor

// @jgeewax

We're passing this metadata with the upload:

metadata.acl = [
  {
    entity: 'allUsers',
    role: 'READER'
  }
]

@jgeewax
Contributor

jgeewax commented Nov 30, 2015

/cc @Capstan : Any idea what's going on here? Apparently the metadata response says it has an owner, but the UI disagrees.... ?

@Capstan

Capstan commented Dec 1, 2015

You cannot change the owner of an object. You can only overwrite an object and become the new owner. The UI is being a little simplistic in that being the owner implies having OWNER permission. You can grant other ACL entities OWNER permission, but you cannot remove the owner from the ACL list.

If you provide an ACL list on creation, we will naturally add the current user or service account creating the object to the ACLs.

FTR, use of predefined ACLs works as well.

@Capstan

Capstan commented Dec 1, 2015

If you had, for instance, added another entity owner permission, the dialog would have happily allowed you to save. However, GCS would then quietly re-add the original owner back into the ACL. I've filed a bug against the UI for this behavior.
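
Added example (not written by the thread participants and not part of gcloud-node): a small model of the owner behaviour described in the two comments above, plus a check that reads the ACL from the metadata the upload returns instead of relying on the console dialog. The function names `effectiveAcl` and `auditObjectAcl` and the creator id are hypothetical; the sample metadata is constructed to mirror the shape posted earlier in the thread.

```javascript
// Entities that make an object readable without a per-user grant.
const PUBLIC_ENTITIES = ['allUsers', 'allAuthenticatedUsers'];

// Model (assumption, based on the description in this thread) of what the
// service stores when an ACL list is sent at creation: the creating user or
// service account is the owner and is added with OWNER if not already listed.
function effectiveAcl(requestedAcl, creatorEntity) {
  const acl = (requestedAcl || []).map((e) => ({ entity: e.entity, role: e.role }));
  const creatorIsOwner = acl.some(
    (e) => e.entity === creatorEntity && e.role === 'OWNER'
  );
  if (!creatorIsOwner) {
    acl.push({ entity: creatorEntity, role: 'OWNER' });
  }
  return acl;
}

// Summarise who can reach the object, using only the returned metadata.
function auditObjectAcl(metadata) {
  const acl = metadata.acl || [];
  const ownerEntity = metadata.owner ? metadata.owner.entity : null;
  const publicGrants = acl.filter((e) => PUBLIC_ENTITIES.includes(e.entity));
  return {
    publicRead: publicGrants.length > 0,
    publicOwner: publicGrants.some((e) => e.role === 'OWNER'),
    ownerInAcl: acl.some((e) => e.entity === ownerEntity && e.role === 'OWNER'),
    owners: acl.filter((e) => e.role === 'OWNER').map((e) => e.entity),
  };
}

// Constructed sample: the upload from this thread, with a placeholder creator.
const creator = 'user-EXAMPLE_CREATOR_ID';
const uploaded = {
  name: 'temp/test.png',
  owner: { entity: creator },
  acl: effectiveAcl([{ entity: 'allUsers', role: 'READER' }], creator),
};

const report = auditObjectAcl(uploaded);
console.log(report);

// Granting OWNER to another entity does not drop the original owner.
const reowned = effectiveAcl([{ entity: 'user-OTHER_EXAMPLE', role: 'OWNER' }], creator);
console.log(reowned.map((e) => e.entity + ':' + e.role));
```

Running `auditObjectAcl` over every object's metadata is a quick way to list which uploads ended up world-readable.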

@jgeewax
Contributor

jgeewax commented Dec 1, 2015 via email

@Capstan

Capstan commented Dec 1, 2015

No, I think you are set. If the user tries to remove the OWNER permission, the service will correct them; no need for fancy validation client-side.

@stephenplusplus
Contributor

Thanks @Capstan!

@lafama was that information helpful? Are you still having an issue?

@stephenplusplus
Contributor

@lafama please re-open if this is still an issue.
