284 lines
10 KiB
Python
284 lines
10 KiB
Python
# -*- coding: utf-8 -*-
|
|
# Copyright 2018 Google Inc. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""This module provides the command to gsutil."""
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import print_function
|
|
|
|
import getopt
|
|
import textwrap
|
|
|
|
from gslib import metrics
|
|
from gslib.command import Command
|
|
from gslib.command_argument import CommandArgument
|
|
from gslib.cs_api_map import ApiSelector
|
|
from gslib.exception import CommandException
|
|
from gslib.exception import NO_URLS_MATCHED_TARGET
|
|
from gslib.help_provider import CreateHelpText
|
|
from gslib.third_party.storage_apitools import storage_v1_messages as apitools_messages
|
|
from gslib.utils.constants import NO_MAX
|
|
from gslib.utils.shim_util import GcloudStorageMap
|
|
from gslib.utils.text_util import InsistOnOrOff
|
|
from gslib.utils import shim_util
|
|
|
|
_SET_SYNOPSIS = """
|
|
gsutil ubla set (on|off) gs://<bucket_name>...
|
|
"""
|
|
|
|
_GET_SYNOPSIS = """
|
|
gsutil ubla get bucket_url...
|
|
"""
|
|
|
|
_SYNOPSIS = _SET_SYNOPSIS + _GET_SYNOPSIS.lstrip('\n')
|
|
|
|
_SET_DESCRIPTION = """
|
|
<B>SET</B>
|
|
The ``ubla set`` command enables or disables uniform
|
|
bucket-level access for Google Cloud Storage buckets.
|
|
|
|
<B>SET EXAMPLES</B>
|
|
Configure your buckets to use uniform bucket-level access:
|
|
|
|
gsutil ubla set on gs://redbucket gs://bluebucket
|
|
|
|
Configure your buckets to NOT use uniform bucket-level access:
|
|
|
|
gsutil ubla set off gs://redbucket gs://bluebucket
|
|
"""
|
|
|
|
_GET_DESCRIPTION = """
|
|
<B>GET</B>
|
|
The ``ubla get`` command shows whether uniform bucket-level access is enabled
|
|
for the specified Cloud Storage bucket(s).
|
|
|
|
<B>GET EXAMPLES</B>
|
|
Check if your buckets are using uniform bucket-level access:
|
|
|
|
gsutil ubla get gs://redbucket gs://bluebucket
|
|
"""
|
|
|
|
_DESCRIPTION = """
|
|
The ``ubla`` command is used to retrieve or configure the
|
|
`uniform bucket-level access
|
|
<https://cloud.google.com/storage/docs/bucket-policy-only>`_ setting of
|
|
Cloud Storage bucket(s). This command has two sub-commands, ``get`` and
|
|
``set``.
|
|
""" + _GET_DESCRIPTION + _SET_DESCRIPTION
|
|
|
|
_DETAILED_HELP_TEXT = CreateHelpText(_SYNOPSIS, _DESCRIPTION)
|
|
_set_help_text = CreateHelpText(_SET_SYNOPSIS, _SET_DESCRIPTION)
|
|
_get_help_text = CreateHelpText(_GET_SYNOPSIS, _GET_DESCRIPTION)
|
|
|
|
# Aliases to make these more likely to fit on one line.
|
|
IamConfigurationValue = apitools_messages.Bucket.IamConfigurationValue
|
|
uniformBucketLevelAccessValue = IamConfigurationValue.BucketPolicyOnlyValue
|
|
|
|
_GCLOUD_FORMAT_STRING = (
|
|
'--format=' + 'multi[terminator="' + shim_util.get_format_flag_newline() +
|
|
'"](name:format="value(format(\'Uniform bucket-level' +
|
|
' access setting for gs://{}:\'))",' +
|
|
' iamConfiguration.uniformBucketLevelAccess.enabled.yesno(no="False")' +
|
|
':format="value[terminator=\'' + shim_util.get_format_flag_newline() +
|
|
'\'](format(\' Enabled: {}\'))",' +
|
|
' iamConfiguration.uniformBucketLevelAccess.lockedTime.sub("T", " ")' +
|
|
':format="value(format(\' LockedTime: {}\'))")')
|
|
|
|
|
|
class UblaCommand(Command):
|
|
"""Implements the gsutil ubla command."""
|
|
|
|
command_spec = Command.CreateCommandSpec(
|
|
'ubla',
|
|
command_name_aliases=['uniformbucketlevelaccess'],
|
|
usage_synopsis=_SYNOPSIS,
|
|
min_args=2,
|
|
max_args=NO_MAX,
|
|
supported_sub_args='',
|
|
file_url_ok=False,
|
|
provider_url_ok=False,
|
|
urls_start_arg=2,
|
|
gs_api_support=[ApiSelector.JSON],
|
|
gs_default_api=ApiSelector.JSON,
|
|
argparse_arguments={
|
|
'get': [CommandArgument.MakeNCloudURLsArgument(1),],
|
|
'set': [
|
|
CommandArgument('mode', choices=['on', 'off']),
|
|
CommandArgument.MakeZeroOrMoreCloudBucketURLsArgument()
|
|
],
|
|
})
|
|
# Help specification. See help_provider.py for documentation.
|
|
help_spec = Command.HelpSpec(
|
|
help_name='ubla',
|
|
help_name_aliases=['uniformbucketlevelaccess'],
|
|
help_type='command_help',
|
|
help_one_line_summary='Configure Uniform bucket-level access',
|
|
help_text=_DETAILED_HELP_TEXT,
|
|
subcommand_help_text={
|
|
'get': _get_help_text,
|
|
'set': _set_help_text,
|
|
},
|
|
)
|
|
|
|
gcloud_storage_map = GcloudStorageMap(
|
|
gcloud_command={
|
|
'get':
|
|
GcloudStorageMap(
|
|
gcloud_command=[
|
|
'storage', 'buckets', 'list', _GCLOUD_FORMAT_STRING,
|
|
'--raw'
|
|
],
|
|
flag_map={},
|
|
),
|
|
'set':
|
|
GcloudStorageMap(
|
|
gcloud_command={
|
|
'on':
|
|
GcloudStorageMap(
|
|
gcloud_command=[
|
|
'storage',
|
|
'buckets',
|
|
'update',
|
|
'--uniform-bucket-level-access',
|
|
],
|
|
flag_map={},
|
|
),
|
|
'off':
|
|
GcloudStorageMap(
|
|
gcloud_command=[
|
|
'storage',
|
|
'buckets',
|
|
'update',
|
|
'--no-uniform-bucket-level-access',
|
|
],
|
|
flag_map={},
|
|
),
|
|
},
|
|
flag_map={},
|
|
)
|
|
},
|
|
flag_map={},
|
|
)
|
|
|
|
def _ValidateBucketListingRefAndReturnBucketName(self, blr):
|
|
if blr.storage_url.scheme != 'gs':
|
|
raise CommandException(
|
|
'The %s command can only be used with gs:// bucket URLs.' %
|
|
self.command_name)
|
|
|
|
def _GetUbla(self, blr):
|
|
"""Gets the Uniform bucket-level access setting for a bucket."""
|
|
self._ValidateBucketListingRefAndReturnBucketName(blr)
|
|
bucket_url = blr.storage_url
|
|
|
|
bucket_metadata = self.gsutil_api.GetBucket(bucket_url.bucket_name,
|
|
fields=['iamConfiguration'],
|
|
provider=bucket_url.scheme)
|
|
iam_config = bucket_metadata.iamConfiguration
|
|
# TODO(mynameisrafe): Replace bucketPolicyOnly with uniformBucketLevelAccess
|
|
# when the property is live.
|
|
uniform_bucket_level_access = iam_config.bucketPolicyOnly
|
|
|
|
fields = {
|
|
'bucket': str(bucket_url).rstrip('/'),
|
|
'enabled': uniform_bucket_level_access.enabled
|
|
}
|
|
|
|
locked_time_line = ''
|
|
if uniform_bucket_level_access.lockedTime:
|
|
fields['locked_time'] = uniform_bucket_level_access.lockedTime
|
|
locked_time_line = ' LockedTime: {locked_time}\n'
|
|
|
|
if uniform_bucket_level_access:
|
|
print(('Uniform bucket-level access setting for {bucket}:\n'
|
|
' Enabled: {enabled}\n' + locked_time_line).format(**fields))
|
|
|
|
def _SetUbla(self, blr, setting_arg):
|
|
"""Sets the Uniform bucket-level access setting for a bucket on or off."""
|
|
self._ValidateBucketListingRefAndReturnBucketName(blr)
|
|
bucket_url = blr.storage_url
|
|
|
|
iam_config = IamConfigurationValue()
|
|
# TODO(mynameisrafe): Replace bucketPolicyOnly with uniformBucketLevelAccess
|
|
# when the property is live.
|
|
iam_config.bucketPolicyOnly = uniformBucketLevelAccessValue()
|
|
iam_config.bucketPolicyOnly.enabled = (setting_arg == 'on')
|
|
|
|
bucket_metadata = apitools_messages.Bucket(iamConfiguration=iam_config)
|
|
|
|
setting_verb = 'Enabling' if setting_arg == 'on' else 'Disabling'
|
|
print('%s Uniform bucket-level access for %s...' %
|
|
(setting_verb, str(bucket_url).rstrip('/')))
|
|
|
|
self.gsutil_api.PatchBucket(bucket_url.bucket_name,
|
|
bucket_metadata,
|
|
fields=['iamConfiguration'],
|
|
provider=bucket_url.scheme)
|
|
return 0
|
|
|
|
def _Ubla(self):
|
|
"""Handles ubla command on a Cloud Storage bucket."""
|
|
subcommand = self.args.pop(0)
|
|
|
|
if subcommand not in ('get', 'set'):
|
|
raise CommandException('ubla only supports get|set')
|
|
|
|
subcommand_func = None
|
|
subcommand_args = []
|
|
setting_arg = None
|
|
|
|
if subcommand == 'get':
|
|
subcommand_func = self._GetUbla
|
|
elif subcommand == 'set':
|
|
subcommand_func = self._SetUbla
|
|
setting_arg = self.args.pop(0)
|
|
InsistOnOrOff(setting_arg,
|
|
'Only on and off values allowed for set option')
|
|
subcommand_args.append(setting_arg)
|
|
|
|
# Iterate over bucket args, performing the specified subsubcommand.
|
|
some_matched = False
|
|
url_args = self.args
|
|
if not url_args:
|
|
self.RaiseWrongNumberOfArgumentsException()
|
|
for url_str in url_args:
|
|
# Throws a CommandException if the argument is not a bucket.
|
|
bucket_iter = self.GetBucketUrlIterFromArg(url_str)
|
|
for bucket_listing_ref in bucket_iter:
|
|
some_matched = True
|
|
subcommand_func(bucket_listing_ref, *subcommand_args)
|
|
|
|
if not some_matched:
|
|
raise CommandException(NO_URLS_MATCHED_TARGET % list(url_args))
|
|
return 0
|
|
|
|
def RunCommand(self):
|
|
"""Command entry point for the ubla command."""
|
|
if self.gsutil_api.GetApiSelector(provider='gs') != ApiSelector.JSON:
|
|
raise CommandException('\n'.join(
|
|
textwrap.wrap(
|
|
'The "%s" command can only be used with the Cloud Storage JSON API.'
|
|
% self.command_name)))
|
|
|
|
action_subcommand = self.args[0]
|
|
self.ParseSubOpts(check_args=True)
|
|
|
|
if action_subcommand == 'get' or action_subcommand == 'set':
|
|
metrics.LogCommandParams(sub_opts=self.sub_opts)
|
|
metrics.LogCommandParams(subcommands=[action_subcommand])
|
|
self._Ubla()
|
|
else:
|
|
raise CommandException('Invalid subcommand "%s", use get|set instead.' %
|
|
action_subcommand)
|