User-configurable Amazon S3 ACL

fixes #413
2025-01-06 07:46:25 +01:00 · 2016-08-22 14:59:03 +02:00 · 2016-08-22 14:59:03 +02:00 · 2003ba356b
commit 2003ba356b
parent 037a000cc8
2 changed files with 50 additions and 9 deletions
--- a/docs/content/s3.md
+++ b/docs/content/s3.md
@ -121,6 +121,25 @@ Choose a number from below, or type in your own value
 9 / South America (Sao Paulo) Region.
   \ "sa-east-1"
 location_constraint> 1
+Canned ACL used when creating buckets and/or storing objects in S3.
+For more info visit http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
+Choose a number from below, or type in your own value
+ 1 / Owner gets FULL_CONTROL. No one else has access rights (default).
+   \ "private"
+ 2 / Owner gets FULL_CONTROL. The AllUsers group gets READ access.
+   \ "public-read"
+   / Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access.
+ 3 | Granting this on a bucket is generally not recommended.
+   \ "public-read-write"
+ 4 / Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access.
+   \ "authenticated-read"
+   / Object owner gets FULL_CONTROL. Bucket owner gets READ access.
+ 5 | If you specify this canned ACL when creating a bucket, Amazon S3 ignores it.
+   \ "bucket-owner-read"
+   / Both the object owner and the bucket owner get FULL_CONTROL over the object.
+ 6 | If you specify this canned ACL when creating a bucket, Amazon S3 ignores it.
+   \ "bucket-owner-full-control"
+acl> private
 The server-side encryption algorithm used when storing this object in S3.
 Choose a number from below, or type in your own value
 1 / None
--- a/s3/s3.go
+++ b/s3/s3.go
@ -146,6 +146,28 @@ func init() {
 				Value: "sa-east-1",
 				Help:  "South America (Sao Paulo) Region.",
 			}},
+		}, {
+			Name: "acl",
+			Help: "Canned ACL used when creating buckets and/or storing objects in S3.\nFor more info visit http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl",
+			Examples: []fs.OptionExample{{
+				Value: "private",
+				Help:  "Owner gets FULL_CONTROL. No one else has access rights (default).",
+			}, {
+				Value: "public-read",
+				Help:  "Owner gets FULL_CONTROL. The AllUsers group gets READ access.",
+			}, {
+				Value: "public-read-write",
+				Help:  "Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access.\nGranting this on a bucket is generally not recommended.",
+			}, {
+				Value: "authenticated-read",
+				Help:  "Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access.",
+			}, {
+				Value: "bucket-owner-read",
+				Help:  "Object owner gets FULL_CONTROL. Bucket owner gets READ access.\nIf you specify this canned ACL when creating a bucket, Amazon S3 ignores it.",
+			}, {
+				Value: "bucket-owner-full-control",
+				Help:  "Both the object owner and the bucket owner get FULL_CONTROL over the object.\nIf you specify this canned ACL when creating a bucket, Amazon S3 ignores it.",
+			}},
 		}, {
 			Name: "server_side_encryption",
 			Help: "The server-side encryption algorithm used when storing this object in S3.",
@ -174,7 +196,7 @@ type Fs struct {
 	c                  *s3.S3           // the connection to the s3 server
 	ses                *session.Session // the s3 session
 	bucket             string           // the bucket we are working on
-	perm               string           // permissions for new buckets / objects
+	acl                string           // ACL for new buckets / objects
 	root               string           // root of the bucket - ignore all objects above this
 	locationConstraint string           // location constraint of new buckets
 	sse                string           // the type of server-side encryption
@ -320,11 +342,11 @@ func NewFs(name, root string) (fs.Fs, error) {
 		return nil, err
 	}
 	f := &Fs{
-		name:   name,
-		c:      c,
-		bucket: bucket,
-		ses:    ses,
-		// FIXME perm:   s3.Private, // FIXME need user to specify
+		name:               name,
+		c:                  c,
+		bucket:             bucket,
+		ses:                ses,
+		acl:                fs.ConfigFile.MustValue(name, "acl"),
 		root:               directory,
 		locationConstraint: fs.ConfigFile.MustValue(name, "location_constraint"),
 		sse:                fs.ConfigFile.MustValue(name, "server_side_encryption"),
@ -583,7 +605,7 @@ func (f *Fs) Mkdir() error {
 	}
 	req := s3.CreateBucketInput{
 		Bucket: &f.bucket,
-		ACL:    &f.perm,
+		ACL:    &f.acl,
 	}
 	if f.locationConstraint != "" {
 		req.CreateBucketConfiguration = &s3.CreateBucketConfiguration{
@ -780,7 +802,7 @@ func (o *Object) SetModTime(modTime time.Time) error {
 	directive := s3.MetadataDirectiveReplace // replace metadata with that passed in
 	req := s3.CopyObjectInput{
 		Bucket:            &o.fs.bucket,
-		ACL:               &o.fs.perm,
+		ACL:               &o.fs.acl,
 		Key:               &key,
 		ContentType:       &contentType,
 		CopySource:        aws.String(url.QueryEscape(sourceKey)),
@ -839,7 +861,7 @@ func (o *Object) Update(in io.Reader, src fs.ObjectInfo) error {
 	key := o.fs.root + o.remote
 	req := s3manager.UploadInput{
 		Bucket:      &o.fs.bucket,
-		ACL:         &o.fs.perm,
+		ACL:         &o.fs.acl,
 		Key:         &key,
 		Body:        in,
 		ContentType: &contentType,