Google Cloud Storage AllUsers permission doesn't work - acl

I'm trying to make a bucket with Read/Write permissions for bucket/objects for particular users and Read permissions for objects only for AllUsers.
I've:
  - created a bucket,
  - added this to the default ACL list:
        <Entry>
          <Scope type="AllUsers"/>
          <Permission>
            READ
          </Permission>
        </Entry>
    via: gsutil setdefacl <f> gs://bucket
  - added an object (test.png)
Now I'm trying to access this from a browser with the URL http[s]://storage.cloud.google.com/bucket/test.png, but it takes me to the Google account sign-in page. When I sign in with another Google account (not the one I used to create the project/bucket/object), which has no explicit rights set, it shows the pic.
gsutil getacl on the new object shows that READ permission is in place for AllUsers, but it works like AllAuthenticatedUsers.
Any ideas on what to do with permissions to work as expected?

When you say you added that Entry to the default ACL, you mean you added it as an element within AccessControlList.Entries, correct?
It's somewhat difficult to know what happened without seeing the full ACL text.
But also, since you're making objects publicly readable (READ permission granted for scope AllUsers), you don't need additional scopes in the bucket's default object ACL; you could simply do:
    gsutil setdefacl public-read gs://bucket
and then upload objects to the bucket.
I realize you want to grant read/write permission for particular users, but write permission is controlled by the bucket ACL, not the object ACL (and thus also not by the default object ACL on the bucket).
Please try the above and let us know if you're still unable to access objects via a browser without first authenticating.
Mike Schwartz,
Google Cloud Storage team
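The distinction the answer draws, between READ granted to AllUsers (anonymous) and READ granted to AllAuthenticatedUsers (any Google account), is also what an access review of a bucket or object ACL needs to surface. The following is an added example, not code from the question, the answer or the Cloud Storage team: it parses the XML form of an ACL that gsutil getacl prints (the same <Entry>/<Scope>/<Permission> shape as the entry in the question) and reports which broad scopes can read and whether any broad scope can write. The sample ACL, its e-mail address and its owner ID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample ACL in the layout gsutil getacl prints; the owner ID and
# e-mail address are placeholders. The AllUsers entry deliberately puts READ on
# its own line, as the hand-written entry in the question does.
SAMPLE_ACL = """<?xml version="1.0" ?>
<AccessControlList>
  <Owner>
    <ID>owner-id-placeholder</ID>
  </Owner>
  <Entries>
    <Entry>
      <Scope type="UserByEmail">
        <EmailAddress>alice@example.com</EmailAddress>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="AllAuthenticatedUsers"/>
      <Permission>READ</Permission>
    </Entry>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>
        READ
      </Permission>
    </Entry>
  </Entries>
</AccessControlList>
"""

# Scopes that are not tied to a named principal.
ANONYMOUS_SCOPE = "AllUsers"                      # anyone, no sign-in
ANY_GOOGLE_ACCOUNT_SCOPE = "AllAuthenticatedUsers"  # any signed-in Google account
BROAD_SCOPES = {ANONYMOUS_SCOPE, ANY_GOOGLE_ACCOUNT_SCOPE}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
READ_PERMISSIONS = {"READ"} | WRITE_PERMISSIONS     # WRITE and FULL_CONTROL imply READ


def parse_acl(acl_xml):
    """Return a list of (scope_type, principal, permission) tuples.

    principal is the e-mail address, ID or domain for user, group and domain
    scopes, and None for AllUsers / AllAuthenticatedUsers. Whitespace around
    the permission text is stripped so a multi-line <Permission> still parses.
    """
    root = ET.fromstring(acl_xml)
    entries = []
    for entry in root.iter("Entry"):
        scope = entry.find("Scope")
        if scope is None:
            raise ValueError("ACL Entry without a Scope element")
        principal = None
        for child in scope:  # EmailAddress, ID or Domain; absent for broad scopes
            principal = (child.text or "").strip()
        permission = (entry.findtext("Permission") or "").strip().upper()
        entries.append((scope.get("type"), principal, permission))
    return entries


def exposure_report(acl_xml):
    """Summarise what the broad scopes can do with the bucket or object."""
    report = {
        "anonymous_read": False,    # AllUsers can read: genuinely public
        "any_account_read": False,  # AllAuthenticatedUsers can read: any Google account
        "broad_write": [],          # a broad scope with WRITE/FULL_CONTROL: a finding
    }
    for scope_type, _principal, permission in parse_acl(acl_xml):
        if scope_type not in BROAD_SCOPES:
            continue
        if permission in WRITE_PERMISSIONS:
            report["broad_write"].append((scope_type, permission))
        if permission in READ_PERMISSIONS:
            if scope_type == ANONYMOUS_SCOPE:
                report["anonymous_read"] = True
            else:
                report["any_account_read"] = True
    return report


if __name__ == "__main__":
    # Usage: gsutil getacl gs://bucket/object | python acl_report.py
    # (falls back to the constructed sample when nothing is piped in)
    import sys
    source = SAMPLE_ACL if sys.stdin.isatty() else sys.stdin.read()
    print(exposure_report(source))
```

Run against the sample, the report shows anonymous_read and any_account_read both true and no broad write grants. Note that the URL in the question points at storage.cloud.google.com, the authenticated browser endpoint, which prompts for a Google sign-in regardless of the ACL; an anonymous read of a public-read object goes through storage.googleapis.com.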

How to add a custom log with az cli?

In the docs, it shows how to create a table, but I see no parameter for setting the collection paths for custom logs (ex: /etc/log/nginx/error.log) the way you can in the portal.
    az monitor log-analytics workspace table create --name
                                                    --resource-group
                                                    --workspace-name
                                                    [--columns]
                                                    [--description]
                                                    [--no-wait]
                                                    [--plan {Analytics, Basic}]
                                                    [--retention-time]
                                                    [--total-retention-time]
When I use show on a current table, I also don't see any collection path parameters or links to other objects where that might be stored.
As far as I know, and as per this GitHub document, adding custom logs using Azure CLI is still a feature request.
#LawrenceLLo AFAIK, Azure CLI currently doesn't support the above scenario. If this is something you would like to see supported, kindly share the feedback directly with the feature owner using this link.
Looks like there is already a feature request in place; I would suggest you upvote it and make a comment. Engineering monitors this product feedback actively.
https://feedback.azure.com/d365community/idea/579dea67-2125-ec11-b6e6-000d3a4f09d0

Object to object ACL with xattr in Security Namespace

I want to create an access rule in Linux so that only files with a certain eXtended attribute can be moved, copied or created in a certain directory, regardless of my privileges in that directory.
The xattr should be created in the system or security namespace, so that I cannot change it as a user.
To my understanding, almost all ACL systems are focused on "subject to object" access control (i.e. user/process to file/directory), but what I want is "object to object" (i.e. file to directory) access control.
Perhaps SELinux?
Is this even possible?
Cheers,
Kalle

Allowing normal users to download PloneFormGen CSV

We are using PloneFormGen's SaveDataAdapter, and would like users who are not site admins to be able to download the CSV. The normal permissions don't seem to allow this. Is this possible in PloneFormGen?
You're right, there is a custom permission made for the download-view named "PloneFormGen: Download Saved Input", and Products/PloneFormGen/config.py defines that Managers, Owners and Site-admins get this permission by default.
In one of your add-on's profile folders, add a file named rolemap.xml to additionally assign roles (the default roles will remain untouched, as they are assigned via a Python script, not a GenericSetup file):
    <?xml version="1.0"?>
    <rolemap>
      <permissions>
        <permission name="PloneFormGen: Download Saved Input" acquire="True">
          <role name="Member" />
        </permission>
      </permissions>
    </rolemap>
Note: This will set the permission globally, meaning you cannot restrict it to locations. For finer control per location, create a role "Downloaders", assign the download-permission to it in rolemap.xml and make the permission assignable locally via the sharing-tab of an item. For the last step one could give https://pypi.org/project/collective.sharingroles/ a try.
An alternative solution for the case that exactly one user needs to get the additional privilege for downloading the content of a save-adapter:
Append /ownership_form to the URL of the save adapter, choose new owner and save.

SonataAdminBundle and ACL Class-scope Permissions

Sorry for my english...
In my project I use ACL with SonataAdminBundle, but I cannot understand why they did it this way: you have to create a record in the database even when I want to use only Class-scope without Object-scope.
Also, when you create, for example, comments, SonataAdminBundle automatically creates an entry in acl_object_identities, and this clutters up the database.
I created a role that has the right to full access to all records in a table, regardless of who created the records, but SonataAdminBundle only displays them and prohibits editing.
The documentation for SonataAdminBundle reads:
    because the object ACL permission is checked, the ACL for the object must have been created, otherwise the AclVoter will deny EDIT access for a non super admin user trying to edit another non super admin user. This is automatically done when the object is created using the Admin. If objects are also created outside the Admin, have a look at the createSecurityObject method in the AclSecurityHandler.
But why? How to avoid this?
I do not want to write hooks.
Thank you in advance for any comments and help on this.
You can generate the object ACLs with php app/console sonata:admin:generate-object-acl

how do you make use of AclExtension and mercurial-server/hg-ssh?

mercurial-server manages the user database under the keys folder. Users and groups are represented by files and folders.
AclExtension relies on Linux user groups through ssh.
They don't seem to match, or did I miss something?
I have managed to make mercurial-server work, but I just don't see how to integrate AclExtension with it so I may have finer-grained access control.
Unfortunately, the AclExtension does key its access off of usernames. If you are creating separate UNIX user accounts for each user with hg-ssh you've got everything you need, but if all of your ssh users are using the same Unix user account then the AclExtension isn't going to work for you.
Unless...
I did just look into the acl.py file and it looks like it uses the getpass.py module's getuser, which checks the environment for the user name using this code:
    import os

    def getuser():
        # first non-empty variable wins; LOGNAME is consulted before USER
        for name in ('LOGNAME', 'USER', 'LNAME', 'USERNAME'):
            user = os.environ.get(name)
            if user:
                return user
so it might be possible to fake that out by setting an environment variable in the hg-ssh user's authorized_keys file like this:
    command="hg-ssh path/to/repo" environment="LOGNAME=fakeusername" ssh-dss ...
where then you could put fakeusername in ACL rules, and could have a different fakeusername for each key, all running under the same UNIX account.
BTW: Everyone seems to just use hg-ssh alone, I never see the (non-official) mercurial-server app used anymore.
The environment trick doesn't seem to work on my Solaris box; my solution was to pass in the fakeusername as a parameter to hg-ssh and have that set os.environ['LOGNAME'] so that getpass sees it.
    command="hg-ssh fakeusername" ssh-dss ...
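Both answers above rest on the same fact: the acl extension takes the user name from getpass.getuser(), which reads LOGNAME first, so whatever the forced command puts there becomes the identity the ACL rules are matched against. The following is an added example, not code from either answer, from hg-ssh or from the acl extension. It follows the second answer's variant (the name passed as an argument to a locally patched hg-ssh, which sets LOGNAME itself), which is also the variant that does not depend on sshd honouring environment= in authorized_keys; OpenSSH only does that when PermitUserEnvironment is enabled in sshd_config, which is off by default. The user names, repository path and key blobs are constructed, and the accepted character class for a name is an assumption of this example, not something hg-ssh enforces. The unbound_keys check at the end is the review a maintainer of the shared account would want: any key without the forced command is not tied to an ACL name and gets the account's real identity and a shell.

```python
import getpass
import os
import re
import shlex

# Character class accepted as a per-key ACL user name. This is an assumption of
# the example, not a rule of hg-ssh or the acl extension: it keeps the value
# safe to embed in the forced command and unambiguous in acl rules.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")

# Key restrictions hg-ssh's own docstring recommends alongside the forced
# command, so a key can run nothing but hg-ssh.
_KEY_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding"

# Matches an authorized_keys line whose forced command is hg-ssh with a name.
_BOUND_KEY_RE = re.compile(r'^command="hg-ssh (\S+)[^"]*"')


def validate_username(username):
    """Reject names that could escape the forced command or confuse ACL rules."""
    if not _USERNAME_RE.match(username):
        raise ValueError("unacceptable ACL user name: %r" % (username,))
    return username


def authorized_keys_line(username, repo_path, pubkey):
    """Build the authorized_keys entry that binds one key to one ACL name.

    pubkey is the key type followed by the base64 blob (constructed here).
    The name is validated, and the path is shell-quoted, before either is
    embedded in the command string sshd will hand to the login shell.
    """
    validate_username(username)
    forced = "hg-ssh %s %s" % (username, shlex.quote(repo_path))
    return 'command="%s",%s %s' % (forced, _KEY_OPTIONS, pubkey)


def acl_identity(username):
    """What the patched hg-ssh does before starting 'hg -R repo serve --stdio'.

    getpass.getuser() consults LOGNAME before USER, LNAME and USERNAME, so
    setting it here makes the per-key name the identity acl rules see.
    Returns the name the acl extension would resolve.
    """
    validate_username(username)
    os.environ["LOGNAME"] = username
    return getpass.getuser()


def unbound_keys(authorized_keys_text):
    """Lines of the shared account's authorized_keys with no hg-ssh forced
    command. Those keys are not tied to any ACL name: they log in as the
    shared account itself, with its real LOGNAME and an unrestricted shell."""
    unbound = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not _BOUND_KEY_RE.match(line):
            unbound.append(line)
    return unbound


if __name__ == "__main__":
    # Constructed sample file: one properly bound key and one stray key.
    sample = "\n".join([
        authorized_keys_line("alice", "repos/project", "ssh-ed25519 AAAAC3constructed-alice"),
        "# imported by hand, never restricted",
        "ssh-rsa AAAAB3constructed-stray stray@host",
    ])
    print(sample)
    print("ACL identity for alice's key:", acl_identity("alice"))
    print("keys without an hg-ssh binding:", unbound_keys(sample))
```

The identity the acl extension checks is therefore only as trustworthy as the binding between key and forced command: whoever can edit the shared account's authorized_keys, or holds a key that unbound_keys reports, chooses their own ACL name.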