Storage: pass predefinedDefaultObjectAcl on bucket creation #9295

Closed
thoutenbos opened this issue Sep 25, 2019 · 4 comments · Fixed by #9334
Assignees
Labels
api: storage Issues related to the Cloud Storage API. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@thoutenbos

Is your feature request related to a problem? Please describe.
The bucket creation API allows passing a query parameter "predefinedDefaultObjectAcl" to set the default object ACL in the creation call of the bucket. In the current implementation of this library it's not possible to set this query parameter, as the query parameters are hardcoded to only the (required) project.

https://github.com/googleapis/google-cloud-python/blob/master/storage/google/cloud/storage/bucket.py#L637

Describe the solution you'd like
Expose the optional query parameters in this library.

Describe alternatives you've considered
Updating the predefinedDefaultObjectAcl after bucket creation requires additional permissions on the bucket that should not be needed when setting this value directly on bucket creation.

Additional context
API Reference for bucket/insert
https://cloud.google.com/storage/docs/json_api/v1/buckets/insert

@tseaver tseaver added api: storage Issues related to the Cloud Storage API. type: question Request for information or clarification. Not an issue. labels Sep 25, 2019
@tseaver
Contributor

tseaver commented Sep 25, 2019

@thoutenbos

Updating the predefinedDefaultObjectAcl after bucket creation requires additional permissions on the bucket that should not be needed when setting this value directly on bucket creation.

Can you please clarify? I'm unaware of any case where creating a bucket would leave the creating owner without the storage.buckets.update permission required to update the default object ACL.

@tseaver tseaver added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed type: question Request for information or clarification. Not an issue. labels Sep 25, 2019
@tseaver
Contributor

tseaver commented Sep 25, 2019

FWIW, if we do support passing the predefinedDefaultObjectAcl query parameter, we should also support passing predefinedAcl.

@thoutenbos
Author

I'm using a custom IAM role for a service account that grants only the storage.buckets.create permission, to create regular, time-based new buckets. If all needed bucket settings can be passed in the creation call, then no additional permissions are needed for this service account. In the current implementation of this library the service account would need additional permissions to allow updates to this (and other) buckets after creation.

The extra permissions needed to update this setting after bucket creation are:

  • storage.buckets.update
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy

By the principle of least privilege, granting these additional permissions is undesirable when it can be avoided.
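As an added illustration of the request shape discussed in this issue (not code from google-cloud-python): a helper that builds the buckets.insert query string with the required project plus the optional predefinedAcl / predefinedDefaultObjectAcl parameters, validated against the values the JSON API documents, and refusing the public ACLs unless the caller opts in. The function name, the API_BASE constant and the sample project/bucket names are my own assumptions.

```python
"""Build a buckets.insert request with optional predefined ACL query parameters."""
from urllib.parse import urlencode

# Values accepted by the JSON API for buckets.insert (per the API reference).
BUCKET_ACLS = {"authenticatedRead", "private", "projectPrivate",
               "publicRead", "publicReadWrite"}
DEFAULT_OBJECT_ACLS = {"authenticatedRead", "bucketOwnerFullControl",
                       "bucketOwnerRead", "private", "projectPrivate",
                       "publicRead"}
# These two make data readable (or writable) by anyone on the internet.
PUBLIC_ACLS = {"publicRead", "publicReadWrite"}

API_BASE = "https://storage.googleapis.com/storage/v1"  # assumed base URL


def build_bucket_insert_request(project, bucket_name, predefined_acl=None,
                                predefined_default_object_acl=None,
                                allow_public=False):
    """Return (url, query, body) for one buckets.insert call.

    `project` is the required query parameter the library already sends;
    the two optional ACL parameters are appended only when supplied, so a
    service account holding just storage.buckets.create can set them at
    creation time instead of needing storage.buckets.update afterwards.
    """
    if not project:
        raise ValueError("project is required")
    query = {"project": project}

    if predefined_acl is not None:
        if predefined_acl not in BUCKET_ACLS:
            raise ValueError(f"unknown predefinedAcl: {predefined_acl!r}")
        query["predefinedAcl"] = predefined_acl

    if predefined_default_object_acl is not None:
        if predefined_default_object_acl not in DEFAULT_OBJECT_ACLS:
            raise ValueError("unknown predefinedDefaultObjectAcl: "
                             f"{predefined_default_object_acl!r}")
        query["predefinedDefaultObjectAcl"] = predefined_default_object_acl

    # Guard rail: a public ACL at creation is a one-call data exposure,
    # so require an explicit opt-in rather than accepting it silently.
    requested = {predefined_acl, predefined_default_object_acl}
    if not allow_public and requested & PUBLIC_ACLS:
        raise ValueError("public ACL requested without allow_public=True")

    url = f"{API_BASE}/b?{urlencode(query)}"
    body = {"name": bucket_name}  # minimal bucket resource
    return url, query, body
```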

@thoutenbos
Author

Thanks!
