====== [HOWTO] Using ACLs ======

^ Documentation ^|
^Name:|[HOWTO] Using ACLs |
^Description:| How to set up bucket and object ACLs |
^Modification date :| 18/09/2019|
^Owner:|dodger|
^Notify changes to:|Owner |
^Tags:|ceph, object storage |
^Escalate to:|The_fucking_bofh|

====== Official documentation ======

===== For Objects =====

  * [[https://docs.ceph.com/docs/nautilus/radosgw/s3/csharp/?highlight=acl#change-an-object-s-acl|Object ACL with c#]]
  * [[https://docs.ceph.com/docs/nautilus/radosgw/s3/authentication/?highlight=acl#access-control-lists-acls|Complete CEPH ACL API methods]]

===== For Buckets =====

  * [[https://docs.ceph.com/docs/nautilus/radosgw/s3/bucketops/?highlight=acl|Ceph bucket operations]]
  * [[https://docs.ceph.com/docs/nautilus/radosgw/bucketpolicy/?highlight=acl|Ceph bucket policies]]

===== For both =====

  * [[https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-using-rest-api.html|Amazon's Managing ACLs Using the REST API]]
  * [[https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-using-dot-net-sdk.html|Amazon S3 C# acl examples]]
  * [[https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html|Amazon ACL overview]]

====== Real life ======

===== Object to public+url =====

Python example:

<code python>
# Assumes "bucket" is an already opened boto (v2) Bucket object.
def set_public(FileName):
    filekey = bucket.get_key(FileName)
    # Canned ACL "public-read": anyone can read the object without authentication.
    filekey.set_canned_acl('public-read')
    # query_auth=False returns a plain, unsigned URL; force_http=True makes it http://.
    fileUrl = filekey.generate_url(0, query_auth=False, force_http=True)
    print(fileUrl)
</code>

This piece of code will make an object public and print the resulting URL, for example:

[[http://clover.ciberterminal.net/monguitest/david_hasselhoff_dog.jpg]]

===== Object to private =====

Python example:

<code python>
# Assumes "bucket" is an already opened boto (v2) Bucket object.
def set_private(FileName):
    filekey = bucket.get_key(FileName)
    # Canned ACL "private": only the owner keeps access.
    filekey.set_canned_acl('private')
</code>

This piece of code will make an object private.

===== Signed URL for object download (timestamped) =====

Python example:

<code python>
# Assumes "bucket" is an already opened boto (v2) Bucket object.
def get_signed_url(FileName):
    filekey = bucket.get_key(FileName)
    # Signed URL valid for 3600 seconds; force_http=True makes it an http:// link,
    # so the signed query string is sent unencrypted.
    fileUrl = filekey.generate_url(3600, query_auth=True, force_http=True)
    print(fileUrl)
</code>

This piece will
generate a download URL for an object (it can be a **private object**) and print it:

<code>
bofher@avmlm-salt-001 ~/scripts/ceph :( $ python s3_wrapper_v2.py --put secret.txt secret.txt
bofher@avmlm-salt-001 ~/scripts/ceph $ python s3_wrapper_v2.py --onehourlink secret.txt
http://clover.ciberterminal.net/monguitest/secret.txt?Signature=3gaNKewt3tM1DdgyA3ap%2BlneLeU%3D&Expires=1568794738&AWSAccessKeyId=W45IHOZ15VWDTEHHV01C
</code>
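
Added example (not part of the original page or of s3_wrapper_v2.py): how the ''Signature'', ''Expires'' and ''AWSAccessKeyId'' parameters of such a URL fit together under AWS Signature Version 2 query-string authentication, and why changing ''Expires'' by hand does not extend the link. The ''check'' function is a simplified model of the server-side decision; the endpoint, bucket, keys and timestamp are constructed placeholders.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

def sign_v2(secret_key, expires, resource, method="GET"):
    """base64(HMAC-SHA1(secret, string-to-sign)) as used by SigV2 query-string auth."""
    # Layout: VERB \n Content-MD5 \n Content-Type \n Expires \n CanonicalizedResource
    string_to_sign = f"{method}\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign(endpoint, bucket, key, access_key, secret_key, expires_in, now=None):
    """Build a path-style signed GET URL that is valid for expires_in seconds."""
    expires = int(time.time() if now is None else now) + expires_in
    resource = f"/{bucket}/{quote(key)}"
    query = urlencode({"Signature": sign_v2(secret_key, expires, resource),
                       "Expires": expires,
                       "AWSAccessKeyId": access_key})
    return f"{endpoint}{resource}?{query}"

def check(url, secret_key, now=None):
    """Simplified server-side decision for a GET: 'ok', 'expired' or 'bad-signature'."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    expires = int(params["Expires"][0])
    expected = sign_v2(secret_key, expires, parts.path)
    # Expires is covered by the HMAC, so editing it invalidates the signature.
    if not hmac.compare_digest(expected.encode(), params["Signature"][0].encode()):
        return "bad-signature"
    if (time.time() if now is None else now) > expires:
        return "expired"
    return "ok"

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials or hosts.
    t0 = 1568791138
    url = presign("http://rgw.example", "demo-bucket", "secret.txt",
                  "EXAMPLEACCESSKEY", "example-secret-key", 3600, now=t0)
    print(url)
    print(check(url, "example-secret-key", now=t0 + 60))     # within the hour
    print(check(url, "example-secret-key", now=t0 + 3601))   # after Expires
    print(check(url.replace("Expires=1568794738", "Expires=1999999999"),
                "example-secret-key", now=t0 + 3601))        # tampered expiry
```

Until ''Expires'' passes, anyone who holds the URL can download the object, so keep the lifetime as short as the use case allows.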