7
votes

For App Engine-created files in Google Cloud Storage, the bucket owner doesn't have full control permission.

I cannot set the ACL this way (to have both public read and owner full control):

GcsFileOptions options = new GcsFileOptions.Builder().acl("bucket-owner-full-control;public-read").build();

What is the solution here?

1
Is your intention to give the bucket owner full control of the file and make the file readable by anyone on the internet? I don't believe you can mix predefined ACLs to accomplish this, so you will have to manually construct the ACL. If you want this behavior for all objects in the bucket, setting the default object ACL on the bucket (see developers.google.com/storage/docs/…) will help. - Travis Hobrla

1 Answer

7
votes

Unfortunately, you can't use multiple canned ACLs at once. There is no canned ACL that means "give the bucket owner full control of the object and also make it publicly readable." Also unfortunately, I don't believe GcsFileOptions provides an easy way to specify custom ACLs (although I might've missed it; anybody who knows of one should feel free to edit this).

One possibility would be to change the default ACL for new objects in your bucket and then not to set ACLs explicitly at all. You can add a default read permission for anonymous users pretty easily with gsutil:

$> gsutil defacl ch -g AllUsers:R gs://mybucket

(Note: there's a similar command, gsutil acl, that controls a bucket or object ACL and not the default ACL for newly created objects in a bucket. It's easy to confuse the two.)

N.B. This will affect all objects created in this bucket that don't specify an ACL, which may not be appropriate if you're also creating other objects in this bucket for other purposes and are relying on a specific default ACL.
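
An added example, not part of the answer above and not gsutil's own code: a Python check that reads an ACL in the JSON list form printed by `gsutil defacl get` or `gsutil acl get` and reports whether the owner still has OWNER and whether anonymous access is limited to READER. It assumes the bucket owner is the project-owners group; the project number, service account and all three sample ACLs are constructed.

```python
import json

PUBLIC = {"allUsers", "allAuthenticatedUsers"}
# Assumption: the bucket owner is this project-owners group (placeholder number).
OWNER_GROUP = "project-owners-000000000000"

def audit_acl(acl_json, owner_entity=OWNER_GROUP):
    """Audit one ACL given as a JSON list of {"entity": ..., "role": ...} entries."""
    entries = json.loads(acl_json)
    public = {e["entity"]: e["role"] for e in entries if e["entity"] in PUBLIC}
    findings = []
    # The problem from the question: the owner has no OWNER grant on the object.
    if not any(e["entity"] == owner_entity and e["role"] == "OWNER" for e in entries):
        findings.append("owner-missing-full-control")
    # The intended change grants READER only; anything stronger is a mistake.
    for entity, role in sorted(public.items()):
        if role != "READER":
            findings.append(f"public-{role.lower()}:{entity}")
    return {"public_read": public.get("allUsers") == "READER", "findings": findings}

# Constructed: default object ACL after `gsutil defacl ch -g AllUsers:R`.
DEFAULT_ACL_AFTER_CHANGE = json.dumps([
    {"entity": OWNER_GROUP, "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
])
# Constructed: object written with an explicit public-read ACL by a
# hypothetical App Engine service account; the bucket owner is absent.
APPENGINE_OBJECT_ACL = json.dumps([
    {"entity": "user-example-app@appspot.gserviceaccount.com", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
])
# Constructed: default ACL where the public grant was mistakenly set to OWNER.
OVERBROAD_DEFAULT_ACL = json.dumps([
    {"entity": OWNER_GROUP, "role": "OWNER"},
    {"entity": "allUsers", "role": "OWNER"},
])

if __name__ == "__main__":
    for name, acl in [("default", DEFAULT_ACL_AFTER_CHANGE),
                      ("appengine-object", APPENGINE_OBJECT_ACL),
                      ("overbroad", OVERBROAD_DEFAULT_ACL)]:
        print(name, audit_acl(acl))
```

Running the same check on a bucket's default object ACL before relying on it helps with the N.B. above, since every object created without an explicit ACL inherits whatever that default grants.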