Changing ACL for Google Cloud Storage from Appengine (JAVA)

Question

Is it possible to change the ACLs of Google Cloud Storage objects(or buckets) using the appengine Api? I understand that this can be done using the REST API, but is there support for this in the Files Api in appengine? They can be set when creating a new object using GSFileObject, however can you change on existing objects??

Answer 1

You can use urlfetch.fetch and app_identity.get_access_token to easily send an authenticated request to the REST api.

Python:

from google.appengine.api import app_identity
from google.appengine.api import urlfetch

acl_xml = """
<AccessControlList><Entries>
  <Entry>
    <Scope type="UserByEmail">[email protected]</Scope>
    <Permission>READ</Permission>
  </Entry>
</Entries></AccessControlList>
"""
scope = 'https://www.googleapis.com/auth/devstorage.full_control'
token = app_identity.get_access_token(scope)
response = urlfetch.fetch(
    'http://storage.googleapis.com/bucket/obj?acl',
    method=urlfetch.PUT,
    payload=acl_xml,
    headers={'Authorization': 'OAuth %s' % token})

Java:

import com.google.appengine.api.appidentity.AppIdentityService;    
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;
import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;

public String setAcl() throws Exception {
  // Change [email protected] to a valid email.
  // Repeat <Entry/> as many times as necessary.
  String xmlString = "";
  xmlString += "<AccessControlList><Entries>";
  xmlString += "  <Entry>";
  xmlString += "    <Scope type=\"UserByEmail\">[email protected]</Scope>";
  xmlString += "    <Permission>READ</Permission>";
  xmlString += "  </Entry>";
  xmlString += "</Entries></AccessControlList>";

  ArrayList scopes = new ArrayList();
  scopes.add("https://www.googleapis.com/auth/devstorage.full_control");

  AppIdentityService.GetAccessTokenResult accessToken =
      AppIdentityServiceFactory.getAppIdentityService().getAccessToken(scopes);

  // Change bucket and obj to the bucket and object of interest.
  URL url = new URL("https://storage.googleapis.com/bucket/obj?acl");
  HttpURLConnection connection = (HttpURLConnection) url.openConnection();
  connection.setDoOutput(true);
  connection.setRequestMethod("PUT");
  connection.addRequestProperty(
      "Authorization", "OAuth " + accessToken.getAccessToken());

  OutputStreamWriter writer = new OutputStreamWriter(connection.getOutputStream());
  writer.write(xmlString);
  writer.close();

  if (connection.getResponseCode() != HttpURLConnection.HTTP_OK) {
    throw new Exception();
  }
}

More info:

• Python: https://developers.google.com/appengine/docs/python/appidentity/overview
• Java: https://developers.google.com/appengine/docs/java/appidentity/overview
• Relevant oauth scopes: https://developers.google.com/storage/docs/authentication#oauth

Answer 2

Modifying ACLs on existing objects is not supported via the App Engine Google Cloud Storage API, however, I've just written a feature request asking to add that capability.