Storage: When moving a file, allow keeping old ACL

[lukesneeringer]

From @SimenB on May 3, 2017 13:59

Environment details

• OS: macOS
• Node.js version: 6.10.2
• npm version: yarn 0.23.3
• google-cloud-node version: @google-cloud/storage@1.1.0

Steps to reproduce

1. require @google-cloud/storage
2. Instantiate it, and get a bucket
3. call const file = await bucket.upload(filePath, { public: true })
4. Verify file is publicly available from https://storage.googleapis.com/
5. call file.move(somewhere)
6. Try to access file from https://storage.googleapis.com/, get 403

What I want is either:

• some way to pass equivalent of gsutil mv -p flag, which "Causes ACLs to be preserved when copying in the cloud."
  • file.move(newName, { keepAcl: true }) or something like that
  • https://cloud.google.com/storage/docs/gsutil/commands/cp#options
• allow me to pass destinationPredefinedAcl to the move method
  • https://cloud.google.com/storage/docs/json_api/v1/objects/rewrite

Copied from original issue: googleapis/google-cloud-node#2274

[lukesneeringer]

From @SimenB on May 3, 2017 14:8

I suppose a workaround is to change the ACL after moving the file. The code doing the rename lives in a project which tries to just pass through options to the storage api though. So passing some custom predefined ACL (which defeats the purpose of the nice public: true option) is something I'd really like to avoid. It also adds the extra ACL step to that lib.

The thing we do to avoid it is setting the default ACL of the entire bucket public. Which is fine (in our case), but not ideal.

[lukesneeringer]

From @stephenplusplus on May 3, 2017 14:8

Adding the keepAcl option sounds good to me. For a quick fix, something like this should work:

file.interceptors.push({
  request: function(reqOpts) {
    if (reqOpts.uri.includes('rewriteTo')) {
      reqOpts.qs.destinationPredefinedAcl = '{{predefined acl value}}'
    }
    return reqOpts
  }
})

The incoming reqOpts that you'd be modifying are defined here in the this.request() call.

[stephenplusplus]

Could anyone suggest how we should implement this? After the file is copied, do we call https://cloud.google.com/storage/docs/json_api/v1/objectAccessControls/list and then make as many calls as necessary to https://cloud.google.com/storage/docs/json_api/v1/objectAccessControls/insert on the new file?

Or is there a way to determine the correct value for destinationPredefinedAcl on the new file?

[frankyn]

This came up in Python GCS client library and after speaking with a GCS team member. I decided to close the feature request for the following two reasons: (ref)

• Operation isn't supported by the API and follow-up operations to reset ACL may fail in between leaving the object in a bad state. No guarantees.
• It's recommended that developers should use bucket-level IAM policies over ACL to prevent inadvertent data exposures. Bad states may cause inadvertent exposures.