Storage example should show how to set ACL #1012

Closed
volgin opened this issue May 16, 2016 · 9 comments · Fixed by #1033

@volgin

volgin commented May 16, 2016

ACLs are not even mentioned in the examples. Example needs to show both how to set a specific ACL and how to set a PredefinedAcl.

When I use this code, the console Cloud Storage viewer does not show items as shared publicly:

storage.create(coverBlob, coverImage,
    BlobTargetOption.predefinedAcl(PredefinedAcl.PUBLIC_READ));

So it's not clear what this code is supposed to do.

Am I right to assume that ACL should be set on BlobInfo like this?

    .acl(Arrays.asList(Acl.of(User.ofAllUsers(), Role.READER)))

If this is correct, is it enough, or should it be used together with BlobTargetOption.predefinedAcl(PredefinedAcl.PUBLIC_READ)?

@mziccard
Contributor

ACLs and predefined ACLs are concepts of Cloud Storage with a dedicated documentation page that should help you understand the difference between ACLs and predefined ACLs. We kept the same name so that users familiar with Storage concepts should feel quite at home.

The following code:

storage.create(coverBlob, coverImage,
    BlobTargetOption.predefinedAcl(PredefinedAcl.PUBLIC_READ));

Sets the predefined ACL to PUBLIC_READ. Predefined ACLs are documented by the service here. The PUBLIC_READ predefined ACL corresponds to setting the following permissions:

  • Object owner gets OWNER access
  • allUsers get READER access

I just tried the code and the created blob is correctly shown in the web Console as "Shared publicly".

This other code:

.acl(Arrays.asList(Acl.of(User.ofAllUsers(), Role.READER)))

Sets the ACL for the blob (a much finer control is possible, when compared to the sole predefined ACLs). In your code you are just setting the following permission:

  • allUsers get READER access

Even in this second case the web Console correctly marks the blob as "Shared publicly".

If your goal is to make a blob publicly available both codes will do it.

@mziccard mziccard added api: storage Issues related to the Cloud Storage API. docs labels May 16, 2016
@volgin
Author

volgin commented May 17, 2016

This is how objects look in my bucket when I upload them with the PredefinedAcl:

[Screenshot: screen shot 2016-05-17 at 1 16 51 am]

As you can see, Share Publicly checkbox is missing. Selecting objects and pressing "Share Publicly" button has no effect.

@mziccard
Contributor

As I said previously I tried this code (and several other combinations):

storage.create(BlobInfo.builder("my-bucket", "test-acl").build(),
    BlobTargetOption.predefinedAcl(PredefinedAcl.PUBLIC_READ));

storage.create(BlobInfo.builder("my-bucket", "test-acl-with-content").build(),
    "Hello, ACL!".getBytes(), BlobTargetOption.predefinedAcl(PredefinedAcl.PUBLIC_READ));

And it works just fine:

[Screenshot: screen shot 2016-05-17 at 9 01 27 am]

Are you sure you are using the code you shared to create the blobs? If you then get them with cloud-java what does blob.acl() contain?

@volgin
Author

volgin commented May 17, 2016

  1. Yes, I copied the exact code that I use. The only difference with your code is how I create BlobInfo - note contentType:

BlobInfo coverBlob = BlobInfo.builder("coverart", releaseId + ".jpg")
    .contentType("image/jpeg")
    .build();

  2. I tried accessing these images from an unauthenticated browser, and they do show up. So missing checkboxes from the Cloud Storage viewer is the only problem/source of confusion. You can try to access these objects - the bucket name is "coverart", and all the objects inside are public.

Note that if I rename the object, the checkbox appears (unchecked, which is the expected behavior). Then I can check it as usual.

[Screenshot: screen shot 2016-05-17 at 12 10 27 pm]

@aozarov
Contributor

aozarov commented May 17, 2016

Maybe @BrandonY has some insights why the Cloud Storage Viewer behaves that way.

@mziccard
Contributor

This is weird. Now I am experiencing the problem as well, and it seems not to be a problem with just the web console. If I create a blob:

storage.create(BlobInfo.builder("my-bucket", "test-acl").build(),
        BlobTargetOption.predefinedAcl(PredefinedAcl.PUBLIC_READ));

The HTTP response (to the uploading POST request) correctly has the expected ACLs:

{
 "kind": "storage#object",
 "id": "my-bucket/test-acl/1463505795940000",
 "selfLink": "https://www.googleapis.com/storage/v1/b/my-bucket/o/test-acl",
 "name": "test-acl",
 "bucket": "my-bucket",
 "generation": "1463505795940000",
 "metageneration": "1",
 "contentType": "text/plain",
 "timeCreated": "2016-05-17T17:23:15.931Z",
 "updated": "2016-05-17T17:23:15.931Z",
 "storageClass": "STANDARD",
 "size": "0",
 "md5Hash": "1B2M2Y8AsgTpgAmY7PhCfg==",
 "mediaLink": "https://www.googleapis.com/download/storage/v1/b/my-bucket/o/test-acl?generation=1463505795940000&alt=media",
 "acl": [
  {
   "kind": "storage#objectAccessControl",
   "id": "some-id",
   "selfLink": "some-link",
   "bucket": "my-bucket",
   "object": "test-acl",
   "generation": "1463505795940000",
   "entity": "some-entity",
   "role": "OWNER",
   "entityId": "some-entity-id",
   "etag": "some-tag"
  },
  {
   "kind": "storage#objectAccessControl",
   "id": "my-bucket/test-acl/1463505795940000/allUsers",
   "selfLink": "https://www.googleapis.com/storage/v1/b/my-bucket/o/test-acl/acl/allUsers",
   "bucket": "my-bucket",
   "object": "test-acl",
   "generation": "1463505795940000",
   "entity": "allUsers",
   "role": "READER",
   "etag": "CKD93/jP4cwCEAE="
  }
 ],
 "owner": {
  "entity": "my-entity",
  "entityId": "my-entity-id"
 },
 "crc32c": "AAAAAA==",
 "etag": "CKD93/jP4cwCEAE="
}

However if I GET the object the ACLs disappeared:

{
 "kind": "storage#object",
 "id": "empty-test-bucket/test-acl/1463505795940000",
 "selfLink": "https://www.googleapis.com/storage/v1/b/my-bucket/o/test-acl",
 "name": "test-acl",
 "bucket": "my-bucket",
 "generation": "1463505795940000",
 "metageneration": "1",
 "contentType": "text/plain",
 "timeCreated": "2016-05-17T17:23:15.931Z",
 "updated": "2016-05-17T17:23:15.931Z",
 "storageClass": "STANDARD",
 "size": "0",
 "md5Hash": "1B2M2Y8AsgTpgAmY7PhCfg==",
 "mediaLink": "https://www.googleapis.com/download/storage/v1/b/my-bucket/o/test-acl?generation=1463505795940000&alt=media",
 "crc32c": "AAAAAA==",
 "etag": "CKD93/jP4cwCEAE="
}

/cc @Capstan

@Capstan
Contributor

Capstan commented May 17, 2016

You need the full projection to get ACLs on normal gets. If you provide an ACL on create or update, you'll get an acl in the response, but otherwise you need to specify full there as well.

@mziccard
Contributor

mziccard commented May 17, 2016

@Capstan I am using full projection to get the blob.

What I believe is happening is that the blobs are being created with a service account while the console is being accessed with a different account and thus has no access to the ACL information (@volgin can you confirm you are running this scenario?)

For the console to show the "Shared publicly" mark I used:

storage.create(BlobInfo.builder("my-bucket", "test-acl")
    .acl(Arrays.asList(Acl.of(User.ofAllUsers(), Acl.Role.READER),
        Acl.of(new User("my@email.com"), Acl.Role.OWNER))).build());

Where "my@email.com" is the account I use to log in to the web console. Or you could give owner access to all project owners:

storage.create(BlobInfo.builder("my-bucket", "test-acl")
    .acl(Arrays.asList(
        Acl.of(User.ofAllUsers(), Acl.Role.READER),
        Acl.of(
            new Acl.Project(Acl.Project.ProjectRole.OWNERS, "your-project"),
            Acl.Role.OWNER))).build());

@volgin regardless of the fact that you are not seeing the "Shared publicly" mark in the web console I believe they are being properly set.

@volgin
Copy link
Author

volgin commented May 17, 2016

@mziccard - You are correct.

It looks like a bug in web console: I can do anything I want with these objects (rename and delete), which indicates Owner access level, but I do not see the checkbox for "Share publicly".
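
Added example, not part of the original thread or the project's code: a small audit helper that classifies a `storage#object` resource as publicly readable, restricted, or unknown, treating a missing `acl` field as "unknown" rather than "private", which is the trap the thread ran into. The sample JSON bodies are constructed and trimmed from the two response shapes quoted above; the function name and verdict strings are assumptions.

```python
import json

# Entities that grant access without naming a specific principal.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed samples, trimmed from the response shapes quoted in the thread.
UPLOAD_RESPONSE = """{
 "kind": "storage#object", "bucket": "my-bucket", "name": "test-acl",
 "acl": [
  {"entity": "some-entity", "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
 ]
}"""
GET_RESPONSE = """{
 "kind": "storage#object", "bucket": "my-bucket", "name": "test-acl"
}"""
OWNER_ONLY_RESPONSE = """{
 "kind": "storage#object", "bucket": "my-bucket", "name": "private-object",
 "acl": [{"entity": "some-entity", "role": "OWNER"}]
}"""


def public_exposure(resource_json):
    """Return (verdict, public_grants) for one storage#object resource."""
    obj = json.loads(resource_json)
    if obj.get("kind") != "storage#object":
        raise ValueError("expected a storage#object resource")
    acl = obj.get("acl")
    if acl is None:
        # The service omits "acl" unless the request used projection=full
        # and the caller has OWNER on the object. Absence is not evidence
        # that the object is private.
        return "unknown", []
    grants = [(e.get("entity"), e.get("role")) for e in acl
              if e.get("entity") in PUBLIC_ENTITIES]
    return ("public" if grants else "restricted"), grants


if __name__ == "__main__":
    samples = [("upload response", UPLOAD_RESPONSE),
               ("plain GET", GET_RESPONSE),
               ("owner only", OWNER_ONLY_RESPONSE)]
    for label, body in samples:
        print(label, public_exposure(body))
```

An "unknown" verdict should be re-checked with credentials that hold OWNER on the object, or by an unauthenticated read as volgin did.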
