forked from TrueCloudLab/rclone
gcs: add support for anonymous access
Currently credentials are required to download a public bucket file which is not really necessary and makes automated usage more complex. Add a new option "anonymous" which when enabled configures the gcs backend to use an anonymous HTTP client. This of course only works for read access and trying to write will lead to errors like that: "googleapi: Error 401: Anonymous caller does not not have storage.objects.create access to the Google Cloud Storage object.", as expected. By default the anonymous access option is disabled so that the GCS Application Default Credentials are still used by default as before and an error is given if they can't be found.
This commit is contained in:
parent
99c293a403
commit
54f2587c1e
2 changed files with 17 additions and 2 deletions
|
@ -79,7 +79,8 @@ func init() {
|
||||||
Config: func(name string, m configmap.Mapper) {
|
Config: func(name string, m configmap.Mapper) {
|
||||||
saFile, _ := m.Get("service_account_file")
|
saFile, _ := m.Get("service_account_file")
|
||||||
saCreds, _ := m.Get("service_account_credentials")
|
saCreds, _ := m.Get("service_account_credentials")
|
||||||
if saFile != "" || saCreds != "" {
|
anonymous, _ := m.Get("anonymous")
|
||||||
|
if saFile != "" || saCreds != "" || anonymous == "true" {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
err := oauthutil.Config("google cloud storage", name, m, storageConfig, nil)
|
err := oauthutil.Config("google cloud storage", name, m, storageConfig, nil)
|
||||||
|
@ -103,6 +104,10 @@ func init() {
|
||||||
Name: "service_account_credentials",
|
Name: "service_account_credentials",
|
||||||
Help: "Service Account Credentials JSON blob\nLeave blank normally.\nNeeded only if you want use SA instead of interactive login.",
|
Help: "Service Account Credentials JSON blob\nLeave blank normally.\nNeeded only if you want use SA instead of interactive login.",
|
||||||
Hide: fs.OptionHideBoth,
|
Hide: fs.OptionHideBoth,
|
||||||
|
}, {
|
||||||
|
Name: "anonymous",
|
||||||
|
Help: "Access public buckets and objects without credentials\nSet to 'true' if you just want to download files and don't configure credentials.",
|
||||||
|
Default: false,
|
||||||
}, {
|
}, {
|
||||||
Name: "object_acl",
|
Name: "object_acl",
|
||||||
Help: "Access Control List for new objects.",
|
Help: "Access Control List for new objects.",
|
||||||
|
@ -265,6 +270,7 @@ type Options struct {
|
||||||
ProjectNumber string `config:"project_number"`
|
ProjectNumber string `config:"project_number"`
|
||||||
ServiceAccountFile string `config:"service_account_file"`
|
ServiceAccountFile string `config:"service_account_file"`
|
||||||
ServiceAccountCredentials string `config:"service_account_credentials"`
|
ServiceAccountCredentials string `config:"service_account_credentials"`
|
||||||
|
Anonymous bool `config:"anonymous"`
|
||||||
ObjectACL string `config:"object_acl"`
|
ObjectACL string `config:"object_acl"`
|
||||||
BucketACL string `config:"bucket_acl"`
|
BucketACL string `config:"bucket_acl"`
|
||||||
BucketPolicyOnly bool `config:"bucket_policy_only"`
|
BucketPolicyOnly bool `config:"bucket_policy_only"`
|
||||||
|
@ -411,7 +417,9 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) {
|
||||||
}
|
}
|
||||||
opt.ServiceAccountCredentials = string(loadedCreds)
|
opt.ServiceAccountCredentials = string(loadedCreds)
|
||||||
}
|
}
|
||||||
if opt.ServiceAccountCredentials != "" {
|
if opt.Anonymous {
|
||||||
|
oAuthClient = &http.Client{}
|
||||||
|
} else if opt.ServiceAccountCredentials != "" {
|
||||||
oAuthClient, err = getServiceAccountClient([]byte(opt.ServiceAccountCredentials))
|
oAuthClient, err = getServiceAccountClient([]byte(opt.ServiceAccountCredentials))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed configuring Google Cloud Storage Service Account")
|
return nil, errors.Wrap(err, "failed configuring Google Cloud Storage Service Account")
|
||||||
|
|
|
@ -194,6 +194,13 @@ the rclone config file, you can set `service_account_credentials` with
|
||||||
the actual contents of the file instead, or set the equivalent
|
the actual contents of the file instead, or set the equivalent
|
||||||
environment variable.
|
environment variable.
|
||||||
|
|
||||||
|
### Anonymous Access ###
|
||||||
|
|
||||||
|
For downloads of objects that permit public access you can configure rclone
|
||||||
|
to use anonymous access by setting `anonymous` to `true`.
|
||||||
|
With unauthorized access you can't write or create files but only read or list
|
||||||
|
those buckets and objects that have public read access.
|
||||||
|
|
||||||
### Application Default Credentials ###
|
### Application Default Credentials ###
|
||||||
|
|
||||||
If no other source of credentials is provided, rclone will fall back
|
If no other source of credentials is provided, rclone will fall back
|
||||||
|
|
Loading…
Reference in a new issue