From f5e650da59dabda8650107c1a3e83a4809c13686 Mon Sep 17 00:00:00 2001
From: Mike Morearty
Date: Wed, 21 Jun 2017 15:52:34 -0700
Subject: [PATCH] Add --s3_full_control_userid

Add the ability to specify an S3 user who will have full control over any objects that are uploaded to the S3-based remote cache.
---
 .../google/devtools/build/lib/remote/RemoteOptions.java | 8 ++++++++
 .../google/devtools/build/lib/remote/S3ActionCache2.java | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java b/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java
index 785802904a8004..45637d3321879e 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java
@@ -49,6 +49,14 @@ public final class RemoteOptions extends OptionsBase {
 )
 public String s3CacheBucket;
+ @Option(
+ name = "s3_full_control_userid",
+ defaultValue = "null",
+ category = "remote",
+ help = "An AWS canonical user id for a user who should have full control over uploaded objects"
+ )
+ public String s3FullControlUserId;
+
 @Option(name = "remote_fallback_strategy",
 allowMultiple = true,
 converter = AssignmentConverter.class,
diff --git a/src/main/java/com/google/devtools/build/lib/remote/S3ActionCache2.java b/src/main/java/com/google/devtools/build/lib/remote/S3ActionCache2.java
index b4589f27159b99..67bbefb99cbbb1 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/S3ActionCache2.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/S3ActionCache2.java
@@ -44,6 +44,7 @@
 @ThreadSafe
 public final class S3ActionCache2 {
 private final String bucketName;
+ private final String s3userId;
 private final boolean debug;
 private static volatile int numConsecutiveErrors;
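Review bot: The help text for `s3_full_control_userid` in RemoteOptions.java does not say what the grant allows or that it is attached to every object the cache uploads. A full-control grant on an S3 object lets that user read the object and read and rewrite its ACL, so whoever sets the flag should see that spelled out. I would word it as `help = "AWS canonical user id that is granted FULL_CONTROL (read the object, read and write its ACL) on every object uploaded to the S3 remote cache; no extra grant is added when unset"`. The RemoteOptions class starts before and continues past this hunk.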
@@ -57,6 +58,7 @@ public final class S3ActionCache2 {
 */
 public S3ActionCache2(RemoteOptions options) {
 this.bucketName = options.s3CacheBucket;
+ this.s3userId = options.s3FullControlUserId;
 this.debug = options.remoteCacheDebug;
 }
@@ -205,6 +207,13 @@ private void putObject(String key, PutObjectRequest object) {
 long t0 = System.currentTimeMillis();
 try {
+ if (s3userId != null) {
+ Grantee grantee = new CanonicalGrantee(s3userId);
+ AccessControlList acl = new AccessControlList();
+ acl.grantPermission(grantee, Permission.FullControl);
+ object = object.withAccessControlList(acl);
+ }
+
 client.putObject(object);
 if (debug) {
 System.err.println("S3 Cache Upload: key:" + key + " (" + (System.currentTimeMillis() - t0) + "ms)");
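Review bot: The guard `if (s3userId != null)` in putObject lets an empty `--s3_full_control_userid=` value through to `new CanonicalGrantee(s3userId)`, which would most likely surface as a failed upload on every request instead of a configuration error; `if (s3userId != null && !s3userId.isEmpty())`, or validation in the constructor, closes that. The ACL built here holds only the one FullControl grant, so it presumably replaces the default private ACL rather than adding to it. It is worth confirming that the uploading identity can still read back what it wrote, and whether the grantee needs FULL_CONTROL (which includes rewriting the object's ACL) rather than `Permission.Read`. None of the S3ActionCache2 hunks adds an import for `Grantee`, `CanonicalGrantee`, `AccessControlList` or `Permission`, so this compiles only if the file already imports them outside the hunks. putObject starts before the hunk and its body continues past it.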