Provided by: tcllib_1.21+dfsg-1_all 
NAME
S3 - Amazon S3 Web Service Interface
SYNOPSIS
package require Tcl 8.5
package require S3 ?1.0.3?
package require sha1 1.0
package require md5 2.0
package require base64 2.3
package require xsxp 1.0
S3::Configure ?-reset boolean? ?-retries integer? ?-accesskeyid idstring?
?-secretaccesskey idstring? ?-service-access-point FQDN? ?-use-tls boolean? ?-default-
compare always|never|exists|missing|newer|date|checksum|different? ?-default-separator
string? ?-default-acl private|public-read|public-read-write|authenticated-read|keep|calc?
?-default-bucket bucketname?
S3::SuggestBucket ?name?
S3::REST dict
S3::ListAllMyBuckets ?-blocking boolean? ?-parse-xml xmlstring? ?-result-type
REST|xml|pxml|dict|names|owner?
S3::PutBucket ?-bucket bucketname? ?-blocking boolean? ?-acl {}|private|public-
read|public-read-write|authenticated-read?
S3::DeleteBucket ?-bucket bucketname? ?-blocking boolean?
S3::GetBucket ?-bucket bucketname? ?-blocking boolean? ?-parse-xml xmlstring? ?-max-count
integer? ?-prefix prefixstring? ?-delimiter delimiterstring? ?-result-type
REST|xml|pxml|names|dict?
S3::Put ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-file filename?
?-content contentstring? ?-acl private|public-read|public-read-write|authenticated-
read|calc|keep? ?-content-type contenttypestring? ?-x-amz-meta-* metadatatext? ?-compare
comparemode?
S3::Get ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-compare
comparemode? ?-file filename? ?-content contentvarname? ?-timestamp aws|now? ?-headers
headervarname?
S3::Head ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-dict
dictvarname? ?-headers headersvarname? ?-status statusvarname?
S3::GetAcl ?-blocking boolean? ?-bucket bucketname? -resource resourcename ?-result-type
REST|xml|pxml?
S3::PutAcl ?-blocking boolean? ?-bucket bucketname? -resource resourcename ?-acl new-acl?
S3::Delete ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-status
statusvar?
S3::Push ?-bucket bucketname? -directory directoryname ?-prefix prefixstring? ?-compare
comparemode? ?-x-amz-meta-* metastring? ?-acl aclcode? ?-delete boolean? ?-error
throw|break|continue? ?-progress scriptprefix?
S3::Pull ?-bucket bucketname? -directory directoryname ?-prefix prefixstring? ?-blocking
boolean? ?-compare comparemode? ?-delete boolean? ?-timestamp aws|now? ?-error
throw|break|continue? ?-progress scriptprefix?
S3::Toss ?-bucket bucketname? -prefix prefixstring ?-blocking boolean? ?-error
throw|break|continue? ?-progress scriptprefix?
_________________________________________________________________________________________________
DESCRIPTION
This package provides access to Amazon's Simple Storage Solution web service.
As a quick summary, Amazon Simple Storage Solution provides a for-fee web service allowing
the storage of arbitrary data as "resources" within "buckets" online. See
http://www.amazonaws.com/ for details on that system. Access to the service is via HTTP
(SOAP or REST). Much of this documentation will not make sense if you're not familiar
with the terms and functionality of the Amazon S3 service.
This package provides services for reading and writing the data items via the REST
interface. It also provides some higher-level operations. Other packages in the same
distribution provide for even more functionality.
Copyright 2006 Darren New. All Rights Reserved. NO WARRANTIES OF ANY TYPE ARE PROVIDED.
COPYING OR USE INDEMNIFIES THE AUTHOR IN ALL WAYS. This software is licensed under
essentially the same terms as Tcl. See LICENSE.txt for the terms.
ERROR REPORTING
The error reporting from this package makes use of $errorCode to provide more details on
what happened than simply throwing an error. Any error caught by the S3 package (and we
try to catch them all) will return with an $errorCode being a list having at least three
elements. In all cases, the first element will be "S3". The second element will take on
one of six values, with that element defining the value of the third and subsequent
elements. S3::REST does not throw an error, but rather returns a dictionary with the keys
"error", "errorInfo", and "errorCode" set. This allows for reliable background use. The
possible second elements are these:
usage The usage of the package is incorrect. For example, a command has been invoked
which requires the library to be configured before the library has been configured,
or an invalid combination of options has been specified. The third element of
$errorCode supplies the name of the parameter that was wrong. The fourth usually
provides the arguments that were actually supplied to the throwing proc, unless the
usage error isn't confined to a single proc.
local Something happened on the local system which threw an error. For example, a request
to upload or download a file was made and the file permissions denied that sort of
access. The third element of $errorCode is the original $errorCode.
socket Something happened with the socket. It closed prematurely, or some other condition
of failure-to-communicate-with-Amazon was detected. The third element of $errorCode
is the original $errorCode, or sometimes the message from fcopy, or ...?
remote The Amazon web service returned an error code outside the 2xx range in the HTTP
header. In other words, everything went as documented, except this particular case
was documented not to work. The third element is the dictionary returned from
::S3::REST. Note that S3::REST itself never throws this error, but just returns
the dictionary. Most of the higher-level commands throw for convenience, unless an
argument indicates they should not. If something is documented as "not throwing an
S3 remote error", it means a status return is set rather than throwing an error if
Amazon returns a non-2XX HTTP result code.
notyet The user obeyed the documentation, but the author has not yet gotten around to
implementing this feature. (Right now, only TLS support and sophisticated
permissions fall into this category, as well as the S3::Acl command.)
xml The service has returned invalid XML, or XML whose schema is unexpected. For the
high-level commands that accept service XML as input for parsing, this may also be
thrown.
COMMANDS
This package provides several separate levels of complexity.
• The lowest level simply takes arguments to be sent to the service, sends them,
retrieves the result, and provides it to the caller. Note: This layer allows both
synchronous and event-driven processing. It depends on the MD5 and SHA1 and base64
packages from Tcllib (available at http://core.tcl.tk/tcllib/). Note that
S3::Configure is required for S3::REST to work due to the authentication portion,
so we put that in the "lowest level."
• The next layer parses the results of calls, allowing for functionality such as
uploading only changed files, synchronizing directories, and so on. This layer
depends on the TclXML package as well as the included xsxp package. These packages
are package required when these more-sophisticated routines are called, so nothing
breaks if they are not correctly installed.
• Also included is a separate program that uses the library. It provides code to
parse $argv0 and $argv from the command line, allowing invocation as a tclkit, etc.
(Not yet implmented.)
• Another separate program provides a GUI interface allowing drag-and-drop and other
such functionality. (Not yet implemented.)
• Also built on this package is the OddJob program. It is a separate program designed
to allow distribution of computational work units over Amazon's Elastic Compute
Cloud web service.
The goal is to have at least the bottom-most layers implemented in pure Tcl using only
that which comes from widely-available sources, such as Tcllib.
LOW LEVEL COMMANDS
These commands do not require any packages not listed above. They talk directly to the
service, or they are utility or configuration routines. Note that the "xsxp" package was
written to support this package, so it should be available wherever you got this package.
S3::Configure ?-reset boolean? ?-retries integer? ?-accesskeyid idstring?
?-secretaccesskey idstring? ?-service-access-point FQDN? ?-use-tls boolean? ?-default-
compare always|never|exists|missing|newer|date|checksum|different? ?-default-separator
string? ?-default-acl private|public-read|public-read-write|authenticated-read|keep|calc?
?-default-bucket bucketname?
There is one command for configuration, and that is S3::Configure. If called with
no arguments, it returns a dictionary of key/value pairs listing all current
settings. If called with one argument, it returns the value of that single
argument. If called with two or more arguments, it must be called with pairs of
arguments, and it applies the changes in order. There is only one set of
configuration information per interpreter.
The following options are accepted:
-reset boolean
By default, false. If true, any previous changes and any changes on the
same call before the reset option will be returned to default values.
-retries integer
Default value is 3. If Amazon returns a 500 error, a retry after an
exponential backoff delay will be tried this many times before finally
throwing the 500 error. This applies to each call to S3::REST from the
higher-level commands, but not to S3::REST itself. That is, S3::REST will
always return httpstatus 500 if that's what it receives. Functions like
S3::Put will retry the PUT call, and will also retry the GET and HEAD calls
used to do content comparison. Changing this to 0 will prevent retries and
their associated delays. In addition, socket errors (i.e., errors whose
errorCode starts with "S3 socket") will be similarly retried after backoffs.
-accesskeyid idstring
-secretaccesskey idstring
Each defaults to an empty string. These must be set before any calls are
made. This is your S3 ID. Once you sign up for an account, go to
http://www.amazonaws.com/, sign in, go to the "Your Web Services Account"
button, pick "AWS Access Identifiers", and your access key ID and secret
access keys will be available. All S3::REST calls are authenticated. Blame
Amazon for the poor choice of names.
-service-access-point FQDN
Defaults to "s3.amazonaws.com". This is the fully-qualified domain name of
the server to contact for S3::REST calls. You should probably never need to
touch this, unless someone else implements a compatible service, or you wish
to test something by pointing the library at your own service.
-slop-seconds integer
When comparing dates between Amazon and the local machine, two dates within
this many seconds of each other are considered the same. Useful for clock
drift correction, processing overhead time, and so on.
-use-tls boolean
Defaults to false. This is not yet implemented. If true, S3::REST will
negotiate a TLS connection to Amazon. If false, unencrypted connections are
used.
-bucket-prefix string
Defaults to "TclS3". This string is used by S3::SuggestBucketName if that
command is passed an empty string as an argument. It is used to distinguish
different applications using the Amazon service. Your application should
always set this to keep from interfering with the buckets of other users of
Amazon S3 or with other buckets of the same user.
-default-compare always|never|exists|missing|newer|date|checksum|different
Defaults to "always." If no -compare is specified on S3::Put, S3::Get, or
S3::Delete, this comparison is used. See those commands for a description
of the meaning.
-default-separator string
Defaults to "/". This is currently unused. It might make sense to use this
for S3::Push and S3::Pull, but allowing resources to have slashes in their
names that aren't marking directories would be problematic. Hence, this
currently does nothing.
-default-acl private|public-read|public-read-write|authenticated-read|keep|calc
Defaults to an empty string. If no -acl argument is provided to S3::Put or
S3::Push, this string is used (given as the x-amz-acl header if not keep or
calc). If this is also empty, no x-amz-acl header is generated. This is not
used by S3::REST.
-default-bucket bucketname
If no bucket is given to S3::GetBucket, S3::PutBucket, S3::Get, S3::Put,
S3::Head, S3::Acl, S3::Delete, S3::Push, S3::Pull, or S3::Toss, and if this
configuration variable is not an empty string (and not simply "/"), then
this value will be used for the bucket. This is useful if one program does a
large amount of resource manipulation within a single bucket.
S3::SuggestBucket ?name?
The S3::SuggestBucket command accepts an optional string as a prefix and returns a
valid bucket containing the name argument and the Access Key ID. This makes the
name unique to the owner and to the application (assuming the application picks a
good name argument). If no name is provided, the name from S3::Configure -bucket-
prefix is used. If that too is empty (which is not the default), an error is
thrown.
S3::REST dict
The S3::REST command takes as an argument a dictionary and returns a dictionary.
The return dictionary has the same keys as the input dictionary, and includes
additional keys as the result. The presence or absence of keys in the input
dictionary can control the behavior of the routine. It never throws an error
directly, but includes keys "error", "errorInfo", and "errorCode" if necessary.
Some keys are required, some optional. The routine can run either in blocking or
non-blocking mode, based on the presense of resultvar in the input dictionary. This
requires the -accesskeyid and -secretaccesskey to be configured via S3::Configure
before being called.
The possible input keys are these:
verb GET|PUT|DELETE|HEAD
This required item indicates the verb to be used.
resource string
This required item indicates the resource to be accessed. A leading / is
added if not there already. It will be URL-encoded for you if necessary. Do
not supply a resource name that is already URL-encoded.
?rtype torrent|acl?
This indicates a torrent or acl resource is being manipulated. Do not
include this in the resource key, or the "?" separator will get URL-encoded.
?parameters dict?
This optional dictionary provides parameters added to the URL for the
transaction. The keys must be in the correct case (which is confusing in the
Amazon documentation) and the values must be valid. This can be an empty
dictionary or omitted entirely if no parameters are desired. No other error
checking on parameters is performed.
?headers dict?
This optional dictionary provides headers to be added to the HTTP request.
The keys must be in lower case for the authentication to work. The values
must not contain embedded newlines or carriage returns. This is primarily
useful for adding x-amz-* headers. Since authentication is calculated by
S3::REST, do not add that header here. Since content-type gets its own key,
also do not add that header here.
?inbody contentstring?
This optional item, if provided, gives the content that will be sent. It is
sent with a tranfer encoding of binary, and only the low bytes are used, so
use [encoding convertto utf-8] if the string is a utf-8 string. This is
written all in one blast, so if you are using non-blocking mode and the
inbody is especially large, you may wind up blocking on the write socket.
?infile filename?
This optional item, if provided, and if inbody is not provided, names the
file from which the body of the HTTP message will be constructed. The file
is opened for reading and sent progressively by [fcopy], so it should not
block in non-blocking mode even if the file is very large. The file is
transfered in binary mode, so the bytes on your disk will match the bytes in
your resource. Due to HTTP restrictions, it must be possible to use [file
size] on this file to determine the size at the start of the transaction.
?S3chan channel?
This optional item, if provided, indicates the already-open socket over
which the transaction should be conducted. If not provided, a connection is
made to the service access point specified via S3::Configure, which is
normally s3.amazonaws.com. If this is provided, the channel is not closed at
the end of the transaction.
?outchan channel?
This optional item, if provided, indicates the already-open channel to which
the body returned from S3 should be written. That is, to retrieve a large
resource, open a file, set the translation mode, and pass the channel as the
value of the key outchan. Output will be written to the channel in pieces so
memory does not fill up unnecessarily. The channel is not closed at the end
of the transaction.
?resultvar varname?
This optional item, if provided, indicates that S3::REST should run in non-
blocking mode. The varname should be fully qualified with respect to
namespaces and cannot be local to a proc. If provided, the result of the
S3::REST call is assigned to this variable once everything has completed;
use trace or vwait to know when this has happened. If this key is not
provided, the result is simply returned from the call to S3::REST and no
calls to the eventloop are invoked from within this call.
?throwsocket throw|return?
This optional item, if provided, indicates that S3::REST should throw an
error if throwmode is throw and a socket error is encountered. It indicates
that S3::REST should return the error code in the returned dictionary if a
socket error is encountered and this is set to return. If throwsocket is set
to return or if the call is not blocking, then a socket error (i.e., an
error whose error code starts with "S3 socket" will be returned in the
dictionary as error, errorInfo, and errorCode. If a foreground call is made
(i.e., resultvar is not provided), and this option is not provided or is set
to throw, then error will be invoked instead.
Once the call to S3::REST completes, a new dict is returned, either in the resultvar or as
the result of execution. This dict is a copy of the original dict with the results added
as new keys. The possible new keys are these:
error errorstring
errorInfo errorstring
errorCode errorstring
If an error is caught, these three keys will be set in the result. Note
that S3::REST does not consider a non-2XX HTTP return code as an error. The
errorCode value will be formatted according to the ERROR REPORTING
description. If these are present, other keys described here might not be.
httpstatus threedigits
The three-digit code from the HTTP transaction. 2XX for good, 5XX for server
error, etc.
httpmessage text
The textual result after the status code. "OK" or "Forbidden" or etc.
outbody contentstring
If outchan was not specified, this key will hold a reference to the
(unencoded) contents of the body returned. If Amazon returned an error (a
la the httpstatus not a 2XX value), the error message will be in outbody or
written to outchan as appropriate.
outheaders dict
This contains a dictionary of headers returned by Amazon. The keys are
always lower case. It's mainly useful for finding the x-amz-meta-* headers,
if any, although things like last-modified and content-type are also useful.
The keys of this dictionary are always lower case. Both keys and values are
trimmed of extraneous whitespace.
HIGH LEVEL COMMANDS
The routines in this section all make use of one or more calls to S3::REST to do their
work, then parse and manage the data in a convenient way. All these commands throw errors
as described in ERROR REPORTING unless otherwise noted.
In all these commands, all arguments are presented as name/value pairs, in any order. All
the argument names start with a hyphen.
There are a few options that are common to many of the commands, and those common options
are documented here.
-blocking boolean
If provided and specified as false, then any calls to S3:REST will be non-blocking,
and internally these routines will call [vwait] to get the results. In other words,
these routines will return the same value, but they'll have event loops running
while waiting for Amazon.
-parse-xml xmlstring
If provided, the routine skips actually communicating with Amazon, and instead
behaves as if the XML string provided was returned as the body of the call. Since
several of these routines allow the return of data in various formats, this
argument can be used to parse existing XML to extract the bits of information that
are needed. It's also helpful for testing.
-bucket bucketname
Almost every high-level command needs to know what bucket the resources are in.
This option specifies that. (Only the command to list available buckets does not
require this parameter.) This does not need to be URL-encoded, even if it contains
special or non-ASCII characters. May or may not contain leading or trailing spaces
- commands normalize the bucket. If this is not supplied, the value is taken from
S3::Configure -default-bucket if that string isn't empty. Note that spaces and
slashes are always trimmed from both ends and the rest must leave a valid bucket.
-resource resourcename
This specifies the resource of interest within the bucket. It may or may not start
with a slash - both cases are handled. This does not need to be URL-encoded, even
if it contains special or non-ASCII characters.
-compare always|never|exists|missing|newer|date|checksum|different
When commands copy resources to files or files to resources, the caller may specify
that the copy should be skipped if the contents are the same. This argument
specifies the conditions under which the files should be copied. If it is not
passed, the result of S3::Configure -default-compare is used, which in turn
defaults to "always." The meanings of the various values are these:
always Always copy the data. This is the default.
never Never copy the data. This is essentially a no-op, except in S3::Push and
S3::Pull where the -delete flag might make a difference.
exists Copy the data only if the destination already exists.
missing
Copy the data only if the destination does not already exist.
newer Copy the data if the destination is missing, or if the date on the source is
newer than the date on the destination by at least S3::Configure -slop-
seconds seconds. If the source is Amazon, the date is taken from the Last-
Modified header. If the source is local, it is taken as the mtime of the
file. If the source data is specified in a string rather than a file, it is
taken as right now, via [clock seconds].
date Like newer, except copy if the date is newer or older.
checksum
Calculate the MD5 checksum on the local file or string, ask Amazon for the
eTag of the resource, and copy the data if they're different. Copy the data
also if the destination is missing. Note that this can be slow with large
local files unless the C version of the MD5 support is available.
different
Copy the data if the destination does not exist. If the destination exists
and an actual file name was specified (rather than a content string), and
the date on the file differs from the date on the resource, copy the data.
If the data is provided as a content string, the "date" is treated as "right
now", so it will likely always differ unless slop-seconds is large. If the
dates are the same, the MD5 checksums are compared, and the data is copied
if the checksums differ.
Note that "newer" and "date" don't care about the contents, and "checksum" doesn't care
about the dates, but "different" checks both.
S3::ListAllMyBuckets ?-blocking boolean? ?-parse-xml xmlstring? ?-result-type
REST|xml|pxml|dict|names|owner?
This routine performs a GET on the Amazon S3 service, which is defined to return a
list of buckets owned by the account identified by the authorization header. (Blame
Amazon for the dumb names.)
-blocking boolean
See above for standard definition.
-parse-xml xmlstring
See above for standard definition.
-result-type REST
The dictionary returned by S3::REST is the return value of
S3::ListAllMyBuckets. In this case, a non-2XX httpstatus will not throw an
error. You may not combine this with -parse-xml.
-result-type xml
The raw XML of the body is returned as the result (with no encoding
applied).
-result-type pxml
The XML of the body as parsed by xsxp::parse is returned.
-result-type dict
A dictionary of interesting portions of the XML is returned. The dictionary
contains the following keys:
Owner/ID
The Amazon AWS ID (in hex) of the owner of the bucket.
Owner/DisplayName
The Amazon AWS ID's Display Name.
Bucket/Name
A list of names, one for each bucket.
Bucket/CreationDate
A list of dates, one for each bucket, in the same order as
Bucket/Name, in ISO format (as returned by Amazon).
-result-type names
A list of bucket names is returned with all other information stripped out.
This is the default result type for this command.
-result-type owner
A list containing two elements is returned. The first element is the owner's
ID, and the second is the owner's display name.
S3::PutBucket ?-bucket bucketname? ?-blocking boolean? ?-acl {}|private|public-
read|public-read-write|authenticated-read?
This command creates a bucket if it does not already exist. Bucket names are
globally unique, so you may get a "Forbidden" error from Amazon even if you cannot
see the bucket in S3::ListAllMyBuckets. See S3::SuggestBucket for ways to minimize
this risk. The x-amz-acl header comes from the -acl option, or from S3::Configure
-default-acl if not specified.
S3::DeleteBucket ?-bucket bucketname? ?-blocking boolean?
This command deletes a bucket if it is empty and you have such permission. Note
that Amazon's list of buckets is a global resource, requiring far-flung
synchronization. If you delete a bucket, it may be quite a few minutes (or hours)
before you can recreate it, yielding "Conflict" errors until then.
S3::GetBucket ?-bucket bucketname? ?-blocking boolean? ?-parse-xml xmlstring? ?-max-count
integer? ?-prefix prefixstring? ?-delimiter delimiterstring? ?-result-type
REST|xml|pxml|names|dict?
This lists the contents of a bucket. That is, it returns a directory listing of
resources within a bucket, rather than transfering any user data.
-bucket bucketname
The standard bucket argument.
-blocking boolean
The standard blocking argument.
-parse-xml xmlstring
The standard parse-xml argument.
-max-count integer
If supplied, this is the most number of records to be returned. If not
supplied, the code will iterate until all records have been found. Not
compatible with -parse-xml. Note that if this is supplied, only one call to
S3::REST will be made. Otherwise, enough calls will be made to exhaust the
listing, buffering results in memory, so take care if you may have huge
buckets.
-prefix prefixstring
If present, restricts listing to resources with a particular prefix. One
leading / is stripped if present.
-delimiter delimiterstring
If present, specifies a delimiter for the listing. The presence of this
will summarize multiple resources into one entry, as if S3 supported
directories. See the Amazon documentation for details.
-result-type REST|xml|pxml|names|dict
This indicates the format of the return result of the command.
REST If -max-count is specified, the dictionary returned from S3::REST is
returned. If -max-count is not specified, a list of all the
dictionaries returned from the one or more calls to S3::REST is
returned.
xml If -max-count is specified, the body returned from S3::REST is
returned. If -max-count is not specified, a list of all the bodies
returned from the one or more calls to S3::REST is returned.
pxml If -max-count is specified, the body returned from S3::REST is passed
throught xsxp::parse and then returned. If -max-count is not
specified, a list of all the bodies returned from the one or more
calls to S3::REST are each passed through xsxp::parse and then
returned.
names Returns a list of all names found in either the Contents/Key fields
or the CommonPrefixes/Prefix fields. If no -delimiter is specified
and no -max-count is specified, this returns a list of all resources
with the specified -prefix.
dict Returns a dictionary. (Returns only one dictionary even if -max-count
wasn't specified.) The keys of the dictionary are as follows:
Name The name of the bucket (from the final call to S3::REST).
Prefix From the final call to S3::REST.
Marker From the final call to S3::REST.
MaxKeys
From the final call to S3::REST.
IsTruncated
From the final call to S3::REST, so always false if -max-count
is not specified.
NextMarker
Always provided if IsTruncated is true, and calculated of
Amazon does not provide it. May be empty if IsTruncated is
false.
Key A list of names of resources in the bucket matching the
-prefix and -delimiter restrictions.
LastModified
A list of times of resources in the bucket, in the same order
as Key, in the format returned by Amazon. (I.e., it is not
parsed into a seconds-from-epoch.)
ETag A list of entity tags (a.k.a. MD5 checksums) in the same order
as Key.
Size A list of sizes in bytes of the resources, in the same order
as Key.
Owner/ID
A list of owners of the resources in the bucket, in the same
order as Key.
Owner/DisplayName
A list of owners of the resources in the bucket, in the same
order as Key. These are the display names.
CommonPrefixes/Prefix
A list of prefixes common to multiple entities. This is
present only if -delimiter was supplied.
S3::Put ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-file filename?
?-content contentstring? ?-acl private|public-read|public-read-write|authenticated-
read|calc|keep? ?-content-type contenttypestring? ?-x-amz-meta-* metadatatext? ?-compare
comparemode?
This command sends data to a resource on Amazon's servers for storage, using the
HTTP PUT command. It returns 0 if the -compare mode prevented the transfer, 1 if
the transfer worked, or throws an error if the transfer was attempted but failed.
Server 5XX errors and S3 socket errors are retried according to S3:Configure
-retries settings before throwing an error; other errors throw immediately.
-bucket
This specifies the bucket into which the resource will be written. Leading
and/or trailing slashes are removed for you, as are spaces.
-resource
This is the full name of the resource within the bucket. A single leading
slash is removed, but not a trailing slash. Spaces are not trimmed.
-blocking
The standard blocking flag.
-file If this is specified, the filename must exist, must be readable, and must
not be a special or directory file. [file size] must apply to it and must
not change for the lifetime of the call. The default content-type is
calculated based on the name and/or contents of the file. Specifying this is
an error if -content is also specified, but at least one of -file or
-content must be specified. (The file is allowed to not exist or not be
readable if -compare never is specified.)
-content
If this is specified, the contentstring is sent as the body of the resource.
The content-type defaults to "application/octet-string". Only the low bytes
are sent, so non-ASCII should use the appropriate encoding (such as
[encoding convertto utf-8]) before passing it to this routine, if necessary.
Specifying this is an error if -file is also specified, but at least one of
-file or -content must be specified.
-acl This defaults to S3::Configure -default-acl if not specified. It sets the
x-amz-acl header on the PUT operation. If the value provided is calc, the
x-amz-acl header is calculated based on the I/O permissions of the file to
be uploaded; it is an error to specify calc and -content. If the value
provided is keep, the acl of the resource is read before the PUT (or the
default is used if the resource does not exist), then set back to what it
was after the PUT (if it existed). An error will occur if the resource is
successfully written but the kept ACL cannot be then applied. This should
never happen. Note: calc is not currently fully implemented.
-x-amz-meta-*
If any header starts with "-x-amz-meta-", its contents are added to the PUT
command to be stored as metadata with the resource. Again, no encoding is
performed, and the metadata should not contain characters like newlines,
carriage returns, and so on. It is best to stick with simple ASCII strings,
or to fix the library in several places.
-content-type
This overrides the content-type calculated by -file or sets the content-type
for -content.
-compare
This is the standard compare mode argument. S3::Put returns 1 if the data
was copied or 0 if the data was skipped due to the comparison mode so
indicating it should be skipped.
S3::Get ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-compare
comparemode? ?-file filename? ?-content contentvarname? ?-timestamp aws|now? ?-headers
headervarname?
This command retrieves data from a resource on Amazon's S3 servers, using the HTTP
GET command. It returns 0 if the -compare mode prevented the transfer, 1 if the
transfer worked, or throws an error if the transfer was attempted but failed.
Server 5XX errors and S3 socket errors are are retried according to S3:Configure
settings before throwing an error; other errors throw immediately. Note that this
is always authenticated as the user configured in via S3::Configure -accesskeyid.
Use the Tcllib http for unauthenticated GETs.
-bucket
This specifies the bucket from which the resource will be read. Leading
and/or trailing slashes are removed for you, as are spaces.
-resource
This is the full name of the resource within the bucket. A single leading
slash is removed, but not a trailing slash. Spaces are not trimmed.
-blocking
The standard blocking flag.
-file If this is specified, the body of the resource will be read into this file,
incrementally without pulling it entirely into memory first. The parent
directory must already exist. If the file already exists, it must be
writable. If an error is thrown part-way through the process and the file
already existed, it may be clobbered. If an error is thrown part-way through
the process and the file did not already exist, any partial bits will be
deleted. Specifying this is an error if -content is also specified, but at
least one of -file or -content must be specified.
-timestamp
This is only valid in conjunction with -file. It may be specified as now or
aws. The default is now. If now, the file's modification date is left up to
the system. If aws, the file's mtime is set to match the Last-Modified
header on the resource, synchronizing the two appropriately for -compare
date or -compare newer.
-content
If this is specified, the contentvarname is a variable in the caller's scope
(not necessarily global) that receives the value of the body of the
resource. No encoding is done, so if the resource (for example) represents a
UTF-8 byte sequence, use [encoding convertfrom utf-8] to get a valid UTF-8
string. If this is specified, the -compare is ignored unless it is never, in
which case no assignment to contentvarname is performed. Specifying this is
an error if -file is also specified, but at least one of -file or -content
must be specified.
-compare
This is the standard compare mode argument. S3::Get returns 1 if the data
was copied or 0 if the data was skipped due to the comparison mode so
indicating it should be skipped.
-headers
If this is specified, the headers resulting from the fetch are stored in the
provided variable, as a dictionary. This will include content-type and x-
amz-meta-* headers, as well as the usual HTTP headers, the x-amz-id
debugging headers, and so on. If no file is fetched (due to -compare or
other errors), no assignment to this variable is performed.
S3::Head ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-dict
dictvarname? ?-headers headersvarname? ?-status statusvarname?
This command requests HEAD from the resource. It returns whether a 2XX code was
returned as a result of the request, never throwing an S3 remote error. That is,
if this returns 1, the resource exists and is accessible. If this returns 0,
something went wrong, and the -status result can be consulted for details.
-bucket
This specifies the bucket from which the resource will be read. Leading
and/or trailing slashes are removed for you, as are spaces.
-resource
This is the full name of the resource within the bucket. A single leading
slash is removed, but not a trailing slash. Spaces are not trimmed.
-blocking
The standard blocking flag.
-dict If specified, the resulting dictionary from the S3::REST call is assigned to
the indicated (not necessarily global) variable in the caller's scope.
-headers
If specified, the dictionary of headers from the result are assigned to the
indicated (not necessarily global) variable in the caller's scope.
-status
If specified, the indicated (not necessarily global) variable in the
caller's scope is assigned a 2-element list. The first element is the
3-digit HTTP status code, while the second element is the HTTP message (such
as "OK" or "Forbidden").
S3::GetAcl ?-blocking boolean? ?-bucket bucketname? -resource resourcename ?-result-type
REST|xml|pxml?
This command gets the ACL of the indicated resource or throws an error if it is
unavailable.
-blocking boolean
See above for standard definition.
-bucket
This specifies the bucket from which the resource will be read. Leading
and/or trailing slashes are removed for you, as are spaces.
-resource
This is the full name of the resource within the bucket. A single leading
slash is removed, but not a trailing slash. Spaces are not trimmed.
-parse-xml xml
The XML from a previous GetACL can be passed in to be parsed into dictionary
form. In this case, -result-type must be pxml or dict.
-result-type REST
The dictionary returned by S3::REST is the return value of S3::GetAcl. In
this case, a non-2XX httpstatus will not throw an error.
-result-type xml
The raw XML of the body is returned as the result (with no encoding
applied).
-result-type pxml
The XML of the body as parsed by xsxp::parse is returned.
-result-type dict
This fetches the ACL, parses it, and returns a dictionary of two elements.
The first element has the key "owner" whose value is the canonical ID of the
owner of the resource.
The second element has the key "acl" whose value is a dictionary. Each key
in the dictionary is one of Amazon's permissions, namely "READ", "WRITE",
"READ_ACP", "WRITE_ACP", or "FULL_CONTROL". Each value of each key is a
list of canonical IDs or group URLs that have that permission. Elements are
not in the list in any particular order, and not all keys are necessarily
present. Display names are not returned, as they are not especially useful;
use pxml to obtain them if necessary.
S3::PutAcl ?-blocking boolean? ?-bucket bucketname? -resource resourcename ?-acl new-acl?
This sets the ACL on the indicated resource. It returns the XML written to the ACL,
or throws an error if anything went wrong.
-blocking boolean
See above for standard definition.
-bucket
This specifies the bucket from which the resource will be read. Leading
and/or trailing slashes are removed for you, as are spaces.
-resource
This is the full name of the resource within the bucket. A single leading
slash is removed, but not a trailing slash. Spaces are not trimmed.
-owner If this is provided, it is assumed to match the owner of the resource.
Otherwise, a GET may need to be issued against the resource to find the
owner. If you already have the owner (such as from a call to S3::GetAcl, you
can pass the value of the "owner" key as the value of this option, and it
will be used in the construction of the XML.
-acl If this option is specified, it provides the ACL the caller wishes to write
to the resource. If this is not supplied or is empty, the value is taken
from S3::Configure -default-acl. The ACL is written with a PUT to the ?acl
resource.
If the value passed to this option starts with "<", it is taken to be a body
to be PUT to the ACL resource.
If the value matches one of the standard Amazon x-amz-acl headers (i.e., a
canned access policy), that header is translated to XML and then applied.
The canned access policies are private, public-read, public-read-write, and
authenticated-read (in lower case).
Otherwise, the value is assumed to be a dictionary formatted as the "acl"
sub-entry within the dict returns by S3::GetAcl -result-type dict. The
proper XML is generated and applied to the resource. Note that a value
containing "//" is assumed to be a group, a value containing "@" is assumed
to be an AmazonCustomerByEmail, and otherwise the value is assumed to be a
canonical Amazon ID.
Note that you cannot change the owner, so calling GetAcl on a resource owned
by one user and applying it via PutAcl on a resource owned by another user
may not do exactly what you expect.
S3::Delete ?-bucket bucketname? -resource resourcename ?-blocking boolean? ?-status
statusvar?
This command deletes the specified resource from the specified bucket. It returns
1 if the resource was deleted successfully, 0 otherwise. It returns 0 rather than
throwing an S3 remote error.
-bucket
This specifies the bucket from which the resource will be deleted. Leading
and/or trailing slashes are removed for you, as are spaces.
-resource
This is the full name of the resource within the bucket. A single leading
slash is removed, but not a trailing slash. Spaces are not trimmed.
-blocking
The standard blocking flag.
-status
If specified, the indicated (not necessarily global) variable in the
caller's scope is set to a two-element list. The first element is the
3-digit HTTP status code. The second element is the HTTP message (such as
"OK" or "Forbidden"). Note that Amazon's DELETE result is 204 on success,
that being the code indicating no content in the returned body.
S3::Push ?-bucket bucketname? -directory directoryname ?-prefix prefixstring? ?-compare
comparemode? ?-x-amz-meta-* metastring? ?-acl aclcode? ?-delete boolean? ?-error
throw|break|continue? ?-progress scriptprefix?
This synchronises a local directory with a remote bucket by pushing the differences
using S3::Put. Note that if something has changed in the bucket but not locally,
those changes could be lost. Thus, this is not a general two-way synchronization
primitive. (See S3::Sync for that.) Note too that resource names are case
sensitive, so changing the case of a file on a Windows machine may lead to
otherwise-unnecessary transfers. Note that only regular files are considered, so
devices, pipes, symlinks, and directories are not copied.
-bucket
This names the bucket into which data will be pushed.
-directory
This names the local directory from which files will be taken. It must
exist, be readable via [glob] and so on. If only some of the files therein
are readable, S3::Push will PUT those files that are readable and return in
its results the list of files that could not be opened.
-prefix
This names the prefix that will be added to all resources. That is, it is
the remote equivalent of -directory. If it is not specified, the root of
the bucket will be treated as the remote directory. An example may clarify.
S3::Push -bucket test -directory /tmp/xyz -prefix hello/world
In this example, /tmp/xyz/pdq.html will be stored as
http://s3.amazonaws.com/test/hello/world/pdq.html in Amazon's servers. Also,
/tmp/xyz/abc/def/Hello will be stored as
http://s3.amazonaws.com/test/hello/world/abc/def/Hello in Amazon's servers.
Without the -prefix option, /tmp/xyz/pdq.html would be stored as
http://s3.amazonaws.com/test/pdq.html.
-blocking
This is the standard blocking option.
-compare
If present, this is passed to each invocation of S3::Put. Naturally,
S3::Configure -default-compare is used if this is not specified.
-x-amz-meta-*
If present, this is passed to each invocation of S3::Put. All copied files
will have the same metadata.
-acl If present, this is passed to each invocation of S3::Put.
-delete
This defaults to false. If true, resources in the destination that are not
in the source directory are deleted with S3::Delete. Since only regular
files are considered, the existance of a symlink, pipe, device, or directory
in the local source will not prevent the deletion of a remote resource with
a corresponding name.
-error This controls the behavior of S3::Push in the event that S3::Put throws an
error. Note that errors encountered on the local file system or in reading
the list of resources in the remote bucket always throw errors. This option
allows control over "partial" errors, when some files were copied and some
were not. S3::Delete is always finished up, with errors simply recorded in
the return result.
throw The error is rethrown with the same errorCode.
break Processing stops without throwing an error, the error is recorded in
the return value, and the command returns with a normal return. The
calls to S3::Delete are not started.
continue
This is the default. Processing continues without throwing, recording
the error in the return result, and resuming with the next file in
the local directory to be copied.
-progress
If this is specified and the indicated script prefix is not empty, the
indicated script prefix will be invoked several times in the caller's
context with additional arguments at various points in the processing. This
allows progress reporting without backgrounding. The provided prefix will
be invoked with additional arguments, with the first additional argument
indicating what part of the process is being reported on. The prefix is
initially invoked with args as the first additional argument and a
dictionary representing the normalized arguments to the S3::Push call as the
second additional argument. Then the prefix is invoked with local as the
first additional argument and a list of suffixes of the files to be
considered as the second argument. Then the prefix is invoked with remote
as the first additional argument and a list of suffixes existing in the
remote bucket as the second additional argument. Then, for each file in the
local list, the prefix will be invoked with start as the first additional
argument and the common suffix as the second additional argument. When
S3::Put returns for that file, the prefix will be invoked with copy as the
first additional argument, the common suffix as the second additional
argument, and a third argument that will be "copied" (if S3::Put sent the
resource), "skipped" (if S3::Put decided not to based on -compare), or the
errorCode that S3::Put threw due to unexpected errors (in which case the
third argument is a list that starts with "S3"). When all files have been
transfered, the prefix may be invoked zero or more times with delete as the
first additional argument and the suffix of the resource being deleted as
the second additional argument, with a third argument being either an empty
string (if the delete worked) or the errorCode from S3::Delete if it failed.
Finally, the prefix will be invoked with finished as the first additional
argument and the return value as the second additional argument.
The return result from this command is a dictionary. They keys are the suffixes
(i.e., the common portion of the path after the -directory and -prefix), while the
values are either "copied", "skipped" (if -compare indicated not to copy the file),
or the errorCode thrown by S3::Put, as appropriate. If -delete was true, there may
also be entries for suffixes with the value "deleted" or "notdeleted", indicating
whether the attempted S3::Delete worked or not, respectively. There is one
additional pair in the return result, whose key is the empty string and whose value
is a nested dictionary. The keys of this nested dictionary include "filescopied"
(the number of files successfully copied), "bytescopied" (the number of data bytes
in the files copied, excluding headers, metadata, etc), "compareskipped" (the
number of files not copied due to -compare mode), "errorskipped" (the number of
files not copied due to thrown errors), "filesdeleted" (the number of resources
deleted due to not having corresponding files locally, or 0 if -delete is false),
and "filesnotdeleted" (the number of resources whose deletion was attempted but
failed).
Note that this is currently implemented somewhat inefficiently. It fetches the
bucket listing (including timestamps and eTags), then calls S3::Put, which uses
HEAD to find the timestamps and eTags again. Correcting this with no API change is
planned for a future upgrade.
S3::Pull ?-bucket bucketname? -directory directoryname ?-prefix prefixstring? ?-blocking
boolean? ?-compare comparemode? ?-delete boolean? ?-timestamp aws|now? ?-error
throw|break|continue? ?-progress scriptprefix?
This synchronises a remote bucket with a local directory by pulling the differences
using S3::Get If something has been changed locally but not in the bucket, those
difference may be lost. This is not a general two-way synchronization mechanism.
(See S3::Sync for that.) This creates directories if needed; new directories are
created with default permissions. Note that resource names are case sensitive, so
changing the case of a file on a Windows machine may lead to otherwise-unnecessary
transfers. Also, try not to store data in resources that end with a slash, or which
are prefixes of resources that otherwise would start with a slash; i.e., don't use
this if you store data in resources whose names have to be directories locally.
Note that this is currently implemented somewhat inefficiently. It fetches the
bucket listing (including timestamps and eTags), then calls S3::Get, which uses
HEAD to find the timestamps and eTags again. Correcting this with no API change is
planned for a future upgrade.
-bucket
This names the bucket from which data will be pulled.
-directory
This names the local directory into which files will be written It must
exist, be readable via [glob], writable for file creation, and so on. If
only some of the files therein are writable, S3::Pull will GET those files
that are writable and return in its results the list of files that could not
be opened.
-prefix
The prefix of resources that will be considered for retrieval. See S3::Push
for more details, examples, etc. (Of course, S3::Pull reads rather than
writes, but the prefix is treated similarly.)
-blocking
This is the standard blocking option.
-compare
This is passed to each invocation of S3::Get if provided. Naturally,
S3::Configure -default-compare is used if this is not provided.
-timestamp
This is passed to each invocation of S3::Get if provided.
-delete
If this is specified and true, files that exist in the -directory that are
not in the -prefix will be deleted after all resources have been copied. In
addition, empty directories (other than the top-level -directory) will be
deleted, as Amazon S3 has no concept of an empty directory.
-error See S3::Push for a description of this option.
-progress
See S3::Push for a description of this option. It differs slightly in that
local directories may be included with a trailing slash to indicate they are
directories.
The return value from this command is a dictionary. It is identical in form and
meaning to the description of the return result of S3::Push. It differs only in
that directories may be included, with a trailing slash in their name, if they are
empty and get deleted.
S3::Toss ?-bucket bucketname? -prefix prefixstring ?-blocking boolean? ?-error
throw|break|continue? ?-progress scriptprefix?
This deletes some or all resources within a bucket. It would be considered a
"recursive delete" had Amazon implemented actual directories.
-bucket
The bucket from which resources will be deleted.
-blocking
The standard blocking option.
-prefix
The prefix for resources to be deleted. Any resource that starts with this
string will be deleted. This is required. To delete everything in the
bucket, pass an empty string for the prefix.
-error If this is "throw", S3::Toss rethrows any errors it encounters. If this is
"break", S3::Toss returns with a normal return after the first error,
recording that error in the return result. If this is "continue", which is
the default, S3::Toss continues on and lists all errors in the return
result.
-progress
If this is specified and not an empty string, the script prefix will be
invoked several times in the context of the caller with additional arguments
appended. Initially, it will be invoked with the first additional argument
being args and the second being the processed list of arguments to S3::Toss.
Then it is invoked with remote as the first additional argument and the list
of suffixes in the bucket to be deleted as the second additional argument.
Then it is invoked with the first additional argument being delete and the
second additional argument being the suffix deleted and the third additional
argument being "deleted" or "notdeleted" depending on whether S3::Delete
threw an error. Finally, the script prefix is invoked with a first
additional argument of "finished" and a second additional argument of the
return value.
The return value is a dictionary. The keys are the suffixes of files that S3::Toss
attempted to delete, and whose values are either the string "deleted" or
"notdeleted". There is also one additional pair, whose key is the empty string and
whose value is an embedded dictionary. The keys of this embedded dictionary include
"filesdeleted" and "filesnotdeleted", each of which has integer values.
LIMITATIONS
• The pure-Tcl MD5 checking is slow. If you are processing files in the megabyte
range, consider ensuring binary support is available.
• The commands S3::Pull and S3::Push fetch a directory listing which includes
timestamps and MD5 hashes, then invoke S3::Get and S3::Put. If a complex -compare
mode is specified, S3::Get and S3::Put will invoke a HEAD operation for each file
to fetch timestamps and MD5 hashes of each resource again. It is expected that a
future release of this package will solve this without any API changes.
• The commands S3::Pull and S3::Push fetch a directory listing without using -max-
count. The entire directory is pulled into memory at once. For very large buckets,
this could be a performance problem. The author, at this time, does not plan to
change this behavior. Welcome to Open Source.
• S3::Sync is neither designed nor implemented yet. The intention would be to keep
changes synchronised, so changes could be made to both the bucket and the local
directory and be merged by S3::Sync.
• Nor is -compare calc fully implemented. This is primarily due to Windows not
providing a convenient method for distinguishing between local files that are
"public-read" or "public-read-write". Assistance figuring out TWAPI for this would
be appreciated. The U**X semantics are difficult to map directly as well. See the
source for details. Note that there are not tests for calc, since it isn't done
yet.
• The HTTP processing is implemented within the library, rather than using a "real"
HTTP package. Hence, multi-line headers are not (yet) handled correctly. Do not
include carriage returns or linefeeds in x-amz-meta-* headers, content-type values,
and so on. The author does not at this time expect to improve this.
• Internally, S3::Push and S3::Pull and S3::Toss are all very similar and should be
refactored.
• The idea of using -compare never -delete true to delete files that have been
deleted from one place but not the other yet not copying changed files is untested.
USAGE SUGGESTIONS
To fetch a "directory" out of a bucket, make changes, and store it back:
file mkdir ./tempfiles
S3::Pull -bucket sample -prefix of/interest -directory ./tempfiles \
-timestamp aws
do_my_process ./tempfiles other arguments
S3::Push -bucket sample -prefix of/interest -directory ./tempfiles \
-compare newer -delete true
To delete files locally that were deleted off of S3 but not otherwise update files:
S3::Pull -bucket sample -prefix of/interest -directory ./myfiles \
-compare never -delete true
FUTURE DEVELOPMENTS
The author intends to work on several additional projects related to this package, in
addition to finishing the unfinished features.
First, a command-line program allowing browsing of buckets and transfer of files from
shell scripts and command prompts is useful.
Second, a GUI-based program allowing visual manipulation of bucket and resource trees not
unlike Windows Explorer would be useful.
Third, a command-line (and perhaps a GUI-based) program called "OddJob" that will use S3
to synchronize computation amongst multiple servers running OddJob. An S3 bucket will be
set up with a number of scripts to run, and the OddJob program can be invoked on multiple
machines to run scripts on all the machines, each moving on to the next unstarted task as
it finishes each. This is still being designed, and it is intended primarily to be run on
Amazon's Elastic Compute Cloud.
TLS SECURITY CONSIDERATIONS
This package uses the TLS package to handle the security for https urls and other socket
connections.
Policy decisions like the set of protocols to support and what ciphers to use are not the
responsibility of TLS, nor of this package itself however. Such decisions are the
responsibility of whichever application is using the package, and are likely influenced by
the set of servers the application will talk to as well.
For example, in light of the recent POODLE attack
[http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-
ssl-30.html] discovered by Google many servers will disable support for the SSLv3
protocol. To handle this change the applications using TLS must be patched, and not this
package, nor TLS itself. Such a patch may be as simple as generally activating tls1
support, as shown in the example below.
package require tls
tls::init -tls1 1 ;# forcibly activate support for the TLS1 protocol
... your own application code ...
BUGS, IDEAS, FEEDBACK
This document, and the package it describes, will undoubtedly contain bugs and other
problems. Please report such in the category amazon-s3 of the Tcllib Trackers
[http://core.tcl.tk/tcllib/reportlist]. Please also report any ideas for enhancements you
may have for either package and/or documentation.
When proposing code changes, please provide unified diffs, i.e the output of diff -u.
Note further that attachments are strongly preferred over inlined patches. Attachments can
be made by going to the Edit form of the ticket immediately after its creation, and then
using the left-most button in the secondary navigation bar.
KEYWORDS
amazon, cloud, s3
CATEGORY
Networking
COPYRIGHT
2006,2008 Darren New. All Rights Reserved. See LICENSE.TXT for terms.