RADOSGW S3 API ACLs

Josef,

A co-maintainer of the radula project forwarded this message to me.

Our little project started specifically to address the handling of ACLs
of uploaded objects through the S3 API, but has since grown to include
other nice-to-haves.

We noted that it was possible to upload objects to a bucket that the
bucket owner could not control or even read. So we set about writing
an upload tool (similar to s3cmd, awscli) that took care of the extra
actions needed on our behalf.

For our clusters, we rely on bucket policies. The user that is the bucket
owner retains FULL_CONTROL, while optional read-only users may also be
present (with perms READ + READ_ACP). With newly uploaded objects,
radula synchronizes the object policy with the bucket policy, changing
ownership if need be.

We guard the write-enabled user closely, and typically issue keys to
the read-only user to research staff.

If you want to look at our implementation, the source is at
https://github.com/bibby/radula

But the short version is: after the upload, we set the object's ACL
to a copy of the bucket's ACL.

- bibby
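The post-upload step described above (after the PUT, set the object's ACL to a copy of the bucket's ACL, owner included), as an added Python example. This is not radula's own code. It assumes boto3 talking to a radosgw endpoint with the uploader's credentials, and it assumes, as the message states for radula, that radosgw honours the Owner element of a PutObjectAcl body so that ownership moves to the bucket owner (stock AWS S3 ignores that element and only applies the grants). The user IDs and the ACL responses in the block are constructed samples in the shape boto3 returns; the helpers are pure functions so the before/after check can be exercised offline.

```python
"""Sync an S3 object's ACL with its bucket's ACL after an upload.

Added example, not radula's code. Assumes radosgw accepts the Owner
element of a PutObjectAcl body (stock AWS S3 ignores it).
"""
import copy

# Permissions that mean something on an object ACL. WRITE is bucket-only
# (create/delete keys), so it is dropped rather than copied onto objects.
OBJECT_PERMISSIONS = {"FULL_CONTROL", "READ", "READ_ACP", "WRITE_ACP"}

# Constructed sample get_bucket_acl response (ResponseMetadata omitted).
# IDs are made up. Owner has FULL_CONTROL, a read-only user has READ + READ_ACP.
BUCKET_ACL = {
    "Owner": {"ID": "owner-uid", "DisplayName": "Bucket Owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-uid",
                     "DisplayName": "Bucket Owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "reader-uid",
                     "DisplayName": "Read Only"}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "reader-uid",
                     "DisplayName": "Read Only"}, "Permission": "READ_ACP"},
    ],
}

# Constructed sample of the problem: an object PUT by a third user. The
# uploader owns it and is the only grantee, so the bucket owner can neither
# read it nor change its ACL.
STRAY_OBJECT_ACL = {
    "Owner": {"ID": "uploader-uid", "DisplayName": "Uploader"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "uploader-uid",
                     "DisplayName": "Uploader"}, "Permission": "FULL_CONTROL"},
    ],
}


def policy_from_bucket_acl(bucket_acl):
    """Build the AccessControlPolicy body for put_object_acl from a bucket ACL."""
    grants = [copy.deepcopy(g) for g in bucket_acl["Grants"]
              if g["Permission"] in OBJECT_PERMISSIONS]
    return {"Owner": copy.deepcopy(bucket_acl["Owner"]), "Grants": grants}


def grants_for(acl, user_id):
    """Permissions an ACL grants to one canonical user."""
    return {g["Permission"] for g in acl["Grants"]
            if g["Grantee"].get("Type") == "CanonicalUser"
            and g["Grantee"].get("ID") == user_id}


def owner_controls(object_acl, bucket_owner_id):
    """True if the bucket owner can both read the object and rewrite its ACL."""
    perms = grants_for(object_acl, bucket_owner_id)
    return "FULL_CONTROL" in perms or {"READ", "WRITE_ACP"} <= perms


def sync_object_acl(s3, bucket, key):
    """Copy the bucket ACL (owner + grants) onto one object; returns the policy applied.

    `s3` is a boto3 S3 client. Run with the uploader's credentials right after
    the PUT, while the uploader still owns the object and can set its ACL.
    """
    policy = policy_from_bucket_acl(s3.get_bucket_acl(Bucket=bucket))
    s3.put_object_acl(Bucket=bucket, Key=key, AccessControlPolicy=policy)
    return policy


def main():
    import sys
    import boto3  # imported here so the helpers above work without boto3 installed

    endpoint, bucket, key = sys.argv[1:4]
    s3 = boto3.client("s3", endpoint_url=endpoint)  # credentials from the usual env/config
    owner_id = s3.get_bucket_acl(Bucket=bucket)["Owner"]["ID"]
    before = s3.get_object_acl(Bucket=bucket, Key=key)
    print("bucket owner controls object before sync:", owner_controls(before, owner_id))
    sync_object_acl(s3, bucket, key)
    after = s3.get_object_acl(Bucket=bucket, Key=key)
    print("bucket owner controls object after sync:", owner_controls(after, owner_id))


if __name__ == "__main__":
    main()
```

Usage: `python sync_acl.py http://rgw.example:7480 mybucket path/to/key` with the uploading user's keys in the environment. Reading the bucket ACL needs READ_ACP on the bucket, so any user allowed to upload must also be granted that, and the sync should be the last step of the same upload routine rather than a later sweep, since the object is exposed to the uploader alone in between.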