Hi Prasanna, See inline below.
On Wed, 2013-07-03 at 12:35 +0530, Prasanna Santhanam wrote: > On Wed, Jul 03, 2013 at 03:51:39PM +0900, Thomas O'Dowd wrote: > > Hi guys, > > > > I created a bug regarding the handling of the S3 secret key information. > > My opinion is that it should be treated more carefully like a password > > and not displayed in the UI at least. > > > > https://issues.apache.org/jira/browse/CLOUDSTACK-3342 > > > > Had a related question filed in CLOUDSTACK-3323 by Sanjeev > - > > The bucket permissions when a store is added by the admin to > cloudstack needs to be set to something specific? Or will all objects > put into the store have public read access? Is this something to be > documented prior to setting up objectstore? Cloudstack as far as I can see does not change the bucket permissions in any way. The owner of the bucket can leave it as the default permission which is usually private to that owner. To put/upload objects in that bucket cloudstack needs an access key (AK) and secret key (SK) pair for the S3 user and bucket owner.The cloudstack admin must know the AK&SK pair when the S3 Object store is first added as secondary storage. When Cloudstack uploads objects to the object store, they are all left private by default. No public access. I think this is correct. Cloudstack has full access because it has the AK&SK pair (assuming the AK&SK pair belong to the bucket owner). > AWS supports rich ACLs on its object store. So do other object store > solutions [1] > > In relation to this - I want to understand the HTTP download link > exposed when I click on download image (volume/template/iso). The link > has the access key in its url path. Is this okay in terms of security? Yes its ok security wise. This link uses query string authentication [2] The AK is needed to identify the S3 user to the Object Store (AWS, Cloudian, Riak, etc). The request is made up of the method 'GET', the URI and a timestamp when the request expires. All of this is then signed using the SK and the result is the signature query parameter. The specific URL allows any user with that URL access to GET that particular object as that user for a limited period of time. In the current case, the URL is valid for 1 hour. There is no server-side cost to these URLs. Hope that helps, Tom. [1] http://aws.amazon.com/articles/5050/ [2] http://docs.aws.amazon.com/AmazonS3/2006-03-01/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth -- Cloudian KK - http://www.cloudian.com/get-started.html Fancy 100TB of full featured S3 Storage? Checkout the Cloudian® Community Edition!
