Matthias Bach has proposed merging lp:~marix/duplicity/azure-storage-sas into
lp:duplicity.
Requested reviews:
duplicity-team (duplicity-team)
For more details, see:
https://code.launchpad.net/~marix/duplicity/azure-storage-sas/+merge/317175
This branch adds support for Shared Access Signatures to the Azure backend, which
allows running Duplicity with a minimal set of permissions.
The currently supported access method, using an account key, grants Duplicity
full administrative permissions on that Azure storage account. However, there
is a fairly low limit on the number of storage accounts that can be used within
a single storage subscription, thus it is not necessarily optimal to create a
separate one for each single system that requires backup. In addition, this
also grants a lot of unnecessary powers to the system running Duplicity.
Shared Access Signatures allow granting a specific set of permissions on a
storage account, or a single container. To test, you need to
create a shared access signature including read, write and deletion permissions
on the container. Then run duplicity passing the shared access signature in the
environment variable AZURE_SHARED_ACCESS_SIGNATURE. The AZURE_ACCOUNT_NAME is
also still required, but the AZURE_ACCOUNT_KEY is no longer necessary.
=== modified file 'bin/duplicity.1'
--- bin/duplicity.1 2017-01-30 21:46:37 +0000
+++ bin/duplicity.1 2017-02-14 09:50:31 +0000
@@ -1543,9 +1543,13 @@
.B REQUIREMENTS
above.
-It uses two environment variables for authentification:
+It uses environment variables for authentification:
.BR AZURE_ACCOUNT_NAME " (required),"
-.BR AZURE_ACCOUNT_KEY " (required)"
+.BR AZURE_ACCOUNT_KEY " (optional),
+.BR AZURE_SHARED_ACCESS_SIGNATURE " (optional)."
+One of
+.BR AZURE_ACCOUNT_KEY " or"
+.BR AZURE_SHARED_ACCESS_SIGNATURE " is required."
A container name must be a valid DNS name, conforming to the following naming
rules:
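Review bot: The added line `.BR AZURE_ACCOUNT_KEY " (optional),` never closes its double quote, unlike the `.BR` lines around it; close the quote after the comma so the argument is delimited the same way as its neighbours. The new text also does not say which variable is used when both are set, and the backend change in this same proposal picks AZURE_ACCOUNT_KEY in that case, so one sentence stating the precedence belongs here. Since the sentence is being edited anyway, "authentification" could become "authentication".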
=== modified file 'duplicity/backends/azurebackend.py'
--- duplicity/backends/azurebackend.py 2016-05-11 21:07:04 +0000
+++ duplicity/backends/azurebackend.py 2017-02-14 09:50:31 +0000
@@ -51,15 +51,23 @@
raise BackendException('Azure backend requires Microsoft Azure Storage SDK for Python '
'(https://pypi.python.org/pypi/azure-storage/).')
+ # TODO: validate container name
+ self.container = parsed_url.path.lstrip('/')
+
if 'AZURE_ACCOUNT_NAME' not in os.environ:
raise BackendException('AZURE_ACCOUNT_NAME environment variable not set.')
- if 'AZURE_ACCOUNT_KEY' not in os.environ:
- raise BackendException('AZURE_ACCOUNT_KEY environment variable not set.')
- self.blob_service = BlobService(account_name=os.environ['AZURE_ACCOUNT_NAME'],
- account_key=os.environ['AZURE_ACCOUNT_KEY'])
-
- # TODO: validate container name
- self.container = parsed_url.path.lstrip('/')
+
+ if 'AZURE_ACCOUNT_KEY' in os.environ:
+ self.blob_service = BlobService(account_name=os.environ['AZURE_ACCOUNT_NAME'],
+ account_key=os.environ['AZURE_ACCOUNT_KEY'])
+ self._create_container()
+ elif 'AZURE_SHARED_ACCESS_SIGNATURE' in os.environ:
+ self.blob_service = BlobService(account_name=os.environ['AZURE_ACCOUNT_NAME'],
+ sas_token=os.environ['AZURE_SHARED_ACCESS_SIGNATURE'])
+ else:
+ raise BackendException('Neither AZURE_ACCOUNT_KEY nor AZURE_SHARED_ACCESS_SIGNATURE environment variable not set.')
+
+ def _create_container(self):
try:
self.blob_service.create_container(self.container, fail_on_exist=True)
except self.AzureConflictError:
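Review bot: In the new if/elif chain AZURE_ACCOUNT_KEY silently wins when both variables are set, so a host that still has the key in its environment keeps running with full account permissions even though a shared access signature was supplied. Consider checking AZURE_SHARED_ACCESS_SIGNATURE first, or raising a BackendException when both are present. The SAS branch also never calls _create_container(), which means the container must already exist; a comment here or a line in the man page should say so. Finally, the new message "Neither AZURE_ACCOUNT_KEY nor AZURE_SHARED_ACCESS_SIGNATURE environment variable not set." is a double negative and should end in "is set."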
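The description above asks for a shared access signature with read, write and deletion permissions on the container. The following added example (not part of this merge proposal or of Duplicity) checks a token against that requirement before it is placed in AZURE_SHARED_ACCESS_SIGNATURE. The function names and sample tokens are hypothetical and constructed, and it assumes an ad-hoc SAS whose permissions and expiry are carried in the `sp` and `se` query fields rather than in a stored access policy.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Permissions named in the merge description: read, write, delete.
REQUIRED = frozenset("rwd")

# Constructed sample tokens (the sig values are placeholders, not real signatures).
CONTAINER_SAS = "sv=2015-04-05&sr=c&sp=rwd&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED"
ACCOUNT_SAS = "?sv=2015-04-05&ss=b&srt=sco&sp=rwdlac&se=2016-01-01T00:00:00Z&sig=CONSTRUCTED"


def _parse_expiry(value):
    """Parse the ISO 8601 UTC forms a SAS 'se' field may use; None if unrecognised."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(token, required=REQUIRED, now=None):
    """Return findings for an ad-hoc SAS token; an empty list means it fits."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    if "sig" not in fields:
        findings.append("no sig field: not a signed SAS token")
    granted = set(fields.get("sp", ""))
    missing, extra = set(required) - granted, granted - set(required)
    if missing:
        findings.append("missing permissions: " + "".join(sorted(missing)))
    if extra:
        findings.append("permissions beyond the required set: " + "".join(sorted(extra)))
    # An account SAS carries ss/srt; a service SAS for one container has sr=c.
    if "ss" in fields or "srt" in fields:
        findings.append("account-level SAS: wider than a single container")
    elif fields.get("sr") != "c":
        findings.append("sr=%r: not scoped to a container" % fields.get("sr"))
    expiry = _parse_expiry(fields.get("se", ""))
    if expiry is None:
        findings.append("se missing or unparseable: cannot confirm an expiry")
    elif expiry <= now:
        findings.append("expired at " + fields["se"])
    return findings


if __name__ == "__main__":
    for name, tok in (("container", CONTAINER_SAS), ("account", ACCOUNT_SAS)):
        print(name, audit_sas(tok) or "ok")
```

Pass a different `required` set if the backup host needs other permissions than the three the description lists.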