Re: OAK-6575 - Provide a secure external URL to a DataStore binary.

2017-08-23 Thread Julian Reschke

On 2017-08-23 13:39, Chetan Mehrotra wrote:

> Below is one possible sketch of the proposed api. We introduce a new
> AdaptableBinary which allows adapting a Binary to some other form.
>
> API
> ===
>
> public interface AdaptableBinary {
>
>  /**
>   * Adapts the binary to another type
>   *
>   * @param <AdapterType> The generic type to which this binary is
>   *            adapted to
>   * @param type The Class object of the target type
>   * @return The adapter target or null if the binary cannot
>   * adapt to the requested type
>   */
>   <AdapterType> AdapterType adaptTo(Class<AdapterType> type);
> }


Can we make that more generic, not relying on Binary?


> Usage
> =====
>
> Binary binProp = node.getProperty("jcr:data").getBinary();
>
> //Check if Binary is of type AdaptableBinary
> if (binProp instanceof AdaptableBinary){
>  AdaptableBinary adaptableBinary = (AdaptableBinary) binProp;
>  SignedBinary url = adaptableBinary.adaptTo(SignedBinary.class);
> }
>
> Where SignedBinary is one of the supported adaptables.
>
> public interface SignedBinary {
>
>  URL getUrl(int ttl, TimeUnit unit);
> }


Use URI, not URL.


...


Best regards, Julian


Re: OAK-6575 - Provide a secure external URL to a DataStore binary.

2017-08-23 Thread Chetan Mehrotra
Below is one possible sketch of the proposed api. We introduce a new
AdaptableBinary which allows adapting a Binary to some other form.

API
===

public interface AdaptableBinary {

 /**
  * Adapts the binary to another type
  *
  * @param <AdapterType> The generic type to which this binary is
  *            adapted to
  * @param type The Class object of the target type
  * @return The adapter target or null if the binary cannot
  * adapt to the requested type
  */
  <AdapterType> AdapterType adaptTo(Class<AdapterType> type);
}



Usage
=====

Binary binProp = node.getProperty("jcr:data").getBinary();

//Check if Binary is of type AdaptableBinary
if (binProp instanceof AdaptableBinary){
 AdaptableBinary adaptableBinary = (AdaptableBinary) binProp;
 SignedBinary url = adaptableBinary.adaptTo(SignedBinary.class);
}

Where SignedBinary is one of the supported adaptables.

public interface SignedBinary {

 URL getUrl(int ttl, TimeUnit unit);
}

The user can specify ttl. The implementation may enforce an upper
bound on the allowed ttl.

This proposal is meant to provide base. If we agree on the general
approach then we can decide further details like

1. Under which package to expose AdaptableBinary

Proposal 'org.apache.jackrabbit.oak.jcr.binary'. We would also later
possibly need an AdaptableBlob for Oak layer

2. Under which package to expose SignedBinary

Proposal 'org.apache.jackrabbit.oak.api.blob' in oak-api

Thoughts?
Chetan Mehrotra


On Wed, Aug 23, 2017 at 4:25 AM, Chetan Mehrotra wrote:
> Recently we had internal discussion for Ian's requirement in OAK-6575.
> See issue for complete details. In brief
>
> 1. Need a way to provide a signed url [1] for Blobs stored in Oak if
> they are stored in S3
> 2. The url would only be created if the user can access the Binary.
> 3. The url would only be valid for certain time
>
> To meet this requirement various approaches were suggested like using
> Adaptable pattern in Sling, or having a new api in Binary object.
>
> Would follow up with a sketch for such an API
>
> Chetan Mehrotra
> [1] http://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
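
The ttl upper bound and expiry requirement discussed in the message above, as an added example that is not part of the thread or of Oak's code. It uses a generic HMAC-SHA256 tag over the blob id and expiry as a stand-in for the data store's real signing scheme (S3 pre-signed URLs use AWS's own signature format), returns a URI as suggested in the reply, and the class name, `MAX_TTL_SECONDS`, the key and the host are all hypothetical.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedUriSketch {
    // Hypothetical policy value: upper bound the implementation enforces on ttl.
    static final long MAX_TTL_SECONDS = TimeUnit.MINUTES.toSeconds(15);

    private final byte[] key;      // server-side secret, never sent to clients
    private final String baseUri;  // constructed placeholder host

    SignedUriSketch(byte[] key, String baseUri) { this.key = key; this.baseUri = baseUri; }

    // Assumption: the caller has already passed the repository access check for blobId.
    URI getUri(String blobId, int ttl, TimeUnit unit, long nowEpochSec) throws Exception {
        if (ttl <= 0) throw new IllegalArgumentException("ttl must be positive");
        // Clamp the requested lifetime instead of trusting the caller's value.
        long expires = nowEpochSec + Math.min(unit.toSeconds(ttl), MAX_TTL_SECONDS);
        return URI.create(baseUri + "/" + blobId + "?expires=" + expires + "&sig=" + sign(blobId, expires));
    }

    // Serving side: recompute the MAC, compare in constant time, then check expiry.
    boolean verify(String blobId, long expires, String sig, long nowEpochSec) throws Exception {
        byte[] expected = sign(blobId, expires).getBytes(StandardCharsets.US_ASCII);
        boolean macOk = MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII));
        return macOk && nowEpochSec <= expires;
    }

    // The expiry is part of the signed data, so a client cannot extend it.
    private String sign(String blobId, long expires) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal((blobId + "\n" + expires).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    public static void main(String[] args) throws Exception {
        SignedUriSketch s = new SignedUriSketch("constructed-demo-key".getBytes(StandardCharsets.UTF_8),
                "https://blobs.example.invalid");
        long now = 1503489600L; // constructed timestamp
        URI u = s.getUri("blob-123", 2, TimeUnit.HOURS, now); // 2 h requested, bound is 15 min
        String sig = u.getQuery().split("&sig=")[1];
        System.out.println(u);
        System.out.println(s.verify("blob-123", now + 900, sig, now + 60));  // inside clamped ttl
        System.out.println(s.verify("blob-123", now + 7200, sig, now + 60)); // expiry field altered
        System.out.println(s.verify("blob-123", now + 900, sig, now + 901)); // after expiry
    }
}
```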


OAK-6575 - Provide a secure external URL to a DataStore binary.

2017-08-23 Thread Chetan Mehrotra
Recently we had internal discussion for Ian's requirement in OAK-6575.
See issue for complete details. In brief

1. Need a way to provide a signed url [1] for Blobs stored in Oak if
they are stored in S3
2. The url would only be created if the user can access the Binary.
3. The url would only be valid for certain time

To meet this requirement various approaches were suggested like using
Adaptable pattern in Sling, or having a new api in Binary object.

Would follow up with a sketch for such an API

Chetan Mehrotra
[1] http://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html