Why can't I download the manifest file without auth?

asked 2018-11-10 14:27:56 -0600

I was walking through Large Object Support documentation to create multiple files and concatenate them via a single file (manifest).

I easily uploaded some files, created a manifest file which is linked to those files using the snippet below:

# First, upload the segments
curl -X PUT -H 'X-Auth-Token: <token>' http://<storage_url>/container/myobject/00000001 --data-binary '1'
curl -X PUT -H 'X-Auth-Token: <token>' http://<storage_url>/container/myobject/00000002 --data-binary '2'
curl -X PUT -H 'X-Auth-Token: <token>' http://<storage_url>/container/myobject/00000003 --data-binary '3'

# Next, create the manifest file
curl -X PUT -H 'X-Auth-Token: <token>' -H 'X-Object-Manifest: container/myobject/' http://<storage_url>/container/myobject --data-binary ''

# And now we can download the segments as a single object
curl -H 'X-Auth-Token: <token>' http://<storage_url>/container/myobject

Nonetheless, the requirement of the Auth Token in the last line interested me. Why was I supposed to provide a token just to download file? Currently the server is able to offer single files without the need of a token. But when it comes to large objects with manifest files, it won't let me download without the token.

To clear this up, I first tried to set X-Container-Read: .r:*. Even this option is stated as to allow all attempts to read, it still didn't let me download. Afterwards, I corrected it to X-Container-Read: .r:*, .rlistings. With the latter, I was able to download it, but there was the trade-off for that it was listing all the files in the container when I jumped to the root directory of it.

Is there a way that I can use to download the large objects via manifest file without authenticating?

edit retag flag offensive close merge delete