
What's the best method to let the users access the private files in Swift?

asked 2013-12-26 01:37:35 -0500

hawk

We use Swift to store lots of files in the cloud, and our users (the end-users) will access these files. If the files are public, then the end-users can directly visit the object URL in web or mobile applications. However, some of the files are private. Each end-user can only access his own private files.

The end-user may have two methods to access his private files:

1. The end-user always sends requests to our server. Our server gets the files from Swift and then sends them to the user. In this method, our server can be regarded as a file proxy. We have the authentication of OpenStack, and the user has the authentication of our server. We should maintain our own user system.

One problem of this method is scalability. Because each request is sent to our server, the server will be the bottleneck if many files are being uploaded or downloaded at the same time. The high scalability feature of Swift can't be used if we don't have enough servers. Actually, we really don't need lots of servers except for file transfer.

2. The end-user directly sends requests to Swift. It may solve the huge file bandwidth problem. But he must have the authentication method of OpenStack. So we need thousands of OpenStack accounts for our users while we are only one of the users of OpenStack! It seems strange and is not feasible.

Which method is better? It seems the first way is used by many people.

Are there any other methods to meet the requirement?


2 answers


answered 2013-12-26 23:02:05 -0500

torgomatic

TempURL sounds like what you're looking for.

Your application would generate a cryptographically-signed URL that grants access to one particular object until a particular time, and then send that URL to the client. The client can then access that URL and get at the object. Since the generated URL points at the Swift cluster, not your application, you can avoid that particular scaling problem.

There's a little setup involved to get started with TempURL, but it doesn't take much. Pick a secret key (any string will do) and set it on your account:

$ curl -X POST -H "X-Auth-Token: <token>" -H "X-Account-Meta-Temp-Url-Key: fez" https://swift.example.com/v1/MY_account

That's it. You can start generating tempurls now. To generate a tempurl, you need an object name (path only, e.g. /v1/MY_account/fishfingers/custard), an HTTP verb (GET, if your users are downloading files), an expiration time (Unix time, e.g. 1390712138), and the secret key. The signature is the HMAC-SHA1 of "GET\n1390712138\n/v1/MY_account/fishfingers/custard" with the secret key "fez".

If the signature was "abcdef", then you'd create a URL like https://swift.example.com/v1/MY_account/fishfingers/custard?temp_url_sig=abcdef&temp_url_expires=1390712138 and send that to the user. The user could then download that object until Jan 26, 2014.

However, if the user tries to change the object name or the expiration time, or use a different verb (like PUT to overwrite the object), then the signature won't match, and the user's request will be denied. This ensures that users can only access things that your application specifically allows. Users can't generate their own tempurls since they don't know the secret key.

Official TempURL docs:

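The signing scheme described in the answer above, as an added example that is not part of the original post and not Swift's own code. `check_request` is a hypothetical model of the server-side check, the host is a placeholder, and the "current time" values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

KEY = b"fez"                         # secret key used in the answer
HOST = "https://swift.example.com"   # placeholder host (assumption)


def sign(method, expires, path, key=KEY):
    """Hex HMAC-SHA1 over 'METHOD\\nEXPIRES\\nPATH', as the answer describes."""
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def make_temp_url(method, path, expires, key=KEY):
    """Application side: build the URL that is handed to the end-user."""
    sig = sign(method, expires, path, key)
    return f"{HOST}{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def check_request(method, url, now, key=KEY):
    """Model of the storage-side check (hypothetical helper): recompute the
    signature from what the client actually sent, reject expired or
    malformed requests, and compare in constant time."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False                 # unsigned or malformed request
    if now > expires:
        return False                 # link has expired
    expected = sign(method, expires, parts.path, key)
    return hmac.compare_digest(sig.encode(), expected.encode())


if __name__ == "__main__":
    path = "/v1/MY_account/fishfingers/custard"
    url = make_temp_url("GET", path, 1390712138)
    t = 1390700000                   # constructed time before expiry
    print(url)
    print("valid GET:        ", check_request("GET", url, t))
    print("PUT, same sig:    ", check_request("PUT", url, t))
    print("other object:     ", check_request("GET", url.replace("custard", "secret"), t))
    print("extended expiry:  ", check_request("GET", url.replace("1390712138", "1999999999"), t))
    print("after expiry:     ", check_request("GET", url, 1390712139))
```

Only the first check succeeds; changing the verb, the object path or the expiry changes the signed message, so the client-supplied signature no longer matches.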

answered 2013-12-26 04:03:39 -0500

koolhead17

Seems like it's a repeat of this question posted on Stack Overflow

Hope it helps.



Yes, they are the same questions. Maybe I can get more professional advice here. Thanks!

hawk ( 2013-12-26 04:07:12 -0500 )


Seen: 765 times

Last updated: Dec 26 '13