
ACL Security

 
ispasic

Joined: 18 Jun 2008
Posts: 3
Location: Australia

Posted: Wed Jun 18, 2008 8:04 pm    Post subject: ACL Security

This is about ACL security between a shared bucket and objects inside the bucket.
We have purchased 5 Bucket Explorer licenses to use as our preferred :) admin tool for Amazon S3. I then created a bucket called, e.g., ...downloads-mycomp-com..., made changes to our DSN to point to our S3 account and made the bucket shareable. This is all fine, so I'll move to the next point: within the bucket we created 5 folders for 5 administrators (e.g. Public, Marketing, Backup, RND, ETC).

Now I need to limit their Write access only to their download/upload areas (eg ...downloads-mycomp-com/marketing/... where only the marketing admin should have write access).
Hence, all 5 administrators have their Amazon registered accounts and access to the shared bucket.

Whatever scenario I tried, I couldn't get the ACL to work correctly!!! :(

Are there limitations with Amazon S3 AWS or something to do with Bucketexplorer functionality accessing S3 AWS?

Hence, I'm trying to avoid (as a workaround) creating separate buckets and CNAMEs for each of those 5 folders in an attempt to limit write access other than to their own.

Thanks in advance,
Ivan
Saurabh Dani
Administrator
Joined: 04 Nov 2006
Posts: 469
Location: Secaucus, NJ

Posted: Thu Jun 19, 2008 6:41 am

I plan to post a detailed document answering these questions and the questions you asked in the email to our support team. It should be posted online before Monday.

In the meanwhile:
1) ACL on a Bucket and ACL on an object in that bucket are not related.
2) There is no concept of "folder" at Amazon S3. The folders that you see in Bucket Explorer are just files (objects) stored on Amazon S3 with a special name.

To restrict access in the example you have provided, I think the best way is to create 5 buckets and 5 CNAME entries for them. Also, if the 5 admins are using their own amazon.com accounts, it may be a better idea to create 5 "staging buckets" for them to work, and then "copy" (or move) the files in the target bucket using the new "copy" / "move" features of Bucket Explorer 2.0. This way, "you" will be the "owner" of the final files which are moved to production instead of making the other admins "owner" using their own IDs.

Another option is to use Bucket Explorer Team edition. We anticipate starting the beta next week.
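Added example, not part of the original thread and not Bucket Explorer or AWS code: a simplified Python model of the two points in the reply above (a bucket ACL has no per-"folder" scope and is separate from each object's ACL) and of the staging-bucket suggestion. The class names, grantee names and keys are constructed, and the model assumes the uploader grants the owner READ on the staged object.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    owner: str
    acl: dict                                    # grantee -> set of permissions

@dataclass
class Bucket:
    owner: str
    acl: dict = field(default_factory=dict)      # grantee -> set of permissions
    objects: dict = field(default_factory=dict)  # key -> Obj

    def put(self, who, key):
        # Bucket WRITE covers every key: the ACL has no notion of a prefix.
        if who != self.owner and "WRITE" not in self.acl.get(who, set()):
            raise PermissionError(f"{who} cannot write to this bucket")
        # The uploader owns the object; its ACL is not derived from the bucket's.
        self.objects[key] = Obj(who, {who: {"FULL_CONTROL"}})

def copy(who, src, key, dst, dst_key):
    # Copying needs READ on the source object and WRITE on the target bucket.
    if not {"READ", "FULL_CONTROL"} & src.objects[key].acl.get(who, set()):
        raise PermissionError(f"{who} cannot read {key}")
    dst.put(who, dst_key)          # the copy is a new object owned by the copier

def shared_bucket_case():
    # One shared bucket, WRITE granted to two admins (constructed names).
    shared = Bucket("owner", {"marketing": {"WRITE"}, "rnd": {"WRITE"}})
    shared.put("marketing", "rnd/report.pdf")    # lands in the other "folder"
    return shared.objects["rnd/report.pdf"].owner

def staging_case():
    staging = Bucket("owner", {"marketing": {"WRITE"}})
    prod = Bucket("owner")                       # no WRITE grants at all
    staging.put("marketing", "brochure.pdf")
    staging.objects["brochure.pdf"].acl["owner"] = {"READ"}  # uploader's grant
    copy("owner", staging, "brochure.pdf", prod, "marketing/brochure.pdf")
    try:
        prod.put("marketing", "marketing/other.pdf")
        direct_write = True
    except PermissionError:
        direct_write = False
    return prod.objects["marketing/brochure.pdf"].owner, direct_write

if __name__ == "__main__":
    print(shared_bucket_case())
    print(staging_case())
```

In the shared-bucket case the marketing admin's object sits under another admin's prefix and is owned by the marketing account; in the staging case the production object is owned by the bucket owner and the admin has no direct write path to production.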
ispasic

Joined: 18 Jun 2008
Posts: 3
Location: Australia

Posted: Thu Jun 19, 2008 8:48 pm

Thanks for a quick response,
I'll take your suggestions to the project team.
Though creating a staging environment will encourage extra traffic and extra overhead, we don't have much choice; we have to consider it.

Bucket Explorer Team Edition sounds interesting; I would like to evaluate it as soon as it becomes available.

Thanks again, Ivan