Restricting files as either public or private in object storage
Hi? I'm working on a linode application that would potentially store public files that would be accessible by all users like profile pictures and private files that should only be accessible by the server and served to authorized users only. How can I come up with a desirable design that would enforce this requirement? Do I need to create two buckets, i.e one for public and another for private? How do I go about this? Any assistance would be greatly appreciated.
Anything you upload to Object Storage can be either public or private. Object uploads are generally private by default; uploading an object as public requires an additional flag to be used, such as
-P when using s3cmd. Where this gets a bit tricky is how private objects are accessed. Generally, you would only access a private object from an S3-specific tool, such as s3cmd. If you plan to have your application’s users access some objects but not others, you would need to make use of access control lists or bucket policies. Use of ACLs and bucket policies requires that the user accessing the restricted objects has a canonical ID, which is currently only provided to each Linode account. This would work best if you plan to limit access to certain objects at the application level rather than at the user level. Alternatively, you may want to consider using an access key instead, as access keys can have limited permissions to certain buckets.
From what you’ve written here, it sounds like you want to have some public objects that anyone can access, and some private objects that only your application can access. If you handle serving the objects from the application rather than granting users access to the objects themselves, you should be able to use any of the above methods as you’re only granting permissions to restricted objects to a single “user” - your application.
Hi @jyoo. Thanks for the reply! By now i had realized that i could simply use the same bucket to store both private and public assets and that Access Control permissions were not tied to the entire bucket but to individual files. Initially i was trying to set a file's permission(from private to public, since they are private by default) via the GUI ACL in my Linode Manager and it seems like the permissions are not really enforced (which is rather strange). My intended use was to upload files from the server through some sought of an API and since Linode Object Storage is aws s3 compatible then i figured out i could just use an aws s3 package and set the permissions through the api, which i did. So long story short, the problem was solved just by digging enough through your documentations. Thanks!