Amazon S3 中的子账户(如 Nirvanix)(子账户、客户账户)
我们将从 Nirvanix 迁移到 Amazon S3。
我需要的是模拟 S3 存储的 Nirvanix 风格子帐户。
(简而言之,这些提供了具有预定义限制的隔离存储,以及每个子用户的单独身份验证,仍然由同一主帐户管理)。
我们将拥有超过 100 个用户,因此每个用户的存储桶将不起作用(仍然限制在 100 个,对吗?)。
存储直接从桌面应用程序使用(例如,不通过我们的服务器,尽管有一个中央服务器,如果有帮助的话)。
我们想要一个可以支付所有费用的单一 S3 计费帐户,但我们希望我们的客户对象彼此安全地隔离。
Nirvanix 提供了开箱即用的功能 (http://developer.nirvanix.com/sitefiles/1000/API.html#_TocCreatingChildAccounts) - 这本质上就是我试图用 S3 复制的内容。
我了解如何为每个子用户分段对象,例如使用对象的“前缀”表示法(例如“USER1/object1”、“USER2/something_else)。
我无法解决的问题:
1) 我如何设置权限,以便每个客户只能访问他的文件?
如果我授予“应用程序”访问 S3 存储的权限,那么这显然意味着该应用程序的每个用户都可以访问任何人的文件
。 意味着执行此操作的唯一方法是让我的客户每个人都有一个 AWS 帐户?
设置丰富的 ACL,但我不明白的是您可以针对“谁”设置权限?这是否 我可以代表他们创建帐户吗?例如通过 API 调用?
我们当然不能允许每个用户通过 AWS 网站创建帐户(哎呀!
2)有关最佳方法的任何想法 。管理每个客户的配额?
这让我担心,因为据我所知,我们必须限制桌面应用程序的这种情况,因为 S3 只会继续允许更多数据。
我想我们可能可以接受每天运行的脚本,该脚本可以检查“滥用”的存储限制,但只是想知道是否有更好的方法。
谢谢大家!
约翰
We're moving from Nirvanix to Amazon S3.
What I need is to simulate Nirvanix style child accounts for S3 storage.
(In a nutshell these provide isolated storage with predefined limit, and a separate authentication for each sub-user, still managed by the same master account).
We'll have more than 100 users so the bucket-per user won't work (that's still limited at 100 right?).
The storage is used directly from a desktop application (and not, for example, via our servers, though there is a central server if that helps).
We want a single S3 billing account that pays for everything, but we want our customers objects safely segmented from each other.
Nirvanix provides this out of the box (http://developer.nirvanix.com/sitefiles/1000/API.html#_TocCreatingChildAccounts) - this is essentially what I'm trying to replicate with S3.
I understand how to segment objects for each sub-user, e.g. using the "prefix" notation of Objects (E.g. "USER1/object1", "USER2/something_else).
What I can't work out:
1) How can I set permissions so that each customer can only access his files?
If I give "the app" access to the S3 storage, then that obviously means that every user of the app could access anyones files.
It seems like you can set rich ACLs, but what I can't understand is "who" you can set permissions against. Is it only AWS users? Does that mean the only way to do this is to have my customers each have an AWS account?
If so, can I create accounts on their behalf? E.g. through an API call?
What we certainly cannot allow is having every user create an account through the AWS website (yuck!).
2) Any ideas about the best way to manage quotas for each customer?
This concerns me because from what I can tell, we'd have to limit this from the desktop application. This is obviously ripe for abuse because S3 will just keep allowing more data.
I guess we could probably live with having a script we run daily which sanity checks the storage limits for "abuse", but just wondered if there was a better way.
Thanks all!
John
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Amazon 有一项名为 AWS Identity and Access Management (IAM) 的新测试版服务这将允许您对您的存储桶进行分段。
在文档的 与 S3 一起使用 部分中,有是描述您的用例的示例:
不幸的是,我认为您目前无法使用 IAM 强制执行配额。
此外,根据您的平台,您可能希望使用可用的 SDK 之一来简化与这些平台的交互服务。
如果不采取一些认真的预防措施,您绝对不想在桌面应用程序中分发标准
密钥。拥有您的密钥的任何用户都可以完全访问您的所有 AWS 服务。Amazon has a new beta service called AWS Identity and Access Management (IAM) that will allow you to segment your buckets.
In the using with S3 section of the documentation, there are examples describing your use case:
Unfortunately I don't think you can currently enforce quotas using IAM.
Also, depending on your platform, you probably want to use one of the SDK's available to simplify your interactions with these services.
You absolutely don't want to distribute your standard
secret keyin a desktop application without taking some serious precautions. Any user with your secret key could have full access to all your AWS services.