jclouds-notifications mailing list archives

From "Alexandra Horuszko (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (JCLOUDS-1428) Support for SAS token based Authentication for Azure Blob Storage
Date Tue, 12 Mar 2019 06:49:00 GMT

    [ https://issues.apache.org/jira/browse/JCLOUDS-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16790281#comment-16790281 ]

Alexandra Horuszko edited comment on JCLOUDS-1428 at 3/12/19 6:48 AM:
----------------------------------------------------------------------

[~roy.biswa] So, there is a check in the code which defines whether you use SAS or SharedKey
in the following manner: it checks for the presence of four 'tokens': "sig", "se", "sv", "sp".
In order to be classified as a SAS string, it needs to contain ALL tokens from this list.
Your SAS string does not include "se" and "sp"; that is why the code classifies it as a SharedKey
and then proceeds as if it was a SharedKey. And then it bumps into an error, because it tries
to decode it as if it was a SharedKey, but it is actually not: it's too long, it contains
wrong characters...

Are you sure that such a format of SAS will actually work on AzureBlobStorage? I can see that
you're using Service SAS. And for Service SAS not only "sv" and "sig" are required, but also
"se" and "sp". Please take a look at the documentation here: [https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-a-Service-SAS?redirectedfrom=MSDN].

"se" is the expiration timestamp, and "sp" is the permissions.



> Support for SAS token based Authentication for Azure Blob Storage
> -----------------------------------------------------------------
>
>                 Key: JCLOUDS-1428
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1428
>             Project: jclouds
>          Issue Type: Improvement
>          Components: jclouds-blobstore
>            Reporter: Himanshu Jain
>            Priority: Major
>              Labels: azureblob
>             Fix For: 2.2.0, 2.1.3
>
>         Attachments: azure_stacktrace.txt
>
>
> Hi,
> We have one use case where we want to provide limited access to objects in our storage
> accounts. We figured that the best way to do this is by using SAS token based authentication
> mechanism to upload/download objects to Azure Blob Storage - [SAS based Authentication|https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1]
> We found that JClouds client library provides support for Azure Blob Storage using account
> keys which might not fit our use case because of security reasons.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
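
The classification described in the comment above, as an added example that is not part of the original message and is not jclouds' own code: a credential counts as SAS only when all four parameters are present, and anything else is decoded as a base64 shared key. The class and method names are hypothetical, the parsing of '&'-separated key=value pairs is an assumption, and the sample credentials are constructed.

```java
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical sketch of the SAS-vs-SharedKey check; not the jclouds source.
public class CredentialClassifier {
    // The four parameter names listed in the comment; ALL must be present.
    static final List<String> REQUIRED = Arrays.asList("sig", "se", "sv", "sp");

    // Collect parameter names from an '&'-separated key=value string (assumed format).
    static Set<String> paramNames(String credential) {
        Set<String> names = new TreeSet<>();
        String s = credential.startsWith("?") ? credential.substring(1) : credential;
        for (String pair : s.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) names.add(pair.substring(0, eq));
        }
        return names;
    }

    // True only when every required parameter name appears in the credential.
    static boolean isSas(String credential) {
        return paramNames(credential).containsAll(REQUIRED);
    }

    // Returns "SAS", "SharedKey", or a diagnostic naming the missing SAS parameters.
    static String classify(String credential) {
        if (isSas(credential)) return "SAS";
        try {
            Base64.getDecoder().decode(credential); // a shared key must be valid base64
            return "SharedKey";
        } catch (IllegalArgumentException e) {
            Set<String> missing = new TreeSet<>(REQUIRED);
            missing.removeAll(paramNames(credential));
            return "Invalid: not base64; missing SAS parameters " + missing;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        String fullSas = "sv=2018-03-28&sr=c&sp=rl&se=2030-01-01T00:00:00Z&sig=AAAA%3D";
        String partialSas = "sv=2018-03-28&sr=c&sig=AAAA%3D"; // no "se", no "sp"
        String sharedKey = Base64.getEncoder().encodeToString(new byte[64]);
        for (String c : new String[] {fullSas, partialSas, sharedKey}) {
            System.out.println(classify(c));
        }
    }
}
```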
