Imagine the following use case:

You have a Basecamp-style application hosting files with S3. Accounts all have their own files, but stored on S3.

How, therefore, would a developer go about securing files so users of account 1 couldn't somehow get to files of account 2?

We're talking Rails if that's a help.

A: 

If you want to restrict control of those remote resources you could proxy the files through your app. For something like S3 this may defeat the purpose of what you are trying to do, but it would still allow you to keep the data with amazon and restrict access.

You should be careful with an approach like this as it could cause your ruby thread to block while it is proxying the file, which could become a real problem with the application.

csexton
It doesn't have to be proxied directly by the RoR. The HTTP server below may be configured to do the proxying and RoR would only provide some kind of security credentials (probably a cookie value to test). This setup may be quite complicated, depends on the HTTP server used, requires access to server configuration and may require extra helpers (like FastCGI authenticator app or some authentication hook). Though, the performance gain may be worth it in some cases.
Jacek Konieczny
I wonder if a simple proxy -> server side redirect would provide enough to stop the vast majority of idle surfers rather than going the whole hog...
Neil Middleton
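An added example (not code from any of the answers above) of the ownership check a proxying Rails action would run before fetching or redirecting to an object. It assumes all accounts share one bucket with an account-scoped key prefix; the `FILES` hash is a constructed stand-in for the attachments table, and no AWS calls are made.

```ruby
# Added example: per-account authorization for files kept in one shared S3 bucket.
# Objects live under an account-scoped prefix ("accounts/<id>/<file_id>"), and
# every download request is checked against the owning account before the app
# proxies (or redirects to) the object. No AWS calls are made here; FILES is a
# constructed in-memory stand-in for the application's attachment records.

# Constructed sample data: file id => owning account id.
FILES = {
  "f-100" => 1,
  "f-200" => 2,
}.freeze

class AccessDenied < StandardError; end

# Build the S3 key for a file. The key is derived from server-side data only,
# never from a client-supplied path, so a request cannot name another
# account's prefix. The id is whitelisted to a safe character set as a
# second line of defence against path-style tricks.
def s3_key_for(account_id, file_id)
  raise ArgumentError, "bad file id" unless file_id.match?(/\A[\w.-]+\z/)
  "accounts/#{account_id}/#{file_id}"
end

# Resolve a download request to an S3 key, or raise if the current account
# does not own the file. Unknown ids and foreign ids fail identically, so the
# endpoint does not reveal whether another account's file exists.
def authorize_download(current_account_id, file_id)
  owner = FILES[file_id]
  raise AccessDenied, "not found" if owner.nil? || owner != current_account_id
  s3_key_for(current_account_id, file_id)
end

# What the proxying controller action does: authorize first, then fetch the
# object by the returned key and stream it. The fetch/stream step is omitted;
# it is the blocking part of the proxy approach discussed above.
def download(current_account_id, file_id)
  key = authorize_download(current_account_id, file_id)
  { status: 200, key: key }
rescue AccessDenied
  { status: 404, key: nil }
rescue ArgumentError
  { status: 400, key: nil }
end
```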
A: 

Serve the files using an EC2 Instance

If you set your S3 bucket to private, then start up an EC2 instance, you could serve your files on S3 via EC2, using the EC2 instance to verify permissions based on your application's rules. Because there is no charge for EC2 to transfer to/from S3 (within the same region), you don't have to double up your bandwidth consumption costs at Amazon.

John Douthat
I'm not really wanting to have a bucket per account as I think this won't scale particularly well...
Neil Middleton
You can still keep all your objects in one S3 bucket.
John Douthat
A: 

I haven't tackled this exact issue. But that doesn't stop me from having an opinion :)

Check out cancan:

It allows custom authorization schemes, without too much hassle.

Levi