cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Burwell <>
Subject Re: Query String Request Authentication(QSRA) support by S3 providers
Date Tue, 18 Jun 2013 02:38:09 GMT

Why are we mucking with ACLs at all?  The best security practice would be
to create a bucket for CloudStack's use and assign it a dedicated access
key and secret key pair with read/write access only to that bucket.
 Requiring an administrative account to an object store opens an
unnecessarily large attack surface.  Therefore, as implemented in 4.1, we
should defer bucket creation, ACL assignment, and credential creation to
the administrator/operator.


On Jun 17, 2013, at 1:15 PM, Min Chen <> wrote:

 Tom filed a very good bug for ACL setting change on S3 object when users
issue extractTemplate API (, and his
recommendation of using Query String Request Authentication (QSRA)
alternative sounds like a right approach to fix this bug. Before
implementing it, I would like to confirm if QSRA should be supported by all
S3 providers if they claim that they are AWS s3 compatible. If so, we will
make this assumption in our code. Based on Tom, Cloudian is supporting it.
How about RiakCS, John?


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message