Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 9

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Find a preliminary comparison of authentication methods:

CapabilityAreaShared KeyShared Access Signature
Scope
  • uses a single Shared Key for access at container level or at blob level
  • allows a single SAS token to be used for access to any blobs in a container
  • allows individual SAS tokens to be used per blob and per file transfer operation 
Access Duration
  • enables unlimited access
  • makes use of expiration dates
Permissions
  • enables full access at container level or at blob level for any file transfer operations
  • offers permissions (read, write, delete, list) per resource type (container, object) and service (blob, queue, table, file)
  • allows a single SAS token to be used that includes any permissions and file transfer operations (get, put, list)
    • allows individual SAS tokens to be used specifying permissions per blob and per file transfer operation
Implementation
  • A signature is created by hashing blob resource parameters and by specifying the blob to be accessed.
  • Use of the HTTPS Authorization header for signature.
  • A signature is created by hashing blob resource parameters, the permissions that are assigned and the expiration date.
  • An SAS token is generated that specifies both the plain text values of the signature and the hashed value of the signature.
  • Use of HTTPS query parameters for SAS tokens. Such tokens specify the blob resource to be accessed, the permissions that are assigned, expiration period and signature.


  • From the above comparison Shared Access Signatures are superior concerning more fine-grained access to resources.
  • At the same time Shared Key authentication suggests ease of use as a single Shared Key can be used to authenticate any file transfer operations for an unlimited duration.
  • Technically a single Shared Access Signature can be applied in a similar way allowing any file transfer operation on any blobs in a given container for a longer period, e.g. the next 100 years.

...

Implementation

User Tasks: Manage Shared Keys and Shared Access Signatures

...

Creating Shared Keys and Shared Access Signatures

...

  • When using a single Shared Key or Shared Access Signature for all YADE file transfer jobs then
    • this could be added as a constant value to the JobScheduler configuration, e.g. with a parameter to the ./config/scheduler.xml file.
    • this could be added to a Credential Store that would be accessed by any YADE file transfer jobs.
  • When using individual Shared Keys or Shared Access Signatures per YADE file transfer job then a Monitor should be implemented that is assigned on a per job basis and that can be parameterized to use the key or signature specified by a job parameter or order parameter.
  • Should Shared Keys or Shared Access Signatures have to be renewed on a regular basis then this can be executed performed by a job, e.g. running daily, that is implemented by a user of JobScheduler.

...

  • Accept for both Shared Keys and Shared Access Signatures the respective configuration items:
    • Both For both authentication methods
      • Add to URL
        • Resources
        • container resource
        • blob resource
        • Example
          • https://<owner account specified by user>.blob.core.windows.net/<container specified by user>/<blob specified by user>
          • https://yade.blob.core.windows.net/yade/test.txt
      • Add HTTPS headers:
        • x-ms-blob-type : BlockBlob
        • x-ms-date : <date of request>
        • x-ms-version : <version as specified by user>
    • Shared Key
      • Add HTTPS authorization header:
        • Authorization : SharedKey <requester account specified by user>:<signature specified by user>`
    • Shared Access Signatures
      • Add query parameters to URL for list operationoperation to list blobs in a container
        • https://<owner account specified by user>.blob.core.windows.net/<container specified by user>/<blob specified by user>?<query parameters>
        • https://yade.blob.core.windows.net/yade/test.txt?restype=container&comp=list
      • Add SAS token to URL:
        • https://<blob storage owner account specified by user>.blob.core.windows.net/<container specified by user>/<blob specified by user>?<SAS token specified by user>
  • Adjust the YADE XSD Schema to allow configuration of any number of HTTP headers
    • at a global level 
    • per profile
    • on a per job basis by job/order parameters and when using the YADE standalone client by command line parameters.
  •  Delimitation
    • The implementation is about integrating the above configuration items into HTTPS headers and query parameters.
    • The implementation is not about developing a new data provider that is subject to a separate feature request.

...