Read Permissions
It is possible to permit operations for reading from containers.
- By setting permission for a specific referrer in a container, reading is possible if that referrer is included in requests.
- In addition, if all referrers are permitted, even requests that do not contain referrers will be permitted.
- Settings to permit referrers make it possible to read without performing authentication of tokens, lowering the level of security. Therefore this is not recommended.
The settings for permitting projects and users are specified in the following format.
When specifying multiple settings, separate them with a comma.
Setting Content | Description Method |
---|---|
Permit a project | {projId}:* |
Permit a user | {projId}:{userId} |
The settings for permitting referrers are specified in the following format.
When specifying multiple settings, separate them with a comma.
Setting Content | Description Method |
---|---|
Permit all referrers | .r:* |
Permit hosts of referrers | .r:{host} |
Permit domains of referrers (*1) | .r:.{domain} or .r:*.{domain} |
Reject hosts of referrers | .r:-{host} |
Reject domains of referrers (*2) | .r:-.{domain} or .r:-*.{domain} |
Permit retrieval of a list of objects (Only when ACL is set for referrers) | .rlistings |
Caution is necessary regarding conflicting settings, as only the latter setting will be enabled.
The following is an example of settings for referrers, in which a domain is permitted but requests from a specific host in that domain are rejected.
- Correct setting
.r:*.test.jp,.r:-server.test.jp
- Incorrect setting (The request will not be rejected even if the host of the referrer is "server.test.jp")
.r:-server.test.jp,.r:*.test.jp
(*1) If .r:*.{domain} is specified, it will be registered in .r:.{domain}
(*2) If .r:-*.{domain} is specified, it will be registered in .r:-.{domain}
When permitting a user
Example of Request
curl -i $publicURL/marktwain -X POST -H "X-Container-Read: 412b1ede9e4042d3b81fdb6728576199:ddf0902c56ef42fd9d6a3263b1bb686f" -H "X-Auth-Token: $token"
When permitting multiple users and permitting retrieval of a list of objects
Example of Request
curl -i $publicURL/marktwain -X POST -H "X-Container-Read: .r:server.test.jp,.r:*.co.jp,.rlistings" -H "X-Auth-Token: $token"
When rejecting the host of a referrer
Example of Request
curl -i $publicURL/marktwain -X POST -H "X-Container-Read: .r:*,.r:-server.test.jp" -H "X-Auth-Token: $token"