Grant permissions

Greetings,
Here is my use case:

  1. Having a server, I want to rclone DB dumps on the Storj bucket.
  2. Configuring rclone on the server in question, with Read, Write access rights on the specified bucket.

What happens if a hacker takes over my server? He will be able to overwrite my backup files, because their names are easily predictable. Ideally there should be a Create access right and a separate Write one. Thus, with Create, files once uploaded can’t be overwritten.
Does that make sense?

All the best, great service!

Welcome to the forum! I recommend you read the section in our documentation about Access Grant management and how to use caveats with access grants to limit whether people with whom the access has been shared can download files in an unlimited manner, only certain files for a limited time, or no files at all.

See also Access Revocation and revoking Access to an Object,
Access Restrictions and how to generate an access grant with restrictions, and What kind of restrictions can you put on an Access Grant.

On the other hand, it is recommended you protect your Storj DCS account with multifactor authentication and a strong password, to prevent it from getting easily hacked.

I would suggest creating an access grant with write and perhaps list permissions, but not delete permissions; this will give you immutable storage. If you provide an expiration time during copy, these objects will be automatically deleted when expired.
You may also create an access grant with integrated TTL for objects with the uplink share --max-object-ttl command.
Please note, you will not be able to overwrite existing objects without delete permissions, so please use different names or prefixes (“subfolders”).
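
The setup suggested above, sketched as an added example that is not part of the original post or of Storj's documentation: a grant without read or delete permission, plus dump names that never repeat, so every upload is a create. The bucket name `db-backups`, the rclone remote name `storj`, the `dumps/` prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example. BUCKET, REMOTE and the function names are assumptions.
BUCKET="db-backups"   # assumed bucket name
REMOTE="storj"        # assumed rclone remote, configured with the restricted grant

# Run once on a trusted admin machine, not on the backup server:
# derive a grant for the bucket that may write and list, but not read or delete.
# $1 = file to export the restricted grant to.
make_restricted_grant() {
    uplink share --readonly=false --disallow-reads --disallow-deletes \
        --export-to "$1" "sj://$BUCKET/"
}

# Build an object key that never repeats, because without delete permission
# an existing key cannot be replaced.
# $1 = database name, $2 = UTC timestamp (optional, defaults to now).
backup_key() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid database name: $1" >&2
            return 1 ;;
    esac
    ts="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
    printf 'dumps/%s/%s-%s.sql.gz\n' "$1" "$1" "$ts"
}

# Run on the backup server. $1 = local dump file, $2 = database name.
# --immutable makes rclone fail instead of modifying a file that already exists.
upload_dump() {
    key=$(backup_key "$2") || return 1
    rclone copyto --immutable "$1" "$REMOTE:$BUCKET/$key"
}
```

Only the exported restricted grant is placed on the backup server; the account credentials and any grant with delete permission stay on the admin machine.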

Thanks a ton @Alexey!

It is not obvious from the documentation that you actually need Delete permission in order to overwrite a file. Perhaps you can add a sentence in the Documentation about this, and spare some answering on the forum. For the moment I don’t need TTL, will clear manually when full.

I really like Storj, thanks again!

2 Likes

In object storage there is no overwrite or modify per se; you actually delete an object and then upload a new one, but many client programs just hide this under the hood.

I got it, thank you @Alexey. Although I am a long-time software developer, it is my first time working with Object Stores (no S3 experience), so I was trying to match Object operations onto HTTP method requests.

Thanks again,
Dragomir

Actually we have documented this behavior:

1 Like