I have a case of enterprise ready file systems where we need to have a custody system where customer uploads documents and the project would also need access because they are custodians.
How would that be possible in this case since we do not have authZ concept in this filesystem. In other words , can we share files between projects in an automated way,
Hello @nilaysaha ,
You can invite any other Storj DCS account to your project. The invited would have the same level of access as the owner.
Another way is to create access grants for more granular sharing, down to a single object: Sharing Your First Object - Storj DCS (you can also share buckets and prefixes).
Thanks Alexey. I have to appreciate this project. Lots of things taken care of. Now question is can we create a project using uplink cli ? Could not find that in the documentation.
No, there is no such functionality. You can create a project via satellite UI (see Project Dashboard - Storj DCS).
The number of projects have limits, for example, on free tier you can create up to three projects in total.
However, you can request to increase any limit: Usage Limits - Storj DCS
The requirement is that for each corporate customer i would need to provide a separate place to store their files. And since authentication is per project i am wondering how to protect the buckets from each other.
Are you trying to use the satellite interface as the end application for them?
If so, then the only way is to create separate accounts, because authentication is not per project, it’s per account.
If you use Storj DCS as a backend, then you can generate an access token and use it as API key to create a normal access grant with the encryption key provided by the customer. Then any object uploaded with that access grant will be available only to the customer.
The customer can share the object or prefix (it will generate an derived access grant under the hood) to others.
If you would manage an initial access, it would be simpler to create a bucket per customer, and allow them to generate an own access grant using the initial access token, satellite URL with SatelliteID and encryption phrase. You will not show to the customer the initial token and satellite URL with SatelliteID, but would request an encryption phrase from the customer, then generate an access grant for them using our libraries or even uplink CLI.
In such a case they will not be able to see other buckets or objects.
- Create buckets for two customers
uplink sj://first-customer uplink sj://second-customer
- Make sure you as an owner can see both buckets
uplink ls BKT 2021-06-05 21:38:35 first-customer BKT 2021-06-05 21:18:36 second-customer
- Create an access grant with full rights to the bucket
uplink share --readonly=false sj://first-customer
- Import the access grant as a named access (it simulates what your application should do for that first client)
uplink import first-customer 1oroifgrejvorvjgiortgjiotrjgojemriojgiojevjvierjivoejrv....
- Try to list as a first customer
uplink --access first-customer ls BKT 2021-06-05 21:38:35 first-customer
The same you can do for the second bucket. The second access grant will have an access to the second bucket only.
Then the customer can share the object or even prefix to anyone (anyone who have an access grant or URL with it can have an access to the shared object with specified caveats).
For example, to share an URL you can use a command
uplink --access first-customer share --url "sj://first-customer/Protected Documents/very important doc.odt"
and you would have a clickable link to download an object.
If you want to brand it (so that there is no storj in the url) this is also possible, see Host a Static Website - Storj DCS
It explains how to host a static site, but you can use the same technique to use your domain for these URLs.
I would recommend to read more about the access there: Access Management - Storj DCS
Keep in mind, even if you go with the projects way, and even if the customer will have a full access to the project, they can only access objects encrypted with an encryption phrase known to the customer. If it’s unknown for them or it’s different, all what they can see - only empty buckets. So basically you can have an own encryption phrase for each object. The prefixes (“subfolders”) are part of the object name.
Wow. that was a lot. I would love if this is available for all as a documentation.