I have created two buckets public and private in the WebGUI.
Then I set up uplink on my terminal.
Added folders and files to the public bucket using uplink
Set up Filezilla access to my node
Filezilla cannot see the folders or files created using uplink
WebGUI cannot see the folders or files created using uplink
My question is maybe related to how the service works. Am I missing something fundamental about how this works? Maybe I am not understanding how access tokens work?
Why does the CLI/uplink version of my storage node and the Filezilla/GUI versions not stay in sync?
You should use exactly the same encryption phrase used during upload, otherwise objects cannot be decrypted and your buckets will look like empty.
If you do not remember your encryption phrase, you can only remove these objects.
Using UI:
In your dashboard, navigate to Buckets
Click on three vertical dots on the right side of the bucket
To list objects which uses the current encryption phrase:
uplink ls sj://my-bucket
If list of objects is empty - there is no objects with current encryption phrase. If you lost the previous encryption passphrase, you can only delete the previous objects or even the buckets.
To remove buckets where you lost an encryption phrase:
uplink rb --force sj://my-bucket
There is no concept of “public”/“private” bucket. They all private by default.
But you can share any bucket(s)/prefix(es)/object(s): Sharing Your First Object | Storj Docs or with the linksharing service: share | Storj Docs
The bucket/prefix/object become “public” only when you give the generated access grant or URL to someone or publish somewhere.
I think I see your point. I was able to reconfigure uplink using the same access grant as I used in Filezilla and things look to be in sync. Just to be clear on how the juggling of access grants and encryption phrases work:
a single access grant is created from a unique encryption phrase
the access grant is similar to a hashed version of the encryption phrase
use the access grant as a password in uplink/Filezilla to access objects encrypted using the associated encryption passphrase
This means to me:
that I can have a bucket and grant access to various objects within that same bucket which are created/encrypted using various access grants coming from a unique encryption key
the encryption passphrase acts as the decrypting passphrase
in the online object browser I am browsing only objects in the bucket based on the unique encryption passphrase that I used to create them
theoretically there could be dozens of objects in a single bucket and users with various encryption phrases and access grants would only be able to see the objects created with the corresponding encryption phrase and no other
this works to control access to various objects as a kind
Could you please correct my understanding on these points as it would help me to understand how your technology works better? Thank you for your help!
I think I see your point. I was able to reconfigure uplink using uplink setup and use the same access grant that I used with Filezilla. Now everything looks to be in sync. I can even use the same encryption passphrase in the web object browser and see those same objects and buckets. Just to be clear on how this system works:
a unique encryption passphrase is used to generate a single access grant
multiple encryption passphrases can be used to control access to objects within the same bucket by creating multiple access grants
a user with one encryption passphrase cannot see the objects encrypted/created with separate encryption passphrases
Could you check my understanding on these points?
Also, how is the API key any different than the access grant? Is it recommended to use one over the other when simply managing the file system? Is the API key only used when using libraries such as libuplink for application development?
Your assumptions almost correct, except hashes of encryption phrase. The access grant is more complicated object - it’s macaroon and contains API key, SatelliteID@SatelliteURL, encryption key derived from the encryption phrase and caveats (permissions).
So, when you share your access grant you basically give a derived credentials with limited permissions. However, if you share your root access grant you will give full permissions to your project.
See Access Management | Storj Docs and Encryption Keys | Storj Docs
API key is a key to access to the satellite, but it’s not enough to get or put your objects, you also need an encryption key. The encryption key usually derived from your encryption phrase.
The access grant consist of API key, SatelliteID@Satellite URL, encryption key and caveats.
See API Key | Storj Docs
It is possible to create a web gui that uploads the data directly and publishes it if the user wants, something like a fansly but simpler and not for that purpose.