locked
Blobs, containers and security RRS feed

  • Question

  • Hi all,

    I got a requirement to store a number of files. Some of the files are private (require login and authorization) while others are public (do not require login and can be accessed through the browser). These files are handled through a file management API written in C#, which we migrated to support Azure Blobs. Files are now being stored in a container on Windows Azure.

    However, since some of the files might be private, the container must be marked as private. That means that for every file access, an SAS needs to be generated. Since the file management API stores all the files (independant of their permission requirement) in the same container, it also needs to generate an SAS for public files. Since over 80% of the files are public, and performance is an issue, I would like to avoid having to generate an SAS for every public file, but keep the SAS for private files (generated by a handler that checks security).

    My approach is to create TWO containers and store public files in one, and private files in the other. However, this entails that if a public file's security is changed to private, it would have to be moved to the private container. Since the application allows users to change the security settings of multiple files at once, a mass copy of multiple (potentially large) files would have to be moved between containers.

    Seeing that containers are just 'markers', I assumed that a blob move operation (from a container to another) would be instantaneous, and no physical copy of the blob is done. However, there doesn't seem to be the move operation in the REST API. The only solution seems to be a copy/delete operation (which definitely requires a physical copy operation which takes time).

    Am I on the right track?

    Is there a faster way to move blobs between containers of different permissions instead of copying and deleting each blob?

    Thanks!

    Monday, January 14, 2013 9:12 AM

Answers

  • Thanks for the reply.

    I cannot store both public and private blobs in the same container without having either private blobs accessible without an SAS, or having to generate SAS for every public blob.

    The public/private status is currently being stored in the database. Saving it with the blob does not affect whether it would need an SAS or not, so it's kinda useless.

    I think copy/delete is the way to go, if I opt to go through this route.

    Tuesday, January 15, 2013 8:43 AM

All replies

  • Hi,

    I think copy/delete is the right way to do such thing. You can do it through StorageClient library which is much easier:

    http://allcomputers.us/windows_azure/copying-blobs---copying-files-via-the-storageclient-library.aspx

    A workaround I think is you can create a talbe lists all file names and pathes of the Blob. In the table also lists all file status (public/private), then you can decide if it is open to user or not from this property. All files can be saved in one container now. For changing permission of file, just update the status property in the table.

    Thanks,


    QinDian Tang
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, January 15, 2013 5:31 AM
  • Thanks for the reply.

    I cannot store both public and private blobs in the same container without having either private blobs accessible without an SAS, or having to generate SAS for every public blob.

    The public/private status is currently being stored in the database. Saving it with the blob does not affect whether it would need an SAS or not, so it's kinda useless.

    I think copy/delete is the way to go, if I opt to go through this route.

    Tuesday, January 15, 2013 8:43 AM