How to create a Private Container ??

  • Question

  • Hi,

    I have tried my hand on some basic blob related programs. All the programs use public containers. I have used the following code:

        var storageAccount = CloudStorageAccount.FromConfigurationSetting("DataConnectionString");
        _BlobClient = storageAccount.CreateCloudBlobClient();

        _BlobContainer = _BlobClient.GetContainerReference("publicfiles");
        _BlobContainer.CreateIfNotExist();

        var permissions = new BlobContainerPermissions();
        permissions.PublicAccess = BlobContainerPublicAccessType.Container;
        _BlobContainer.SetPermissions(permissions);

    Now, I want to create a private container in the development storage itself. For that I have assigned accountname as "devstoreaccount1" and accountkey as "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==" and BlobEndpoint=http://127.0.0.1:10000/ in the settings template. And in the Default.aspx.cs I have used the following code snippet:

            string accountName = "devstoreaccount1";
            string sharedKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";

            var storageAccount = new CloudStorageAccount(new StorageCredentialsAccountAndKey(accountName, sharedKey), true);

            _BlobClient = storageAccount.CreateCloudBlobClient();

            _BlobContainer = _BlobClient.GetContainerReference("privatefiles");
            _BlobContainer.CreateIfNotExist();

    I want that on running the code, at first the program will ask for an account name and an account key, and only if the user provides the correct information (which is already saved in the settings) can he/she access the blob.

    But this code is not working for me. Can anybody tell me where I went wrong?

    -- Neil

    Thursday, September 9, 2010 10:25 AM

Answers

  • Additionally, the development storage has only one account and this is predefined.  To do your multi-account testing, the cloud service will be your best option.

    Let me know if this does not address your issue.

    Niranjan.

    • Marked as answer by Brad Calder Wednesday, April 6, 2011 5:37 AM
    Sunday, March 27, 2011 4:25 AM

All replies

  • For the private container... permissions.PublicAccess = BlobContainerPublicAccessType.Off

    It should be that way by default. So I'm curious if you could explain more about "code is not working".... Could you post the retrieval code snippet?

    Thursday, September 9, 2010 10:39 AM
  • The permissions on a container are by default private. That's why I have not used the permissions line in my new code. Now, as you suggested, I used the above line too, but my problem is that the program is not asking for any acc name or key. Then again, after submitting the file path, name and submitter name, an exception is showing that "The remote name could not be resolved:'devstoreaccount1.blob.core.windows.net'".

    I have not written any separate method for retrieval. I have merged it with the method for uploading the files. The code snippet which I have used is:

                string extension = System.IO.Path.GetExtension(fileUploadControl.FileName);

                var blob = _BlobContainer.GetBlobReference(Guid.NewGuid().ToString() + extension);
                blob.UploadFromStream(fileUploadControl.FileContent);

                blob.Metadata["FileName"] = fileNameBox.Text;
                blob.Metadata["Submitter"] = submitterBox.Text;
                blob.SetMetadata();

                blob.Properties.ContentType = fileUploadControl.PostedFile.ContentType;
                blob.SetProperties();

                UpdateFileList();
                fileNameBox.Text = "";
                statusMessage.Text = "";

    In the ideal case, while clicking the link for the file, it should want an acc key and name and then it should open that file. But this is not happening. I wonder what went wrong.


    Thursday, September 9, 2010 12:23 PM
  • I wish Neil were here; he's more of an Azure Storage expert than I am.

    Here's what I suspect is happening. The blob container you're using to serve up the object was created from the blob client which already has your credentials. As such, it's already been authorized to interact with the container which is private.

    As for serving up the blob from a private container, I'm not aware of Azure Storage automatically challenging the browser for credentials and thus the user being prompted to provide the key and password before they can download from the container. The key/password combo needs to be used to help sign the request that is passed to Azure Storage. If you want to authenticate users, you may need a service that proxies access to your Azure Storage account that can perform this type of action.

    Again, Neil should be back online soon, so if nobody else can answer it for you before then, he'll definitely have an answer.

    Thursday, September 9, 2010 1:27 PM
  • Hi Neil,

    You may want to change this line:

    var storageAccount = new CloudStorageAccount(new StorageCredentialsAccountAndKey(accountName, sharedKey), true);

    to something like:

    var storageAccount = CloudStorageAccount.DevelopmentStorageAccount;

    Basically you're passing the development store credentials to a constructor which creates a connection to Azure Storage.

    Hope this helps.

    Thanks

    Gaurav Mantri

    Cerebrata Software

    http://www.cerebrata.com

    Thursday, September 9, 2010 2:31 PM
  • Neil -

    I did a post on access control for blobs that you might find helpful.

    I think there is some confusion with authentication going on here. If you are in possession of an Azure Storage account and key then you have full control of that storage - you can delete it all and you can pollute it with bad data. You should never share the key with anyone and you should never ask them to provide it as an authentication token to your service.

    If you want to provide multi-tenant access to your Azure Storage then you should do it by having users authenticate to a website which then handles multi-tenanted access to your Azure Storage. The website knows the account and key but your users never should. This is what Brent describes as "proxies."

    Thursday, September 9, 2010 3:34 PM
    Answerer
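
The proxy approach described in the replies above, as an added example that is not part of the original thread: an ASP.NET handler that authenticates the user with the site's own login and streams a blob from the private container, so the storage key never leaves the server. The class name `PrivateBlobHandler` and the `file` query parameter are hypothetical, the code uses the same 2010-era `Microsoft.WindowsAzure.StorageClient` library as the thread, and it assumes the upload code stores the authenticated user name (not free text) in the `Submitter` metadata.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

// Hypothetical handler (e.g. mapped to Download.ashx). The site holds the storage
// key; the user only ever presents their own website login.
public class PrivateBlobHandler : IHttpHandler
{
    // Blob names in the thread's upload code are "<guid><extension>"; accept nothing else.
    private static readonly Regex SafeName = new Regex(
        @"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(\.[A-Za-z0-9]{1,8})?$");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authenticate the user against the site (Forms auth turns 401 into a login redirect).
        if (!context.User.Identity.IsAuthenticated) { Deny(context, 401); return; }

        // 2. Validate the requested name so it cannot address other paths or containers.
        string name = context.Request.QueryString["file"];
        if (name == null || !SafeName.IsMatch(name)) { Deny(context, 400); return; }

        // 3. Server-side credentials only. Development storage here; in the cloud,
        //    load the account from protected configuration instead.
        var account = CloudStorageAccount.DevelopmentStorageAccount;
        var blob = account.CreateCloudBlobClient()
            .GetContainerReference("privatefiles").GetBlobReference(name);
        try
        {
            blob.FetchAttributes();
            // 4. Authorize: only the recorded submitter may read. A mismatch gets the same
            //    404 as a missing blob, so responses do not reveal which names exist.
            if (blob.Metadata["Submitter"] != context.User.Identity.Name) { Deny(context, 404); return; }
            context.Response.ContentType = blob.Properties.ContentType;
            context.Response.AddHeader("Content-Disposition", "attachment");
            blob.DownloadToStream(context.Response.OutputStream);
        }
        catch (StorageClientException) { Deny(context, 404); }
    }

    private static void Deny(HttpContext context, int status) { context.Response.StatusCode = status; }
}
```
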
  • Thanks for all your replies. To avoid any confusion, I would again like to mention that I intend to make this blob in the development storage, not in the Windows Azure Storage. And I do not have any storage account in it. The acc name and key that I have mentioned are, I guess, for the authentication of any private container that is to be stored in the development storage.

    My real concern is that if we make a container private (that is stored in the development storage), is there any way to perform an authentication check so that only those users who have the correct acc name and key can access its contents? I mean, is it possible that a container can be accessed by any person whoever has got the correct acc name and key which is stored in the settings template?

     

      -- Neil

    • Edited by Neil.Ganguly Friday, September 10, 2010 6:32 AM forgot to write 'for'
    Friday, September 10, 2010 6:31 AM
  • I mean, is it possible that a container can be accessed by any person whoever has got the correct acc name and key which is stored in the settings template?

    Yes. It's a bad idea to store account name and key in settings template in plain text. Once a user has access to account name and key, they will have full control over the storage account and thus marking a container "Private" will not serve the purpose you're looking to fulfill.

    Hope this helps.

    Thanks

    Gaurav

     

     

    Friday, September 10, 2010 7:21 AM