Dell DX6004S DX Object Storage Application Guide - Page 50
About Authorization Header Syntax
the user list yet for a bucket, DX Storage returns a 401 (Unauthorized). These errors stop after the realm cache interval has passed.

12.3. About Authorization Header Syntax

You set an authorization specification using the Castor-Authorization header, which has the following syntax:

    Castor-Authorization: authorization-specification[, authorization-specification][...]

where authorization-specification is defined as follows:

    {[realm-name,] | {view | change}[=realm] | {post | put | copy | append | get | head | delete}[=realm-name]}

and view and change are referred to as generic operations and post, put, copy, append, get, head, and delete are referred to as method operations.

The order in which you specify more than one authorization-specification is not important.

realm-name is discussed in Section 12.3.1, "About Realm Names".

The following table shows how generic operations map to method operations:

    Generic operation    Method operation equivalents
    view                 get, head
    change               put, delete, copy, append

post is unique because it enables an authorized user to create a new object. It does not map to a generic operation and therefore must be granted explicitly.

Note

• Security privileges are not inherited from container objects to the objects contained by them. In other words, a realm that is authorized to create a bucket is not automatically authorized to create objects in the bucket.

• A security privilege expressly granted for a particular object using privilege=realm is expressly denied to all other users. For example,

    Castor-Authorization: cluster.example.com, view=cluster.example.com/mybucket

  expressly grants view privileges to users in the cluster.example.com/mybucket realm and denies view privileges to users in the cluster.example.com realm. Any operation not specifically reserved to a realm can be performed by anyone.

• If you delete a container object without first deleting the objects it contains, the objects are not deleted; however, the objects cannot be retrieved because their container is missing. For example, if you delete a bucket that contains objects, the objects cannot be retrieved. Your cluster administrator can work around this issue.

• When accessing an unnamed object using the Castor-Authorization header, a URI ending with /uuid is a different URI from one ending with /uuid/. DX Storage compares the final segments of the URI named in the request (that is, the part of the URI after the last slash) and the one in the Castor-Authorization header to verify the resource being requested is authorized.

Copyright © 2010 Caringo, Inc. All rights reserved. Version 5.0, December 2010
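The following Python code is an added example, not code from the Dell/Caringo guide: it parses a Castor-Authorization value, expands view and change into their method operations, and lists the methods left open to anyone, which is the gap to review before storing an object. Assumptions: a bare realm-name is the default for every method operation not otherwise named, a method operation overrides a generic one, and forms this page does not define (an operation without =realm) are rejected; effective_realms and open_methods are hypothetical names.

```python
# Generic-to-method mapping, taken from the table in section 12.3.
GENERIC = {"view": ("get", "head"),
           "change": ("put", "delete", "copy", "append")}
METHODS = ("post", "put", "copy", "append", "get", "head", "delete")


def effective_realms(header_value):
    """Return {method: realm}; None means the method is open to anyone."""
    default, generic, method = None, {}, {}
    # Specifications are comma-separated and their order is not significant.
    for spec in (s.strip() for s in header_value.split(",")):
        if not spec:
            continue
        op, sep, realm = (p.strip() for p in spec.partition("="))
        key = op.lower()
        if not sep:
            if key in GENERIC or key in METHODS:
                # "view" with no "=realm" is valid syntax, but its meaning is
                # not defined on this page, so this example does not guess.
                raise ValueError("operation without realm: %r" % spec)
            default = spec  # bare realm-name (assumed default realm)
        elif not realm:
            raise ValueError("empty realm: %r" % spec)
        elif key in GENERIC:
            generic[key] = realm
        elif key in METHODS:
            method[key] = realm
        else:
            raise ValueError("unknown operation: %r" % spec)

    # Assumed precedence: method operation > generic operation > default realm.
    result = {m: default for m in METHODS}
    for name, realm in generic.items():
        for m in GENERIC[name]:
            result[m] = realm
    result.update(method)
    return result


def open_methods(header_value):
    """Methods not reserved to any realm, so anyone can perform them."""
    realms = effective_realms(header_value)
    return sorted(m for m, r in realms.items() if r is None)


if __name__ == "__main__":
    # Constructed sample: view and change are reserved, post was forgotten.
    sample = "view=cluster.example.com, change=cluster.example.com"
    print(open_methods(sample))
```
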