如何将数据存储在S3，并允许在轨API / iOS的客户端的安全方式的用户访问？ [英] How to store data in S3 and allow user access in a secure way with rails API / iOS client?

问题描述

我是新来写的Rails和API。我需要一些帮助，S3存储解决方案。这里是我的问题。

I am new to writing Rails and APIs. I need some help with S3 storage solution. Here's my problem.

我写一个API，用于iOS应用程序，其中用户的登录与iOS上Facebook的API。服务器验证对令牌Facebook的问题，iOS的用户的用户并发出临时会话令牌。从该点，用户需要下载存储在S3中的内容。这内容仅属于该用户和他的朋友的子集。这个用户可以添加更多的内容至S3可通过相同的一群人进行访问。我想这是类似于附加文件到Facebook群...

I am writing an API for an iOS app where the users login with the Facebook API on iOS. The server validates the user against the token Facebook issues to the iOS user and issues a temporary Session token. From this point the user needs to download content that is stored in S3. This content only belongs to the user and a subset of his friends. This user can add more content to S3 which can be accessed by the same bunch of people. I guess it is similar to attaching a file to a Facebook group...

有2种方式，用户可以与S3交互......离开它的服务器或获得服务器发放临时S3令牌（不知道这里的​​可能性），并且用户可以对内容的网址，直接撞了上去到S3。我发现这个问题讲的是方法，但是，它确实日期（2岁前）：<一href="http://stackoverflow.com/questions/4481311/architectural-and-design-question-about-uploading-photos-from-iphone-app-and-s3">Architectural大约从iPhone应用程序上传照片的设计问题和S3

There are 2 ways a user can interact with S3... leave it to the server or get the server to issue a temporary S3 token (not sure of the possibilities here) and the user can hit up on the content URLs directly to S3. I found this question talking about the approaches, however, it is really dated (2 yrs ago): Architectural and design question about uploading photos from iPhone app and S3

因此​​，问题：

• 有没有办法来限制用户发出临时令牌当S3仅访问某些内容？我怎样才能做到这一点？假设有...说10万以上的用户。
• 是不是让iOS设备直接拉此内容出一个好主意？
• 还是应该让服务器控件的所有内容传递（这当然解决了安全性）？这是否意味着我必须移交下来到所连​​接的用户之前下载所有的内容服务器？
• 如果您知道护栏......我可以用曲别针和AWS-SDK宝石来做到这一点还挺设置？

道歉多问题，我AP preciate任何洞察问题。感谢：）

Apologies for multiple questions and I appreciate any insight into the problem. Thanks :)

推荐答案

使用 AWS-SDK宝石，您可以通过调用<一个得到一个临时标识的URL任何S3对象href="http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/S3/S3Object.html#url_for-instance_method"><$c$c>url_for:

Using the aws-sdk gem, you can get a temporary signed url for any S3 object by calling url_for:

s3 = AWS::S3.new(
  :access_key_id => 1234,
  :secret_access_key => abcd
)
object = s3.buckets['bucket'].objects['path/to/object']
object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s

这会给你一个签字，临时使用的URL在S3中仅对象。 20分钟后到期（在这个例子中），和它的唯一好的为一个对象。

This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.

如果你有大量的对象客户的需求，就需要发行大量签订的URL。

If you have lots of objects the client needs, you'll need to issue lots of signed URLs.

还是应该让服务器控件的所有内容传递（这当然解决了安全性）？这是否意味着我必须移交下来到所连​​接的用户之前下载所有的内容服务器？

Or should let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?

请注意，这并不意味着服务器需要下载每个对象，只需要身份验证和授权指定的客户端访问特定对象S3。

Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.

API从亚马逊的文档： <一href="http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth">http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

API docs from Amazon: http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

这篇关于如何将数据存储在S3，并允许在轨API / iOS的客户端的安全方式的用户访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！