Anonymous read with Amazon SimpleDB

Question

I would like to query SimpleDB directly from the client using JavaScript. My application is read-heavy and I would rather not route the request through my application server. Is it possible to perform a select request without authentication?

I could set up an authentication server, but this is rather inelegant as it will just be saying yes to every read request and would introduce another bottleneck/speedbump/point of failure.

Do the other cloud db solutions (Microsoft, Google) have this functionality?

Recommended answer

This is possible using AWS IAM (Identity and Access Management) and a server side "token vending machine". AWS docs have an article specifically written for the use case Authenticating Users of AWS Mobile Applications with a Token Vending Machine and sample code for server, iOS, and Android in GitHub. The general technique can be used for non-mobile and/or for JavaScript clients.

Note: a server component is still required to vend out the temporary access tokens. However, the volume of these requests can be significantly reduced (up to once every 36 hours). The remaining requests are from untrusted client to SimpleDB directly, no intermediary.

  1. anonymous client calls your token vending machine (your server)
  2. token vending machine knows the secret key, calls AWS to generate a temporary token
    • token is created with read-only access policy (example below)
    • token lasts for a maximum of 36 hours, default 12 hours (API docs: http://docs.amazonwebservices.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/securitytoken/model/GetFederationTokenRequest.html#setDurationSeconds%28java.lang.Integer%29)

Read-only access policy from the AWS sample code:

{
  "Statement": [
    {
      "Action": ["sdb:GetAttributes", "sdb:List*", "sdb:Select*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

This extends beyond SimpleDB. You can set an access policy for several other AWS resources (see full access policy example).

Although you cannot eliminate a server component, clients don't necessarily have to talk to the vending machine directly:

  1. scheduled job generates token every N seconds where N + fudge == token expiry
  2. job writes token to public S3 bucket (or any other static resource)
    • set appropriate maxAge cache-control header based on fudge
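
An added example, not part of the original answer or the AWS sample code: checks a token vending machine could run before requesting a federation token with the read-only policy above, plus the timing of the scheduled-job variant. The function names and the half-fudge cache lifetime are assumptions, and the call to AWS itself is left to whichever SDK is in use.

```javascript
// Added example, not from the original answer. Function names and the
// half-fudge cache lifetime are assumptions; no AWS call is made here.
const READ_ONLY = ["sdb:getattributes", "sdb:list*", "sdb:select*"]; // policy above
const MIN_SECONDS = 900;       // GetFederationToken lower bound (15 minutes)
const MAX_SECONDS = 36 * 3600; // 36-hour maximum quoted in the answer

// True when `action` grants nothing beyond the read-only patterns.
function isReadOnlyAction(action) {
  const a = String(action).toLowerCase(); // IAM action names are case-insensitive
  return READ_ONLY.some((pat) =>
    pat.endsWith("*") ? a.startsWith(pat.slice(0, -1)) : a === pat);
}

// Lists every way the policy could grant more than read access.
function policyViolations(policy) {
  const problems = [];
  for (const st of [].concat(policy.Statement || [])) {
    if (st.Effect === "Deny") continue; // a Deny cannot widen access
    if (st.NotAction) problems.push("NotAction allows every unlisted action");
    for (const action of [].concat(st.Action || [])) {
      if (!isReadOnlyAction(action)) problems.push(`not read-only: ${action}`);
    }
  }
  return problems;
}

// Builds the GetFederationToken parameters, refusing unsafe input.
function buildTokenRequest(name, policy, durationSeconds) {
  const problems = policyViolations(policy);
  if (problems.length) throw new Error(problems.join("; "));
  if (durationSeconds < MIN_SECONDS || durationSeconds > MAX_SECONDS) {
    throw new RangeError(`DurationSeconds must be ${MIN_SECONDS}..${MAX_SECONDS}`);
  }
  return { Name: name, Policy: JSON.stringify(policy), DurationSeconds: durationSeconds };
}

// Scheduled-job variant: regenerate every N seconds, N + fudge == expiry.
// A copy cached just before replacement lives max-age longer, so max-age
// must stay below fudge; half of it is used here.
function publishPlan(expirySeconds, fudgeSeconds) {
  if (fudgeSeconds <= 0 || fudgeSeconds >= expirySeconds) {
    throw new RangeError("fudge must be between 0 and the token expiry");
  }
  const maxAge = Math.floor(fudgeSeconds / 2);
  return { intervalSeconds: expirySeconds - fudgeSeconds,
           cacheControl: `public, max-age=${maxAge}`,
           minRemainingSeconds: fudgeSeconds - maxAge };
}
```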
