====== [CEPH] Public bucket basic knowledge ======

^ Documentation ^|
^ Name: | [CEPH] Public bucket basic knowledge |
^ Description: | Basic information about publishing a bucket to the internet |
^ Modification date: | 03/02/2020 |
^ Owner: | dodger |
^ Notify changes to: | Owner |
^ Tags: | ceph, object storage |
^ Escalate to: | The_fucking_bofh |

====== Pre-Requirements ======

  * Know what the [[https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods|HTTP verbs]] are
  * Know the name of our ceph

====== What you should know ======

Our ceph/s3 object storage can be accessed publicly, but access is very restricted: the more restricted it is, the higher the security.

So what is open?

  * HTTP verb GET
  * Any bucket that has been requested to be open to the internet (you still must give explicit access to the objects)

What is **NOT** open:

  * All the rest of the HTTP verbs (PUT/HEAD/DELETE/POST...)
  * All the rest of the buckets that have not been explicitly requested to be opened.
  * All the objects in a **published bucket** that are not explicitly published as public/timed/hashed.

====== What you'll be able to do from internet ======

Just 1 thing:

<code bash>
curl http://larry.ciberterminal.net/monguitest/status.txt
</code>

That is:

  * you should know the name of the file that you want to access.
  * the file must be public or have //any// ACL set up that allows access to it without authentication (public, timed public, hash-key based access...)
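One common way to give timed access to an object without making it public is a presigned (SigV4) URL: the object stays private, and the URL carries an expiry plus a signature computed from the owner's secret key, so the recipient needs no credentials and cannot stretch the window. The following is an added example written for this page, not the cluster's own tooling: it builds such a presigned GET for the object from the curl example entirely offline and then plays the server's role in checking it. It assumes the endpoint ''larry.ciberterminal.net'' from the example above, a SigV4 region string of ''default'', and constructed access key / secret values.

```python
"""Offline demonstration of a 'timed access' (SigV4 presigned GET) URL.

Added example for this wiki page, not the cluster's own tooling. Assumptions:
the RGW endpoint is larry.ciberterminal.net (host from the curl example), the
SigV4 region string is "default", and the credentials are constructed values.
"""
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, quote, unquote, urlsplit

ENDPOINT = "larry.ciberterminal.net"  # host from the page
REGION = "default"                    # assumption: RGW default zonegroup name
SERVICE = "s3"
AMZ_FMT = "%Y%m%dT%H%M%SZ"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # SigV4 key derivation: kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params: dict) -> str:
    # Sorted by name, every name and value URI-encoded (unreserved chars kept)
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def presign_get(bucket: str, key: str, access_key: str, secret: str,
                amz_date: str, expires: int) -> str:
    """Return a GET URL valid for `expires` seconds after `amz_date`."""
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    path = "/" + quote(f"{bucket}/{key}", safe="/")
    # Canonical request: method, URI, query, headers (+ blank line),
    # signed header names, payload hash (unsigned for presigned GETs)
    canonical_request = "\n".join([
        "GET", path, _canonical_query(params),
        f"host:{ENDPOINT}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    params["X-Amz-Signature"] = hmac.new(_signing_key(secret, date),
                                         string_to_sign.encode(),
                                         hashlib.sha256).hexdigest()
    return f"http://{ENDPOINT}{path}?{_canonical_query(params)}"


def verify_get(url: str, secret: str, now_amz: str) -> str:
    """Server-side view of the check: expiry window first, then signature.
    Returns 'allowed', 'expired' or 'bad-signature'."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = q.get("X-Amz-Signature", "")
    issued = datetime.strptime(q["X-Amz-Date"], AMZ_FMT)
    now = datetime.strptime(now_amz, AMZ_FMT)
    if now > issued + timedelta(seconds=int(q["X-Amz-Expires"])):
        return "expired"
    access_key = q["X-Amz-Credential"].split("/")[0]
    bucket, key = unquote(parts.path).lstrip("/").split("/", 1)
    # Recompute with the parameters the client presented: any edit to
    # X-Amz-Expires or to the object name changes the expected signature.
    expected_url = presign_get(bucket, key, access_key, secret,
                               q["X-Amz-Date"], int(q["X-Amz-Expires"]))
    expected = parse_qs(urlsplit(expected_url).query)["X-Amz-Signature"][0]
    return "allowed" if hmac.compare_digest(expected, presented) else "bad-signature"


def demo() -> dict:
    """Sign a URL for the page's example object and exercise the outcomes."""
    url = presign_get("monguitest", "status.txt", "AKIAEXAMPLEKEY",
                      "constructed-secret", "20200302T120000Z", 600)
    return {
        "url": url,
        "in_window": verify_get(url, "constructed-secret", "20200302T120500Z"),
        "after_window": verify_get(url, "constructed-secret", "20200302T121100Z"),
        "stretched_expiry": verify_get(url.replace("X-Amz-Expires=600", "X-Amz-Expires=6000"),
                                       "constructed-secret", "20200302T130000Z"),
        "wrong_secret": verify_get(url, "other-secret", "20200302T120500Z"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check order mirrors what matters operationally: a URL past its window is refused before any cryptography runs, and because ''X-Amz-Expires'' is part of the canonical request, editing it in the URL only produces a signature mismatch. Handing out such a URL therefore exposes one object for one window, which is why the page ranks timed access above making the object itself public.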
====== What we desire that you do with the objects ======

<graphviz>
digraph c {
  compound=true;
  privatebucketobject [shape=cylinder,label="Private bucket\nPrivate Object",style=filled];
  timedobject [shape=cylinder,label="Private bucket\nTimed access for Object (object still private)",style=filled,fillcolor=green];
  publicobject [shape=cylinder,label="Private bucket\nPublic Object",style=filled,fillcolor=darkorange];
  publicbucket [shape=cylinder,label="Public bucket\nPublic Object",style=filled,fillcolor=red];
  avoid [shape=none,label="Never use!"];
  avoidaspossible [shape=none,label="Limited use cases, should be avoided!"];
  preferred [shape=none,label="Preferred use case!"];
  default [shape=none,label="Default setup"];
  {rank=same; publicbucket; avoid}
  {rank=same; publicobject; avoidaspossible}
  {rank=same; timedobject; preferred}
  {rank=same; privatebucketobject; default}
  privatebucketobject->timedobject;
  timedobject->publicobject;
  publicobject->publicbucket;
  publicbucket->avoid [dir=back];
  publicobject->avoidaspossible [dir=back];
  timedobject->preferred [dir=back];
  privatebucketobject->default [dir=back];
}
</graphviz>

====== Access explained Graphically ======

===== From Internet =====

<graphviz>
digraph c {
  compound=true;
  client [label="Client on internet"];
  clover [shape=hexagon,label="clover.ciberterminal.net\nPublic load balancers"];
  bucket [shape=cylinder,label="/bucketname\nhas been published?",style=filled,fillcolor=coral];
  denied [label="Access\nDenied",style=filled,fillcolor=red];
  object [shape=parallelogram,label="objectname\nhas been allowed to access?",style=filled,fillcolor=lightblue];
  allowed [label="Access\nALLOWED",style=filled,fillcolor=green];
  firewall [label="F5 Firewall & load balancer",style=filled,shape=box3d,fillcolor=chocolate];
  client->firewall [label="GET /bucketname/objectname"];
  firewall->clover;
  clover->bucket [label="checks"];
  bucket->denied [label="Not published"];
  bucket->object [label="Published"];
  object->denied [label="Not published"];
  object->allowed [label="Access has been granted"];
}
</graphviz>

===== From ciberterminal =====

<graphviz>
digraph c {
  compound=true;
  client [label="Client on VOXEL"];
  clover [shape=hexagon,label="clover.ciberterminal.net\nPrivate load balancers"];
  bucket [shape=cylinder,label="/bucketname",style=filled,fillcolor=coral];
  denied [label="Access\nDenied",style=filled,fillcolor=red];
  allowed [label="Access\nALLOWED",style=filled,fillcolor=green];
  client->clover [label="GET /bucketname/objectname\nPUT /bucketname/objectname\nPOST /bucketname/objectname\nDELETE /bucketname/objectname\nHEAD /bucketname"];
  clover->bucket [label="Owner?"];
  bucket->denied [label="NO"];
  bucket->allowed [label="YES"];
}
</graphviz>

====== Remember ======

  * Only **GET** is available, so you won't be able to:
    * ''bucket.list'' as it uses HTTP/HEAD.
    * ''bucket.delete'' as it uses HTTP/DELETE.
    * Any other operation :-)
  * You'll still have to manage the object ACL so anyone can access it; by default all the objects inside the bucket are **private**.
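Because objects default to private and each one must be granted access individually, it is worth being able to read an object's ACL and say whether it is still private, readable by everyone, or (which should never happen here) writable by everyone. The following is an added example for this page, not the cluster's own tooling: it classifies the XML body that an S3 GetObjectAcl call returns. The two ACL documents in it are constructed samples in the shape S3/RGW produce; the owner name is made up.

```python
"""Classify an S3 object ACL (the GetObjectAcl XML body) as private or public.

Added example for this wiki page, not the cluster's own tooling. The two ACL
documents below are constructed samples in the shape S3/RGW return; the owner
name is made up.
"""
import xml.etree.ElementTree as ET

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Anything beyond READ granted to a group lets that group modify or re-share
# the object, not just fetch it.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _local(tag: str) -> str:
    # Strip the XML namespace so the parser works with or without xmlns
    return tag.rsplit("}", 1)[-1]


def group_grants(acl_xml: str) -> dict:
    """Return {group URI: set of permissions} for every group grantee."""
    grants = {}
    for grant in ET.fromstring(acl_xml).iter():
        if _local(grant.tag) != "Grant":
            continue
        uri = perm = None
        for el in grant.iter():
            if _local(el.tag) == "URI":
                uri = (el.text or "").strip()
            elif _local(el.tag) == "Permission":
                perm = (el.text or "").strip()
        if uri and perm:  # user grantees have an ID, not a URI, and are skipped
            grants.setdefault(uri, set()).add(perm)
    return grants


def classify(acl_xml: str) -> str:
    """'private' (the page's default), 'public-read' (a published object),
    or 'public-write' (never intended on this cluster)."""
    grants = group_grants(acl_xml)
    exposed = grants.get(ALL_USERS, set()) | grants.get(AUTH_USERS, set())
    if not exposed:
        return "private"
    if exposed & WRITE_LIKE:
        return "public-write"
    return "public-read"


def _acl(extra_grant: str) -> str:
    # Owner always keeps FULL_CONTROL; extra_grant is appended verbatim
    return f"""<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>monguiuser</ID><DisplayName>monguiuser</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>monguiuser</ID><DisplayName>monguiuser</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>{extra_grant}
  </AccessControlList>
</AccessControlPolicy>"""


# Constructed sample: the ACL a freshly uploaded object carries by default
PRIVATE_ACL = _acl("")
# Constructed sample: the same object after a public-read grant was added
PUBLIC_READ_ACL = _acl(f"""
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>{ALL_USERS}</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>""")


if __name__ == "__main__":
    for name, doc in (("status.txt (default)", PRIVATE_ACL),
                      ("status.txt (published)", PUBLIC_READ_ACL)):
        print(f"{name}: {classify(doc)}  group grants={group_grants(doc)}")
```

Run over the ACLs of every object in a published bucket, ''classify'' gives a quick inventory of what is actually reachable anonymously through the GET path, and anything reporting ''public-write'' is a misconfiguration to fix immediately, since only the owner is meant to modify objects.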