Open kaapa opened 9 years ago
Here's an example of functioning AES256 encrypted S3 backend initialization under Refile 0.5.4:
aws = {
access_key_id: 'aws_access_key_id',
secret_access_key: 'aws_secret_access_key',
bucket: 'aws_bucket_name',
s3_server_side_encryption: :aes256
}
Refile.cache = Refile::Backend::S3.new(prefix: 'cache', **aws)
Refile.store = Refile::Backend::S3.new(prefix: 'store', **aws)
That's pretty annoying. We should probably still accept these options the same way and pass them through to the relevant library calls. A PR for this would be greatly appreciated!
Comments/advice on my approach would be nice before a PR.
Couple of notes:
Aws::S3::Errors::Forbidden
. Might be due to my S3 config or perhaps regression since upgrade to AWS SDK V2?Bucket#presigned_post
does not accept the same options as Object#copy_from
and Object#put
. Hence the two configuration options. This is bit nasty since eg. server_side_encryption needs to be set twice.@s3_options
and pass them to the three methods as per their API. I just felt that it would add an unnecessary layer of abstraction and maintenance burden to refile-s3
while simply delegating the user provided options relieves the library from that responsibility.And here's a configuration example:
aws = {
access_key_id: 'aws_access_key_id',
secret_access_key: 'aws_secret_access_key',
bucket: 'aws_bucket_name',
s3_object_operation_options: {
server_side_encryption: 'aes256'
},
s3_presigned_post_options: {
server_side_encryption: 'aes256'
}
}
Refile.cache = Refile::Backend::S3.new(prefix: 'cache', **aws)
Refile.store = Refile::Backend::S3.new(prefix: 'store', **aws)
Option | API |
---|---|
s3_object_operation_options |
Object#copy_from and Object#put |
s3_presigned_post_options |
Bucket#presigned_post |
PS. After a more through look at #copy_from
and #put
APIs it's obvious that they differ too, but at least their encryption options are the same, which is not the case with #presigned_post.
I got bit annoyed of my initial implementation and took a second stab at the problem.
This second take allows a flat configuration eg:
aws = {
access_key_id: 'aws_access_key_id',
secret_access_key: 'aws_secret_access_key',
bucket: 'aws_bucket_name',
server_side_encryption: 'aes256'
}
Refile.cache = Refile::Backend::S3.new(prefix: 'cache', **aws)
Refile.store = Refile::Backend::S3.new(prefix: 'store', **aws)
The downside is that S3_AVAILABLE_OPTIONS
must define valid options for S3 operations as per API of each method used from the AWS SDK. Also, current implementation only supports symbols as configuration keys.
Older Refile version, using AWS SDK V1, supported configuring server side encryption via the s3_options per S3 backend / bucket.
https://github.com/refile/refile/blob/bdc1fead72747a18f7120189d860f6368dbdc81e/lib/refile/backend/s3.rb#L37
AWS SDK V2 doesn't support configuring this option on the Aws::S3::Resource object.
https://github.com/refile/refile-s3/blob/master/lib/refile/s3.rb#L40
I think being able to define the encryption per bucket would be a rather essential feature. AWS SDK V2 requires this to be passed as part of the options argument for
copy_from
,put
andpresigned_post
methods (for exampleserver_side_encryption: 'aes256'
).https://github.com/refile/refile-s3/blob/master/lib/refile/s3.rb#L56 https://github.com/refile/refile-s3/blob/master/lib/refile/s3.rb#L58 https://github.com/refile/refile-s3/blob/master/lib/refile/s3.rb#L140
http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#copy_from-instance_method http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#put-instance_method http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#presigned_post-instance_method
IMO these are some of the other "static" options that could be a deal breaker for some, but not relevant to my use case: