Reduct Storage v1.1.0 comes with a new Token API to create tokens with different permissions. This allows you to give different users or applications access to specific data or storage functions. For example, you could create a token that gives full access to all data, or one that only allows writes to a certain bucket. The Token API is simple to use and gives you a lot of flexibility in how you use Reduct Storage.
How to create a token with Web Console
You can manage the API tokens even with CURL, but the storage engine has an embedded Web Console which makes it easier.
To enable the Token API and authorisation, you should set the RS_API_TOKEN
environment variable with some initial token. For example, you can do it when you run the storage engine with Docker:
docker run -p 8383:8383 -v ${PWD}/data:/data --env RS_API_TOKEN=token reductstorage/engine:v1.1.0
The initial token has full access, so you can use it to create a new token to read data from a certain bucket. Open the Web Console in your browser and click on Security:
Then click on the +
button to open a form for a new token:
Let's create a token with can only write into a bucket. In my example, the bucket is called data
. Then you create the token you will see its hash. Copy it somewhere!
Now we can use it to write something into the bucket:
export API_TOKEN=<COPIED-TOKEN>
curl -d "some_data" \
-X POST \
--header "Authorization: Bearer ${API_TOKEN}" \
-a http://127.0.0.1:8383/api/v1/b/my_data/entry_1?ts=10000
It should work perfectly. However, if you try to read from the bucket you get an error:
curl --header "Authorization: Bearer ${API_TOKEN}" \
-a http://127.0.0.1:8383/api/v1/b/my_data/entry_1?ts=10000
{"detail":"Token doesn't have read access to bucket 'data'"}
Now, you know how to keep you data in a secure way.
Top comments (0)