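• Cluster administrators: The chapter on managing tenants in the DX Object Storage Administration
Guide.
• Application developers: Chapter 13, Managing Security for Application Developers
• Domain managers: Chapter 14, Managing Security for Domain Managers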
12.2. Security Realm Overview
By default, domains, buckets, and objects are not secured, so any user can perform any SCSP
operation on them. This section discusses concepts related to restricting the SCSP operations
that can be performed on buckets and objects.
12.2.1. Common Security Terminology
This section discusses terminology commonly used with security.
• Security realm: (Also referred to as a realm or a user list.) A list of user names and hashed
passwords. You associate the user list with a bucket or object to give other users privileges to
execute specific SCSP operations on the buckets or objects.
• Authorization specification: List of SCSP operations users in a realm are allowed to execute.
The authorization specification is specified by the Castor-Authorization header, as
discussed in more detail in Section 12.3, "About Authorization Header Syntax".
12.2.2. About Security Realms
A security realm (also referred to as a realm or user list) is an encoded list of user names,
passwords, and optionally the name of the realm, using the HTTP Digest authentication algorithm.
To encode the realm, you can use a programming language or a utility like Apache htdigest or
md5sum as discussed in Section 12.6, "Creating Realms".
Note
• Realm names cannot contain a colon character (:) or a comma character (,).
• The same users can belong to multiple realms.
For more information about realms, see:
• Section 12.3.1, "About Realm Names"
• Section 12.6, "Creating Realms"
12.2.3. About Realm Caching and Security
Your cluster administrator configures the realm cache setting, which determines how long it takes
for changes to buckets or domains to be propagated to all nodes in the cluster. The default setting
is five minutes, so at the default setting it might take five minutes after an authorization change
is made before the node you are accessing is aware of the change.
DX Storage returns 401 (Unauthorized) or 404 (Not Found) responses if your client application
attempts to access a bucket or domain before the realm update has been propagated to the node
on which your client is attempting access. For example, if you authenticate as a user who is not in
Copyright © 2010 Caringo, Inc.
All rights reserved
Version 5.0
December 2010