About Authorization Header Syntax - Dell DX6000 Application Manual

Dx object storage application guide version 5.0

the user list yet for a bucket, DX Storage returns a 401 (Unauthorized). These errors stop after the
realm cache interval has passed.

12.3. About Authorization Header Syntax

You set an authorization specification using the Castor-Authorization header, which has the following syntax:

    Castor-Authorization: authorization-specification[, authorization-specification][...]

where authorization-specification is defined as follows:

    {[realm-name,] | {view | change}[=realm] | {post | put | copy | append | get | head | delete}[=realm-name]}

and view and change are referred to as generic operations and post, put, copy, append, get, head, and delete are referred to as method operations. The order in which you specify more than one authorization-specification is not important.
realm-name is discussed in Section 12.3.1, "About Realm Names".

The following table shows how generic operations map to method operations:

    Generic operation    Method operation equivalents
    view                 get, head
    change               put, delete, copy, append

post is unique because it enables an authorized user to create a new object. It does not map to a generic operation and therefore must be granted explicitly.

Note

• Security privileges are not inherited from container objects to the objects contained by them. In other words, a realm that is authorized to create a bucket is not automatically authorized to create objects in the bucket.

• A security privilege expressly granted for a particular object using privilege=realm is expressly denied to all other users. For example, Castor-Authorization: cluster.example.com, view=cluster.example.com/mybucket expressly grants view privileges to users in the cluster.example.com/mybucket realm and denies view privileges to users in the cluster.example.com realm. Any operation not specifically reserved to a realm can be performed by anyone.

• If you delete a container object without first deleting the objects it contains, the objects are not deleted; however, the objects cannot be retrieved because their container is missing. For example, if you delete a bucket that contains objects, the objects cannot be retrieved. Your cluster administrator can work around this issue.

• When accessing an unnamed object using the Castor-Authorization header, a URI ending with /uuid is a different URI from one ending with /uuid/. DX Storage compares the final segments of the URI named in the request (that is, the part of the URI after the last slash) and the one in the Castor-Authorization header to verify the resource being requested is authorized.

Copyright © 2010 Caringo, Inc.
All rights reserved
Version 5.0
December 2010
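
The syntax and rules of section 12.3, as an added Python example that is not part of the Dell/Caringo manual: it parses a Castor-Authorization value and resolves the realm each method operation is reserved for, so you can see which methods a header leaves open to anyone. The precedence (method over generic over bare realm-name), a bare realm-name covering every operation not named elsewhere (post included), and an operation written without =realm being left unreserved are assumptions that the page does not spell out; the function names are hypothetical.

```python
# Added example: resolve a Castor-Authorization value to one realm per method.
GENERIC = {"view": ("get", "head"), "change": ("put", "delete", "copy", "append")}
METHODS = ("post", "put", "copy", "append", "get", "head", "delete")


def parse_castor_authorization(value):
    """Return {method: realm or None}; None means the method is unreserved."""
    default, generic, explicit = None, {}, {}
    for spec in filter(None, (s.strip() for s in value.split(","))):
        name, sep, realm = (part.strip() for part in spec.partition("="))
        op = name.lower()
        if op in GENERIC:
            generic[op] = realm or None    # assumption: no "=realm" -> unreserved
        elif op in METHODS:
            explicit[op] = realm or None
        elif not sep:
            default = name                 # bare realm-name
        else:
            raise ValueError("unknown operation in %r" % spec)
    resolved = {}
    for method in METHODS:
        parent = next((g for g, ms in GENERIC.items() if method in ms), None)
        if method in explicit:             # assumption: method beats generic
            resolved[method] = explicit[method]
        elif parent in generic:            # assumption: generic beats bare realm
            resolved[method] = generic[parent]
        else:                              # assumption: bare realm covers the rest
            resolved[method] = default
    return resolved


def allowed(resolved, method, user_realm):
    """Unreserved methods are open to anyone; reserved ones need that exact realm."""
    realm = resolved[method.lower()]
    return realm is None or realm == user_realm


def open_methods(resolved):
    """Methods that no realm is reserved for, i.e. usable by anyone."""
    return sorted(m for m, realm in resolved.items() if realm is None)


# The header value quoted in the Note above.
SAMPLE = "cluster.example.com, view=cluster.example.com/mybucket"

if __name__ == "__main__":
    for method, realm in parse_castor_authorization(SAMPLE).items():
        print(method, "->", realm or "(anyone)")
```

Running open_methods on a value that sets only change=realm returns get, head and post, which shows why post has to be named on its own.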
