Versions Compared

Old Version 22

changes.mady.by.user Nicole Deflaux

Saved on

compared with

New Version 23

changes.mady.by.user Nicole Deflaux

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • When the url has not yet expired, it is possible for others to use that same URL to download files. 
    • For example, if someone requests a download URL from the repository service (and remember that the repository service confirms that the user is authenticated and authorized before handing out that URL) and then that person emails the URL to his team, his whole team could start downloading the data layer as long as they all kick off their downloads within that one minute window of time.  
    • Of course, they could also download the data locally and then let their whole team have access to it.
  • If a user gets her download url, and somehow does not use it right away, she'll need to reload the web page to get another or re-do the R prompt command to get a fresh URL.
  • Regarding payments, we know when we vend a URL but it may not be possible to know whether that URL was actually used (no fee) or used more than once (multiple fees).

Open Questions:

...

  • Does this work with the new support for partial downloads for gigantic files? Currently assuming yes, and that the repository service would need to give out the URL a few times during the duration of the download (re-request the URL for each download chunk)
  • Does this work with torrent-style access? Currently assuming no.
  • Can we limit S3 access to HTTPS only? Currently assuming yes.

...

  • This isn't as simple for users as pre-signed URLs because they have to think about their credentials and provide them for signing.
  • This mechanism will not scale to grant access for tens of thousands of individuals therefore it will not be sufficient for "unrestricted data". It may scale sufficiently for "embargoed data" and "restricted data".
  • Users may not feel comfortable sharing their AWS credentials with Sage tools to assist them to make signing easier.
  • We are trusting users whose AWS accounts we have granted access to protect their own credentials.  (This is the same as trusting someone to protect their Sage username and password.)

Open Questions:

  • What is the upper limit on the number of grants?
  • What is the upper limit on the number of principals that can be listed in a single grant?
  • Is there a JavaScript library we can use to sign S3 URLs?

...

  • This will be helpful for managing access Sage system administrators and Sage employees.
  • Sage gives out credentials to users so that users can access Sage resources. We can put strict limitations on what capabilities these credentials give to users.
  • Users do not need to give us their AWS credentials for any reason.

Cons:

  • We are trusting users to protect the credentials we have given them.  (This is the same as trusting someone to protect their Sage username and password.)
  • This has not saved us any work for the download use case if we still need to proxy requests from Web clients.
  • This may be confusing for users. They will likely have their own AWS credentials plus separate credentials for each data set to which we have granted them access.
  • This is currently limited to 1,000 users. We may be able to ask Deepak to raise that limit for us. The limit will be raised within a year as AWS rolls out expanded support for federated access to AWS resources.

...

The Pacific Northwest Gigapop is the point of presence for the Internet2/Abilene network in the Pacific Northwest. The PNWGP is connected to the Abilene backbone via a 10 GbE link. In turn, the Abilene Seattle node is connected via OC-192                      192                       links to both Sunnyvale, California and Denver, Colorado.
PNWPG offers two types of Internet2/Abilene interconnects: Internet2/Abilene transit services and Internet2/Abilene peering at Pacific Wave International Peering Exchange. See Participant Services for more information.

...