We have encountered several cases where data providers want to make data available on Synapse but are restricted to hosting the data within their own data centers (see PLFM-3548). Currently, there are two Synapse features that were designed to address such cases:
Unfortunately both features have serious limitations. With both features, FileHandles are created in Synapse that point to data files within the data provider's data center. The resulting FileHandles are then associated with Synapse FileEntities. Synapse users are then able to download these files only after passing two completely separate authentication/authorization layers. The first layer is the Synapse security system, which first authenticates the user (log in) and then makes an authorization check (ACL check) to determine whether the user has permission to download the requested file. If the user passes this check, their client is provided with a URL that sends the client to the final hosting data center. The client must then pass a second authentication/authorization check against the data center's security system. The two layers of security make gaining access to the files difficult and confusing. Data access is also brittle, as two completely separate security systems must be manually kept in sync.
Therefore, we need a new solution that allows data to be stored in a third-party data center with authentication/authorization provided exclusively by Synapse.
The proposed solution is to provide a generic Download Proxy that can be deployed co-located with a data provider's data center. The Proxy would be configured with "service" level credentials that grant it read permission to selected files within the data provider's data center. The proxy would also be configured with a shared secret key that is used to validate pre-signed URLs. A user would then download data files via one of the Synapse clients (Web, R, Python) through the proxy as follows:
Note: The Download HTTPS proxy is generic. It could be used to proxy files served over several transfer protocols and sources, including HTTPS, SFTP, FTP, SSH and local files.
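The following is an added example, not Synapse's own code, of the pre-signed URL mechanism the proposal relies on: the Synapse side signs the requested file path together with an expiry using the shared secret, and the proxy validates both before fetching the file with its own service credentials. The URL layout, the HMAC-SHA256 construction, the parameter names and the secret value are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical shared secret provisioned to both Synapse and the proxy (constructed for this example).
SHARED_SECRET = b"example-shared-secret-do-not-use"
EXPIRY_SECONDS = 600


def _signature(secret: bytes, path: str, expires: int) -> str:
    # Sign the file path together with the expiry so neither can be altered without detection.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def presign_url(proxy_base: str, path: str, secret: bytes, now=None) -> str:
    """Synapse side: issue a time-limited URL only after its own login and ACL check have passed."""
    now = int(time.time()) if now is None else now
    expires = now + EXPIRY_SECONDS
    query = urlencode({"expires": expires, "signature": _signature(secret, path, expires)})
    return f"{proxy_base}{path}?{query}"


def validate_url(url: str, secret: bytes, now=None) -> bool:
    """Proxy side: serve the file only if the signature is valid and the link has not expired."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        signature = params["signature"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if now >= expires:
        return False  # link expired: the client must obtain a fresh URL from Synapse
    expected = _signature(secret, parsed.path, expires)
    # Constant-time comparison avoids leaking the expected signature through timing differences.
    return hmac.compare_digest(expected, signature)
```

Because only Synapse and the proxy hold the secret, a valid URL can only originate from a request that already passed the Synapse ACL check, which is what removes the second security layer from the user's path.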