Join Joseph Lowery for an in-depth discussion in this video Targeting storage availability, part of Fundamentals of Cloud Data Storage.
- As I pointed out earlier, one of the key advantages of Cloud Data storage is its global availability. Of course, that's also one of its greatest challenges as well. In this lesson, we'll take a closer look at the various ways you can access your storage securely and efficiently. Let's focus on accessing object storage. Now by default, all containers and objects are initially private and only accessible by the project administrator, often referred to as the owner. Now, only the owner can grant permissions to others to read or interact with a container and its objects.
Others, grantees, can include: people (individuals identified by ID number or email), groups (like an email group), or domains (often expressed as a subnet range or an IP address). Collectively, these permissions are called access control lists, or ACLs. Various services support ACLs written in a variety of languages, but the most common are XML and JSON. Let's go take a look at an example ACL from Google Cloud Storage.
I have the acl-example-gcs.xml file open from Chapter 2 > 02_03 > Start folder of the Exercise Files. Let's walk through the file, and explain a little bit about what's going on. So this is titled the AccessControlList, and right after the start of the AccessControlList, the owner is listed. Now these are not full, actual IDs, but they're just there to give you the idea of what you need. And then after the owner are a series of entries, and these are the list items that can't access it.
Each has a Scope, the first three are GroupById. And you can see along with the specified ID, after the Scope, like starting on line 11, is the Permission, and each of these first three entries have a different Permission. Full_Control is the owner's control. They can do anything that an owner can do. The second type of Permission you see on line 17 is Write. People who are granted the Write privilege do not have ownership, so they cannot delete objects, but they can create new ones.
And the third type of Permission you see on line 23, Read, is just for looking at the data or downloading it. Let's go down just a little bit more. The next entry starting on line 37 specifies a UserByEmail. The name parameter that you see there within the Scope is optional. You can also open up your Scope entirely like the entries found starting on line 44. There's a Scope type of AllUsers, and AllUsers in this case have Read permission.
Similarly, you could break it out with all authenticated users, the Scope defined on line 44, here again, Read permission. Now ACLs can be set as defaults for buckets or containers as well as objects, and of course, you can always modify those ACLs. One typical method is to use Curl to attach an XML payload, the ACL file to a bucket, or even a particular object. Let's take a look at the code that you would use to do something like that.
Another file from the Exercise Files for this lesson, acl-change-example-gcs, this is also from Google Cloud Storage. And up top in the comment, you can see the Curl command to be used. First, it sets the PUT operation in motion by specifying the ACL XML file, which here is called acls.xml, and then it passes the authorization token. Finally, it targets the particular object.
Here it's a JPG named ca-hotel that's being stored in the example-lynda bucket, and then it adds the argument ACL. In the XML file itself, again, the owner's ID is set, and this is a more realistic version of what the ID would look like, and the list of entries begin. I'm going to go ahead and scroll down just so you see the little bit of it here. So as you can see, this changes what the existing permissions are. Here the UserById is given full control in the entry starting on line 11, and in the next entry starting on line 17, Joe, who has a Scope of UserByEmail, his permissions have been upgraded from Read to Write.
And there's one more example in the entries starting on line 24 with a Scope type of GroupByEmail. Now once you're on the ACL, there is a myriad of ways you can accomplish your approved tasks. Standard HTTP requests can be used to put an object in a specific container, which can then be retrieved with a GET request. Almost all hosts have support for REST interfaces that grant the full slate of commands, managing containers, objects, and all their associated metadata.
And finally, it's quite common for the Cloud Data services to make APIs available in multiple languages, including Java, C++, PHP, Python, Node.js, Ruby, and others. We'll take a closer look at APIs in the next lesson. Now once you've established authorized, authenticated user access, Cloud Data Storage gives you full direct management capabilities, just as you would have over in-house storage.
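The lesson walks through a Google Cloud Storage XML-API ACL by eye and then pushes a modified copy to an object with a curl PUT. The script below is an added example, not one of the course's Exercise Files and not Google's code: it parses an ACL document in that layout, lists every grantee and permission, flags the AllUsers and AllAuthenticatedUsers grants that turn "global availability" into public exposure, and produces a copy with those entries stripped. The sample document, its IDs and addresses are constructed placeholders; the `GroupByDomain` check treating anything above READ as a finding is a policy choice of this example, not a rule from the lesson.

```python
import xml.etree.ElementTree as ET  # use defusedxml for ACL documents you did not produce yourself

# Constructed sample in the layout of a Google Cloud Storage XML-API ACL document.
# The IDs and addresses are placeholders, not real accounts.
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlList>
  <Owner><ID>00b4903a97owner-placeholder</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="GroupById"><ID>00b4903a97group-placeholder</ID></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserByEmail"><EmailAddress>joe@example.com</EmailAddress><Name>Joe</Name></Scope>
      <Permission>WRITE</Permission>
    </Entry>
    <Entry>
      <Scope type="GroupByDomain"><Domain>example.com</Domain></Scope>
      <Permission>READ</Permission>
    </Entry>
    <Entry>
      <Scope type="AllAuthenticatedUsers"/>
      <Permission>READ</Permission>
    </Entry>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>
"""

PUBLIC_SCOPES = {"AllUsers", "AllAuthenticatedUsers"}
VALID_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL"}


def grantee_of(scope):
    """Return a printable identifier for a <Scope> element, e.g. 'UserByEmail:joe@example.com'."""
    kind = scope.get("type", "")
    if kind in PUBLIC_SCOPES:          # these scopes carry no child identifier
        return kind
    for tag in ("ID", "EmailAddress", "Domain"):
        node = scope.find(tag)
        if node is not None and node.text:
            return f"{kind}:{node.text.strip()}"
    return f"{kind}:<unknown>"


def parse_acl(xml_text):
    """Parse an ACL document into (owner_id, [(grantee, permission), ...])."""
    root = ET.fromstring(xml_text)
    if root.tag != "AccessControlList":
        raise ValueError(f"unexpected root element {root.tag!r}")
    owner = root.findtext("Owner/ID", default="").strip()
    entries = []
    for entry in root.iterfind("Entries/Entry"):
        scope = entry.find("Scope")
        perm = (entry.findtext("Permission") or "").strip().upper()
        if scope is None or perm not in VALID_PERMISSIONS:
            raise ValueError("malformed <Entry>: missing Scope or bad Permission")
        entries.append((grantee_of(scope), perm))
    return owner, entries


def audit_acl(xml_text):
    """Return human-readable findings for grants that reach beyond named principals."""
    findings = []
    _, entries = parse_acl(xml_text)
    for grantee, perm in entries:
        if grantee in PUBLIC_SCOPES:
            who = "anyone with a Google account" if grantee == "AllAuthenticatedUsers" else "anyone on the internet"
            findings.append(f"{grantee} has {perm}: resource is reachable by {who}")
        elif grantee.startswith("GroupByDomain:") and perm != "READ":
            # Example policy: a whole domain may read, but not write or take control.
            findings.append(f"{grantee} has {perm}: every account in the domain can change the resource")
    return findings


def remove_public_grants(xml_text):
    """Return a new ACL document with the AllUsers/AllAuthenticatedUsers entries dropped."""
    root = ET.fromstring(xml_text)
    entries = root.find("Entries")
    if entries is None:
        return xml_text
    for entry in list(entries):        # copy the list: we mutate while iterating
        scope = entry.find("Scope")
        if scope is not None and scope.get("type") in PUBLIC_SCOPES:
            entries.remove(entry)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    owner, grants = parse_acl(SAMPLE_ACL)
    print("owner:", owner)
    for grantee, perm in grants:
        print(f"  {perm:<12} {grantee}")
    for finding in audit_acl(SAMPLE_ACL):
        print("FINDING:", finding)
    print(remove_public_grants(SAMPLE_ACL))  # document to PUT back with the ?acl query parameter
```

Run it against any ACL you pull down with a GET on the object's `?acl` resource; the hardened document that `remove_public_grants` returns is what you would hand to the curl PUT the lesson shows (the XML file as the request body, the bearer token in the Authorization header, and `?acl` appended to the object URL). Re-run `audit_acl` on the response to the follow-up GET to confirm the change took effect rather than trusting the PUT's status code alone.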