Oracle Cloud Infrastructure (OCI) makes it exceptionally easy to manage your Object Storage data using the Console, API, and SDK. The team cares deeply about removing friction from tools so that you can care about what’s important: storing your data securely and durably, and accessing it on your own terms.

However, sometimes working in the Console, API, or SDK might not be the most practical, such as when you need to painlessly share data with a third party. Sharing API credentials with a third party seems like a recipe for a security nightmare!

For a long time, OCI has had the pre-authenticated requests (PAR) feature, which allows you to access a bucket or an object without credentials, as long as the request creator has permissions to access those objects.

The Object Storage team is happy to announce some much-requested improvements to pre-authenticated requests. They can better emulate public buckets without sharing the security pitfalls of a public bucket. These pre-authenticated request enhancements support our initiative of replacing public buckets with a more secure way for unauthenticated users to read objects.

What are pre-authenticated requests and who are they for?

With PARs, you can create a request that allows an operations support user to upload backups to a bucket without owning API keys. You can create a request that lets a business partner update shared data in a bucket without owning API keys. Think of PARs as a secure way for semi-trusted parties, such as people not part of your immediate organization or team, to access your object or bucket.

Pre-authenticated requests are an example of capability-based security. When you create a PAR, you get back a unique, unguessable, nonforgeable, nonrecoverable, revocable, time-limited, shareable token (the URL) that allows anyone with the token to perform a limited set of operations against specific objects as the creator. When you create a pre-authenticated request, a unique URL is generated. Anyone that you give this URL to can access the Object Storage resources identified in the pre-authenticated request, using standard HTTP tools like cURL and wget.

Consider using pre-authenticated requests if you have the following needs:

  • Sharing an object or bucket with a semi-trusted party without sharing API credentials

  • Managing write and read access to an object or bucket and revoking access when needed

  • Setting a time limit on object or bucket access

  • Accessing data using cURL or wget

OCI’s PAR implementation is entirely server-side, meaning that each PAR has an entry in the Object Storage metadata system. This feature has an advantage over competing solutions’ client-side implementations, which have major limitations in managing access. PARs can be managed long after creation. The bucket or object owner has complete control over the PARs they created. Deleting a PAR revokes the PAR user’s access to the object or bucket associated with the PAR. You can also create PARs in the Console, CLI, and SDK. Secure and convenient!

Another benefit of PARs is that if the user that created the PAR is deleted or has their authorization permissions changed, that PAR also reflects that change of user permissions.

Managing pre-authenticated requests for an object or bucket

To create and manage a PAR, you need the PAR_MANAGE permission to the targeted object or bucket. Then, you can create a PAR using the Console, CLI, and APIs.

This blog doesn’t go in-depth on how to create a PAR. These handy links to the OCI documentation are a great asset:

The object or bucket owner can also list, get, or delete the metadata of pre-authenticated requests (but not the URL), all within the Console, CLI, or API.

How to use pre-authenticated requests

To ensure secure access, permissions of the pre-authenticated request creator are checked each time you use a pre-authenticated request. If the PAR has expired or the permissions of the pre-authenticated request creator have changed, the PAR fails.

After a PAR is created, you can access the resource using a tool like cURL or wget.

To put an object, input the following command:

$ curl -X PUT --data-binary '@<local-filename>' <unique-PAR-URL>

To get an object, input the following command:

$ curl -X GET <unique-PAR-URL>

For full examples on how to use a PAR URL, read the OCI documentation for Working with PARs.

Enhancements to pre-authenticated requests

Today, we’re announcing some enhancements to pre-authenticated requests. These enhancements to PARs intend to give you the convenience of public buckets without having to share the pitfalls of actually using a public bucket—by using PARs with public bucket-like features!

Public buckets are a popular feature within OCI because they allow unauthenticated users to read objects. They’re convenient ways to share objects to anyone without having to manually update permissions to a bucket. However, using public buckets has security drawbacks, and we want to eventually replace public buckets with pre-authenticated requests by adding the ability to read and list the objects in a bucket.

We’ve added the following enhancements to this release:

  • Read any: Allows GET of any object from a bucket

  • Object prefixes: Adds restrictions to what a bucket-level PAR can do

  • Object listing: Allows the listing of objects through a bucket-level PAR

As part of the PAR enhancements, the OCI Console and API also have changes for bucket- and object-level PARs to allow object listing, including prefixes.

For more information on these changes, see the documentation for pre-authenticated requests.

Read any

OCI pre-authenticated requests currently exist in four types: ObjectRead, ObjectWrite, ObjectReadWrite, and AnyObjectWrite.

As part of the enhancements, we’re adding the following PAR types:

  • AnyObjectRead

  • AnyObjectReadWrite

These enhancements support the GET of any object from a bucket. Without these enhancements, only bucket-level PUT PARs are supported. So, if a customer wants to download 1,000 objects, they have to create 1,000 PARs, one per object.

These enhancements allow you to download all 1,000 objects with one PAR. Neat!

Object prefixes

Customers want to restrict object names by prefix. This enhancement allows them to expand their usage of PARs to multitenant situations. For example, when several untrusted hosts each upload log files, an object prefix limits each host's PAR to uploading under a host-specific prefix such as /foo/. If this PAR is given to you, you can upload an object named /foo/bar but not /other/bar.
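The following added example (not Oracle's code and not part of the original post) is a simplified model of the server-side checks described under "How to use pre-authenticated requests" and in the prefix restriction above: expiry, deletion, the creator's current permissions, access type, and object prefix. ParStore, creator_perms, and storing only a SHA-256 digest of the token are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Which PAR types permit which HTTP verb (type names are from the post).
ALLOWED = {
    "GET": {"ObjectRead", "ObjectReadWrite", "AnyObjectRead", "AnyObjectReadWrite"},
    "PUT": {"ObjectWrite", "ObjectReadWrite", "AnyObjectWrite", "AnyObjectReadWrite"},
}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ParStore:
    """Toy server-side PAR table; a model, not OCI's implementation."""

    def __init__(self):
        self.pars = {}           # sha256(token) -> metadata; the token is never stored
        self.creator_perms = {}  # user -> verbs that user is currently allowed

    def create(self, creator, access_type, target, ttl_hours):
        token = secrets.token_urlsafe(32)  # unguessable; returned once, not recoverable
        self.pars[_digest(token)] = {
            "creator": creator, "type": access_type, "target": target,
            "expires": datetime.now(timezone.utc) + timedelta(hours=ttl_hours),
        }
        return token

    def delete(self, par_id):
        self.pars.pop(par_id, None)  # deleting the entry revokes the URL

    def authorize(self, token, verb, object_name, now=None):
        par = self.pars.get(_digest(token))
        if par is None:
            return "deny: unknown or deleted PAR"
        if (now or datetime.now(timezone.utc)) >= par["expires"]:
            return "deny: expired"
        if verb not in self.creator_perms.get(par["creator"], set()):
            return "deny: creator no longer permitted"  # re-checked on every use
        if par["type"] not in ALLOWED.get(verb, ()):
            return "deny: access type"
        if par["type"].startswith("Any"):  # bucket-level: target is an optional prefix
            ok = object_name.startswith(par["target"])
        else:                              # object-level: exact object name
            ok = object_name == par["target"]
        return "allow" if ok else "deny: object name"
```

Because every decision is made against the stored entry at request time, shortening the expiry, deleting the entry, or changing the creator's permissions takes effect on the next request without reissuing anything to the URL holder.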

Object listing

Currently, when you try to perform a GET on a bucket-level PAR without specifying an object name, the request fails. As part of the enhancements, performing the same GET to a bucket-level PAR returns a list of all objects in the bucket.

Conclusion

Pre-authenticated requests are a secure and convenient way for teams to share access of an object or bucket without sacrificing security. The enhancements in this release further improve security without sacrificing convenience for public bucket-like functionality.

This release is among the many ways that Oracle Cloud Infrastructure aims to reduce friction of data access without sacrificing security or utility for its customers.

For more reading on pre-authenticated requests, see the following resources: