
Summary

The Oracle Cloud Infrastructure (OCI) Object Storage service provides a scalable, high-performance storage solution with robust access control mechanisms for managing buckets and objects, including private and public access options.

Abstract

The OCI Object Storage service is designed to store vast amounts of unstructured data with durability and cost-efficiency. It operates on a hierarchical structure consisting of namespaces, buckets, and objects. By default, buckets are set to private visibility, ensuring that objects within them are not accessible over the public internet. The service offers various permission configurations, such as granting a group of users management rights over buckets or objects, and allowing specific users to access the OCI Console based on their IP addresses. Additionally, the service supports public access to objects by changing bucket visibility or creating Pre-authenticated Requests (PARs) for secure, temporary access without compromising the private status of the bucket.

Opinions

  • The author emphasizes the importance of the namespace as a unique, system-generated container for all buckets and objects within OCI Object Storage.
  • The author suggests that managing permissions is crucial for securely sharing access to buckets and objects, demonstrating the use of policies and network sources for user groups and specific IP addresses.
  • The author provides a disclaimer stating that the views expressed in the document are personal and may not reflect those of Oracle, indicating a professional perspective while maintaining a distinction from the employer's official stance.
  • The author encourages readers to subscribe or follow their Medium account for updates on future articles, indicating a commitment to ongoing education and community engagement in the field of cloud infrastructure and services.

Access mechanism for OCI Object Storage

The Oracle Cloud Infrastructure (OCI) Object Storage (OS) service is an internet-scale, high-performance storage platform that offers reliable, cost-efficient data durability. It can hold an unlimited amount of unstructured data, and that data can be stored and retrieved securely either from the public internet or from within OCI.

Here are the basic components of the OCI Object Storage service.

  • Namespace: It serves as the top-level container for all buckets and objects. Each tenancy is assigned one unique system-generated and immutable namespace name.
  • Bucket: It is a logical container for storing objects.
  • Object: Any piece of data, regardless of content type, stored in a bucket. An object consists of the data itself plus metadata about it.

When you create a bucket in the OCI Object Storage service, its visibility is Private by default, so none of the objects in it are reachable over the public internet until you explicitly change that.

This blog describes the various ways to access a bucket and the objects residing in it.

We start with the permissions an Oracle Cloud Infrastructure user needs in order to access the bucket.

Permission to Group of Users to Manage the Bucket

To demonstrate this, I have created a group, demogroup, that contains the user demouser, who should be authorized to manage the bucket. To achieve this, I am creating a demo policy with the following policy statements.

Permission to Group of Users to Manage the Object

To demonstrate this, I have created a group, demogroup, that contains the user demouser, who should be authorized to manage the objects residing in the bucket. To achieve this, I am creating a demo policy with the following policy statements.

Permission to Specific Users (IP based) to Manage the Bucket

To achieve this, I have considered a scenario in which the users' IP addresses are the criterion for allowing them to access the OCI Console. I created a Network Source and added these users' IP addresses to it. By doing so, only users coming from those IP addresses are allowed to access the Oracle Cloud Infrastructure Console. I then added the policy statements from the section above (Permission to Group of Users to Manage the Bucket) to restrict their access to a specific bucket.

Please refer to the below blog to configure the network source.

Permission to Specific Users (IP based) to Manage the Object

To achieve this, I have considered a scenario in which the users' IP addresses are the criterion for allowing them to access the OCI Console. I created a Network Source and added these users' IP addresses to it. By doing so, only users coming from those IP addresses are allowed to access the Oracle Cloud Infrastructure Console. I then added the policy statements from the section above (Permission to Group of Users to Manage the Object) to restrict their access to a specific bucket.

Please refer to the below blog to configure the network source.

All of the above are permission setups that grant a set of OCI users access at the bucket and object level.
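The four sections above show the policies only as screenshots. The following added example, which is not code from the original post, builds the equivalent OCI IAM policy statements in Python so the syntax is visible: `manage buckets` and `manage objects` for the group, narrowed to one bucket with `target.bucket.name` and, for the IP-based variants, to requests arriving from a named network source with `request.networkSource.name`. The names demogroup, democompartment, demobucket and demonetworksource are assumed placeholders. One caveat worth stating: restricting Console sign-in by IP is done by attaching the network source to the tenancy's authentication (sign-on) policy, whereas the `request.networkSource.name` condition in a policy statement restricts that grant for every channel, Console, CLI and API alike. `push_policy()` uses the OCI Python SDK and real credentials and is not called unless you do so yourself.

```python
"""OCI IAM policy statements for the four permission scenarios above.

Added example, not code from the original post. demogroup, democompartment,
demobucket and demonetworksource are assumed placeholder names; the verbs,
resource types and condition variables are OCI IAM policy syntax.
push_policy() needs the OCI Python SDK plus credentials and is never run
when this file is imported.
"""
from __future__ import annotations

RESOURCES = ("buckets", "objects")


def where_clause(*conditions: str | None) -> str:
    """Join the non-empty conditions into an OCI 'where' clause.
    Two or more conditions are ANDed with 'where all {...}'."""
    conds = [c for c in conditions if c]
    if not conds:
        return ""
    if len(conds) == 1:
        return f" where {conds[0]}"
    return " where all {" + ", ".join(conds) + "}"


def network_condition(network_source: str | None) -> str | None:
    """Condition that only matches requests coming from a named network source."""
    return f"request.networkSource.name='{network_source}'" if network_source else None


def manage_statement(group: str, resource: str, compartment: str,
                     bucket: str | None = None,
                     network_source: str | None = None) -> str:
    """Build one 'Allow group ... to manage ...' statement, optionally narrowed
    to a single bucket (target.bucket.name) and/or a network source."""
    if resource not in RESOURCES:
        raise ValueError(f"resource must be one of {RESOURCES}")
    bucket_cond = f"target.bucket.name='{bucket}'" if bucket else None
    return (f"Allow group {group} to manage {resource} in compartment {compartment}"
            + where_clause(bucket_cond, network_condition(network_source)))


def demo_policies(network_source: str | None = None) -> dict[str, list[str]]:
    """Statements for the bucket-level and object-level scenarios.

    With network_source=None these are the 'Group of Users' policies; pass the
    network source name to get the IP-restricted variants.
    """
    g, c, b = "demogroup", "democompartment", "demobucket"
    return {
        "manage-bucket": [
            manage_statement(g, "buckets", c, bucket=b, network_source=network_source),
        ],
        "manage-objects": [
            # 'read buckets' lets the group see the bucket in the Console and CLI;
            # the objects verbs alone carry no bucket permissions.
            f"Allow group {g} to read buckets in compartment {c}"
            + where_clause(network_condition(network_source)),
            manage_statement(g, "objects", c, bucket=b, network_source=network_source),
        ],
    }


def push_policy(name: str, statements: list[str], compartment_id: str,
                profile: str = "DEFAULT") -> str:
    """Create the policy with the OCI Python SDK and return its OCID.
    Requires ~/.oci/config (pip install oci) and rights to create policies."""
    import oci  # imported lazily so the rest of the file runs without the SDK

    config = oci.config.from_file(profile_name=profile)
    identity = oci.identity.IdentityClient(config)
    details = oci.identity.models.CreatePolicyDetails(
        compartment_id=compartment_id,
        name=name,
        description=f"added example policy {name}",
        statements=statements,
    )
    return identity.create_policy(details).data.id


if __name__ == "__main__":
    for title, stmts in demo_policies("demonetworksource").items():
        print(f"# {title}")
        print(*stmts, sep="\n")
```

Run the file to print the IP-restricted variants; call `demo_policies()` with no argument for the plain group policies. Note that the network source itself must be created in the tenancy (root compartment) before a policy can reference it by name.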

As noted, a newly created bucket is Private, so the objects within it cannot be reached over the internet.

Below are the ways to access the object within a bucket over the public internet.

Public Access

One option for making an object in a bucket publicly accessible is to change the bucket's visibility from Private (the default) to Public, which you do by editing the bucket's visibility. Be aware that this exposes every object in the bucket to anonymous readers, and if you also allow listing, anyone can enumerate the bucket's contents; use it only for data that is meant to be public.

Once the bucket is Public, the object's URL path is shown in its Object details, and that URL can be fetched directly.

Private Bucket with Pre-authenticated Request (PAR)

Another option, which keeps the bucket Private, is to create a Pre-authenticated Request (PAR) for a single object or for the entire bucket.

The PAR generates a URL that anyone holding it can use to read the object (or write, depending on the access type chosen) until the PAR's expiry time, without any OCI credentials. Treat the URL as a secret and give the PAR the shortest expiry that serves the purpose.
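To make the two options above concrete, here is an added example that is not code from the original post: it builds the native object URL and the full PAR URL, creates a short-lived read-only PAR with the OCI Python SDK, and, more usefully for a reviewer, checks bucket and PAR records for the exposures discussed here (Public buckets with listing enabled, PARs that allow writes or listing on the whole bucket, PARs that live far longer than needed). The region, namespace, bucket and object names are assumed, and the bucket/PAR records are constructed to look like `oci os bucket get` and `oci os preauth-request list` output; only `create_read_par()` talks to OCI, and it is not run by default.

```python
"""Review public access and PARs on OCI Object Storage buckets.

Added example, not code from the original post. The region, namespace,
bucket, object name and the bucket/PAR records below are constructed to
look like `oci os bucket get` and `oci os preauth-request list` output;
nothing here calls OCI except create_read_par(), which needs the SDK and
credentials and is not run unless you call it.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import quote

OS_ENDPOINT = "https://objectstorage.{region}.oraclecloud.com"


def object_url(region: str, namespace: str, bucket: str, name: str) -> str:
    """Native URL of an object; fetchable anonymously only if the bucket is
    public. '/' inside object names acts as a path separator and stays unescaped."""
    return (OS_ENDPOINT.format(region=region)
            + f"/n/{namespace}/b/{bucket}/o/{quote(name, safe='/')}")


def par_url(region: str, access_uri: str) -> str:
    """Full PAR URL from the access_uri the API returns ('/p/<token>/n/...').
    Anyone holding this URL gets the PAR's access, so treat it as a secret."""
    return OS_ENDPOINT.format(region=region) + access_uri


def review_bucket(bucket: dict) -> list[str]:
    """Findings for one bucket record (keys as in `oci os bucket get`)."""
    name = bucket["name"]
    access = bucket.get("public-access-type", "NoPublicAccess")
    if access == "ObjectRead":
        return [f"{name}: anonymous read AND listing of every object"]
    if access == "ObjectReadWithoutList":
        return [f"{name}: anonymous read of any object whose name is known"]
    return []


def review_pars(bucket: str, pars: list[dict], now: datetime,
                max_lifetime: timedelta = timedelta(days=7)) -> list[str]:
    """Flag unexpired PARs that grant more than single-object read, or that
    live longer than max_lifetime. Expired PARs are inert and skipped."""
    findings = []
    for p in pars:
        expires = datetime.fromisoformat(p["time-expires"].replace("Z", "+00:00"))
        if expires <= now:
            continue
        scope = p.get("object-name") or f"whole bucket {bucket}"
        lists = p.get("bucket-listing-action") == "ListObjects"
        if p["access-type"] != "ObjectRead" or lists:
            findings.append(f"PAR {p['name']}: {p['access-type']} on {scope}"
                            + (" with object listing" if lists else ""))
        if expires - now > max_lifetime:
            findings.append(f"PAR {p['name']}: valid for {(expires - now).days} more days")
    return findings


def create_read_par(namespace: str, bucket: str, object_name: str,
                    lifetime: timedelta = timedelta(hours=1),
                    profile: str = "DEFAULT") -> str:
    """Create a short-lived read-only PAR for one object with the OCI SDK and
    return its full URL. Needs ~/.oci/config (pip install oci)."""
    import oci  # lazy import: the offline review above works without the SDK

    config = oci.config.from_file(profile_name=profile)
    client = oci.object_storage.ObjectStorageClient(config)
    details = oci.object_storage.models.CreatePreauthenticatedRequestDetails(
        name=f"read-{object_name.replace('/', '-')}",
        access_type="ObjectRead",
        object_name=object_name,
        time_expires=datetime.now(timezone.utc) + lifetime,
    )
    par = client.create_preauthenticated_request(namespace, bucket, details).data
    return par_url(config["region"], par.access_uri)


# Constructed sample records; field names follow the OCI CLI's JSON output.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_BUCKETS = [
    {"name": "demobucket", "public-access-type": "NoPublicAccess"},
    {"name": "marketing-assets", "public-access-type": "ObjectRead"},
]
SAMPLE_PARS = [  # PARs defined on demobucket
    {"name": "report-read", "access-type": "ObjectRead",
     "object-name": "q2/report.pdf", "time-expires": "2024-06-02T12:00:00+00:00"},
    {"name": "upload-anything", "access-type": "AnyObjectReadWrite",
     "object-name": None, "bucket-listing-action": "ListObjects",
     "time-expires": "2030-01-01T00:00:00Z"},
    {"name": "old-link", "access-type": "ObjectRead",
     "object-name": "old.txt", "time-expires": "2024-01-01T00:00:00+00:00"},
]


if __name__ == "__main__":
    print(object_url("us-ashburn-1", "mynamespace", "demobucket", "q2/report v2.pdf"))
    for b in SAMPLE_BUCKETS:
        print(*review_bucket(b), sep="\n")
    print(*review_pars("demobucket", SAMPLE_PARS, NOW), sep="\n")
```

On the sample data the review is silent for the private bucket and the one-day read-only PAR, flags the Public bucket because listing is enabled (the Console's "Allow users to list objects from this bucket" option; ObjectReadWithoutList is the tighter choice when public read is unavoidable), and flags the bucket-wide read/write PAR twice, once for its scope and once for its multi-year lifetime. The expired PAR is ignored since it can no longer be used.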

That’s it. Easy… Hope you found this article useful.

Please Subscribe or Follow me (https://medium.com/@harjulthakkar) on my medium account to receive notifications for upcoming articles.

Disclaimer: The views expressed on this document are my own and do not necessarily reflect the views of Oracle.
