Can people access my source code when i create public access as object reader in order to host a static website in cloud object storage?
And what are all the risk of public access?
When you create an IBM Cloud Object Storage bucket and grant public access to it, then everyone with a link to the bucket and its files, can retrieve them. If the bucket has HTML, JS, CSS files for the website, they would be loaded from the browser of users accessing your website. If you consider the HTML and JavaScript as source code, it would be publicly available.
That is something for every website. You can look at the HTML, JavaScript, and CSS code for Stack Overflow for exactly this page. You probably have no access to the PHP, SQL, etc. code that generated it.
Related
Is there a way to do this via the admin SDK? I am able to do this via the client SDK. I am baffled as to why admin SDK seems to lack many features that clients have. How do I get storage reference using a download URL in admin?
The Firebase Admin SDK for Storage is a fairly thin wrapper around the Google Cloud Storage SDK for that platform, mostly providing auto-initialization of the default bucket that Firebase uses. It does not expose any Firebase-specific functionality, such as mapping from download URLs back to a path in the bucket.
It's a valid request though, so you could file a feature request.
I have a React app running on google cloud run, with user authentications and permissions.
Now I would like to write documents for the app. The documents will be a static site holding at google cloud storage.
In the app, users with different permissions can access different routes of the app, and it would be great if the permissions work for documents too.
My untested solution is to control user access to the app routes, and certain route renders a page, that containing an <Iframe> which retrieves the documents and then display it.
My question is: is it possible to restrict access to the static site, to allow only access from the react app holding at cloud run?
Or is there any suggestion about access control of app documents?
"documents" were supposed to be html files converted from markdown files. They're documentations about what the app is and how to use the app.
And I don't want the part of the documentation about "admin configuration of the app" to be seen by users with regular authorization.
Holding the documentation as a static site is simpler. I can use gitbook (or other tools) to render the markdown file. Managing & rendering the styles of the markdown files in React would be a little painful.
I'm still working on my English. Sry about the confusions.
You can restrict the access to a static website in Cloud Storage by creating a redirect.html like it is posted in the second answer of this question. The complete medium post is located here.
This will work considering that the authentication from the static website will be separated from the Cloud Run authentication. As it can be seen here the permissions a user has will need to be defined for every object. There you can control if a certain document can be viewed by a specific user email.
If the serving of the Cloud Storage documents needs to be dependent on the Cloud Run authentication, then creating short-lifetime signed urls is an option. This is a python sample program to create signed urls and here is the description of what a signed url does.
I have a REST api that list me all files in a bucket. I show this list in a webview on a ios device.
It's not possible to make this file public.
So to my question, how can i access the files in my ios app?
My idea is, i create a read stream in my api that open a read stream to the file in the gcloud bucket.
Is there a better way to do this?
The canonical way to expose a private file is to used signed URLs. Basically, your iOS app would request access to a file from your app. If your app decides to grant this access, it generates a URL, signs it with a private key, and then provides that signed URL to the iOS app. The app then fetches the URL provided like any other URL, the body of which will be the object's contents.
Signed URLs have some nice security advantages. They can only be used for exactly one thing, and they're only valid for a few minutes (you can configure exactly how long they're valid).
The signing logic is a little tricky, but the gcloud libraries have functions to sign URLs for you.
Documentation is here: https://cloud.google.com/storage/docs/access-control/signed-urls
I have a compute engine and google cloud storage work together.
The compute engine has a tomcat running allow browsers to load a page and get the images from the google cloud storage.
How could i allow the html page (generated by the servlet) to download several images from the google cloud storage where the images are not public shared??
What i expect is when the broswers downloaded the html page then it will request the images directly from the cloud storage, but how can i allow the broswer to do it without making the images public sharable?
Thanks
This is tricky but possible. If you want to manage some sort of authorization scheme for who can and cannot view GCS images, you'll need a service which can vend short-term, signed URLs to parties that your service decides are authorized. You then embed the URLs in the image tags of your dynamically-generated HTML pages, or you fetch the URLs from the server with JavaScript.
The gcloud-java library has a signURL method for generating such a URL.
Another option would be to simply obfuscate the image URLs to something unguessable and rotate them every so often.
I want to use the Google Analytics API to show analytics data in our CMS.
As every website runs the CMS under their own domain like domain.com/cms I do not want to use webapplication API access. I want to use a API Service Accounts, so there is no domain check using the API, in stead it uses a client id (different from webapplication access) and a private key.
So far, so good. I set up the connection with the API and I can read google analytics data.
But I would like to show some charts.
Easy Dashboard Javascript Library is very handy, but it uses webapplication API access, so it checks the URL where it is called from. And I don't want this. Is there a way to simply create charts (with this library or another), and using Service Account API access?
You can get the data from your Google Analytics Service Account and use the data to create charts using the many libraries available using javascript or jquery.
http://www.1stwebdesigner.com/css/top-jquery-chart-libraries-interactive-charts/