I am currently in the process of evaluating the usage of azure media services to store our product tutorial videos, bug reports etc. We encode and store the videos locally and are now able to upload them to azure media services, and then publish to get a SAS url that we can distribute out to our internal users and clients.
We want to be able to grant access to only specific users to these uploaded videos and also track these users, number of views etc. Also for internal users we would like to be able to use integrated windows authentication to access the videos.
Can someone please advise if this is possible? We are not that interested in encrypting of the content itself.
Thanks,
Ilias
If you don't want videos to be shared with unauthorized users you have to apply DRM or AES encryption policies. Without it any logged in user can leak video published uri or what is called "locator" in Azure Media Services. To read more about AES encryption see https://msdn.microsoft.com/en-us/library/azure/Dn783457.aspx.
In my blog post (http://gtrifonov.com/2015/01/24/mvc-owin-azure-media-services-ad-integration/) i showed how to integrate Azure AD with Azure Media Services AES capabilities. To allow playback for users belonging to certain azure AD user group.
If you don't wan't to utilize dynamic encryption, you can issue a unique locator per user session for an asset. But in this scenario you will be limited by 5 active locators per asset.
"because of a shared access policy restriction set by Azure storage services, you cannot have more than five unique Locators associated with a given Asset at one time" - https://msdn.microsoft.com/en-us/library/azure/hh974308.aspx
If you want to protect your training materials from unauthorized access and building solution which will have many users accessing same asset simultaneously, you need to use DRM or AES functionality.
Related
Hi i create application that is common to youtube and i`ve got some questions. I use google login(oAuth), so i keep in my database all things required to use google APIs for every user that wants to log in. The question is if i can use(is it possible and legal) google analytics to get info(like gender of people which shows his/her video or age or region) about every user that is loged in to my application and show it to another users which using my application ?
edit:
I do not know if you understood me well, user log in to my app with his google account, i have in my database his google token, etc. In my application all users have got youtube account and now what i want to do is that if you are log in, you can see user`s statistics from youtube(like the gender of people who watch his/her video and what is thier age) for any user registered in my app. There is a youtube analyse api, which alow you to get your account stats, and if i have access to someone`s google account(i keep toke in my datbase), i couldnt just use it to request that analyse api for every user and in that way get access to their stats. And another question is if i get data in the way that i described(of course if it is possibe), is it legall, if i can display such an info to other users not only to the owner of the account?
Thanks for help
Is it legall, if i can display such an info to other users not only to the owner of the account? Thanks for help
If you are authenticating a user to get access to their Private data. It is your responsibility as a developer to ensure that their data remains private. You should not be sharing data between your users without there express permission.
If the data you are accessing is public then you are allowed to display that data with anyone.
Remember when you created your google developer console account you agreed to this Google APIs Terms of Service
b. Compliance with Law, Third Party Rights, and Other Google Terms of Service
You will comply with all applicable law, regulation, and third party rights (including without limitation laws regarding the import or export of data or software, privacy, and local laws). You will not use the APIs to encourage or promote illegal activity or violation of third party rights. You will not violate any other terms of service with Google (or its affiliates).
d. User Privacy and API Clients
You will comply with all applicable privacy laws and regulations including those applying to PII. You will provide and adhere to a privacy policy for your API Client that clearly and accurately describes to users of your API Client what user information you collect and how you use and share such information (including for advertising) with Google and third parties.
You may also want to read Privacy policy
I need to store my service data in Google Storage and let my users download files depending on their (users) access rights.
I've already made service that connects to Google Storage using server-centric mechanism, and transfers them to client-side, but I need client-side to go to Storage and download file without server-side.
I've tried to use temporary links for files, but I can't check, if user downloaded file or not to properly delete temporary link.
I've tried to look for oauth2 support, but it seems Google doesn't support oauth in such way (When my service decides to allow access or no).
The best solution is to generate tokens for users and if Google Storage would call my service before every file download.
How can I achieve that?
I'm quite new to Cloud Storage solutions, and I'm currently researching options to upgrade our current solution (we currently just upload on a SVN server).
What I have is a native application running on client computers, which will upload data to the Cloud Storage. Afterwards, client should be able to download and browse their data (source is not set in stone, could be a website or from other applications). They should not be able to access other user's data.
I'm not sure how I'm supposed to proceed. As far as I understand, the native application will upload using a Native Application Credential, using JSON.
Do I need multiple credentials to track multiple users? That seems wrong to me. Besides when they come back as 'users' through the web interface, they wouldn't be using that authentification, would they?
Do I need to change the ACL of the uploaded files afterwards?
Should I just not give write/read access to any particular users and handle read requests through Signed URLs, dealing with permission details by myself using something else on the side? (not forcing a Google Account is probably a requirement)
Sorry if this is too many questions, and thanks!
Benjamin
The "individual credentials per instance of an app" question has come up before, and unfortunately there's not a great answer. If you want every user to have different permissions, you need every user to be associated with a different account.
Like you point out, the best current answer, other than requiring users to have Google accounts, is to have a centralized service that vends signed URLs to the end applications. That service would be the only owner of all of the objects and would give out permission to read or upload as needed.
I have an app where people login to our site, search for FB groups based on keyword, and then download a text file of UIDs (generated by the API, not by scraping), for the purpose of creating a custom audience in the Power Editor and uploading it back.
Is that allowed?
It is okay to do so, as long as it is strictly for the functionality for your app and your users that will be downloading the lists of ids have agreed to keep them confidential. These are the specific items from the Facebook platform policy which address what you cannot do with user ids:
II
6) You will not directly or indirectly transfer any data you receive from
us, including user data or Facebook User IDs, to (or use such data in
connection with) any ad network, ad exchange, data broker, or other
advertising or monetization related toolset, even if a user consents
to such transfer or use. By indirectly we mean you cannot, for
example, transfer data to a third party who then transfers the data to
an ad network. By any data we mean all data obtained through use of
the Facebook Platform (API, Social Plugins, etc.), including
aggregate, anonymous or derivative data.
7) User IDs for any purpose outside your application (e.g., your
infrastructure, code, or services necessary to build and run your
application). Facebook User IDs may be used with external services
that you use to build and run your application, such as a web
infrastructure service or a distributed computing platform, but only
if those services are necessary to running your application and the
service has a contractual obligation with you to keep Facebook User
IDs confidential.
Make sure that your app doesn't break either of those rules or any other rule in the Platform Policy.
I've uploaded and encoded several videos to windows Azure Media services. How can I provide secure streaming access to subscribers logged into my MVC 4 web site hosted as an Azure service? I basically don't want them to be able to watch a video if they are not signed in?
(I've been reading about Azure Media services and I can't find anything and that usually means I'm missing the obvious!?)
Now you could use AES or PlayReady content protection with Azure Media Services to encrypt your file over the wire. We provide token authentication on top of the key delivery, which ensure only your authorized user could get the content.
For more information, please read my blog post here: http://azure.microsoft.com/blog/2014/09/10/announcing-public-availability-of-azure-media-services-content-protection-services/
There are a couple of options for you. Currently you can encrypt the video using PlayReady DRM and then use a third party provider such as BuyDRM or EzDRM to handle authentication and DRM license delivery. EzDRM is currently available for purchase via the Azure store. This will provide you the highest degree of protection for your videos. Long term we are looking into more light weight approaches for authentication and video content protection for the cases where protection provided by DRM is not needed. We will post updates to http://social.msdn.microsoft.com/Forums/en-US/MediaServices/ when new capabilities are available in Azure Media Services.