Question: Is s3rver an S3 "private" / "public" or both?
parajbs opened this issue · 1 comments
Is s3rver an S3 "private" / "public" or both?
When using the clients, I can only log in with AccessKeyId / SecretAccessKey! It's OK! (safe)
But via the browser all data is publicly accessible without AccessKeyId / SecretAccessKey and can be downloaded (not safe)! Is this normal?
S3rver runs as a public bucket as it's not intended to be used as a production service for secure storage. The scope of enforcing bucket+object ACLs on a useful scale would be a large undertaking.
The existing support for signatures is only intended as a useful data integrity measure in integration testing. It only performs a simplistic authentication step. All objects are essentially stored with wildcard ACLs as there's no authorization performed for data access.
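A test suite can make the behaviour described in this reply explicit by requesting each fixture object with no credentials and recording which ones come back. The sketch below is an added example, not code from this thread or from the s3rver project; the function names, the two stub transports and the fixture URLs are constructed assumptions, so it runs offline.

```javascript
// Query parameters that carry a presigned (SigV4 or SigV2) signature.
const SIGNING_PARAM = /^(x-amz-.+|awsaccesskeyid|signature|expires)$/i;

// Map the status of an unsigned GET to a finding.
function classify(status) {
  if (status >= 200 && status < 300) return 'anonymous-read';
  if (status === 401 || status === 403) return 'denied';
  return 'inconclusive';
}

// GET an object with no Authorization header and no presigned parameters,
// which is the request a browser makes when the object URL is opened directly.
async function probeAnonymousRead(objectUrl, fetchImpl = globalThis.fetch) {
  const url = new URL(objectUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (SIGNING_PARAM.test(key)) url.searchParams.delete(key);
  }
  const res = await fetchImpl(url.href, { method: 'GET', headers: {}, redirect: 'manual' });
  return { url: url.href, status: res.status, finding: classify(res.status) };
}

// Probe every fixture URL and return only those readable without credentials.
async function auditFixtures(objectUrls, fetchImpl = globalThis.fetch) {
  const results = await Promise.all(objectUrls.map((u) => probeAnonymousRead(u, fetchImpl)));
  return results.filter((r) => r.finding === 'anonymous-read');
}

// Constructed transport: serves everything, as the reply describes for s3rver.
const openEndpoint = async () => ({ status: 200 });

// Constructed transport: denies any request that carries no signature.
const enforcingEndpoint = async (href, init) => {
  const signed = Boolean(init.headers.authorization) ||
    new URL(href).searchParams.has('X-Amz-Signature');
  return { status: signed ? 200 : 403 };
};

// Constructed fixture URLs; the second one arrives presigned.
const FIXTURES = [
  'http://localhost:4568/test-bucket/report.csv',
  'http://localhost:4568/test-bucket/key.pem?X-Amz-Signature=constructed&X-Amz-Expires=60',
];

const demo = async () => ({
  open: await auditFixtures(FIXTURES, openEndpoint),
  enforcing: await auditFixtures(FIXTURES, enforcingEndpoint),
});
demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Called without the second argument, `auditFixtures` uses the runtime's built-in `fetch` (Node 18 or later), so the same check can be pointed at a locally running test endpoint.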