The S3 protocol (Simple Storage Service) describes a storage service that can, in principle, hold any amount of data. Data is no longer kept in classic files but in units called objects, and access is via HTTP or HTTPS. Amazon introduced the concept of buckets and objects, which roughly corresponds to folders and files, and this interface has established itself as a standard; vendors such as NetApp, OpenIO, and Microsoft aim to be compatible with it.
A bucket is stored in one of many regions; a particular region may be preferable, e.g. because of lower latency. Each bucket has a unique identifier and is therefore unique across the entire S3 storage.
The programming interface of the S3 protocol is freely available. Users of S3 must authenticate themselves: for user identification, the S3 protocol uses an authorization header carrying an access key and a signature for each request.
DRACOON and S3
In this setup, the DRACOON environment assumes the role of an S3 client that stores the data in a bucket of the S3 storage.
- When a user wants to upload a file to a DRACOON server, e.g. via the DRACOON web app, an upload channel is first created on the DRACOON server.
- The DRACOON server generates a pre-signed URL for the client using the S3 access data stored earlier. This specific URL contains a unique access token for uploading one object into the S3 bucket. In addition, it carries any tags defined for the DRACOON data room.
- The client uploads the file directly into the S3 bucket via this pre-signed URL.
- If policies for handling specific tags have been defined in the S3 storage, they are applied now and result, for example, in a georedundant distribution of the object.
- The client reports the successful upload back to the server, which completes the upload channel. The file is now visible to other users in the clients.
Downloading a file works analogously to the upload process, except that tags are not involved.
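The pre-signed URL mechanism from the steps above, as an added example that is not DRACOON's own code: a minimal AWS Signature Version 4 presigner for a PUT (the DRACOON server's role) and the matching storage-side check that the S3 service performs. It assumes path-style addressing, an unsigned payload, and that the data-room tags travel as a signed `x-amz-tagging` header (the page does not document how DRACOON actually carries them); credentials, host and clock values are constructed.

```python
import calendar
import hashlib
import hmac
import time
import urllib.parse as up

def _hmac(key, msg): return hmac.new(key, msg.encode(), hashlib.sha256).digest()
def _enc(s): return up.quote(s, safe="-_.~")  # SigV4 encoding of one query component

def _signature(secret, method, path, query, headers):
    """SigV4 core: canonical request -> string to sign -> derived key -> hex signature."""
    _, date, region, service, _ = query["X-Amz-Credential"].split("/")
    canon_query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(query.items()))
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    creq = "\n".join([method, path, canon_query, canon_headers, ";".join(names), "UNSIGNED-PAYLOAD"])
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", query["X-Amz-Date"], scope, hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):  # key derivation chain
        key = _hmac(key, part)
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def presign_put(access_key, secret, host, bucket, key, region, tags, expires, now):
    """Server side (DRACOON's role): PUT URL valid for `expires` seconds from epoch time
    `now`; the x-amz-tagging header is signed, so the client cannot change the tags."""
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    headers = {"host": host, "x-amz-tagging": up.urlencode(tags)}
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
             "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
             "X-Amz-SignedHeaders": ";".join(sorted(headers))}
    path = f"/{bucket}/{up.quote(key, safe='/-_.~')}"  # path-style addressing
    query["X-Amz-Signature"] = _signature(secret, "PUT", path, query, headers)
    return f"https://{host}{path}?{up.urlencode(query, quote_via=up.quote)}", headers

def verify_put(url, sent_headers, secret, now):
    """Storage side: recompute the signature over the URL and the headers the client
    actually sent; reject on mismatch or once X-Amz-Expires has elapsed."""
    u = up.urlsplit(url)
    query = dict(up.parse_qsl(u.query, keep_blank_values=True))
    presented = query.pop("X-Amz-Signature", "")
    issued = calendar.timegm(time.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
    if now > issued + int(query["X-Amz-Expires"]):
        return False
    headers = {n: sent_headers.get(n, "") for n in query["X-Amz-SignedHeaders"].split(";")}
    return hmac.compare_digest(presented, _signature(secret, "PUT", u.path, query, headers))
```

The URL binds method, object key, expiry and the signed tag header, so a client holding it can neither upload under a different key nor with different tags, and the secret key never leaves the server.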
In the following diagram, the steps described above are shown again graphically:
Configure S3 in DRACOON
Implementing a hybrid cloud solution with DRACOON is straightforward: an S3 configuration is stored in DRACOON once. It forms the basis for communication between the DRACOON software and the external storage on the customer side; no further steps are required.
The S3 endpoint is entered in DRACOON under Settings > Storage, together with the access key, the secret key, the bucket name, and the region. The access key and secret key must have full access to that bucket.
Furthermore, the S3 tag feature can be activated. S3 tags can then be defined and assigned to data rooms. Mandatory tags are automatically appended to every S3 object in the data room and cannot be deactivated by room administrators.
- The S3 object storage must be publicly accessible over the Internet to be used with DRACOON, because clients upload and download directly via the pre-signed URLs rather than through the DRACOON server.
- An existing DRACOON environment can be migrated to S3 storage at any time. As soon as S3 storage has been connected to DRACOON, all files already existing in DRACOON are moved automatically to the S3 storage. If the DRACOON environment already contains many files, this migration might take several days. During the migration, DRACOON can still be used without restrictions: when files are accessed, DRACOON automatically recognizes which of them have already been migrated to the S3 storage and which still reside in the DRACOON storage.
- Note: Migrating a DRACOON environment to S3 storage cannot be undone. DRACOON displays a corresponding warning before the final migration, which must be confirmed.
Additional flexibility through S3 object tags
Since version 4.10, DRACOON also supports S3 object tags. In combination with NetApp, for example, this allows unprecedented flexibility in data storage: any object tags (keywords) defined in the NetApp Policy Engine can also be specified in DRACOON and assigned to specific data rooms. NetApp then applies the defined storage rules depending on the assigned tags.
- For example, files from particularly sensitive data rooms can automatically be stored in a data center of the highest security level or in a specific geographic location.
- Another possibility is georedundant storage of data: the client is always offered the closest storage node for downloading and uploading objects.
- Archiving guidelines can also be enforced using S3 object tags. For example, S3 objects can then only be deleted after 10 years and are retained in an audit-proof manner until that period expires.