Access Control using APIs

Concepts in Access Management

For conceptual background, see How Access Management Works.

GCP

Google Cloud Storage (GCS) lets you manage buckets and the files and folders stored in them. Using the Google APIs, you can enforce access control on the GCS service by creating an access policy for it that allows or denies permission to read, write, or delete files, folders, or buckets.

Prerequisite

Ensure the following prerequisite is met:

  • GCP DataServer should be up and running. For more information, see Data Server.

Authentication

  1. Generate the access and secret token.

    1. In Privacera Portal, go to Launch Pad > Privacera Token on the left navigation, and click Generate Token. Its corresponding dialog box is displayed.

    2. In the dialog box, add the required details and click Generate Token. The dialog box displays the access and secret key. Now, you can copy the keys.

  2. SSH to the instance where Privacera GCP DataServer is installed or open a terminal on your local machine.

  3. Get the following details for the API. They are used in the curl commands that access GCS.

    <DATASERVER_URL> - URL of the GCP DataServer. The URL scheme and port depend on your DataServer SSL configuration: if SSL is enabled, the default port is 8282; for non-SSL, the default port is 8181.

    <GCP_PROJECT_NAME> - Enter the GCP project ID where the GCS application has been added.

    <ACCESS_TOKEN> - Copy the access token from step 1.

    <SECRET_TOKEN> - Copy the secret token from step 1.

  4. Run the following to authenticate.

    export PRIVACERA_TOKEN="<ACCESS_TOKEN>|<SECRET_TOKEN>"
    export GCP_PROJECT_NAME="<GCP_PROJECT_NAME>"
    export DATASERVER_URL="<DATASERVER_URL>"
    
    curl -k -o /tmp/cacerts "${DATASERVER_URL}/services/certificate"
    chmod 400 /tmp/cacerts
    

Read File

  1. SSH to the instance where Privacera GCP DataServer is installed or open a terminal on your local machine.

  2. Get the following details for the API:

    <BUCKET_NAME> - Enter the bucket name where the file is stored.

    <OBJECT_PATH> - Enter the object path of the file.

  3. Run the following commands to read the contents of a file.

    export BUCKET_NAME=<BUCKET_NAME>
    export OBJECT_PATH=<OBJECT_PATH>
    curl --cacert /tmp/cacerts -v -X GET -H "Authorization: Bearer ${PRIVACERA_TOKEN}" -H "p-request-type:GCP_GCS" "${DATASERVER_URL}/storage/v1/b/${BUCKET_NAME}/o/${OBJECT_PATH}?project=${GCP_PROJECT_NAME}&alt=media"
    

Upload File

  1. SSH to the instance where Privacera GCP DataServer is installed or open a terminal on your local machine.

  2. Get the following details for the API:

    <BUCKET_NAME> - Enter the bucket name where the file is stored.

    <FILE_NAME> - Enter the name to be given for the uploaded file.

    <FILE_TO_UPLOAD> - Enter the file to be uploaded.

    <FILE_CONTENT_TYPE> - Enter the type of the file being uploaded.

  3. Run the following commands to upload a file.

    export BUCKET_NAME=<BUCKET_NAME>
    export FILE_NAME=<FILE_NAME>
    export FILE_TO_UPLOAD=<FILE_TO_UPLOAD>
    export FILE_CONTENT_TYPE=<FILE_CONTENT_TYPE>
    
    curl -k --cacert /tmp/cacerts -v -X POST -H "Authorization: Bearer ${PRIVACERA_TOKEN}" -H "p-request-type:GCP_GCS" "${DATASERVER_URL}/upload/storage/v1/b/${BUCKET_NAME}/o?project=${GCP_PROJECT_NAME}&uploadType=media&name=${FILE_NAME}" --data "@${FILE_TO_UPLOAD}"  -H "Content-Type: ${FILE_CONTENT_TYPE}"
    

Delete File

  1. SSH to the instance where Privacera GCP DataServer is installed or open a terminal on your local machine.

  2. Get the following details for the API:

    <BUCKET_NAME> - Enter the bucket name where the file is stored.

    <FILE_NAME> - Enter the name of the file to be deleted.

  3. Run the following commands to delete a file.

    export BUCKET_NAME=<BUCKET_NAME>
    export FILE_NAME=<FILE_NAME>
    
    curl -k --cacert /tmp/cacerts -v -X DELETE -H "Authorization: Bearer ${PRIVACERA_TOKEN}" -H "p-request-type:GCP_GCS" "${DATASERVER_URL}/storage/v1/b/${BUCKET_NAME}/o/${FILE_NAME}?project=${GCP_PROJECT_NAME}"
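
The script below wraps the Read File, Upload File and Delete File calls above in reusable shell functions. It is an added example, not Privacera's own tooling, and it assumes the DataServer forwards the request path unchanged to the GCS JSON API, which expects the object name as a single percent-encoded path segment (so `reports/q1.csv` must be sent as `reports%2Fq1.csv`). It also assumes the certificate downloaded to `/tmp/cacerts` is the only trust anchor needed, so it drops `-k` and relies on `--cacert`; the initial `curl -k -o /tmp/cacerts` fetch is trust-on-first-use, so `cacert_fingerprint` is included to compare the downloaded certificate against a fingerprint obtained out of band. The example uses `--data-binary` for uploads because `--data` strips newlines from the file it sends. Hostnames, bucket and object names in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: shell wrappers for the Privacera GCP DataServer GCS calls.
# Requires DATASERVER_URL, GCP_PROJECT_NAME and PRIVACERA_TOKEN from the
# Authentication steps; CACERT defaults to the path used on this page.
CACERT="${CACERT:-/tmp/cacerts}"
LC_ALL=C   # byte-wise character handling for urlencode

# Percent-encode every byte except RFC 3986 unreserved characters.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"          # first character of the remaining string
    s="${s#?}"                 # drop it
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Fail early if a required variable is unset or empty (exported or not).
require_env() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: $name is not set" >&2
      return 1
    fi
  done
}

# Build <DATASERVER_URL>/storage/v1/b/<bucket>/o/<encoded object>?project=<project>
gcs_object_url() {
  printf '%s/storage/v1/b/%s/o/%s?project=%s' \
    "$DATASERVER_URL" "$1" "$(urlencode "$2")" "$GCP_PROJECT_NAME"
}

# Common curl options: pinned CA bundle, non-zero exit on HTTP errors,
# and the two headers the DataServer requires.
gcs_curl() {
  require_env DATASERVER_URL GCP_PROJECT_NAME PRIVACERA_TOKEN || return 1
  curl --cacert "$CACERT" -sS --fail \
    -H "Authorization: Bearer ${PRIVACERA_TOKEN}" \
    -H "p-request-type:GCP_GCS" "$@"
}

# gcs_read <bucket> <object path>   -> object bytes on stdout
gcs_read() {
  gcs_curl -X GET "$(gcs_object_url "$1" "$2")&alt=media"
}

# gcs_upload <bucket> <object name> <local file> <content type>
gcs_upload() {
  gcs_curl -X POST -H "Content-Type: $4" --data-binary "@$3" \
    "${DATASERVER_URL}/upload/storage/v1/b/$1/o?project=${GCP_PROJECT_NAME}&uploadType=media&name=$(urlencode "$2")"
}

# gcs_delete <bucket> <object path>
gcs_delete() {
  gcs_curl -X DELETE "$(gcs_object_url "$1" "$2")"
}

# SHA-256 fingerprint of the downloaded DataServer certificate, to be
# compared with the value your DataServer administrator gives you.
cacert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$CACERT"
}

# Usage (placeholders, not real endpoints):
#   export DATASERVER_URL="https://dataserver.example.internal:8282"
#   export GCP_PROJECT_NAME="example-project"
#   export PRIVACERA_TOKEN="<ACCESS_TOKEN>|<SECRET_TOKEN>"
#   cacert_fingerprint
#   gcs_read   example-bucket 'reports/2024/q1.csv' > q1.csv
#   gcs_upload example-bucket 'reports/2024/q2.csv' ./q2.csv text/csv
#   gcs_delete example-bucket 'reports/2024/q2.csv'
```

Because `gcs_curl` uses `--fail`, a policy denial from the DataServer surfaces as a non-zero exit status rather than an error page written into the output file, which makes these functions safe to chain in scripts.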