The Filebase team has been gearing up for the holidays and is excited to release an update to end 2019 with features that many of our customers have been patiently waiting for.

Public Buckets and ACLs

Our number one requested feature by far has been support for public buckets. However, we wanted to take our time rolling this feature out, as it has important security implications. In practice, S3 is rather simple to use, but far too often buckets are being left open to the public, exposing all types of important and sensitive data.

An important component of Filebase is our S3-Compatible API. It’s used by thousands of Filebase users and is responsible for 98% of the traffic we serve. With the S3 API, the visibility of buckets and objects is typically controlled using bucket policies and ACLs. Starting today, we have introduced ACL support for buckets. This will allow Filebase users to make buckets public.

But what about the objects? Misconfigurations in bucket and object ACLs are the number one cause of data leakage. Therefore, we have decided to group buckets and objects into the same access control list (ACL). A short overview:

  • Buckets are always private by default.
  • A bucket and its objects can be made fully public, or fully private — there is no in-between. The bucket ACL determines the ACL of its objects.
  • ACLs can be controlled via the UI or S3 API (PutBucketAcl).
  • If you call the S3 GetObjectAcl API, the response returned will match the response of GetBucketAcl.

Our goal here at Filebase is to create an easy-to-use object storage service, and we think the above policy strikes a great balance between security and usability. If you need a mix of private and public objects, simply create two different buckets.
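Because the bucket ACL determines the ACL of every object in it, checking bucket ACLs against a list of buckets that are meant to be public is enough to find unintended exposure. The following is an added example, not Filebase code; it assumes GetBucketAcl responses carry the standard S3 grant structure in the dict shape that boto3's `get_bucket_acl()` returns, and the bucket names and owner ID are constructed placeholders.

```python
# Added example: audit bucket exposure from GetBucketAcl responses.
# Assumption: grants use the standard S3 group URIs, in the dict shape
# that boto3's get_bucket_acl() returns.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def collect_acls(s3):
    """Fetch every bucket's ACL with a boto3-style S3 client."""
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {name: s3.get_bucket_acl(Bucket=name) for name in names}


def public_grants(acl):
    """Return the permissions one ACL grants to a public group."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.add(grant.get("Permission"))
    return perms


def audit(acls, expected_public):
    """Compare actual exposure with the buckets meant to be public."""
    findings = {"unexpected_public": {}, "expected_but_private": []}
    for bucket, acl in sorted(acls.items()):
        perms = public_grants(acl)
        if perms and bucket not in expected_public:
            findings["unexpected_public"][bucket] = sorted(perms)
        elif not perms and bucket in expected_public:
            findings["expected_but_private"].append(bucket)
    return findings


# Constructed sample data: bucket names and owner ID are placeholders.
def sample_acl(public):
    owner = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
             "Permission": "FULL_CONTROL"}
    anyone = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
    return {"Grants": [owner, anyone] if public else [owner]}


SAMPLE_ACLS = {"website-assets": sample_acl(True), "backups": sample_acl(True),
               "logs": sample_acl(False), "downloads": sample_acl(False)}

if __name__ == "__main__":
    print(audit(SAMPLE_ACLS, expected_public={"website-assets", "downloads"}))
```

In real use, pass the result of `collect_acls()` with a client pointed at your S3-compatible endpoint instead of `SAMPLE_ACLS`, and treat any entry under `unexpected_public` as a bucket to review before it stays public.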

The visibility of a bucket can also be changed with a simple toggle switch directly from the UI:

Private Access is the default status for all buckets. Individual object file sharing is not allowed while in this mode as authentication will be required.

When public access is enabled, Public is displayed under the Access column in the main Filebase UI Dashboard.

WARNING: BY MAKING A BUCKET PUBLIC ON FILEBASE THROUGH EITHER THE UI OR API, ANYONE ON THE INTERNET CAN SEE AND HAVE ACCESS TO YOUR FILES. YOU SHOULD BE 100% CERTAIN THAT THERE IS NO SENSITIVE DATA IN A BUCKET BEFORE MAKING IT PUBLIC.

If you enable and then disable public access, the status reverts back to Private.

File Sharing

Now that buckets can be made public, it’s very easy to generate a shareable link to an object. Simply click the Share button under the Actions column and the object’s URL will be copied to your clipboard. If the bucket holding your object is public, this URL can be shared with and viewed by anyone.

File Sharing with object URLs on Filebase

Object Details

We have added a new overview screen for each object that includes various bits of information. From within your bucket, simply click on the object’s name, and you will be taken to this overview page. If you’ve stored user-defined metadata along with your object using the S3 API, it will be displayed here as well.

Looking Forward

As the year comes to an end we want to thank all of our users. Your feedback has been invaluable for helping to make Filebase better each and every release. As we move forward into 2020, be sure to look out for even more features and improvements!