Merge lp:~marix/duplicity/azure-storage-sas into lp:~duplicity-team/duplicity/0.8-series

Proposed by Matthias Bach
Status: Merged
Merged at revision: 1179
Proposed branch: lp:~marix/duplicity/azure-storage-sas
Merge into: lp:~duplicity-team/duplicity/0.8-series
Diff against target: 54 lines (+21/-9)
2 files modified
bin/duplicity.1 (+6/-2)
duplicity/backends/azurebackend.py (+15/-7)
To merge this branch: bzr merge lp:~marix/duplicity/azure-storage-sas
Reviewer: duplicity-team
Review status: Pending
Review via email: mp+317175@code.launchpad.net

Description of the change

This branch adds support for Shared Access Signatures to the Azure backend, which allows running Duplicity with a minimal set of permissions.

The currently supported access method, using an account key, grants Duplicity full administrative permissions on that Azure storage account. However, there is a fairly low limit on the number of storage accounts that can be used within a single storage subscription, thus it is not necessarily optimal to create a separate one for each single system that requires backup. In addition, this also grants a lot of unnecessary powers to the system running Duplicity.

Shared Access Signatures allow granting a specific set of permissions on a storage account, or a single container. To test, you need to create a shared access signature including read, write and deletion permissions on the container. Then run duplicity, passing the shared access signature in the environment variable AZURE_SHARED_ACCESS_SIGNATURE. The AZURE_ACCOUNT_NAME is also still required, but the AZURE_ACCOUNT_KEY is no longer necessary.


Preview Diff

1=== modified file 'bin/duplicity.1'
2--- bin/duplicity.1 2017-01-30 21:46:37 +0000
3+++ bin/duplicity.1 2017-02-14 09:50:31 +0000
4@@ -1543,9 +1543,13 @@
5 .B REQUIREMENTS
6 above.
7
8-It uses two environment variables for authentification:
9+It uses environment variables for authentification:
10 .BR AZURE_ACCOUNT_NAME " (required),"
11-.BR AZURE_ACCOUNT_KEY " (required)"
12+.BR AZURE_ACCOUNT_KEY " (optional),
13+.BR AZURE_SHARED_ACCESS_SIGNATURE " (optional)."
14+One of
15+.BR AZURE_ACCOUNT_KEY " or"
16+.BR AZURE_SHARED_ACCESS_SIGNATURE " is required."
17
18 A container name must be a valid DNS name, conforming to the following naming
19 rules:
20
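Review bot: The added line `.BR AZURE_ACCOUNT_KEY " (optional),` is missing its closing double quote, unlike the AZURE_ACCOUNT_NAME and AZURE_SHARED_ACCESS_SIGNATURE lines around it; close the string so the macro argument is delimited the same way on all three lines. The paragraph also does not say which variable is used when both are set; since the backend checks AZURE_ACCOUNT_KEY first, that precedence is worth stating here. The spelling "authentification" on the rewritten line could become "authentication" while the sentence is being touched.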
21=== modified file 'duplicity/backends/azurebackend.py'
22--- duplicity/backends/azurebackend.py 2016-05-11 21:07:04 +0000
23+++ duplicity/backends/azurebackend.py 2017-02-14 09:50:31 +0000
24@@ -51,15 +51,23 @@
25 raise BackendException('Azure backend requires Microsoft Azure Storage SDK for Python '
26 '(https://pypi.python.org/pypi/azure-storage/).')
27
28+ # TODO: validate container name
29+ self.container = parsed_url.path.lstrip('/')
30+
31 if 'AZURE_ACCOUNT_NAME' not in os.environ:
32 raise BackendException('AZURE_ACCOUNT_NAME environment variable not set.')
33- if 'AZURE_ACCOUNT_KEY' not in os.environ:
34- raise BackendException('AZURE_ACCOUNT_KEY environment variable not set.')
35- self.blob_service = BlobService(account_name=os.environ['AZURE_ACCOUNT_NAME'],
36- account_key=os.environ['AZURE_ACCOUNT_KEY'])
37-
38- # TODO: validate container name
39- self.container = parsed_url.path.lstrip('/')
40+
41+ if 'AZURE_ACCOUNT_KEY' in os.environ:
42+ self.blob_service = BlobService(account_name=os.environ['AZURE_ACCOUNT_NAME'],
43+ account_key=os.environ['AZURE_ACCOUNT_KEY'])
44+ self._create_container()
45+ elif 'AZURE_SHARED_ACCESS_SIGNATURE' in os.environ:
46+ self.blob_service = BlobService(account_name=os.environ['AZURE_ACCOUNT_NAME'],
47+ sas_token=os.environ['AZURE_SHARED_ACCESS_SIGNATURE'])
48+ else:
49+ raise BackendException('Neither AZURE_ACCOUNT_KEY nor AZURE_SHARED_ACCESS_SIGNATURE environment variable not set.')
50+
51+ def _create_container(self):
52 try:
53 self.blob_service.create_container(self.container, fail_on_exist=True)
54 except self.AzureConflictError:
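Review bot: In the new if/elif chain, AZURE_ACCOUNT_KEY takes precedence whenever both variables are set, so an account key left over in the environment silently gives the backend full account access even though a shared access signature was supplied; consider checking AZURE_SHARED_ACCESS_SIGNATURE first, or raising a BackendException when both are present. The else-branch message 'Neither AZURE_ACCOUNT_KEY nor AZURE_SHARED_ACCESS_SIGNATURE environment variable not set.' is a double negative and should end in "is set". `self._create_container()` is only called in the account-key branch, so with a shared access signature the container has to exist already; that precondition deserves a comment at the elif and a sentence in the man page.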
