Talk:Wikimedia Cloud Services team/EnhancementProposals/cloudswift

Exposing the swift API to the public internet

Reading through the proposal, it seems intuitively quite dangerous to expose a read/write object storage API to the internet. I am aware that such setups exist, but those are typically managed as a service for paying customers who can upload and fetch files (so: an s3 alternative). I don't see such a use-case listed in the proposal.

The use cases I see here listed are:

  • docker-registry
  • static file serving
  • backups
  • internal openstack uses

And as far as I understand, none of them would need a public-facing api to operate. Can the use-cases that would make use of having the swift api be public-facing be made more explicit?

Giuseppe Lavagetto (talk) 11:53, 22 October 2021 (UTC)

Your point is very good. Thanks!

You mention "a managed setup as a service for paying customers", which fits really well with what Cloud VPS is. With the annotation that customers have to pay nothing in Cloud VPS, if (and only if) their use of the service is for the benefit of the Wikimedia movement. Any cloud offering, service, platform or API we have is in pursuit of this greater goal. Open, free (freedom, free beer), well supported, well engineered, etc.

That being said, I don't think we have short-term plans to open the swift API to be public-facing to the larger internet, as stated in the document. But we're pretty sure we will do so at some point down the road. Selecting an architecture that can do this in the future is key for us.
Anyway, I made our plans more clear: https://wikitech.wikimedia.org/w/index.php?title=Wikimedia_Cloud_Services_team/EnhancementProposals/cloudswift&diff=1932640&oldid=1932638

Worth mentioning that, as of this writing, the other OpenStack APIs we have aren't open to the internet at large. But we're definitely moving in that direction. We just recently enabled TLS/HTTPS on them, which was one of the prerequisites we had set before moving forward.

Arturo Borrero Gonzalez (talk) 11:17, 16 November 2021 (UTC)