[Rt-commit] rt branch, 4.4/external-storage, updated. rt-4.2.11-80-gf57e298

Shawn Moore shawn at bestpractical.com
Wed May 27 18:40:31 EDT 2015


The branch, 4.4/external-storage has been updated
       via  f57e2980534d82d560837edcfde356e95f152b61 (commit)
       via  fa121bf704b45b016e8b334e286d93a3080242c6 (commit)
      from  fccaa3f3b775779c9864535b664ff86bd49f0b16 (commit)

Summary of changes:
 etc/RT_Config.pm.in                | 10 +++----
 lib/RT/ExternalStorage/AmazonS3.pm | 59 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 62 insertions(+), 7 deletions(-)

- Log -----------------------------------------------------------------
commit fa121bf704b45b016e8b334e286d93a3080242c6
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Wed May 27 22:39:20 2015 +0000

    Turn off direct linking by default
    
        It requires config in S3 to make buckets public

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 2076000..4ef0a6f 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2577,20 +2577,20 @@ Set($ExternalStorageCutoffSize, 10*1024*1024);
 =item C<$ExternalStorageDirectLink>
 
 Certain ExternalStorage backends can serve files over HTTP.  For such
-backends, RT will link directly to those files in external storage. This
+backends, RT can link directly to those files in external storage. This
 cuts down download time and relieves resource pressure because RT's web
 server is no longer involved in retrieving and then immediately serving
 each attachment.
 
 Of the storage engines that RT ships, only
-L<RT::ExternalStorage::AmazonS3> supports this feature.
+L<RT::ExternalStorage::AmazonS3> supports this feature, and you must
+manually configure it to allow direct linking.
 
-If you prefer to have RT serve these files (perhaps to maintain an access
-log), you can set this option to false.
+Set this to 1 to link directly to files in external storage.
 
 =cut
 
-Set($ExternalStorageDirectLink, 1);
+Set($ExternalStorageDirectLink, 0);
 
 =back
 
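Review bot: The new text for C<$ExternalStorageDirectLink> says "Set this to 1" but no longer gives the admin any reason to leave it off. The removed sentence about having RT serve the files "to maintain an access log" was the only hint. Add a sentence here saying that a direct link is fetched from the storage backend without passing through RT, so RT neither logs nor authorizes that download, and point to the setup section of L<RT::ExternalStorage::AmazonS3> for what "manually configure" involves. Changing the default to 0 is the right call.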

commit f57e2980534d82d560837edcfde356e95f152b61
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Wed May 27 22:40:10 2015 +0000

    Implement and document direct linking for S3

diff --git a/lib/RT/ExternalStorage/AmazonS3.pm b/lib/RT/ExternalStorage/AmazonS3.pm
index 4be9d71..8144df4 100644
--- a/lib/RT/ExternalStorage/AmazonS3.pm
+++ b/lib/RT/ExternalStorage/AmazonS3.pm
@@ -151,7 +151,16 @@ sub Store {
 }
 
 sub DownloadURLFor {
-    return;
+    my $self = shift;
+    my $object = shift;
+
+    my $column = $object->isa('RT::Attachment') ? 'Content' : 'LargeContent';
+    my $digest = $object->__Value($column);
+
+    # "If you make a request to the http://BUCKET.s3.amazonaws.com
+    # endpoint, the DNS has sufficient information to route your request
+    # directly to the region where your bucket resides."
+    return "https://" . $self->Bucket . ".s3.amazonaws.com/" . $digest;
 }
 
 =head1 NAME
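Review bot: In DownloadURLFor, the value read with `$object->__Value($column)` is concatenated into the URL with no check that it is actually a digest. Nothing in this sub confirms that the row is stored externally or that the column is non-empty, so it can return a URL built from raw content or a bare bucket URL. Check that `$digest` is a 64-character hex string and return nothing otherwise, which also keeps the old `return;` behaviour for callers that test the result. Two smaller points: the quoted comment says http:// while the code emits https://, and with https:// a bucket name containing dots will fail certificate validation against the *.s3.amazonaws.com wildcard, so either document that restriction or handle such names differently.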
@@ -181,7 +190,8 @@ bandwidth> needs.
 
 =head1 SETUP
 
-In order to use this storage type, 
+In order to use this storage type, you must grant RT access to your
+S3 account.
 
 =over
 
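Review bot: "grant RT access to your S3 account" reads as account-wide access. The rest of this section configures a single bucket, so suggest wording such as "grant RT access to the S3 bucket it will use" and recommend a dedicated access key whose permissions are limited to that bucket.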
@@ -229,6 +239,51 @@ RT what bucket name to use in your F<RT_SiteConfig.pm> file:
 
 =back
 
+=head2 Direct Linking
+
+This storage engine supports direct linking. This means that RT can link
+I<directly> to S3 when listing attachments, showing image previews, etc.
+This relieves some bandwidth pressure from RT because ordinarily it would
+have to download each attachment from S3 to be able to serve it.
+
+To enable direct linking you must first make all content in your bucket
+publicly viewable.
+
+B<Beware that this could have serious implications for billing and
+privacy>. RT cannot enforce its access controls for content on S3. This
+is tempered somewhat by the fact that users must be able to guess the
+SHA-256 digest of the file to be able to access it. But there is nothing
+stopping someone from tweeting a URL to a file hosted on your S3. These
+concerns do not arise when using an RT-mediated link to S3, since RT
+uses an access key to upload to and download from S3.
+
+To make all content in an S3 bucket publicly viewable, navigate to
+the bucket in the S3 web UI. Select the "Properties" tab and inside
+"Permissions" there is a button to "Add bucket policy". Paste the
+following content in the provided textbox:
+
+    {
+        "Version": "2008-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowPublicRead",
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "*"
+                },
+                "Action": "s3:GetObject",
+                "Resource": "arn:aws:s3:::BUCKET/*"
+            }
+        ]
+    }
+
+Replace C<BUCKET> with the bucket name that is used by your RT instance.
+
+Finally, set C<$ExternalStorageDirectLink> to 1 in your
+F<RT_SiteConfig.pm> file:
+
+    Set($ExternalStorageDirectLink, 1);
+
 =cut
 
 RT::Base->_ImportOverlays();
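Review bot: The policy under "Direct Linking" grants s3:GetObject on arn:aws:s3:::BUCKET/* to every principal, so the text should tell admins to use a bucket dedicated to RT; anything else stored in that bucket becomes public too. The paragraph saying users "must be able to guess the SHA-256 digest" also understates the exposure: the digest is part of every direct link RT renders, a link keeps working after the user loses access to the ticket, and anyone who already holds a copy of a file can compute its digest and test whether the bucket contains it. Please document these points next to the existing warning, and as a follow-up consider returning expiring pre-signed URLs from DownloadURLFor so the bucket can stay private. Minor: "Version": "2008-10-17" is the older policy language version; "2012-10-17" is the current one.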

-----------------------------------------------------------------------

