-1

User delegated SAS tokens for having user only access blob files (images) on an individual basis. It is possible to have over 100,000 tokens in one large container and directory. Are there any limits to how many blobs and related tokens? Are there any performance issues in this approach?

Have not generated 100,000 for test, but see the pattern and am trying to design best solution. Have considered Account, Container, and Directory tokens but need 1-1 User to image blob read access. Are there limits and performance issues on this solution of having all blobs in 1 directory? What are the performance and management considerations?

David Makogon
  • This is a lot of questions (and mainly documentation-based and opinion-based). SAS token generation is fully documented. Which type you choose is really up to you. The topic of how to organize blobs is something completely different. Please edit your question to be specific, including relevant code, sample input, expected vs actual behavior, etc. Also, please limit the focus of your question (for example, remove the stuff about blob organization) – David Makogon Mar 09 '23 at 13:52
  • Thank you for your prompt response. New to SAS tokens. The SAS token type approach selected is User Delegated SAS. The token generated on each Blob is different in the container/directory. I am concerned this approach may have performance and maintenance issues when several 100 thousand image-files are stored in 1 directory. In this case each blob would have a separate SAS Token. I am asking others for their advice. Hope this provides enough clarification; I have not yet tried the population of all the images and generated the tokens as yet. – pluralcloud Mar 09 '23 at 18:01
  • Like I said, this is still opinion-based, even with your clarification (by the way, clarifications should be edits to your question, not as lengthy comments). I don't understand the concern about SAS performance (aside from the mechanism you use to store and retrieve all your SAS tokens, if you're actually storing them). And it's still not clear why you need to track so many SAS tokens, especially given that the point of SAS tokens is to provide *temporary* access to private content. – David Makogon Mar 09 '23 at 18:51
  • As for performance: it's irrelevant, whether you store 1 blob or a million blobs in a single container, unless you need to list them and search through their names - see my answer [here](https://stackoverflow.com/a/8160317/272109). Note that enabling ADLS (hierarchical directories) changes the story... – David Makogon Mar 09 '23 at 18:53
  • @david-makogon -- saw your notes on earlier post you referenced-- that is an opinion I was looking for... here – pluralcloud Mar 10 '23 at 00:29
  • Without knowledge of how SAS tokens are stored and retrieved-- I thought maybe it may also have an impact on performance and management. Still don't know how/if anyone has addressed such detail. I see you have been following this topic for many years. Any guidelines you could point me to would be appreciated. Not great to get bashed...would appreciate guidance rather than criticism. – pluralcloud Mar 10 '23 at 00:40
  • There's zero bashing here, and zero criticism. It's simply that discussion-style, opinion-style questions are off-topic here, and you still haven't shown any code or asked any specific question. At this point I suggest you post to [meta] if you have concerns with how this question is being moderated. – David Makogon Mar 10 '23 at 01:36

1 Answer

0

The SAS tokens are generated by using two inputs: a set of credentials and a querystring. In the querystring you can define the settings such as expiration date, permissions and more. Both of these inputs are thrown into an algorithm to generate a signature that's added to the querystring to create the SAS token.

Then when you use the SAS token the Storage Account server checks if your querystring and credentials can generate that same signature and if it matches it knows the token is valid. The information in the querystring is used to determine if you are allowed to perform the action.

In short; the SAS tokens are created and validated using just the credentials and querystring. They are never saved to a database. In other words it doesn't matter if you generate 1, 1000 or a billion SAS tokens.

NotFound
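The stateless sign-and-recompute check described in the answer above, as an added Python sketch that is not part of the original answer and not Azure's own code. The key, the blob paths and the three-field string-to-sign are assumptions made for illustration; the real service signs more fields, and only the `sp`, `se` and `sig` parameter names follow the SAS query string.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed demo key; stands in for the account key or user delegation key.
KEY = b"demo-key-not-a-real-secret"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _sign(path, sp, se):
    # Simplified string-to-sign (assumption): permissions, expiry, blob path.
    msg = "\n".join([sp, se, path]).encode()
    return base64.b64encode(hmac.new(KEY, msg, hashlib.sha256).digest()).decode()

def make_token(path, sp, expires):
    """Issuer side: the token is just signed query parameters, never stored."""
    se = expires.strftime(TIME_FMT)
    return urlencode({"sp": sp, "se": se, "sig": _sign(path, sp, se)})

def check(path, action, token, now):
    """Service side: recompute the signature from the request itself."""
    q = parse_qs(token)
    try:
        sp, se, sig = q["sp"][0], q["se"][0], q["sig"][0]
        expiry = datetime.strptime(se, TIME_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    expected = _sign(path, sp, se)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # different blob, edited permissions or edited expiry
    return now < expiry and action in set(sp)

def demo(count=1000):
    """Issue one token per blob; each is valid only for its own path."""
    now = datetime(2023, 3, 10, tzinfo=timezone.utc)  # constructed clock value
    paths = [f"/images/user{i}.png" for i in range(count)]
    tokens = {p: make_token(p, "r", now + timedelta(minutes=15)) for p in paths}
    own = all(check(p, "r", t, now) for p, t in tokens.items())
    crossed = any(check(paths[0], "r", tokens[p], now) for p in paths[1:])
    return own, crossed

if __name__ == "__main__":
    print(demo())
```

Because the verifier holds no per-token record, the number of tokens issued costs the service nothing; the other side of that is that a single issued token cannot be deleted, so short expiry times and the ability to revoke the signing key are the controls to plan for.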