{"__v":2,"_id":"57852b98fd4ee30e0007a605","category":{"project":"55faf11ba62ba1170021a9a7","version":"55faf11ba62ba1170021a9aa","_id":"5785191af3a10c0e009b75b0","__v":0,"sync":{"url":"","isSync":false},"reference":false,"createdAt":"2016-07-12T16:21:46.337Z","from_sync":false,"order":24,"slug":"connect-cloud-storage","title":"CONNECT CLOUD STORAGE"},"parentDoc":null,"project":"55faf11ba62ba1170021a9a7","user":"5613e4f8fdd08f2b00437620","version":{"__v":37,"_id":"55faf11ba62ba1170021a9aa","project":"55faf11ba62ba1170021a9a7","createdAt":"2015-09-17T16:58:03.490Z","releaseDate":"2015-09-17T16:58:03.490Z","categories":["55faf11ca62ba1170021a9ab","55faf8f4d0e22017005b8272","55faf91aa62ba1170021a9b5","55faf929a8a7770d00c2c0bd","55faf932a8a7770d00c2c0bf","55faf94b17b9d00d00969f47","55faf958d0e22017005b8274","55faf95fa8a7770d00c2c0c0","55faf96917b9d00d00969f48","55faf970a8a7770d00c2c0c1","55faf98c825d5f19001fa3a6","55faf99aa62ba1170021a9b8","55faf99fa62ba1170021a9b9","55faf9aa17b9d00d00969f49","55faf9b6a8a7770d00c2c0c3","55faf9bda62ba1170021a9ba","5604570090ee490d00440551","5637e8b2fbe1c50d008cb078","5649bb624fa1460d00780add","5671974d1b6b730d008b4823","5671979d60c8e70d006c9760","568e8eef70ca1f0d0035808e","56d0a2081ecc471500f1795e","56d4a0adde40c70b00823ea3","56d96b03dd90610b00270849","56fbb83d8f21c817002af880","573c811bee2b3b2200422be1","576bc92afb62dd20001cda85","5771811e27a5c20e00030dcd","5785191af3a10c0e009b75b0","57bdf84d5d48411900cd8dc0","57ff5c5dc135231700aed806","5804caf792398f0f00e77521","58458b4fba4f1c0f009692bb","586d3c287c6b5b2300c05055","58ef66d88646742f009a0216","58f5d52d7891630f00fe4e77"],"is_deprecated":false,"is_hidden":false,"is_beta":true,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0"},"updates":[],"next":{"pages":[],"description":""},"createdAt":"2016-07-12T17:40:40.557Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":9,"body":"The CGC has taken measures to ensure that operations on volumes by the CGC are secure and compliant with the security standards governing medical data.\n[block:callout]\n{\n  \"type\": \"warning\",\n  \"title\": \"On this page:\",\n  \"body\": \"* [Restrictions on viewing volume details](#viewing-details)\\n * [Volume owner](#volume-owner)\\n * [Project members](#project-members)\\n* [Restrictions on volume operations](#volume-operations)\\n* [CGC access policy for volumes](#access-policy)\\n* [Viewing the content of an alias via the Web browser](#viewing-content)\"\n}\n[/block]\n<a name=\"viewing-details\"></a>\n##Restrictions on viewing volume details \n<a name=\"volume-owner\"></a>\n###Volume owner\n\nOnly the volume's owner (the user who created the volume) can obtain the full details of that volume, including its exact configuration to the cloud storage provider.\n\nThis information **never** contains authentication credentials such as passwords or access keys. These credentials are never communicated back via the API. The owner of a volume is, however, free to reconfigure these credentials as well as any of the volume's other parameters.\n\n<div align=\"right\"><a href=\"#top\">top</a></div>\n\n<a name=\"project-owner\"></a>\n###Project members\n\nIf your project on the CGC contains aliases referring to your volume, project members can obtain the file details of these aliases which contain a restricted set of information identifying the source volume. For example, a project member viewing the details of a file imported to a project will see the following:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/0yWUVPj4SzaqVra2mNUF_Screen%20Shot%202016-06-15%20at%206.51.51%20PM.jpeg\",\n        \"Screen Shot 2016-06-15 at 6.51.51 PM.jpeg\",\n        \"1252\",\n        \"452\",\n        \"#475d72\",\n        \"\"\n      ]\n    }\n  ]\n}\n[/block]\nIn short, if a user has sufficient privileges to obtain the details of an alias, both the CGC's visual interface and the API will expose:\n\n* The volume identifier, consisting of owner's username and volume name. In the example above, the username is **markot** and the volume name is **my_import_volume**.\n* The key under which the object is stored on the cloud storage service. In the example above, the key is **243831_ATGTCA_L001_1P.fastq.gz**.\n[block:callout]\n{\n  \"type\": \"info\",\n  \"body\": \"CGC users who are not members of projects referring to your volume cannot obtain any information about your volume or any of its resources.\"\n}\n[/block]\n<div align=\"right\"><a href=\"#top\">top</a></div>\n\n<a name=\"volume-operations\"></a>\n##Restrictions on volume operations\n\nOnly the volume's owner can perform operations on that volume, including listing volume details, updating volume configuration, deleting a volume, invoking alias operations on it or checking those operations' status.\n\n<div align=\"right\"><a href=\"#top\">top</a></div>\n\n<a name=\"access-policy\"></a>\n##CGC access policy for volumes\n\nBy creating a volume, you authorize the CGC to access your cloud storage service and the resources you've specified on it on your behalf. You retain ownership of your cloud resources at all times – the CGC does not read volumes' contents independently of operations you perform on the volume via the [Volumes API](volumes-v2). The CGC will not copy the resources elsewhere or change their native metadata unless through an operation performed by you, the owner, or by an authorized user. Note that authorized users can only effect changes on aliases but not on the volume itself.\n\nThe owner of the resources in a volume can revoke CGC access at any time by:\n\n* [Deleting the volume](delete-a-volume-v2) from the CGC\n* [Reconfiguring the volume](update-a-volume-v2) to purge access credentials shared with the CGC\n* Changing or revoking the shared credentials on the storage service itself\n\nWhen the CGC's access to a volume is revoked (or a volume is removed), any resources that link to that volume's data objects may remain on the CGC (e.g. any [imported](start-an-import-job-v2) or [exported] (start-an-export-job-v2)files), but their content becomes unavailable until the volume is either recreated or reconfigured.\n\n<div align=\"right\"><a href=\"#top\">top</a></div>\n\n<a name=\"viewing-content\"></a>\n##Viewing the content of an alias via the Web browser\nMost cloud storage providers implement additional security measures limiting access to the contents of stored objects. This may prevent you from viewing the content of some aliases, even when the files are otherwise readable and can be used as inputs to computation.\n\nIf this is a problem, you can configure your cloud storage to allow viewing such content in a browser:\n* [Enabling cross-origin resource sharing (CORS) on AWS S3](enabling-cross-origin-resource-sharing-cors#aws)\n* [Enabling cross-origin resource sharing (CORS) on GCS](enabling-cross-origin-resource-sharing-cors#gcs)\n\n<div align=\"right\"><a href=\"#top\">top</a></div>","excerpt":"","slug":"security-concerns-when-working-with-volumes","type":"basic","title":"Security concerns when working with volumes"}

Security concerns when working with volumes


The CGC has taken measures to ensure that operations on volumes by the CGC are secure and compliant with the security standards governing medical data. [block:callout] { "type": "warning", "title": "On this page:", "body": "* [Restrictions on viewing volume details](#viewing-details)\n * [Volume owner](#volume-owner)\n * [Project members](#project-members)\n* [Restrictions on volume operations](#volume-operations)\n* [CGC access policy for volumes](#access-policy)\n* [Viewing the content of an alias via the Web browser](#viewing-content)" } [/block] <a name="viewing-details"></a> ##Restrictions on viewing volume details <a name="volume-owner"></a> ###Volume owner Only the volume's owner (the user who created the volume) can obtain the full details of that volume, including its exact configuration to the cloud storage provider. This information **never** contains authentication credentials such as passwords or access keys. These credentials are never communicated back via the API. The owner of a volume is, however, free to reconfigure these credentials as well as any of the volume's other parameters. <div align="right"><a href="#top">top</a></div> <a name="project-owner"></a> ###Project members If your project on the CGC contains aliases referring to your volume, project members can obtain the file details of these aliases which contain a restricted set of information identifying the source volume. For example, a project member viewing the details of a file imported to a project will see the following: [block:image] { "images": [ { "image": [ "https://files.readme.io/0yWUVPj4SzaqVra2mNUF_Screen%20Shot%202016-06-15%20at%206.51.51%20PM.jpeg", "Screen Shot 2016-06-15 at 6.51.51 PM.jpeg", "1252", "452", "#475d72", "" ] } ] } [/block] In short, if a user has sufficient privileges to obtain the details of an alias, both the CGC's visual interface and the API will expose: * The volume identifier, consisting of owner's username and volume name. In the example above, the username is **markot** and the volume name is **my_import_volume**. * The key under which the object is stored on the cloud storage service. In the example above, the key is **243831_ATGTCA_L001_1P.fastq.gz**. [block:callout] { "type": "info", "body": "CGC users who are not members of projects referring to your volume cannot obtain any information about your volume or any of its resources." } [/block] <div align="right"><a href="#top">top</a></div> <a name="volume-operations"></a> ##Restrictions on volume operations Only the volume's owner can perform operations on that volume, including listing volume details, updating volume configuration, deleting a volume, invoking alias operations on it or checking those operations' status. <div align="right"><a href="#top">top</a></div> <a name="access-policy"></a> ##CGC access policy for volumes By creating a volume, you authorize the CGC to access your cloud storage service and the resources you've specified on it on your behalf. You retain ownership of your cloud resources at all times – the CGC does not read volumes' contents independently of operations you perform on the volume via the [Volumes API](volumes-v2). The CGC will not copy the resources elsewhere or change their native metadata unless through an operation performed by you, the owner, or by an authorized user. Note that authorized users can only effect changes on aliases but not on the volume itself. The owner of the resources in a volume can revoke CGC access at any time by: * [Deleting the volume](delete-a-volume-v2) from the CGC * [Reconfiguring the volume](update-a-volume-v2) to purge access credentials shared with the CGC * Changing or revoking the shared credentials on the storage service itself When the CGC's access to a volume is revoked (or a volume is removed), any resources that link to that volume's data objects may remain on the CGC (e.g. any [imported](start-an-import-job-v2) or [exported] (start-an-export-job-v2)files), but their content becomes unavailable until the volume is either recreated or reconfigured. <div align="right"><a href="#top">top</a></div> <a name="viewing-content"></a> ##Viewing the content of an alias via the Web browser Most cloud storage providers implement additional security measures limiting access to the contents of stored objects. This may prevent you from viewing the content of some aliases, even when the files are otherwise readable and can be used as inputs to computation. If this is a problem, you can configure your cloud storage to allow viewing such content in a browser: * [Enabling cross-origin resource sharing (CORS) on AWS S3](enabling-cross-origin-resource-sharing-cors#aws) * [Enabling cross-origin resource sharing (CORS) on GCS](enabling-cross-origin-resource-sharing-cors#gcs) <div align="right"><a href="#top">top</a></div>