S3 Bucket Signed URLs to grant access to pictures


Question

I'm having a brainstorming issue on how to get user uploaded pictures viewed by only the friends of the users.

So what I've come up with so far is:

  1. Create a DynamoDB table for each user, with a dynamic list of friends/new friends added.
  2. Generate a Signed URL for every user-uploaded picture.
  3. Allow access to the Signed URL to every friend listed in the DynamoDB table to view set picture/s.

Does this sound correct? Also, would I technically have just one bucket for ALL user uploaded pictures? Something about my design sounds off...

Can anyone give me a quick tutorial on how to accomplish this via Java?

Answer

There are two basic approaches:

  • Permissions in Amazon S3, or
  • Application-controlled access to objects in Amazon S3

Permissions in Amazon S3

You can provide credentials (either via IAM or Amazon Cognito) that allow users to access a particular path within an Amazon S3 bucket. For example, each user could have their own path within the bucket.

Your application would generate URLs that include signatures that identify them as that particular user, and Amazon S3 would grant access to the objects.

One benefit of this approach is that you could provide the AWS credentials to the users and they could interact directly with AWS, such as using the AWS Command-Line Interface (CLI) to upload/download files without having to always go via your application.

Application-controlled access to objects in Amazon S3

In this scenario, users have no permissions within Amazon S3. Instead, each time that your application wishes to generate a URL to an object in S3 (eg in an <img> tag), you create a pre-signed URL. This will grant access to the object for a limited time. It only takes a couple of lines of code and can be done within the application without communication with AWS to generate the URL.

There is no need to store pre-signed URLs. They are generated on-the-fly.

The benefit of this approach is that your application has full control over which objects they can access. Friends could share pictures with other users and the application would grant access, whereas the first method only grants access to objects within the user's specific path.
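The application-controlled approach described in this answer, as an added example in Java (the language the question asks for); this is illustrative code, not the answerer's own, and it assumes the AWS SDK for Java v2 (`S3Presigner`), a placeholder bucket name, a `users/<owner>/<file>` key layout, and an in-memory map standing in for the per-user friends list that the question keeps in DynamoDB. The application first checks whether the viewer is allowed to see the owner's pictures, and only then mints a short-lived pre-signed GET URL; the signature is computed locally by the SDK, so no call to AWS is made and nothing needs to be stored.

```java
import java.time.Duration;
import java.util.Map;
import java.util.Set;

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;
import software.amazon.awssdk.services.s3.presigner.model.PresignedGetObjectRequest;

/** Application-controlled access: the app decides who may see a picture, then mints a short-lived pre-signed GET URL. */
public class PictureAccess {

    // Hypothetical bucket name; replace with your own. One bucket for all users is fine with this approach.
    private static final String BUCKET = "example-user-pictures-bucket";
    // A pre-signed URL is a bearer token: anyone holding it can fetch the object until it expires, so keep the lifetime short.
    private static final Duration URL_LIFETIME = Duration.ofMinutes(5);

    // Constructed stand-in for the per-user friends list the question keeps in DynamoDB (owner -> friends).
    private static final Map<String, Set<String>> FRIENDS_OF = Map.of(
            "alice", Set.of("bob"),
            "bob", Set.of("alice", "carol"));

    private final S3Presigner presigner;

    public PictureAccess(S3Presigner presigner) {
        this.presigner = presigner;
    }

    /** The authorisation decision: the owner themself, or a friend listed for that owner, may view. */
    static boolean mayView(String viewerId, String ownerId) {
        if (viewerId.equals(ownerId)) {
            return true;
        }
        return FRIENDS_OF.getOrDefault(ownerId, Set.of()).contains(viewerId);
    }

    /** Assumed key layout: one prefix per owner inside the single bucket. */
    static String objectKey(String ownerId, String fileName) {
        return "users/" + ownerId + "/" + fileName;
    }

    /**
     * Mints a pre-signed GET URL for the picture, or throws if the viewer is not authorised.
     * The SDK signs the request locally; no network call to AWS is made here.
     */
    public String urlForViewer(String viewerId, String ownerId, String fileName) {
        if (!mayView(viewerId, ownerId)) {
            throw new SecurityException(viewerId + " is not allowed to view pictures of " + ownerId);
        }
        GetObjectRequest getObject = GetObjectRequest.builder()
                .bucket(BUCKET)
                .key(objectKey(ownerId, fileName))
                .build();
        GetObjectPresignRequest presignRequest = GetObjectPresignRequest.builder()
                .signatureDuration(URL_LIFETIME)
                .getObjectRequest(getObject)
                .build();
        PresignedGetObjectRequest presigned = presigner.presignGetObject(presignRequest);
        return presigned.url().toExternalForm();
    }

    public static void main(String[] args) {
        // Constructed dummy credentials (the AWS documentation sample pair) so the demo runs offline;
        // in production omit credentialsProvider() and let the default provider chain supply them.
        S3Presigner presigner = S3Presigner.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(StaticCredentialsProvider.create(
                        AwsBasicCredentials.create("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")))
                .build();
        PictureAccess access = new PictureAccess(presigner);

        // bob is listed as alice's friend: a URL is issued, ready to embed in an <img> tag.
        System.out.println(access.urlForViewer("bob", "alice", "beach.jpg"));

        // carol is not alice's friend: the check fails and no URL is ever minted.
        try {
            access.urlForViewer("carol", "alice", "beach.jpg");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        presigner.close();
    }
}
```

The design point is that the friends check and the URL minting live in the same code path, so there is no way to obtain a URL without passing the check; the S3 side needs no per-user permissions at all, and the bucket can stay private with only the application's own credentials able to sign. Because the URL itself is the credential once issued, generate it per page render with a short expiry rather than caching or persisting it.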

