ndb.BlobProperty vs BlobStore:更私密、更安全 [英] ndb.BlobProperty vs BlobStore: which is more private and more secure
问题描述
我一直在阅读有关用于存储和检索图像文件的数据存储与 blobstore 的 stackoverflow.一切都指向 blobstore,除了一个:隐私和安全.
I have been reading all over stackoverflow concerning datastore vs blobstore for storing and retrieving image files. Everything is pointing towards blobstore except one: privacy and security.
在数据存储中,我的用户的照片是私密的:我可以完全控制谁获得 blob.然而,在 blobstore 中,任何知道 url 的人都可以想象访问我的用户照片吗?这是真的吗?
In the datastore, the photos of my users are private: I have full control on who gets a blob. In the blobstore, however, anyone who knows the url can conceivable access my users photos? Is that true?
这是一个应该让我安心的报价,但仍然不清楚.所以任何拥有 blob 密钥的人仍然可以访问照片吗?(来自 存储照片在 Blobstore 中或作为 Datastore 中的 Blob - 哪个更好/更有效/更便宜?)
Here is a quote that is supposed to give me peace of mind, but it's still not clear. So anyone with the blob key can still access the photos? (from Store Photos in Blobstore or as Blobs in Datastore - Which is better/more efficient /cheaper?)
从 Blobstore 中提供值的方式是接受请求到应用程序,然后使用 X-AppEngine-BlobKey 标头响应钥匙.App Engine 拦截传出响应并替换正文使用直接从服务流式传输的 Blobstore 值.因为app逻辑首先设置header,app可以实现它想要的任何访问控制.没有提供的默认 URL值直接从 Blobstore 中取出,无需应用干预.
the way you serve a value out of the Blobstore is to accept a request to the app, then respond with the X-AppEngine-BlobKey header with the key. App Engine intercepts the outgoing response and replaces the body with the Blobstore value streamed directly from the service. Because app logic sets the header in the first place, the app can implement any access control it wants. There is no default URL that serves values directly out of the Blobstore without app intervention.
所有这些都是为了问:对于传输图像,哪个更私密、更安全,以及为什么:数据存储区还是 blob 存储区?或者,嘿,google-cloud-storage(我目前对此一无所知)
All of this is to ask: Which is more private and more secure for trafficking images, and why: datastore or blobstore? Or, hey, google-cloud-storage (which I know nothing about presently)
推荐答案
如果你使用 google.appengine.api.images.get_serving_url 那么是的,返回的 url 是公开的.然而,返回的 url 不能从 blob 的键中猜测,甚至在调用 get_serving_url 之前该 url 也不存在.(或者在调用 delete_serving_url 之后).
If you use google.appengine.api.images.get_serving_url then yes, the url returned is public. However the url returned is not guessable from a blob's key, nor does the url even exist before calling get_serving_url. (Or after calling delete_serving_url).
如果您需要对 blobstore 中的数据进行访问控制您可以编写自己的处理程序并在那里添加访问控制.
If you need access control on top of the data in the blobstore you can write your own handlers and add the access control there.
这篇关于ndb.BlobProperty vs BlobStore:更私密、更安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
