如何将GCP存储桶中的文件标记为“所有人"为只读? [英] How to mark files in a GCP storage bucket as Read Only for "everyone"?

问题描述

我们有一个存储桶，其中以JSON文件的形式存储了敏感数据.为了符合 PCI 的规定，我们必须将这些文件设置为只读.
版本将会在存储桶上启用，因此保留策略不能使用.
我尝试通过只读"访问权限仅将一个帐户保留在存储桶权限中，这(不是真的)部分地达到了目的.但是具有编辑者"或所有者"角色的任何用户都可以编辑文件许可权，然后将其更改回可编辑"并修改文件.
如何限制每个人都不能编辑或修改文件GCP?

We have a storage bucket which has sensitive data stored in it, in the form of JSON files. For a PCI compliance, we have to make these files read only.
Versioning will be enabled on the bucket so Retention policy can not be used.
I tried keeping only one account in the bucket permissions with Read Only access, that (not really) partially serves the purpose. But any user with Editor or Owner role can edit the file permissions and change it back to Editable and modify the file.
How to restrict anyone and everyone to not be able to edit or modify the file GCP?

从技术上讲，使用Google Cloud Platform可以吗?
如果没有，如何尽可能减少对文件的访问?

Is this technically possible with Google Cloud Platform?
If not, how to reduce access to a file as minimum as possible?

编辑
我不确定是否要强制启用版本控制，我将与团队讨论(一旦可用)，并在问题中提及相同的内容.
因此，考虑不会启用版本控制"或完全忽略版本控制的答案，也欢迎.

EDIT
I am not sure if we would compulsorily enable versioning, I will discuss this with the team (once they are available) and mention the same in the question.
So answers which consider "versioning will not be enabled" or ignore versioning completely, are also welcomed.

推荐答案

以下答案假定您将选择禁用版本控制，因为它与保留策略不兼容.

The following answer assumes that you will choose to disable versioning, as it is not compatible with retention policies.

您可能需要GCS的存储桶锁定功能.将保留策略放置在存储桶中可确保存储桶中的所有当前和将来对象都无法删除或覆盖，直到它们达到您在保留策略中定义的有效期限(听起来像您想要的)为止.启用它并验证它可以在工作流程中正常工作后，您可以将其锁定在适当的位置，以不可撤销地撤消在指定保留日期之前删除对象的功能.

You may want GCS's Bucket Lock feature. Placing a retention policy on a bucket ensures that all current and future objects in the bucket cannot be deleted or overwritten until they reach the age you define in the retention policy, which sounds like what you want. Once you have enabled it and verified that it works correctly with your workflow, you can lock the policy in place to irrevocably revoke your ability to remove objects before the specified retention date.

对于现有存储桶来说，这是一个严肃的决定，因此在打开之前，请仔细阅读以下内容: https://cloud.google.com/storage/docs/bucket-lock

This is a serious decision for an existing bucket, so I'd read up on it before turning it on: https://cloud.google.com/storage/docs/bucket-lock

一旦决定启用它，则可以从控制台或使用gsutil来启用它:

Once you've decided to enable it, you can do so from the console or by using gsutil:

gsutil retention set 1y gs://my-bucket-name  # 1y = 1 year

一旦您感到快乐并想使其永久存在:

Once you're happy and want to make it permanent:

gsutil retention lock gs://my-bucket-name

如顶部所述，此功能与另一个对象保留选项不兼容:版本控制.但是，这通常不是问题，因为版本控制的最常见用例是防止意外删除，并且如果您的目标是防止任何可能的删除，则不必进行版本控制.

As mentioned at the top, this feature is incompatible with another object preservation option: versioning. However, this is usually not a problem, as the most common use case of versioning is to prevent accidental deletion, and if your goal is to prevent any possibility of deletion, versioning is unnecessary.

这篇关于如何将GCP存储桶中的文件标记为“所有人"为只读?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！