How do web applications typically interact with Amazon S3?

Views: 153

Question

I'm new to S3 and I'm wondering how real-world web applications typically interact with it, in particular how user access permissions are handled.

Say, for instance, that I have designed a basic project management web application which, amongst other features, permits users to upload project files into a shared space which other project members can access.

So user file upload/read access would be determined by project membership but also by project roles.

Using S3, would one simply create a bucket for the entire application with a single S3 user with all permissions and leave the handling of the user permissions to the application? Or am I missing something? I haven't been able to find many examples of real-world S3 usage online, in particular where access permissions are concerned.

Recommended answer

The typical architecture is to keep the Amazon S3 buckets totally private.

When your application determines that a user is permitted to upload or download a file, it can generate a Presigned URL. This is a time-limited URL that allows an object to be uploaded or downloaded.

When uploading, it is also possible to Create a POST Policy to enforce some restrictions on the upload, such as its length, type and where it is being stored. If the upload meets the requirements, the file will be accepted.

You should maintain a database that identifies all objects that have been uploaded and maps them to the 'owner', permission groups, shares, etc. All of this is application-specific. Later, when a user requests a particular object for download, your app can generate a pre-signed URL that lets the user download the object even though it is a private object.

Always have your application determine permissions for accessing an object. Do not define application users as IAM Users.

If there is a straightforward permission model (e.g. all of one user's files are in one path/folder within an S3 bucket), you can generate temporary credentials using the AWS Security Token Service that grant List and Get permissions on the given path. This can be useful for mobile applications that could then directly call the Amazon S3 API to retrieve objects. However, it is not suitable for a web-based application.
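As an added example (not code from the answer or from AWS), here is the private-bucket pattern the answer describes, in Python using only the standard library: the application's own project/role table decides whether a user may read or write an object, and only then is a SigV4 presigned URL minted. The project table, bucket name, region and credentials are constructed placeholders.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed application database (hypothetical): project -> {user: role}.
# Objects live under "<project>/<filename>" in one fully private bucket.
PROJECTS = {"proj-42": {"alice": "owner", "bob": "member"}}
CAN_READ, CAN_WRITE = {"owner", "member"}, {"owner"}

def app_authorizes(user, key, method):
    """The application, not S3 or IAM, decides: project membership plus role."""
    role = PROJECTS.get(key.split("/", 1)[0], {}).get(user)
    return role in (CAN_READ if method == "GET" else CAN_WRITE)

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign(bucket, key, method, access_key, secret_key, region, now, expires=300):
    """Build a SigV4 query-string presigned URL valid for `expires` seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {  # already in the sorted order the canonical query string requires
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items())
    # Canonical request: method, path, query, canonical headers, signed headers, payload hash.
    canonical = "\n".join([method, "/" + quote(key), query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "s3", "aws4_request"):  # derive the per-day signing key
        k = _hmac(k, part)
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key)}?{query}&X-Amz-Signature={signature}"

def issue_url(user, key, method, now=None):
    """Entry point the web app would call: None unless the app's own check passes."""
    if not app_authorizes(user, key, method):
        return None
    now = now or dt.datetime.now(dt.timezone.utc)
    # Placeholder bucket and credentials; a real app reads these from its own config.
    return presign("example-bucket", key, method, "AKIAEXAMPLE", "SECRETEXAMPLE", "us-east-1", now)
```

The URL expires after 300 seconds, so a leaked link is only useful briefly, and a non-member or a member without write rights never receives one at all.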

