google storage bucket file link publicly accessible even though not public?


Question

I was playing around with a Google bucket. The bucket is not public. The files are also not public.

After I upload the .csv file, I click on it and it shows the file with a long, complicated URL link in the browser in Google Chrome.

Now if I take that link and open it in another browser like IE where no Google account is logged in, I am able to get to the data. Is this a flaw? The Google team says that it is a permissions issue. I tried it by removing all permissions but the file is still accessible. Are you seeing the same issue with your buckets?

Answer

The following assumes the bucket name is xtest and the object name is test.txt.

That long, complicated URL contains a signature that provides permission to access the object.

If the URL looks very complicated and does not look like one of the following, then it probably has a signature as part of the URL.

http://xtest.storage.googleapis.com/test.txt

OR

http://storage.googleapis.com/xtest/test.txt

If the URL does not contain a signature that allows anyone to access the bucket object, then the next step is to figure out what permissions have been applied that allow anonymous access.

Find out what permissions are applied to the bucket and the object.

I prefer to use the CLI gsutil so that I have precise JSON describing all permissions.

There are two methods to grant access to buckets and objects: bucket ACLs and bucket IAM policies.

PART 1 - Bucket ACLs

Get the bucket ACL.

gsutil acl get gs://xtest

This will return a JSON response. If the bucket ACL contains either of the following entries, your bucket is exposed.

[
  {
    "entity": "allUsers",
    "role": "READER"
  },
  {
    "entity": "allAuthenticatedUsers",
    "role": "READER"
  }
]

Remove the public permissions.

The allUsers entity allows anyone the permissions specified by role. The allAuthenticatedUsers entity allows anyone with a Google Account the permissions specified by role.

This command will remove allUsers from the bucket ACL.

gsutil acl ch -d allUsers gs://xtest

This command will remove allAuthenticatedUsers from the bucket ACL.

gsutil acl ch -d allAuthenticatedUsers gs://xtest

When changing ACLs on a bucket or file, it can take about a minute to take effect.

Repeat the process for the object:

gsutil acl get gs://xtest/test.txt

Remove any public ACLs with similar commands:

gsutil acl ch -d allUsers gs://xtest/test.txt

gsutil acl ch -d allAuthenticatedUsers gs://xtest/test.txt

Repeat the verification that the public ACLs have been removed.

gsutil acl get gs://xtest

gsutil acl get gs://xtest/test.txt

PART 2 - Bucket IAM Policies

Get the bucket IAM policy.

gsutil iam get gs://xtest

This will return a JSON response. If the bucket IAM policy contains either of the following entries, your bucket is exposed.

{
  "bindings": [
    {
      "members": [
        "allUsers"
      ],
      "role": "roles/storage.legacyBucketReader"
    },
    {
      "members": [
        "allAuthenticatedUsers"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "etag": "CBM="
}

Remove the public permissions.

The allUsers entity allows anyone the permissions specified by role. The allAuthenticatedUsers entity allows anyone with a Google Account the permissions specified by role.

This command will remove allUsers from the bucket IAM policy.

gsutil iam ch -d allUsers gs://xtest

This command will remove allAuthenticatedUsers from the bucket IAM policy.

gsutil iam ch -d allAuthenticatedUsers gs://xtest

Repeat the process for the object:

gsutil iam get gs://xtest/test.txt

Remove any public object IAM policies with similar commands:

gsutil iam ch -d allUsers gs://xtest/test.txt

gsutil iam ch -d allAuthenticatedUsers gs://xtest/test.txt

Repeat the verification that the public IAM policies have been removed.

gsutil iam get gs://xtest

gsutil iam get gs://xtest/test.txt
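The answer's two-part audit (bucket and object ACLs, then the bucket IAM policy) is easy to automate. The script below is an added example, not from the original answer or from gsutil itself: it takes the JSON that `gsutil acl get` and `gsutil iam get` print, flags any grant to allUsers or allAuthenticatedUsers, and builds the matching `gsutil acl ch -d` / `gsutil iam ch -d` commands from the answer. The bucket name `gs://xtest`, the sample JSON and the `project-owners-123` entity are constructed for the demonstration; `audit_live` is the only part that actually calls gsutil. A signed URL is not visible in either output, so a clean result here does not revoke an already-issued signed link.

```python
import json
import subprocess

# Principals that make a bucket or object reachable without a specific grant.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_acl_entries(acl_json):
    """Return (entity, role) pairs from `gsutil acl get` output that grant access to everyone."""
    return [(e["entity"], e["role"]) for e in json.loads(acl_json)
            if e.get("entity") in PUBLIC_PRINCIPALS]


def public_iam_bindings(policy_json):
    """Return (member, role) pairs from `gsutil iam get` output bound to a public principal."""
    found = []
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, binding["role"]))
    return found


def remediation_commands(target, acl_hits, iam_hits):
    """Build the `gsutil ... ch -d` commands from the answer that drop each public grant on target."""
    cmds = ["gsutil acl ch -d %s %s" % (entity, target) for entity, _ in acl_hits]
    cmds += ["gsutil iam ch -d %s %s" % (member, target) for member, _ in iam_hits]
    return sorted(set(cmds))


def audit_live(target):
    """Run the real gsutil commands against target (needs gsutil on PATH and credentials)."""
    acl = subprocess.run(["gsutil", "acl", "get", target],
                         capture_output=True, text=True, check=True).stdout
    iam = subprocess.run(["gsutil", "iam", "get", target],
                         capture_output=True, text=True, check=True).stdout
    return public_acl_entries(acl), public_iam_bindings(iam)


# Constructed sample output, shaped like the JSON shown in the answer.
SAMPLE_ACL = ('[{"entity": "allUsers", "role": "READER"},'
              ' {"entity": "project-owners-123", "role": "OWNER"}]')
SAMPLE_IAM = ('{"bindings": [{"members": ["allAuthenticatedUsers"],'
              ' "role": "roles/storage.objectViewer"}], "etag": "CBM="}')

if __name__ == "__main__":
    acl_hits = public_acl_entries(SAMPLE_ACL)
    iam_hits = public_iam_bindings(SAMPLE_IAM)
    for cmd in remediation_commands("gs://xtest", acl_hits, iam_hits):
        print(cmd)
```

Re-run the audit about a minute after applying the commands, since the answer notes that ACL changes take that long to become visible.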
