Google storage bucket file link publicly accessible even though not public?
Question
I was playing around with Google buckets. The bucket is not public. The files are also not public.
After I upload the .csv file, I click on it and it shows the file with a long, complicated URL link in the browser (Google Chrome).
Now if I take that link and open it in another browser like IE, where no Google account is logged in, I am able to get to the data. Is this a flaw? The Google team says that it is a permissions issue. I tried it by removing all permissions, but the file is still accessible. Are you seeing the same issue with your buckets?
Answer
The following assumes the bucket name is xtest and the object name is test.txt.
That long, complicated URL contains a signature that provides permission to access the object.
If the URL looks very complicated and does not look like one of these, then it probably has a signature as part of the URL:
http://xtest.storage.googleapis.com/test.txt
OR
http://storage.googleapis.com/xtest/test.txt
If the URL does not contain a signature that allows anyone to access the bucket object, then the next step is to figure out what permissions have been applied that allow anonymous access.
Find out what permissions are applied to the bucket and the object.
I prefer to use the CLI gsutil so that I have precise JSON describing all permissions.
There are two methods to grant access to buckets and objects: bucket ACLs and bucket IAM policies.
PART 1 - Bucket ACLs
Get the bucket ACL:
gsutil acl get gs://xtest
This will return a JSON response. If the bucket ACL contains either of the following entries, your bucket is exposed.
[
  {
    "entity": "allUsers",
    "role": "READER"
  },
  {
    "entity": "allAuthenticatedUsers",
    "role": "READER"
  }
]
Remove the public permissions.
The allUsers entity allows anyone the permissions specified by role.
The allAuthenticatedUsers entity allows anyone with a Google Account the permissions specified by role.
This command will remove allUsers from the bucket ACL:
gsutil acl ch -d allUsers gs://xtest
This command will remove allAuthenticatedUsers from the bucket ACL:
gsutil acl ch -d allAuthenticatedUsers gs://xtest
When changing ACLs on a bucket or file, it can take about a minute to take effect.
Repeat the process for the object:
gsutil acl get gs://xtest/test.txt
Use similar commands to remove any public ACLs:
gsutil acl ch -d allUsers gs://xtest/test.txt
gsutil acl ch -d allAuthenticatedUsers gs://xtest/test.txt
Verify again that the public ACLs have been removed:
gsutil acl get gs://xtest
gsutil acl get gs://xtest/test.txt
PART 2 - Bucket IAM Policies
Get the bucket IAM policy:
gsutil iam get gs://xtest
This will return a JSON response. If the bucket IAM policy contains either of the following entries, your bucket is exposed.
{
  "bindings": [
    {
      "members": [
        "allUsers"
      ],
      "role": "roles/storage.legacyBucketReader"
    },
    {
      "members": [
        "allAuthenticatedUsers"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "etag": "CBM="
}
Remove the public permissions.
The allUsers entity allows anyone the permissions specified by role. The allAuthenticatedUsers entity allows anyone with a Google Account the permissions specified by role.
This command will remove allUsers from the bucket IAM policy:
gsutil iam ch -d allUsers gs://xtest
This command will remove allAuthenticatedUsers from the bucket IAM policy:
gsutil iam ch -d allAuthenticatedUsers gs://xtest
Repeat the process for the object:
gsutil iam get gs://xtest/test.txt
Use similar commands to remove any public object IAM policies:
gsutil iam ch -d allUsers gs://xtest/test.txt
gsutil iam ch -d allAuthenticatedUsers gs://xtest/test.txt
Verify again that the public IAM policies have been removed:
gsutil iam get gs://xtest
gsutil iam get gs://xtest/test.txt
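The answer above describes two separate checks: first decide whether the "long complicated" link is a signed URL, and then inspect the ACL and IAM JSON that gsutil prints for the allUsers / allAuthenticatedUsers principals. The following is an added example (not code from the original answer or from Google) that automates both checks over the JSON that `gsutil acl get` and `gsutil iam get` output, and builds the matching `gsutil ... ch -d` remediation commands from the answer. The sample ACL and policy documents are constructed here to mirror the answer's examples; the function names are my own, and the query-parameter names used to recognise a signed URL are assumed to be those of GCS V2 (GoogleAccessId, Expires, Signature) and V4 (X-Goog-*) signed URLs.

```python
"""Audit helpers for the bucket/object exposure checks in the answer above.

Added example, not part of the original answer. It parses the JSON printed by
`gsutil acl get` and `gsutil iam get` and flags the public principals the
answer calls out. Sample inputs are constructed to match the answer's examples.
"""
from __future__ import annotations

import json
import subprocess
from urllib.parse import parse_qs, urlparse

# Principals the answer treats as "exposed": anyone, or anyone with a Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Query parameters that only appear on GCS signed URLs (assumed: V2 and V4 parameter names).
# If any is present, the link carries its own authorisation and the bucket may still be private.
SIGNED_URL_PARAMS = {
    "GoogleAccessId", "Expires", "Signature",          # V2 signed URLs
    "X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Signature",  # V4 signed URLs
}

# Constructed sample: bucket ACL as the answer shows it, plus the usual owner entry.
SAMPLE_ACL = json.dumps([
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
    {"entity": "allAuthenticatedUsers", "role": "READER"},
])

# Constructed sample: bucket IAM policy as the answer shows it.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": ["allUsers"], "role": "roles/storage.legacyBucketReader"},
        {"members": ["allAuthenticatedUsers"], "role": "roles/storage.objectViewer"},
    ],
    "etag": "CBM=",
})


def looks_signed(url: str) -> bool:
    """True if the URL carries signed-URL query parameters (step 1 of the answer)."""
    params = parse_qs(urlparse(url).query)
    return any(name in params for name in SIGNED_URL_PARAMS)


def public_acl_entries(acl_json: str) -> list[dict]:
    """ACL entries (from `gsutil acl get`) that grant a role to a public principal."""
    return [entry for entry in json.loads(acl_json) if entry.get("entity") in PUBLIC_PRINCIPALS]


def public_iam_bindings(policy_json: str) -> list[tuple[str, str]]:
    """(member, role) pairs in an IAM policy (from `gsutil iam get`) that bind a public principal."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, binding["role"]))
    return found


def remediation_commands(target: str, acl_json: str, policy_json: str) -> list[str]:
    """The `gsutil ... ch -d` commands from the answer, one per public grant found.

    `target` is a gs:// bucket or object path. `iam ch -d MEMBER` drops every role
    bound to that member, so each member is emitted once even if bound to several roles.
    """
    cmds = [f"gsutil acl ch -d {e['entity']} {target}" for e in public_acl_entries(acl_json)]
    seen = set()
    for member, _role in public_iam_bindings(policy_json):
        if member not in seen:
            seen.add(member)
            cmds.append(f"gsutil iam ch -d {member} {target}")
    return cmds


def audit_live(target: str) -> list[str]:
    """Run the real gsutil commands against `target` and return remediation commands.

    Not executed here; requires gsutil installed and authenticated.
    """
    acl = subprocess.run(["gsutil", "acl", "get", target], capture_output=True, text=True, check=True).stdout
    policy = subprocess.run(["gsutil", "iam", "get", target], capture_output=True, text=True, check=True).stdout
    return remediation_commands(target, acl, policy)


if __name__ == "__main__":
    print("signed:", looks_signed("https://storage.googleapis.com/xtest/test.txt?GoogleAccessId=x&Expires=1&Signature=abc"))
    for cmd in remediation_commands("gs://xtest", SAMPLE_ACL, SAMPLE_POLICY):
        print(cmd)
```

Run it against the sample documents to see the four removal commands the answer walks through; `audit_live("gs://xtest")` performs the same analysis on a real bucket or object, after which the "verify again" step is simply re-running the audit and confirming it returns an empty list.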