google storage bucket file link publicly accessible even though not public?


Problem description


I was playing around with a Google bucket. The bucket is not public. The files are also not public.

After I upload the .csv file, I click on it and it shows the file with a loooong complicated URL link in the browser in Google Chrome.

Now if I take that link and open it in another browser like IE where no Google account is logged in, I am able to get to the data. Is this a flaw? The Google team says that it is a permissions issue. I tried it by removing all permissions but the file is still accessible. Are you seeing the same issue with your buckets?

Solution

The following assumes the bucket name is xtest and the object name is test.txt.

That long complicated URL contains a signature that provides permissions to access the object.

If the URL looks very complicated and does not look like this, then it probably has a signature as part of the URL.

http://xtest.storage.googleapis.com/test.txt

OR

http://storage.googleapis.com/xtest/test.txt

If the URL does not contain a signature that allows anyone to access the bucket object, then the next steps are to figure out what permissions have been applied that allow anonymous access.

Figure out what permissions are applied to the bucket and object.

I prefer to use the CLI gsutil so that I have precise JSON describing all permissions.

There are two methods to grant access to buckets and objects. Bucket ACLs and Bucket IAM Policies.

PART 1 - Bucket ACLs

Get the Bucket ACL.

gsutil acl get gs://xtest

This will return a JSON response. If the bucket acl contains either of the following entries, your bucket is exposed.

[
  {
    "entity": "allUsers",
    "role": "READER"
  },
  {
    "entity": "allAuthenticatedUsers",
    "role": "READER"
  }
]

Remove public permissions.

The allUsers entity allows anyone the permissions specified by role. The allAuthenticatedUsers entity allows anyone with a Google Account the permissions specified by role.

This command will remove allUsers from the bucket ACL.

gsutil acl ch -d allUsers gs://xtest

This command will remove allAuthenticatedUsers from the bucket ACL.

gsutil acl ch -d allAuthenticatedUsers gs://xtest

When changing ACLs on a bucket or file, it can take about a minute to take effect.

Repeat the process for the object:

gsutil acl get gs://xtest/test.txt

Using similar commands to remove any public ACLs:

gsutil acl ch -d allUsers gs://xtest/test.txt

gsutil acl ch -d allAuthenticatedUsers gs://xtest/test.txt

Repeat verifying that public ACLs have been removed.

gsutil acl get gs://xtest

gsutil acl get gs://xtest/test.txt

Part 2 - Bucket IAM Policies

Get the Bucket IAM Policy.

gsutil iam get gs://xtest

This will return a JSON response. If the bucket IAM policy contains either of the following entries, your bucket is exposed.

{
  "bindings": [
    {
      "members": [
        "allUsers"
      ],
      "role": "roles/storage.legacyBucketReader"
    },
    {
      "members": [
        "allAuthenticatedUsers"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "etag": "CBM="
}

Remove public permissions.

The allUsers entity allows anyone the permissions specified by role. The allAuthenticatedUsers entity allows anyone with a Google Account the permissions specified by role.

This command will remove allUsers from the bucket IAM policy.

gsutil iam ch -d allUsers gs://xtest

This command will remove allAuthenticatedUsers from the bucket IAM policy.

gsutil iam ch -d allAuthenticatedUsers gs://xtest

Repeat the process for the object:

gsutil iam get gs://xtest/test.txt

Using similar commands to remove any public object IAM policies:

gsutil iam ch -d allUsers gs://xtest/test.txt

gsutil iam ch -d allAuthenticatedUsers gs://xtest/test.txt

Repeat verifying that public IAM policies have been removed.

gsutil iam get gs://xtest

gsutil iam get gs://xtest/test.txt
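As an added example (not code from the original answer), here is a small Python audit script that applies the two checks above to constructed sample data: it reports whether a link carries signed-URL query parameters (the V2 `Signature`/`GoogleAccessId` and V4 `X-Goog-*` parameter names are the standard GCS ones, assumed here rather than taken from the answer), and it scans `gsutil acl get` / `gsutil iam get` JSON for the allUsers and allAuthenticatedUsers principals.

```python
import json
from urllib.parse import urlparse, parse_qs

# Principals that make an ACL entry or IAM binding public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Query parameters that mark a GCS signed URL (V2 and V4 signing schemes);
# assumed standard names, not taken from the answer above.
SIGNATURE_PARAMS = {"Signature", "GoogleAccessId",
                    "X-Goog-Signature", "X-Goog-Credential"}


def url_is_signed(url):
    """True if the URL carries signed-URL query parameters (access comes from the signature)."""
    query = parse_qs(urlparse(url).query)
    return any(p in query for p in SIGNATURE_PARAMS)


def public_acl_entries(acl_json):
    """Return (entity, role) pairs from `gsutil acl get` output that grant public access."""
    acl = json.loads(acl_json)
    return [(e["entity"], e["role"]) for e in acl if e.get("entity") in PUBLIC_PRINCIPALS]


def public_iam_bindings(policy_json):
    """Return (member, role) pairs from `gsutil iam get` output that grant public access."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, binding["role"]))
    return found


# Constructed sample inputs (not real bucket output).
SAMPLE_ACL = """[
  {"entity": "project-owners-123456", "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
]"""
SAMPLE_IAM = """{"bindings": [
  {"members": ["user:alice@example.com"], "role": "roles/storage.admin"},
  {"members": ["allAuthenticatedUsers"], "role": "roles/storage.objectViewer"}
], "etag": "CBM="}"""

if __name__ == "__main__":
    print(url_is_signed("https://storage.googleapis.com/xtest/test.txt?X-Goog-Signature=abc"))
    print(public_acl_entries(SAMPLE_ACL))
    print(public_iam_bindings(SAMPLE_IAM))
```

Run the ACL and IAM checks on the real output of both commands for the bucket and the object; an empty list from both is the "public permissions removed" state the answer asks you to verify.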
