如何使用SAS限制azure blob容器创建 [英] How to restrict azure blob container creation using SAS
问题描述
如何设置不创建容器的权限,同时生成帐户SAS令牌?这是我的设置。
How to set permission to not create container, while generating Account SAS token? Here is my settings.
// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write,
Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.Table,
ResourceTypes = SharedAccessAccountResourceTypes.Service | SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(2),
Protocols = SharedAccessProtocol.HttpsOrHttp
};
推荐答案
更新答案:
由于您有多个容器,帐户SAS是一个不错的选择。
Given that you have multiple containers, the account SAS is a good option. You'll need one for the admin and one for the user.
以下是如何创建管理员SAS的示例:
Here's an example of how to create the admin SAS:
// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
// SAS for Blob service only.
Services = SharedAccessAccountServices.Blob,
// Admin has read, write, list, and delete permissions on all containers.
// In order to write blobs, Object resource type must also be specified.
ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
Permissions = SharedAccessAccountPermissions.Read |
SharedAccessAccountPermissions.Write |
SharedAccessAccountPermissions.Create |
SharedAccessAccountPermissions.List |
SharedAccessAccountPermissions.Delete,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Protocols = SharedAccessProtocol.HttpsOnly
};
下面是如何创建用户SAS的示例:
And here's an example of how to create the user SAS:
// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
// SAS for Blob service only.
Services = SharedAccessAccountServices.Blob,
// User has create, read, write, and delete permissions on blobs.
ResourceTypes = SharedAccessAccountResourceTypes.Object,
Permissions = SharedAccessAccountPermissions.Read |
SharedAccessAccountPermissions.Write |
SharedAccessAccountPermissions.Create |
SharedAccessAccountPermissions.Delete,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Protocols = SharedAccessProtocol.HttpsOnly
};
原始答案:
使用帐户SAS作为管理SAS,但您应该能够在用户SAS的容器上使用服务SAS,除非您需要一个帐户SAS,我不能从您的问题中了解。这可能是更好的使用服务SAS,当你可以使用你可以使用最不复杂的权限。此外,您可以使用存储的访问策略与服务SAS,我们建议作为最佳做法,以便它可以很容易撤销SAS,如果它被破坏。
You definitely need to use an account SAS for the admin SAS, but you should be able to use a service SAS on the container for the user SAS, unless you have a need for an account SAS that I am not understanding from your question. It's probably better to use the service SAS when you can so that you can use the least complicated permissions. Also, you can use a stored access policy with the service SAS, which we recommend as a best practice so that it's easy to revoke the SAS if it were ever compromised.
使用服务SAS,您不需要限制容器创建的权限,因为服务SAS不允许您首先创建容器。
With the service SAS, you don't need a permission to restrict container creation, because the service SAS doesn't allow you to create a container in the first place.
下面是在容器上创建服务SAS的代码,包括存储的访问策略:
Here's code to create the service SAS on the container, including the stored access policy:
// Create the storage account with the connection string.
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(CloudConfigurationManager.GetSetting("StorageConnectionString"));
// Create the blob client object.
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
// Get a reference to the container for which shared access signature will be created.
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();
// Create blob container permissions, consisting of a shared access policy
// and a public access setting.
BlobContainerPermissions containerPermissions = container.GetPermissions();
// Clear the container's shared access policies to avoid naming conflicts if you run this method more than once.
//blobPermissions.SharedAccessPolicies.Clear();
// The shared access policy provides
// read/write access to the container for 24 hours.
containerPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessBlobPolicy()
{
// To ensure SAS is valid immediately, don’t set start time.
// This way, you can avoid failures caused by small clock differences.
// Note that the Create permission allows the user to create a new blob, as does Write.
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Permissions = SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.Delete
});
// The public access setting explicitly specifies that
// the container is private, so that it can't be accessed anonymously.
containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;
// Set the permission policy on the container.
container.SetPermissions(containerPermissions);
// Get the shared access signature to share with users.
string sasToken =
container.GetSharedAccessSignature(null, "mypolicy");
Take a look at the examples shown here: https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/#examples-create-and-use-shared-access-signatures.
另请参阅 https:/ /msdn.microsoft.com/en-us/library/azure/dn140255.aspx 和 https://msdn.microsoft.com/en-us/library/azure/mt584140.aspx 。
让我们知道如果您有任何其他问题。
Let us know if you have any other questions.
这篇关于如何使用SAS限制azure blob容器创建的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!