ndb.BlobProperty与BlobStore:更私密,更安全 [英] ndb.BlobProperty vs BlobStore: which is more private and more secure
问题描述
我一直在阅读关于数据存储和blobstore的关于存储和检索图像文件的所有内容。一切都指向blobstore,除了一个:隐私和安全。
在数据存储中,我的用户照片是私人的:我完全控制谁获得blob。然而,在blobstore中,任何知道url的人都可以想象到访问我的用户照片?这是真的吗?
这是一段让我放心的引语,但仍然不清楚。那么任何拥有blob密钥的人都可以访问这些照片? (来自商店照片在Blobstore或数据存储区中的Blob - 哪个更好/更高效/更便宜?)
您为某个值服务的方式在Blobstore之外是接受一个请求
到应用程序,然后用
键与X-AppEngine-BlobKey标题进行响应。 App Engine拦截传出的响应,并将主体
替换为直接从服务传输的Blobstore值。由于
应用程序逻辑首先设置标题,应用程序可以实现
任何它想要的访问控制。没有默认网址直接在Blobstore中为
值提供服务,无需应用干预。
所有这些都是为了:针对广告投放管理图片更私密且更安全,以及为什么:datastore或blobstore?或者,嘿,google-cloud-storage(我现在一无所知)
解决方案如果使用google.appengine.api .images.get_serving_url then yes,返回的网址是公共。然而,在调用get_serving_url之前,返回的url不能从blob的键中猜出,也不存在url。 (或者在调用delete_serving_url之后)。
如果您需要对blobstore 您可以编写自己的处理程序并在其中添加访问控制。
I have been reading all over stackoverflow concerning datastore vs blobstore for storing and retrieving image files. Everything is pointing towards blobstore except one: privacy and security.
In the datastore, the photos of my users are private: I have full control on who gets a blob. In the blobstore, however, anyone who knows the url can conceivable access my users photos? Is that true?
Here is a quote that is supposed to give me peace of mind, but it's still not clear. So anyone with the blob key can still access the photos? (from Store Photos in Blobstore or as Blobs in Datastore - Which is better/more efficient /cheaper?)
the way you serve a value out of the Blobstore is to accept a request to the app, then respond with the X-AppEngine-BlobKey header with the key. App Engine intercepts the outgoing response and replaces the body with the Blobstore value streamed directly from the service. Because app logic sets the header in the first place, the app can implement any access control it wants. There is no default URL that serves values directly out of the Blobstore without app intervention.
All of this is to ask: Which is more private and more secure for trafficking images, and why: datastore or blobstore? Or, hey, google-cloud-storage (which I know nothing about presently)
If you use google.appengine.api.images.get_serving_url then yes, the url returned is public. However the url returned is not guessable from a blob's key, nor does the url even exist before calling get_serving_url. (Or after calling delete_serving_url).
If you need access control on top of the data in the blobstore you can write your own handlers and add the access control there.
这篇关于ndb.BlobProperty与BlobStore:更私密,更安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
