azure - 如何使用 SAS 限制 azure blob 容器创建

Question

如何设置权限以在生成帐户 SAS token 时不创建容器？这是我的设置。

    // Create a new access policy for the account.
    SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
    {
        Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write,
        Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.Table,
        ResourceTypes = SharedAccessAccountResourceTypes.Service | SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(2),
        Protocols = SharedAccessProtocol.HttpsOrHttp
    };

Answer 1

更新的答案:

鉴于您有多个容器，帐户 SAS 是一个不错的选择。您需要一个用于管理员，一个用于用户。

以下是如何创建管理 SAS 的示例:

// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
    // SAS for Blob service only.
    Services = SharedAccessAccountServices.Blob,

    // Admin has read, write, list, and delete permissions on all containers.
    // In order to write blobs, Object resource type must also be specified.
    ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,

    Permissions = SharedAccessAccountPermissions.Read | 
        SharedAccessAccountPermissions.Write |
        SharedAccessAccountPermissions.Create | 
        SharedAccessAccountPermissions.List | 
        SharedAccessAccountPermissions.Delete,
    SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
    Protocols = SharedAccessProtocol.HttpsOnly
};

以下是如何创建用户 SAS 的示例:

// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
    // SAS for Blob service only.
    Services = SharedAccessAccountServices.Blob,

    // User has create, read, write, and delete permissions on blobs.
    ResourceTypes = SharedAccessAccountResourceTypes.Object,

    Permissions = SharedAccessAccountPermissions.Read |
        SharedAccessAccountPermissions.Write |
        SharedAccessAccountPermissions.Create |
        SharedAccessAccountPermissions.Delete,
    SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
    Protocols = SharedAccessProtocol.HttpsOnly
};

原答案:

您肯定需要为管理 SAS 使用帐户 SAS，但您应该能够在容器上为用户 SAS 使用服务 SAS，除非您需要一个我无法从您的信息中了解的帐户 SAS问题。如果可以的话，最好使用 SAS 服务，这样您就可以使用最简单的权限。此外，您还可以将存储访问策略与服务 SAS 结合使用，我们建议将其作为最佳实践，以便在 SAS 受到威胁时可以轻松撤销该策略。

使用服务 SAS，您不需要限制容器创建的权限，因为服务 SAS 不允许您首先创建容器。

以下是在容器上创建服务 SAS 的代码，包括存储的访问策略:

        // Create the storage account with the connection string.
        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(CloudConfigurationManager.GetSetting("StorageConnectionString"));

        // Create the blob client object.
        CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

        // Get a reference to the container for which shared access signature will be created.
        CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
        container.CreateIfNotExists();

        // Create blob container permissions, consisting of a shared access policy 
        // and a public access setting. 
        BlobContainerPermissions containerPermissions = container.GetPermissions();

        // Clear the container's shared access policies to avoid naming conflicts if you run this method more than once.
        //blobPermissions.SharedAccessPolicies.Clear();

        // The shared access policy provides 
        // read/write access to the container for 24 hours.
        containerPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessBlobPolicy()
        {
            // To ensure SAS is valid immediately, don’t set start time.
            // This way, you can avoid failures caused by small clock differences.
            // Note that the Create permission allows the user to create a new blob, as does Write.
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Permissions = SharedAccessBlobPermissions.Write |
               SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.Delete
        });

        // The public access setting explicitly specifies that 
        // the container is private, so that it can't be accessed anonymously.
        containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;

        // Set the permission policy on the container.
        container.SetPermissions(containerPermissions);

        // Get the shared access signature to share with users.
        string sasToken =
           container.GetSharedAccessSignature(null, "mypolicy");

看一下此处显示的示例:https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/#examples-create-and-use-shared-access-signatures .

另请参阅https://msdn.microsoft.com/en-us/library/azure/dn140255.aspx和 https://msdn.microsoft.com/en-us/library/azure/mt584140.aspx .

如果您有任何其他问题，请告诉我们。