堆栈内存溢出
  简体   繁体   English

我如何只为用户列出可访问的 S3 存储桶对象,而不是明确要求某些“前缀”?

[英]How do i list only accessible S3 bucket objects for a user, instead of explicitly asking for certain 'prefix'?

 原文  2017-10-05 07:24:42       amazon-web-services/ amazon-s3/ amazon-policy/ aws-resource-group

问题描述

This is how we make, S3 Bucket object listing request.这就是我们提出 S3 Bucket 对象列表请求的方式。

final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName)

Suppose we have attached the inline policy to the user, who is requesting the resource,假设我们已将内联策略附加到请求资源的用户,

{
         "Sid": "AllowRootAndHomeListingOfBucket",
         "Action": [
             "s3:ListBucket"
         ],
         "Effect": "Allow",
         "Resource": [
             "arn:aws:s3:::XXXX.XXXX",
             "arn:aws:s3:::XXXX.XXXXX/php_serialize.rb"
         ]
     },
     {
         "Sid": "AllowAllS3ActionsInUserFolder",
         "Effect": "Allow",
         "Action": [
             "s3:*"
         ],
         "Resource": [
             "arn:aws:s3:::XXXX.XXXX/php_serialize.rb"
         ]
     }

Effect of this policy is that, it lets the user to list all the root level objects including the resource to which user is given the permission.该策略的作用在于,它允许用户列出所有根级对象,包括授予用户权限的资源。

do {               
           result = s3client.listObjectsV2(req);

     for (S3ObjectSummary objectSummary : result.getObjectSummaries())      {

           }
           System.out.println("Next Continuation Token : " + result.getNextContinuationToken());
           req.setContinuationToken(result.getNextContinuationToken());
        } while(result.isTruncated() == true );

Result of this is:这样做的结果是:

text.rb
test/abc
php_serialize.rb
xyx/test.txt

I just want the php_serialize.rb , to get listed.我只想列出php_serialize.rb If the requesting user doesn't know about the prefix, to which he is given the permissions.如果请求用户不知道前缀,他将被授予权限。

Following Request, will not work in this case.遵循请求,在这种情况下将不起作用。

 final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName).withPrefix("php_serialize.rb");

1 个解决方案

解决方案1
 0 已采纳  2017-10-05 22:27:29

It isn't possible to ask S3 for a list of objects a specific user would be able to access.无法向 S3 询问特定用户能够访问的对象列表。

That would require evaluating all of the user's permissions against (potentially) every single object in the bucket, which would be computationally intensive at best and impossible at worst, depending on the specific policy constraints in effect against that user and properties that could be specific to the request that the user makes.这将需要针对(可能)存储桶中的每个对象评估所有用户的权限,这在最好的情况下是计算密集型的,在最坏的情况下是不可能的,具体取决于对该用户有效的特定策略约束和可能特定于的属性用户提出的请求。

The service does not support such a query.该服务不支持此类查询。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我的S3存储桶中的项目可公开访问。 如何限制访问权限,以便只能从我的应用程序内访问S3存储桶链接? - Items in my S3 bucket are publicly accessible. How do I restrict access so that the S3 Bucket link is only accessible from within my app? LIST的S3性能,前缀为单个桶中的数百万个对象 - S3 performance for LIST by prefix with millions of objects in a single bucket 如何在S3中以前缀列出所有对象 - How could I list all objects under a prefix in S3 如何只允许经过身份验证的用户(使用Cognito)访问他们自己的S3存储桶/密钥? - How do I only allow authenticated user (using cognito) access to their own S3 bucket/key specifically? s3 存储桶仅对某些对象进行公共访问 - s3 bucket public access to only certain objects 限制用户仅列出存储桶中的某些文件夹的 AWS S3 策略 - AWS S3 Policy to Restrict User to List Only Certain Folders in a Bucket 如何遍历 S3 存储桶以将某些文件夹列表从 S3 存储桶复制到本地服务器 - How to loop through an S3 bucket to copy certain list of folders from S3 bucket to local server AWS S3 Listing API-如何列出具有特定前缀的S3存储桶中的所有内容 - AWS S3 Listing API - How to list everything inside S3 Bucket with specific prefix 如何列出S3存储桶中具有特定标签的文件? - How to list files which has certain tag in S3 bucket? 只有1个IAM用户可以访问S3存储桶时,是否需要启用“公共访问”? - Do I need to enable Public Access when only 1 IAM user can access S3 Bucket?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM