[英]How do i list only accessible S3 bucket objects for a user, instead of explicitly asking for certain 'prefix'?
This is how we make, S3 Bucket object listing request.这就是我们提出 S3 Bucket 对象列表请求的方式。
final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName)
Suppose we have attached the inline policy to the user, who is requesting the resource,假设我们已将内联策略附加到请求资源的用户,
{
"Sid": "AllowRootAndHomeListingOfBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::XXXX.XXXX",
"arn:aws:s3:::XXXX.XXXXX/php_serialize.rb"
]
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::XXXX.XXXX/php_serialize.rb"
]
}
Effect of this policy is that, it lets the user to list all the root level objects including the resource to which user is given the permission.该策略的作用在于,它允许用户列出所有根级对象,包括授予用户权限的资源。
do {
result = s3client.listObjectsV2(req);
for (S3ObjectSummary objectSummary : result.getObjectSummaries()) {
}
System.out.println("Next Continuation Token : " + result.getNextContinuationToken());
req.setContinuationToken(result.getNextContinuationToken());
} while(result.isTruncated() == true );
Result of this is:这样做的结果是:
text.rb
test/abc
php_serialize.rb
xyx/test.txt
I just want the php_serialize.rb
, to get listed.我只想列出
php_serialize.rb
。 If the requesting user doesn't know about the prefix, to which he is given the permissions.如果请求用户不知道前缀,他将被授予权限。
Following Request, will not work in this case.遵循请求,在这种情况下将不起作用。
final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName).withPrefix("php_serialize.rb");
It isn't possible to ask S3 for a list of objects a specific user would be able to access.无法向 S3 询问特定用户能够访问的对象列表。
That would require evaluating all of the user's permissions against (potentially) every single object in the bucket, which would be computationally intensive at best and impossible at worst, depending on the specific policy constraints in effect against that user and properties that could be specific to the request that the user makes.这将需要针对(可能)存储桶中的每个对象评估所有用户的权限,这在最好的情况下是计算密集型的,在最坏的情况下是不可能的,具体取决于对该用户有效的特定策略约束和可能特定于的属性用户提出的请求。
The service does not support such a query.该服务不支持此类查询。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.