
Azure Blob Storage file level security

I have an Azure Blob Storage with blobs that are PDFs categorized by client number. So for each client, they have multiple PDF reports. I only want the client to be able to access the blobs for their client number. (There are hundreds of clients.)

I've researched, but I only see shared access signatures, and this doesn't look like what I need.

It sounds like you already have the users authenticate, and you know which PDFs belong to them. My suggestion is to add to your current application a simple proxy (for instance, if you have an MVC application, you could add a new controller and action method that will retrieve the PDFs on behalf of the user).

This way you don't need to use a shared access signature and can keep the blob container private. Your controller/action method would simply use the storage SDK to retrieve the blob. An added bonus is that you could check to make sure that they are requesting their own PDF file and reject the request if they guess the ID of someone else's file.

There are no user-level blob permissions, other than Shared Access Signatures (and Policies).

It's going to be up to you to manage access to specific user content (and how you manage that is really up to you and your app, and how you manage a user's content metadata).

When providing a link to a user's content: if you assume all content is always private, then simply create an on-demand SAS link when requested. There's no way for the user to modify a SAS link to guess sequential numbers or neighboring blobs, since the SAS is for a specific URL.

As Andrés suggested, you could also use your app to stream blob content and never worry about SAS. However, you will now be consuming resources of your web app (network, CPU, memory), and this will have an impact on your app's scale requirements. You will no longer be able to offload this to the storage service.
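The two answers above describe one ownership check with two delivery options: stream the blob through the app (first answer) or hand out a short-lived SAS for that one blob (second answer). The controller below is an added example, not code from either answer, and assumes ASP.NET Core MVC with the Azure.Storage.Blobs v12 SDK, a `BlobServiceClient` registered in DI that was built with a `StorageSharedKeyCredential` (required for `GenerateSasUri`), a `client_number` claim placed on the user at login, a hypothetical container named `client-reports`, and blob names laid out as `<clientNumber>/<report>.pdf`.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize] // unauthenticated callers never reach the storage calls
public class ReportsController : Controller
{
    private readonly BlobContainerClient _container; // container stays private (no anonymous read)

    public ReportsController(BlobServiceClient service)
    {
        _container = service.GetBlobContainerClient("client-reports"); // hypothetical container name
    }

    // Ownership check: a caller may only touch blobs under its own client prefix.
    // The client number comes from the authenticated identity, never from the request.
    public static bool IsOwnedBy(string clientNumber, string blobName)
    {
        if (string.IsNullOrEmpty(clientNumber) || string.IsNullOrEmpty(blobName)) return false;
        if (blobName.Contains('\\') || blobName.Contains("//")) return false; // odd delimiters
        string[] parts = blobName.Split('/');
        if (parts.Length != 2) return false;                                 // exactly prefix/file
        if (!string.Equals(parts[0], clientNumber, StringComparison.Ordinal)) return false;
        if (parts[1] == "." || parts[1] == "..") return false;
        return parts[1].EndsWith(".pdf", StringComparison.OrdinalIgnoreCase);
    }

    private string CurrentClientNumber() => User.FindFirst("client_number")?.Value;

    // Option 1: proxy the bytes through the app; the container needs no SAS or public access,
    // but the app pays the network/CPU/memory cost for every download.
    [HttpGet("reports/download/{*blobName}")]
    public async Task<IActionResult> Download(string blobName)
    {
        if (!IsOwnedBy(CurrentClientNumber(), blobName)) return NotFound(); // same answer as "no such file"
        BlobClient blob = _container.GetBlobClient(blobName);
        if (!await blob.ExistsAsync()) return NotFound();
        return File(await blob.OpenReadAsync(), "application/pdf");
    }

    // Option 2: on-demand, read-only SAS for this one blob; the storage service serves the bytes.
    // The signature is bound to this URL, so it cannot be edited to reach a neighbouring blob.
    [HttpGet("reports/link/{*blobName}")]
    public IActionResult Link(string blobName)
    {
        if (!IsOwnedBy(CurrentClientNumber(), blobName)) return NotFound();
        BlobClient blob = _container.GetBlobClient(blobName);
        Uri sasUri = blob.GenerateSasUri(BlobSasPermissions.Read, DateTimeOffset.UtcNow.AddMinutes(5));
        return Redirect(sasUri.ToString());
    }
}
```

Both routes return 404 rather than 403 for a blob outside the caller's prefix, so a client cannot use the status code to confirm that another client's file name exists.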
