[英]Amazon Web Service (AWS) Private Storage For Authenticated Users
My Project Flow:我的项目流程:
I already made the basis with Firebase ( Authentication
and Storage
).我已经使用 Firebase(
Authentication
和Storage
)打下了基础。 So in Firebase i made this Storage Rules
所以在 Firebase 我制定了这个
Storage Rules
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /assets/{userId}/{assetsId} {
allow read;
}
}
}
Ilustration storage:插图存储:
assets/
|----user01/
| |----user01.jpg
|----user02/
| |----user02.jpg
basically only that user01 can see user01.jpg & only that user02 can access see user02.jpg if he/she login基本上只有那个 user01 可以看到 user01.jpg 并且只有那个 user02 可以访问看到 user02.jpg 如果他/她登录
Problem:问题:
Now, I am currently want try to remake this project on Amazon Web Services (AWS).现在,我目前想尝试在 Amazon Web Services (AWS) 上重新制作这个项目。 I am currently using
AWS Cognito
which in my understanding is equal to Firebase Authentication
& AWS S3 Storage
which in my understanding is equal to Firebase Storage
.我目前正在使用
AWS Cognito
,据我所知,它等同于Firebase Authentication
& AWS S3 Storage
,据我所知,它等同于Firebase Storage
。
I am still confuse how to develop with AWS, but i think i already manage how to get the userId
(or sub
i think in AWS Cognito) if the user login我仍然对如何使用 AWS 进行开发感到困惑,但我认为如果用户登录,我认为我已经管理了如何获取
userId
(或者我认为在 AWS Cognito 中的sub
)
I try to recreate the Firabase Storage Rules
with https://awspolicygen.s3.amazonaws.com/policygen.html for S3 Bucket Policy
but there is no condition like only this userId
(or sub
i think in AWS Cognito) allow to READ his/her private files.我尝试使用https://awspolicygen.s3.amazonaws.com/policygen.html为
S3 Bucket Policy
重新创建Firabase Storage Rules
,但没有像只有这个userId
(或我认为在 AWS Cognito 中认为sub
)这样的条件允许阅读他的/她的私人文件。
I am new to this Firebase and very new to this AWS things.我是这个 Firebase 的新手,对 AWS 的东西也很陌生。 Please guide me throughly, much appreciated.
请指导我通过,非常感谢。
You should not use an Amazon S3 Bucket Policy, nor should you put S3 permissions on the user themselves.你不应该使用亚马逊S3斗政策,也不应该把S3权限的用户自己。
Instead, it should work as follows:相反,它应该按如下方式工作:
This way, it is the application that determines access and this is done on any page that references/links to a private object.这样,由应用程序确定访问权限,这在任何引用/链接到私有对象的页面上完成。 Generating a pre-signed URL only take a couple of lines of code and does not require an API call back to Amazon S3.
生成预签名URL只需要几行代码,并且不需要API回调到Amazon S3。
For example: Imagine a photo-sharing website .例如:想象一个照片共享网站。 Photos should be private by default (no access).
默认情况下,照片应该是私密的(无访问权限)。 If a user logs-in and wants to view a photo online, the application that generates the HTML page would use an
<img src=...>
tag, but the URL will be a pre-signed URL .如果用户登录并希望在线查看照片,则生成 HTML 页面的应用程序将使用
<img src=...>
标记,但 URL 将是预签名 URL 。 This means the web browser will display the image on the page.这意味着 Web 浏览器将在页面上显示图像。 Similarly, if there is a download link to the image, the URL should be a pre-signed URL.
同样,如果有图片的下载链接,则 URL 应该是预先签名的 URL。 Also, users might choose to share a picture with another user.
此外,用户可能会选择与其他用户共享图片。 Such information would be kept in a database.
此类信息将保存在数据库中。 When another user wants to view the shared image, the application would check the database, verify the permission, then provide a pre-signed URL.
当另一个用户想要查看共享图像时,应用程序会检查数据库,验证权限,然后提供一个预先签名的 URL。 This moves the "ownership" away from the path (where the image is stored) and into the database .
这将“所有权”从路径(存储图像的位置)移到数据库中。
I'm not a Firebase user, so I don't know what capabilities it has, but the above is the recommended way to manage user access to private files in S3.我不是 Firebase 用户,所以我不知道它有什么功能,但以上是在 S3 中管理用户对私有文件的访问的推荐方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.