I am having a blob container which ACL is set up to allow full public read access so anyone can read and list the blobs in that container.
我有一个blob容器,其ACL设置为允许完全公共读取访问权限,因此任何人都可以读取并列出该容器中的blob。
I store the files so the WPF client app my clients use could read them but I don't want to allow them to modify/delete/create files.
我存储文件,以便客户端使用的WPF客户端应用程序可以读取它们,但我不想让它们修改/删除/创建文件。
Does anyone knows what connection string should be used in this scenario?
有谁知道在这种情况下应该使用什么连接字符串?
I hoped to specify the connection string without the account key and/or shared access key due to the fact blobs are public but that didn't work - StorageAccount.Parse throws FormatException
我希望指定没有帐户密钥和/或共享访问密钥的连接字符串,因为blob是公共的但是不起作用--StorageAccount.Parse抛出FormatException
3 个解决方案
#1
0
As mentioned by the previous answers, the best practice is usually to control the access to your blob container using shared access signatures (SAS) or a stored access policy. These can be used to create an access token (string) you can pass to your client without revealing your account key.
如前面的答案所述,最佳做法通常是使用共享访问签名(SAS)或存储的访问策略来控制对blob容器的访问。这些可用于创建您可以传递给客户端的访问令牌(字符串),而不会泄露您的帐户密钥。
However, it is also possible to specify the level of public read access to the blobs and metadata saved in the container. Public access is the level of read permission automatically given an anonymous user that is in possession the public access url for the container or blob. You cannot use public access to give anonymous users write permissions to the container. If you need to give write permission to users that are not in possession of the account key of your Azure storage account, then you will need to provide those users with a token in the form of a url the references a shared access signature or a shared access policy. If the public access to the blob container is not currently off (private,) anonymous user will be able to read all blobs in the container using a public access url such as the following.
但是,也可以指定对blob的公共读取访问级别和容器中保存的元数据。对于拥有容器或blob的公共访问URL的匿名用户,公共访问是自动读取权限级别。您无法使用公共访问权限授予匿名用户对容器的写入权限。如果您需要向不具有Azure存储帐户的帐户密钥的用户授予写入权限,则需要以URL的形式向这些用户提供引用共享访问签名或共享的令牌访问政策。如果对blob容器的公共访问权限当前未关闭(私有),则匿名用户将能够使用公共访问URL(如下所示)读取容器中的所有blob。
http://grassy.blob.core.windows.net/container1/image2.jpg
When you create the container, you can set the value of the publicAccess property to the appropriate constant of the BlobContainerPublicAccessType enum. The value of the publicAccess property can be one of the following three constants which specify the level of public read access.
创建容器时,可以将publicAccess属性的值设置为BlobContainerPublicAccessType枚举的相应常量。 publicAccess属性的值可以是以下三个常量之一,它们指定公共读取访问的级别。
• BLOB – The public can read the content and metadata of blobs within this container, but cannot read container metadata or list the blobs within the container.
•BLOB - 公众可以读取此容器中blob的内容和元数据,但无法读取容器元数据或列出容器中的blob。
• CONTAINER – The public can read blob content and metadata and container metadata, and can list the blobs within the container.
•CONTAINER - 公众可以读取blob内容和元数据以及容器元数据,并可以列出容器中的blob。
• OFF – Specifies no public access. Only the account owner can read resources in this container.
•OFF - 指定无公共访问。只有帐户所有者才能读取此容器中的资源。
So in this case the public access level might be set to CONTAINER. For example:
因此,在这种情况下,公共访问级别可能设置为CONTAINER。例如:
public static void main(String[] args) throws InvalidKeyException, URISyntaxException, StorageException
{
Account creds = new Account();
final String storageConnectionString = creds.getstorageconnectionstring();
CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString);
CloudBlobClient blobClient = storageAccount.createCloudBlobClient();
CloudBlobContainer container = blobClient.getContainerReference("container1");
container.createIfNotExist();
BlobContainerPermissions containerPermissions = new BlobContainerPermissions();
containerPermissions.setPublicAccess(BlobContainerPublicAccessType.CONTAINER);
container.uploadPermissions(containerPermissions);
BlobContainerPublicAccessType access1 = containerPermissions.getPublicAccess();
System.out.println("Public access to " + container.getName() + " is set to:
" + access1);
}
If the public access level on container1 has been set to CONTAINER, an anonymous user should be able to list the blobs in container1 knowing only the storage account AccountName ("grassy") and the container name, but without needing to know the AccountKey. For example, an anonymous application might use java code similar to the following:
如果container1上的公共访问级别已设置为CONTAINER,则匿名用户应该能够在container1中列出blob,只知道存储帐户AccountName(“grassy”)和容器名称,但无需知道AccountKey。例如,匿名应用程序可能使用类似于以下内容的Java代码:
public static void main(String[] args) throws InvalidKeyException, URISyntaxException, StorageException, FileNotFoundException, IOException
{
URI baseuri = new URI("http://grassy.blob.core.windows.net");
CloudBlobClient blobclient = new CloudBlobClient(baseuri);
CloudBlobContainer container = blobclient.getContainerReference("container1");
for (ListBlobItem blobItem : container.listBlobs()){System.out.println(blobItem.getUri());}
}
However, as discussed, it is a better practice to avoid giving anonymous users access. Instead control access to the container using a SAS or policy and pass on the token to only known users.
但是,正如所讨论的,避免让匿名用户访问是一种更好的做法。而是使用SAS或策略控制对容器的访问,并将令牌传递给仅已知用户。
#2
1
StorageAccount is not meant to connect to public blobs as far as I know. You simply can get at the public blobs via public URL by using something like WebClient or any other tool that can download data over public http/https endpoint.
据我所知,StorageAccount并不意味着连接到公共blob。您可以通过使用WebClient或任何其他可以通过公共http / https端点下载数据的工具,通过公共URL获取公共blob。
#3
0
You could use shared access signature for that purpose. What you could do is create the SAS on a blob container which only allows list and read permissions on the blob container and then distribute that SAS URI to your clients. Your code could then create an instance of BlobContainer object using that SAS URI.
您可以为此目的使用共享访问签名。您可以做的是在Blob容器上创建SAS,该容器仅允许blob容器上的列表和读取权限,然后将该SAS URI分发给您的客户端。然后,您的代码可以使用该SAS URI创建BlobContainer对象的实例。
Here's the sample code for listing blobs in a blob container using SAS URI:
以下是使用SAS URI列出blob容器中blob的示例代码:
static void ListBlobsWithStorageClientLibrary(string blobContainerSasUri)
{
CloudBlobContainer blobContainer = new CloudBlobContainer(new Uri(blobContainerSasUri));
var blobs = blobContainer.ListBlobs(null, true);
foreach (var blob in blobs)
{
Console.WriteLine(blob.Uri);
}
}
Other alternative is to create an instance of StorageCredentials object using SAS token: http://msdn.microsoft.com/en-us/library/windowsazure/jj682529.aspx. Then you could create an instance of CloudStorageAccount object using that StorageCredentials object.
另一种方法是使用SAS令牌创建StorageCredentials对象的实例:http://msdn.microsoft.com/en-us/library/windowsazure/jj682529.aspx。然后,您可以使用该StorageCredentials对象创建CloudStorageAccount对象的实例。
I wrote a detailed post on using Shared Access Signatures with blob storage which you can read here: http://gauravmantri.com/2013/02/13/revisiting-windows-azure-shared-access-signature/
我写了一篇关于使用带有blob存储的共享访问签名的详细帖子,你可以在这里阅读:http://gauravmantri.com/2013/02/13/revisiting-windows-azure-shared-access-signature/
#1
0
As mentioned by the previous answers, the best practice is usually to control the access to your blob container using shared access signatures (SAS) or a stored access policy. These can be used to create an access token (string) you can pass to your client without revealing your account key.
如前面的答案所述,最佳做法通常是使用共享访问签名(SAS)或存储的访问策略来控制对blob容器的访问。这些可用于创建您可以传递给客户端的访问令牌(字符串),而不会泄露您的帐户密钥。
However, it is also possible to specify the level of public read access to the blobs and metadata saved in the container. Public access is the level of read permission automatically given an anonymous user that is in possession the public access url for the container or blob. You cannot use public access to give anonymous users write permissions to the container. If you need to give write permission to users that are not in possession of the account key of your Azure storage account, then you will need to provide those users with a token in the form of a url the references a shared access signature or a shared access policy. If the public access to the blob container is not currently off (private,) anonymous user will be able to read all blobs in the container using a public access url such as the following.
但是,也可以指定对blob的公共读取访问级别和容器中保存的元数据。对于拥有容器或blob的公共访问URL的匿名用户,公共访问是自动读取权限级别。您无法使用公共访问权限授予匿名用户对容器的写入权限。如果您需要向不具有Azure存储帐户的帐户密钥的用户授予写入权限,则需要以URL的形式向这些用户提供引用共享访问签名或共享的令牌访问政策。如果对blob容器的公共访问权限当前未关闭(私有),则匿名用户将能够使用公共访问URL(如下所示)读取容器中的所有blob。
http://grassy.blob.core.windows.net/container1/image2.jpg
When you create the container, you can set the value of the publicAccess property to the appropriate constant of the BlobContainerPublicAccessType enum. The value of the publicAccess property can be one of the following three constants which specify the level of public read access.
创建容器时,可以将publicAccess属性的值设置为BlobContainerPublicAccessType枚举的相应常量。 publicAccess属性的值可以是以下三个常量之一,它们指定公共读取访问的级别。
• BLOB – The public can read the content and metadata of blobs within this container, but cannot read container metadata or list the blobs within the container.
•BLOB - 公众可以读取此容器中blob的内容和元数据,但无法读取容器元数据或列出容器中的blob。
• CONTAINER – The public can read blob content and metadata and container metadata, and can list the blobs within the container.
•CONTAINER - 公众可以读取blob内容和元数据以及容器元数据,并可以列出容器中的blob。
• OFF – Specifies no public access. Only the account owner can read resources in this container.
•OFF - 指定无公共访问。只有帐户所有者才能读取此容器中的资源。
So in this case the public access level might be set to CONTAINER. For example:
因此,在这种情况下,公共访问级别可能设置为CONTAINER。例如:
public static void main(String[] args) throws InvalidKeyException, URISyntaxException, StorageException
{
Account creds = new Account();
final String storageConnectionString = creds.getstorageconnectionstring();
CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString);
CloudBlobClient blobClient = storageAccount.createCloudBlobClient();
CloudBlobContainer container = blobClient.getContainerReference("container1");
container.createIfNotExist();
BlobContainerPermissions containerPermissions = new BlobContainerPermissions();
containerPermissions.setPublicAccess(BlobContainerPublicAccessType.CONTAINER);
container.uploadPermissions(containerPermissions);
BlobContainerPublicAccessType access1 = containerPermissions.getPublicAccess();
System.out.println("Public access to " + container.getName() + " is set to:
" + access1);
}
If the public access level on container1 has been set to CONTAINER, an anonymous user should be able to list the blobs in container1 knowing only the storage account AccountName ("grassy") and the container name, but without needing to know the AccountKey. For example, an anonymous application might use java code similar to the following:
如果container1上的公共访问级别已设置为CONTAINER,则匿名用户应该能够在container1中列出blob,只知道存储帐户AccountName(“grassy”)和容器名称,但无需知道AccountKey。例如,匿名应用程序可能使用类似于以下内容的Java代码:
public static void main(String[] args) throws InvalidKeyException, URISyntaxException, StorageException, FileNotFoundException, IOException
{
URI baseuri = new URI("http://grassy.blob.core.windows.net");
CloudBlobClient blobclient = new CloudBlobClient(baseuri);
CloudBlobContainer container = blobclient.getContainerReference("container1");
for (ListBlobItem blobItem : container.listBlobs()){System.out.println(blobItem.getUri());}
}
However, as discussed, it is a better practice to avoid giving anonymous users access. Instead control access to the container using a SAS or policy and pass on the token to only known users.
但是,正如所讨论的,避免让匿名用户访问是一种更好的做法。而是使用SAS或策略控制对容器的访问,并将令牌传递给仅已知用户。
#2
1
StorageAccount is not meant to connect to public blobs as far as I know. You simply can get at the public blobs via public URL by using something like WebClient or any other tool that can download data over public http/https endpoint.
据我所知,StorageAccount并不意味着连接到公共blob。您可以通过使用WebClient或任何其他可以通过公共http / https端点下载数据的工具,通过公共URL获取公共blob。
#3
0
You could use shared access signature for that purpose. What you could do is create the SAS on a blob container which only allows list and read permissions on the blob container and then distribute that SAS URI to your clients. Your code could then create an instance of BlobContainer object using that SAS URI.
您可以为此目的使用共享访问签名。您可以做的是在Blob容器上创建SAS,该容器仅允许blob容器上的列表和读取权限,然后将该SAS URI分发给您的客户端。然后,您的代码可以使用该SAS URI创建BlobContainer对象的实例。
Here's the sample code for listing blobs in a blob container using SAS URI:
以下是使用SAS URI列出blob容器中blob的示例代码:
static void ListBlobsWithStorageClientLibrary(string blobContainerSasUri)
{
CloudBlobContainer blobContainer = new CloudBlobContainer(new Uri(blobContainerSasUri));
var blobs = blobContainer.ListBlobs(null, true);
foreach (var blob in blobs)
{
Console.WriteLine(blob.Uri);
}
}
Other alternative is to create an instance of StorageCredentials object using SAS token: http://msdn.microsoft.com/en-us/library/windowsazure/jj682529.aspx. Then you could create an instance of CloudStorageAccount object using that StorageCredentials object.
另一种方法是使用SAS令牌创建StorageCredentials对象的实例:http://msdn.microsoft.com/en-us/library/windowsazure/jj682529.aspx。然后,您可以使用该StorageCredentials对象创建CloudStorageAccount对象的实例。
I wrote a detailed post on using Shared Access Signatures with blob storage which you can read here: http://gauravmantri.com/2013/02/13/revisiting-windows-azure-shared-access-signature/
我写了一篇关于使用带有blob存储的共享访问签名的详细帖子,你可以在这里阅读:http://gauravmantri.com/2013/02/13/revisiting-windows-azure-shared-access-signature/