Windows Azure: Blob Container Access Permissions and Policy Settings

Before looking at access permissions and policy settings for Blob containers, let us first clarify two concepts.

First, what does "access to a container" mean? Put simply, it means the create, delete, update and query operations on the container: create means writing data into the container, delete means deleting Blob files in the container, update is similar to create, and query means listing all the Blob files in the container.

Second, there are two roles:

  1. Owner (the owner of the storage account)
  2. Anonymous user

The owner is whoever accesses the storage with the account name and key.

An anonymous user is whoever accesses the storage through an endpoint such as http://yourdomain.blob.core.windows.net/.

(The account name, access key and endpoint address can all be obtained from the Azure Management Portal.)

Blob container permission settings apply only to anonymous users. The owner is never subject to them: whatever the settings, the owner can access all content and perform every operation.

There are two ways to set access permissions on a Blob container: Public Access, and the finer-grained SharedAccessPolicies.

Public Access is straightforward, as the following code shows:

blobContainer.SetPermissions(new BlobContainerPermissions { PublicAccess = BlobContainerPublicAccessType.Container });

The BlobContainerPublicAccessType enum has three members:

public enum BlobContainerPublicAccessType { Off, Container, Blob }

Off: anonymous users cannot read the Blobs in the container;

Container: anonymous users can read the Blobs in the container;

Blob: anonymous users can only read individual Blobs, i.e. fetch a Blob by its URL; they cannot list all the Blobs in the container.

So Public Access only configures anonymous read access. What if we want anonymous users to be able to create and delete Blobs as well?

That is where SharedAccessPolicies come in. The rest of this post focuses on how to use them.

In this example I use an ordinary web application to access Blob Storage in the cloud. First, the page layout:

[Image 1: the sample page]

The page is very simple. The red box simulates the owner setting an access policy on the container: fill in the settings and click Set Permission, and the policy is applied and a signature is generated. There are four permissions: Read (whether Blobs can be read), Write (whether Blobs can be written into the container), Delete (whether Blob files can be deleted) and List (whether all the Blobs in the container can be listed). Start Time is how long from now the policy takes effect and Expiry Time is how long from now it stops being valid; both are in seconds.
The blue box simulates an anonymous user accessing the container with that signature: List Blob lists all the Blobs in the container, Upload adds a Blob to the container, clicking a link downloads a Blob, and Delete deletes one.
The owner's code for setting the access policy:

CloudStorageAccount storageAccount = CloudStorageAccount.Parse(StorageConnectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer blobContainer = blobClient.GetContainerReference("mycontainer");
blobContainer.CreateIfNotExists();

BlobContainerPermissions blobPermissions = new BlobContainerPermissions();
// Anonymous users get nothing unless a policy signature grants it
blobPermissions.PublicAccess = BlobContainerPublicAccessType.Off;

SharedAccessBlobPolicy myPolicy = new SharedAccessBlobPolicy();

// Create permissions according to what you selected (the flags can be OR-ed together)
SharedAccessBlobPermissions permissions = SharedAccessBlobPermissions.None;
if (CanRead.Checked) { permissions |= SharedAccessBlobPermissions.Read; }
if (CanWrite.Checked) { permissions |= SharedAccessBlobPermissions.Write; }
if (CanDelete.Checked) { permissions |= SharedAccessBlobPermissions.Delete; }
if (CanList.Checked) { permissions |= SharedAccessBlobPermissions.List; }
myPolicy.Permissions = permissions;

// Start and expiry are entered as seconds from now
int accessStartSeconds;
if (int.TryParse(AccessStartTime.Text, out accessStartSeconds))
{
    myPolicy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddSeconds(accessStartSeconds);
}
int accessExpirySeconds;
if (int.TryParse(AccessExpiryTime.Text, out accessExpirySeconds))
{
    myPolicy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddSeconds(accessExpirySeconds);
}

// Add the policy to Blob permissions' SharedAccessPolicies
// You can add more than one policy
blobPermissions.SharedAccessPolicies.Add("mypolicy", myPolicy);

// Set the container's permissions
blobContainer.SetPermissions(blobPermissions);

// Get the Signature of "mypolicy"
string sasToken = blobContainer.GetSharedAccessSignature(myPolicy);
Signature.Text = sasToken;

The List Blob code:

(Note that the CloudBlobClient is created without the storage account name and key; it is built from the endpoint and the policy signature instead, which shows this is anonymous access.)

try
{
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(StorageConnectionString);
    // Credentials built from the SAS token only; no account key is used
    StorageCredentials credentials = new StorageCredentials(Signature.Text);
    CloudBlobClient blobClient = new CloudBlobClient(storageAccount.BlobEndpoint, credentials);
    CloudBlobContainer blobContainer = blobClient.GetContainerReference("mycontainer");
    //blobContainer.CreateIfNotExists();

    // Flat listing of every blob in the container; requires the List permission
    IEnumerable<IListBlobItem> blobItems = blobContainer.ListBlobs(null, true, BlobListingDetails.None, null, null);
    List<CloudBlockBlob> blockBlobs = new List<CloudBlockBlob>();
    foreach (IListBlobItem item in blobItems)
    {
        if (item is CloudBlockBlob)
        {
            blockBlobs.Add((CloudBlockBlob)item);
        }
    }
    BlobItemGridView.DataSource = blockBlobs;
    BlobItemGridView.DataBind();
    ErrorMsg.Text = "";
}
catch (Exception ex)
{
    ErrorMsg.Text = ex.Message;
}

Uploading a file to the container:

try
{
    if (FileUpload1.HasFile)
    {
        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(StorageConnectionString);
        StorageCredentials credentials = new StorageCredentials(Signature.Text);
        CloudBlobClient blobClient = new CloudBlobClient(storageAccount.BlobEndpoint, credentials);
        CloudBlobContainer blobContainer = blobClient.GetContainerReference("mycontainer");
        // Requires the Write permission
        CloudBlockBlob blockBlob = blobContainer.GetBlockBlobReference(FileUpload1.FileName);
        blockBlob.UploadFromStream(FileUpload1.FileContent);
        ErrorMsg.Text = "";
    }
}
catch (Exception ex)
{
    ErrorMsg.Text = ex.Message;
}

Deleting a Blob file:

try
{
    // The grid row's key is the blob URI
    Uri uri = e.Keys[0] as Uri;
    StorageCredentials credentials = new StorageCredentials(Signature.Text);
    CloudBlockBlob blob = new CloudBlockBlob(uri, credentials);
    // Requires the Delete permission
    blob.DeleteIfExists(DeleteSnapshotsOption.None);
    List_Click(null, null);
    ErrorMsg.Text = "";
}
catch (Exception ex)
{
    ErrorMsg.Text = ex.Message;
}

Downloading a Blob file:

try
{
    string uri = e.CommandArgument.ToString();
    StorageCredentials credentials = new StorageCredentials(Signature.Text);
    CloudBlockBlob blockBlob = new CloudBlockBlob(new Uri(uri), credentials);
    var memoryStream = new MemoryStream();
    // Exists() and DownloadToStream() require the Read permission
    if (blockBlob.Exists())
    {
        blockBlob.DownloadToStream(memoryStream);
        HttpUtils.WriteFileToResponse(this, memoryStream, Path.GetFileName(uri), true, Path.GetExtension(uri));
        ErrorMsg.Text = "";
    }
    else
    {
        ErrorMsg.Text = "The Blob doesn't exist";
    }
}
catch (Exception ex)
{
    ErrorMsg.Text = ex.Message;
}

If we grant only Read and List and then try to delete or upload a Blob file, an exception is raised:

[Image 2: the exception shown on the page]

In the same way, we can test the other policy combinations ourselves.
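To test such combinations without clicking through the form, here is an added Python example (not from the post or its source download) that parses a container SAS token of the kind GetSharedAccessSignature returns and decides whether each of the page's four operations is permitted at a given time. The token is constructed, with a placeholder signature, and the current time is passed as an ISO-8601 UTC string.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# The page's four checkboxes map to Azure's single-letter "sp" codes.
PERMISSION_CODES = {"read": "r", "write": "w", "delete": "d", "list": "l"}
# Which permission each button of the sample web app needs.
OPERATION_NEEDS = {"download": "read", "upload": "write", "delete": "delete", "list": "list"}

# Constructed sample token: Read + List only, valid for a ten-minute window.
# The "sig" value is a placeholder, not a real HMAC.
SAMPLE_TOKEN = ("?sv=2012-02-12&st=2013-05-01T12:00:00Z&se=2013-05-01T12:10:00Z"
                "&sr=c&sp=rl&sig=PLACEHOLDER")


def permissions_string(can_read=False, can_write=False, can_delete=False, can_list=False):
    """Same flag-building as the page's C# code, emitted as 'sp' letters in Azure's r,w,d,l order."""
    flags = {"read": can_read, "write": can_write, "delete": can_delete, "list": can_list}
    return "".join(PERMISSION_CODES[n] for n in ("read", "write", "delete", "list") if flags[n])


def parse_sas(token):
    """Split a SAS query string into a dict of its parameters."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def _utc(value):
    # Azure writes SAS times as ISO-8601 UTC, e.g. 2013-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_operation(token, operation, now):
    """Return (allowed, reason) for one of download/upload/delete/list at time `now`."""
    sas = parse_sas(token)
    if "sp" not in sas:
        # Permissions live in a stored policy on the container, not in the URL.
        return False, "permissions come from stored policy '%s'; read the container ACL" % sas.get("si", "?")
    if "st" in sas and _utc(now) < _utc(sas["st"]):
        return False, "token not yet valid (st=%s)" % sas["st"]
    if "se" in sas and _utc(now) >= _utc(sas["se"]):
        return False, "token expired (se=%s)" % sas["se"]
    needed = PERMISSION_CODES[OPERATION_NEEDS[operation]]
    if needed not in sas["sp"]:
        return False, "'%s' needs '%s' but token grants '%s'" % (operation, needed, sas["sp"])
    return True, "allowed"


if __name__ == "__main__":
    for op in ("list", "download", "upload", "delete"):
        print(op, check_operation(SAMPLE_TOKEN, op, "2013-05-01T12:05:00Z"))
```

With the sample token, list and download are allowed inside the window while upload and delete are refused, which is the same outcome the web page shows as an exception.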

Windows Azure Storage as a whole comprises Queue, Table and Blob. This post used only Blob to demonstrate configuring access permissions and policies, but the other two work much the same way. Interested readers can try them out for themselves.

Click here to download the source code.
