How do I create multiple stored access policies for the same Azure blob container?

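I have read through and used the sample code in

Then I applied it to my scenario.

I wrote a tool that uploads data from partners to Azure blob storage, where it will then be used by some internal teams:

    YYYY-MM (container)
        (DD-GUID) (prefix)
            File1.zip
            File2.zip

I created 2 policies for each container:

1. Write-only for partners, so that they can only write blobs and nothing else.
2. List and read for our internal teams, so that they can list and read (download) all the blobs in the container.

My idea was that I could simply hand the right policy to the right recipient; however, my implementation does not work as I expected.

I created 2 policies for each container using the following method, each policy with the correct permissions of course: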

static void CreateSharedAccessPolicy(CloudBlobClient blobClient, CloudBlobContainer container, string policyName)
    {
        //Create a new stored access policy and define its constraints.
        SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
        {
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
            Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List
        };

        //Get the container's existing permissions.
        BlobContainerPermissions permissions = new BlobContainerPermissions();

        //Add the new policy to the container's permissions.
        permissions.SharedAccessPolicies.Clear();
        permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
        container.SetPermissions(permissions);
    }
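
I created the write-only policy first, and then the read-and-list policy. What I observed is that the first policy does not seem to work: everything returns 403 Forbidden. For the second policy, the only thing that works is listing blobs, but not reading (I tried to download a blob and got 404 Not Found).

It seems I am missing something basic. Could you help me see what is wrong with my approach?

In the code I use to test the container permissions, I also noticed that the read permission on the container does not work the way the Azure documentation says. Here I am trying to find a simple way to give people a stored access policy so that they can list and download all the blobs in the container, instead of providing a signature for each blob file: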

static void UseContainerSAS(string sas)
    {
        //Try performing container operations with the SAS provided.

        //Return a reference to the container using the SAS URI.
        CloudBlobContainer container = new CloudBlobContainer(new Uri(sas));

        //Create a list to store blob URIs returned by a listing operation on the container.
        List<Uri> blobUris = new List<Uri>();

        try
        {
            //Write operation: write a new blob to the container. 
            CloudBlockBlob blob = container.GetBlockBlobReference("blobCreatedViaSAS.txt");
            string blobContent = "This blob was created with a shared access signature granting write permissions to the container. ";
            MemoryStream msWrite = new MemoryStream(Encoding.UTF8.GetBytes(blobContent));
            msWrite.Position = 0;
            using (msWrite)
            {
                blob.UploadFromStream(msWrite);
            }
            Console.WriteLine("Write operation succeeded for SAS " + sas);
            Console.WriteLine();
        }
        catch (StorageException e)
        {
            Console.WriteLine("Write operation failed for SAS " + sas);
            Console.WriteLine("Additional error information: " + e.Message);
            Console.WriteLine();
        }

        try
        {
            //List operation: List the blobs in the container, including the one just added.
            foreach (ICloudBlob blobListing in container.ListBlobs())
            {
                blobUris.Add(blobListing.Uri);
            }
            Console.WriteLine("List operation succeeded for SAS " + sas);
            Console.WriteLine();
        }
        catch (StorageException e)
        {
            Console.WriteLine("List operation failed for SAS " + sas);
            Console.WriteLine("Additional error information: " + e.Message);
            Console.WriteLine();
        }

        try
        {
            CloudBlockBlob blob = container.GetBlockBlobReference(blobUris[0].ToString());

            MemoryStream msRead = new MemoryStream();
            msRead.Position = 0;
            using (msRead)
            {
                blob.DownloadToStream(msRead);
                Console.WriteLine(msRead.Length);
            }
            Console.WriteLine("Read operation succeeded for SAS " + sas);
            Console.WriteLine();
        }
        catch (StorageException e)
        {
            Console.WriteLine("Read operation failed for SAS " + sas);
            Console.WriteLine("Additional error information: " + e.Message);
            Console.WriteLine();
        }
        Console.WriteLine();

        try
        {
            //Delete operation: Delete a blob in the container.
            CloudBlockBlob blob = container.GetBlockBlobReference(blobUris[0].ToString());
            blob.Delete();
            Console.WriteLine("Delete operation succeeded for SAS " + sas);
            Console.WriteLine();
        }
        catch (StorageException e)
        {
            Console.WriteLine("Delete operation failed for SAS " + sas);
            Console.WriteLine("Additional error information: " + e.Message);
            Console.WriteLine();
        }
    }

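Actually, the latter operation erased what the first operation had done. To avoid this, you should read the container's existing permissions, add the new permission, and then set the permissions back on the container.

Here is the correct code sample: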

static void CreateSharedAccessPolicy(CloudBlobClient blobClient, CloudBlobContainer container, string policyName)
{
    //Create a new stored access policy and define its constraints.
    SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
        Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List
    };

    //Get the container's existing permissions.
    BlobContainerPermissions permissions = container.GetPermissions();

    //Add the new policy to the container's permissions.
    permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
    container.SetPermissions(permissions);
}
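
As for why you are getting a 404 error when reading the blob, please share the code you use to create the SAS from the policy, and how you use the created SAS to read the blob, so that I can help troubleshoot.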

Below is a code sample that creates a SAS and uses it to read blobs (you can copy the URLs from standard output and paste them directly into a browser to try):

        var permissions = container.GetPermissions();
        var policy = new SharedAccessBlobPolicy
        {
            Permissions = SharedAccessBlobPermissions.Read,
            SharedAccessExpiryTime = DateTime.UtcNow.AddYears(1),
        };

        string policyName = "read";
        permissions.SharedAccessPolicies.Add(policyName, policy);
        container.SetPermissions(permissions);
        string sas = container.GetSharedAccessSignature(null, policyName);
        var blobs = container.ListBlobs(null, true);
        Console.WriteLine("SAS = {0}", sas);
        Console.WriteLine("Blobs URLs with SAS:");

        foreach (var blob in blobs)
        {
            Console.WriteLine(blob.Uri.ToString() + sas);
        }

is for the programming/database language SAS, not for this particular usage. I think is the correct tag, but if I'm wrong, sorry, please use the correct tag. Thanks

Try setting the start time of the shared access policy to DateTime.UtcNow.AddMinutes(-5).

SAS is Shared Access Signature, a term used in Azure
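
The two least-privilege policies from the question, stored with a single read-modify-write of the container ACL as the answer describes. This is an added example, not code from the question or the answers. It assumes the same legacy WindowsAzure.Storage client library used on this page and the local storage emulator; the container name and the policy names `partner-write` and `internal-read-list` are constructed for illustration.

```csharp
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

static class ContainerPolicies
{
    // A container holds at most five stored access policies.
    const int MaxPoliciesPerContainer = 5;

    // Adds or updates one policy in the ACL object without discarding the others.
    static void UpsertPolicy(BlobContainerPermissions acl, string name,
                             SharedAccessBlobPermissions rights, TimeSpan lifetime)
    {
        if (!acl.SharedAccessPolicies.ContainsKey(name) &&
            acl.SharedAccessPolicies.Count >= MaxPoliciesPerContainer)
            throw new InvalidOperationException("Container already has five stored access policies.");

        // Indexer assignment overwrites an existing entry; Add() would throw on a duplicate name.
        acl.SharedAccessPolicies[name] = new SharedAccessBlobPolicy
        {
            SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-5), // tolerate clock skew
            SharedAccessExpiryTime = DateTime.UtcNow.Add(lifetime),
            Permissions = rights
        };
    }

    static void Main()
    {
        // Assumption: local storage emulator; replace with your own connection string.
        var account = CloudStorageAccount.Parse("UseDevelopmentStorage=true");
        var container = account.CreateCloudBlobClient().GetContainerReference("2015-01"); // constructed name
        container.CreateIfNotExists();

        // Read-modify-write: start from the policies the container already has.
        BlobContainerPermissions acl = container.GetPermissions();
        UpsertPolicy(acl, "partner-write", SharedAccessBlobPermissions.Write, TimeSpan.FromHours(10));
        UpsertPolicy(acl, "internal-read-list",
                     SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List, TimeSpan.FromHours(10));
        container.SetPermissions(acl); // one call stores both policies

        // Each SAS carries only the policy name, so editing or deleting the policy revokes it.
        string partnerSas = container.GetSharedAccessSignature(null, "partner-write");
        string internalSas = container.GetSharedAccessSignature(null, "internal-read-list");
        Console.WriteLine("Partner URI:  " + container.Uri + partnerSas);
        Console.WriteLine("Internal URI: " + container.Uri + internalSas);
    }
}
```

A newly stored policy can take up to about 30 seconds to take effect, so a SAS tested immediately after `SetPermissions` may be rejected with 403 before it starts working.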