在介紹Blob容器的訪問權限與策略設置之前,我們先來明確一下兩個概念。
第一,對容器的訪問,指的是什么?簡單來說,就是對容器的增刪改查操作。其中增是指往容器里面寫入數據,刪是刪除容器里頭Blob文件,改與增類似,而查是指列出容器下所有的Blob文件。
第二,兩個角色:
- 所有者(Owner of storage account)
- 匿名用戶
所有者,即是通過賬戶名稱與密鑰來訪問storage的人。
匿名用戶,即是通過類似http://yourdomain.blob.core.windows.net/這樣的Endpoint來訪問storage的人。
(其中,賬戶名稱、訪問密鑰、Endpoint地址都可以從Azure Management Portal中獲取。)
Blob容器的權限設置,都是針對匿名用戶來說的,所有者不存在權限問題,不管怎么設置,所有者都能夠訪問所有內容,做所有操作。
設置Blob容器的訪問權限,包含兩種方式,一種是通過設置Public Access,另外一種是比較細粒度的SharedAccessPolicies。
對於Public Access設置,比較簡單,如下代碼所示:
blobContainer.SetPermissions(new BlobContainerPermissions { PublicAccess = BlobContainerPublicAccessType.Container });
BlobContainerPublicAccessType枚舉包含三項:
public enum BlobContainerPublicAccessType { Off, Container, Blob }
Off:不允許匿名用戶讀取該容器中的Blob;
Container:匿名用戶可以讀取該容器的Blob;
Blob:匿名用戶只能讀取Blob,即只能根據Blob的URL來讀取Blob,無法列出容器下所有的Blob。
我們發現,使用Public Access只能配置匿名用戶的讀取權限,如果希望匿名用戶同樣有增刪的權限怎么辦呢?
這個時候就需要用到SharedAccessPolicies。接下來重點介紹一下SharedAccessPolicies的使用。
在這個例子中,我將使用一個普通的Web應用程序,來訪問位於雲端的Blob Storage。我們先來看一下頁面結構:
頁面非常簡單,紅框內模擬的是所有者給容器設置訪問策略。填寫設置信息后,點擊Set Permission后,進行策略設置,並生成簽名。
其中包含四個訪問權限,Read表示是否能讀取Blob,Write表示是否能往容器里面寫入Blob,Delete表示能否刪除Blob文件,List表示能否列出容器里的所有Blob文件。
Start Time表示多長時間以后設置的策略生效,Expiry Time表示策略多長時間以后失效,單位均是秒。
籃框內模擬匿名用戶使用簽名來訪問容器。List Blob列出容器下所有Blob,Upload往容器里添加Blob,點擊鏈接下載Blob,點擊Delete刪除Blob。
所有者設置訪問策略代碼如下:
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(StorageConnectionString); CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient(); CloudBlobContainer blobContainer = blobClient.GetContainerReference("mycontainer"); blobContainer.CreateIfNotExists(); BlobContainerPermissions blobPermissions = new BlobContainerPermissions(); blobPermissions.PublicAccess = BlobContainerPublicAccessType.Off; SharedAccessBlobPolicy myPolicy = new SharedAccessBlobPolicy(); //Create permissions according to what you selected
SharedAccessBlobPermissions permissions = SharedAccessBlobPermissions.None; if (CanRead.Checked) { permissions = SharedAccessBlobPermissions.Read; } if (CanWrite.Checked) { if (permissions == SharedAccessBlobPermissions.None) { permissions = SharedAccessBlobPermissions.Write; } else { permissions = permissions | SharedAccessBlobPermissions.Write; } } if (CanDelete.Checked) { if (permissions == SharedAccessBlobPermissions.None) { permissions = SharedAccessBlobPermissions.Delete; } else { permissions = permissions | SharedAccessBlobPermissions.Delete; } } if (CanList.Checked) { if (permissions == SharedAccessBlobPermissions.None) { permissions = SharedAccessBlobPermissions.List; } else { permissions = permissions | SharedAccessBlobPermissions.List; } } myPolicy.Permissions = permissions; int accessStartSeconds = 0; if (int.TryParse(AccessStartTime.Text, out accessStartSeconds)) { myPolicy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddSeconds(accessStartSeconds); } int accessExpirySeconds = 0; if (int.TryParse(AccessExpiryTime.Text, out accessExpirySeconds)) { myPolicy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddSeconds(accessExpirySeconds); } //Add the policy to Blob permissions' SharedAccessPolicies //You can add more than one policy
blobPermissions.SharedAccessPolicies.Add("mypolicy", myPolicy); //Set the container's permissions
blobContainer.SetPermissions(blobPermissions); //Get the Signature of "mypolicy"
string sasToken = blobContainer.GetSharedAccessSignature(myPolicy); Signature.Text = sasToken;
List Blob代碼如下:
(注意到在創建CloudBlobClient時沒有用到Storage賬戶名稱與密鑰,而是通過終結點與策略簽名來創建,表明這是匿名用戶訪問。)
try { CloudStorageAccount storageAccount = CloudStorageAccount.Parse(StorageConnectionString); StorageCredentials credentials = new StorageCredentials(Signature.Text); CloudBlobClient blobClient = new CloudBlobClient(storageAccount.BlobEndpoint, credentials); CloudBlobContainer blobContainer = blobClient.GetContainerReference("mycontainer"); //blobContainer.CreateIfNotExists();
IEnumerable<IListBlobItem> blobItems = blobContainer.ListBlobs(null, true, BlobListingDetails.None, null, null); List<CloudBlockBlob> blockBlobs = new List<CloudBlockBlob>(); foreach (IListBlobItem item in blobItems) { if (item.GetType() == typeof(CloudBlockBlob)) { blockBlobs.Add((CloudBlockBlob)item); } } BlobItemGridView.DataSource = blockBlobs; BlobItemGridView.DataBind(); ErrorMsg.Text = ""; } catch (Exception ex) { ErrorMsg.Text = ex.Message; }
Upload文件至容器:
try { if (FileUpload1.HasFile) { CloudStorageAccount storageAccount = CloudStorageAccount.Parse(StorageConnectionString); StorageCredentials credentials = new StorageCredentials(Signature.Text); CloudBlobClient blobClient = new CloudBlobClient(storageAccount.BlobEndpoint, credentials); CloudBlobContainer blobContainer = blobClient.GetContainerReference("mycontainer"); CloudBlockBlob blockBlob = blobContainer.GetBlockBlobReference(FileUpload1.FileName); blockBlob.UploadFromStream(FileUpload1.FileContent); ErrorMsg.Text = ""; } } catch (Exception ex) { ErrorMsg.Text = ex.Message; }
刪除Blob文件:
try { Uri uri = e.Keys[0] as Uri; StorageCredentials credentials = new StorageCredentials(Signature.Text); CloudBlockBlob blob = new CloudBlockBlob(uri, credentials); blob.DeleteIfExists(DeleteSnapshotsOption.None); List_Click(null, null); ErrorMsg.Text = ""; } catch (Exception ex) { ErrorMsg.Text = ex.Message; }
下載Blob文件:
try { string uri = e.CommandArgument.ToString(); StorageCredentials credentials = new StorageCredentials(Signature.Text); CloudBlockBlob blockBlob = new CloudBlockBlob(new Uri(uri), credentials); var memoryStream = new MemoryStream(); if (blockBlob.Exists()) { blockBlob.DownloadToStream(memoryStream); HttpUtils.WriteFileToResponse(this, memoryStream, Path.GetFileName(uri), true, Path.GetExtension(uri)); ErrorMsg.Text = ""; } else { ErrorMsg.Text = "The Blob doesn't exist"; } } catch (Exception ex) { ErrorMsg.Text = ex.Message; }
我們只給Read與List的權限,然后嘗試刪除或者上傳Blob文件,將會產生一個異常:
同理,我們可以自己來做其他策略組合的測試。
在整個Windows Azure Storage中,包含了Queue, Table和Blob,這里只是以Blob做例子演示了訪問權限和策略的配置,其實對於另外兩個存儲也類似。有興趣的朋友可以自己嘗試一下。
點擊 這里 下載源碼。