本文介绍了Azure Blob存储:多个容器的共享访问签名?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!



I'm creating an application that will be hosted in Azure. In this application, users will be able to upload their own content. They will also be able to configure a list of other trusted app users who will be able to read their files. I'm trying to figure out how to architect the storage.


I think that I'll create a storage container named after each user's application ID, and they will be able to upload files there. My question relates to how to grant read access to all files to which a user should have access. I've been reading about shared access signatures and they seem like they could be a great fit for what I'm trying to achieve. But, I'm evaluating the most efficient way to grant access to users. I think that Stored access policies might be useful. But specifically:


Can I use one shared access signature (or stored access policy) to grant a user access to multiple containers? I've found one piece of information which I think is very relevant:



"A container, queue, or table can include up to 5 stored access policies. Each policy can be used by any number of shared access signatures."


But I'm not sure if I'm understanding that correctly. If a user is connected to 20 other people, can I grant him or her access to twenty specific containers? Of course, I could generate twenty individual stored access policies, but that doesn't seem very efficient, and when they first log in, I plan to show a summary of content from all of their other trusted app users, which would equate to demanding 20 signatures at once (if I understand correctly).


Thanks for any suggestions...-Ben



Since you are going to have a container per user (for now I'll equate a user with what you called a user application ID), that means you'll have a storage account that can contain many different containers for many users. If you want to have the application have the ability to upload to only one specific container while reading from many two options come to mind.

首先:创建一个API,该API可以处理所有请求.在API的后面,您的代码将具有对整个存储帐户的完全访问权限,因此您的业务逻辑将确定它们做什么以及没有访问权限.这样做的好处是您根本不必创建共享访问签名(SAS).您的应用只知道如何与API通讯.您甚至可以通过并行调用从应用程序的一次调用中获取来自各个容器的内容,从而组合他们在内容摘要中可以看到的数据.缺点是您现在托管此API服务,该服务必须代理所有这些调用.如果您选择该路线,仍然需要API服务来生成SAS,但是仅需要生成SAS即可,并且客户端应用程序将直接通过Windows Azure存储服务进行调用,从而承担了负载,这将减少资源您真正需要的.

First: Create a API that lives somewhere that handles all the requests. Behind the API your code will have full access to entire storage account so your business logic will determine what they do and do not have access to. The upside of this is that you don't have to create Shared Access Signatures (SAS) at all. Your app only knows how to talk to the API. You can even combine the data that they can see in that summary of content by doing parallel calls to get contents from the various containers from a single call from the application. The downside is that you are now hosting this API service which has to broker ALL of these calls. You'd still need the API service to generate SAS if you go that route, but it would only be needed to generate the SAS and the client applications would make the calls directly with the Windows Azure storage service bearing the load which will reduce the resources you actually need.


Second: Go the SAS route and generate SAS as needed, but this will get a bit tricky.

每个容器最多只能创建五个存储访问策略.对于这五个中的一个,您为容器的所有者"创建了一个策略,该策略为他们提供了读取和写入权限.现在,由于您允许其他人向其他人授予读取权限,因此除非您为读取重复使用相同的策略,否则您将遇到策略计数限制,但是如果用户从某人中删除某人,您将无法撤消该策略受信任的"读者名单.例如,如果我将Bob和James的权限都授予了我的容器,并且他们都被授予了Read SAS的副本,如果我需要删除Bob,则必须取消他们共享的Read Policy并重新发布新的Read SAS给詹姆斯.但这并不是什么大问题,因为该应用程序可以检测到何时不再具有权限并请求更新的SAS.

You can only create up to five Stored Access Policies on each container. For one of these five you create one policy for the "owner" of the container which gives them Read and write permissions. Now, since you are allowing folks to give read permissions to other folks you'll run into the policy count limit unless you reuse the same policy for Read, but then you won't be able to revoke it if the user removes someone from their "trusted" list of readers. For example, if I gave permissions to both Bob and James to my container and they are both handed a copy of the Read SAS, if I needed to remove Bob I'd have to cancel the Read Policy they shared and reissue a new Read SAS to James. That's not really that bad of an issue though as the app can detect when it no longer has permissions and ask for the renewed SAS.


In any case you still kind of want the policies to be short lived. If I removed Bob from my trusted readers I'd pretty much want him cut off immediately. This means you'll be going back to get a renewed SAS quite a bit and recreating the signed access signature which reduces the usefulness of the signed access policies. This really depends on your stomach of how long you were planning on allowing the policy to live and how quickly you'd want someone cut off if they were "untrusted".


Now, a better option could be that you create Ad-hoc signatures. You can have as many Ad-hoc signatures as you want actually, but they can't be revoked and can at most last one hour. Since you'd make them short lived the length or lack of revocation shouldn't be an issue. Going that route will mean that you'd be having the application come back to get them as needed, but given what I mentioned above about when someone is removed and you want the SAS to run out this may not be a big deal. As you pointed out though, this does increase the complexity of things because you're generating a lot of SASs; however, with these being ad-hoc you don't really need to track them.


If you were going to go the SAS route I'd suggest that your API be generating the ad-hoc ones as needed. They shouldn't last more than a few minutes as people can have their permissions to a container removed and all you are trying to do is reduce the load on hosted service for actually doing the upload and download. Again, all the logic for handling what containers someone can see is still in your API service and the applications just get signatures they can use for small periods of time.

这篇关于Azure Blob存储:多个容器的共享访问签名?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

05-28 21:22