Summary: [Windows Azure] Blob Storage Service: Creating a Shared Access Signature
A few days ago I covered how to set the public access level on a blob container, but clearly that kind of permission design cannot satisfy every administrator and user.
Microsoft thoughtfully provides the Shared Access Signature (SAS from here on). First, let's look at MSDN's explanation:
A Shared Access Signature is a URL that grants access rights to containers and blobs. By specifying a Shared Access Signature, you can grant users who have the URL access to a specific blob or to any blob within a specified container for a specified period of time. You can also specify what operations can be performed on a blob that's accessed via a Shared Access Signature.
In short, with a SAS you can allow a user to access a specific blob or container within a given time window, and you can also specify which operations are allowed, such as:
1. Reading and writing blob content, block lists, properties, and metadata
2. Deleting a blob
3. Leasing a blob
4. Creating a snapshot of a blob
5. Listing the blobs within a container
So today I will show how to create a SAS with the SDK:
var account = CloudStorageAccount.FromConfigurationSetting("Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString");
var client = account.CreateCloudBlobClient();
var container = client.GetContainerReference("container-sas");
container.CreateIfNotExist();
var blobPermissions = new BlobContainerPermissions();
blobPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessPolicy()
{
    SharedAccessStartTime = DateTime.UtcNow,
    SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
    Permissions = SharedAccessPermissions.Write | SharedAccessPermissions.Read
});
blobPermissions.PublicAccess = BlobContainerPublicAccessType.Off;
container.SetPermissions(blobPermissions);
string sas = container.GetSharedAccessSignature(new SharedAccessPolicy(), "mypolicy");
This looks much like setting the public access level, except that PublicAccess is set to Off and the policy you define is added to the SharedAccessPolicies collection.
The policy itself is configured through the SharedAccessPolicy class:
public class SharedAccessPolicy
{
    public SharedAccessPolicy();
    public SharedAccessPermissions Permissions { get; set; }
    public Nullable<DateTime> SharedAccessExpiryTime { get; set; }
    public Nullable<DateTime> SharedAccessStartTime { get; set; }
    public static SharedAccessPermissions PermissionsFromString(String value);
    public static String PermissionsToString(SharedAccessPermissions permissions);
}
SharedAccessStartTime and SharedAccessExpiryTime define the time window in which the SAS is valid, while Permissions lists the operations that are allowed:
[FlagsAttribute]
public enum SharedAccessPermissions
{
    None = 0,
    Read = 1,
    Write = 2,
    Delete = 4,
    List = 8
}
What is special here is that this enumeration carries FlagsAttribute, so you can combine values like this:
Permissions = SharedAccessPermissions.Write | SharedAccessPermissions.Read
which means you want to grant both write and read permission.
The example above targets a container. What if you only want a specific blob? Do it like this:
var account = CloudStorageAccount.FromConfigurationSetting("Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString");
var client = account.CreateCloudBlobClient();
var container = client.GetContainerReference("container-sas");
container.CreateIfNotExist();
var blob = container.GetBlobReference("BlobName");
string sas = blob.GetSharedAccessSignature(new SharedAccessPolicy()
{
    SharedAccessStartTime = DateTime.UtcNow,
    SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
    Permissions = SharedAccessPermissions.Write | SharedAccessPermissions.Read
}, "mypolicy");
A blob creates its SAS directly with GetSharedAccessSignature(). What puzzles me, though, is that this way a blob can only create one SharedAccessPolicy at a time?!
SAS is really not that hard, but there are few Chinese-language introductions or explanations of this part, so I spent quite a bit of time studying it. If anything above is wrong,
I hope the experts out there will correct me. Thanks!
References:
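To tie the two snippets above together from a defender's point of view, here is an added example that is not part of the original post: it issues a read-only SAS backed by a stored policy (so the rights live server-side and can be revoked before expiry without rotating the account key), consumes it through a client that never sees the account key, shows that a write is refused, and then revokes it. It assumes the same StorageClient 1.x API the post uses and the container name from the post; the blob name "report.txt" and policy name "readonly-1h" are made up for this demo.

```csharp
using System;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

// Added example, not the post's code. Assumes the StorageClient 1.x API shown in the post;
// the blob name "report.txt" and policy name "readonly-1h" are constructed for this demo.
class SasLifecycleDemo
{
    static void Main()
    {
        var account = CloudStorageAccount.FromConfigurationSetting(
            "Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString");
        var client = account.CreateCloudBlobClient();
        var container = client.GetContainerReference("container-sas");
        container.CreateIfNotExist();
        container.GetBlobReference("report.txt").UploadText("constructed sample content");

        // 1. Stored policy with least privilege: Read only, one-hour window, no start time
        //    (a start time of "now" can fail when the caller's clock is ahead of the service).
        var permissions = new BlobContainerPermissions();
        permissions.PublicAccess = BlobContainerPublicAccessType.Off;
        permissions.SharedAccessPolicies.Add("readonly-1h", new SharedAccessPolicy
        {
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(1),
            Permissions = SharedAccessPermissions.Read
        });
        container.SetPermissions(permissions);
        // 2. The token only references the stored policy (si=readonly-1h);
        //    the rights stay on the server, so they can be changed or revoked later.
        string sas = container.GetSharedAccessSignature(new SharedAccessPolicy(), "readonly-1h");
        // 3. A consumer that holds the SAS but never the account key.
        var sasClient = new CloudBlobClient(client.BaseUri,
            new StorageCredentialsSharedAccessSignature(sas));
        var sasBlob = sasClient.GetContainerReference("container-sas").GetBlobReference("report.txt");
        Console.WriteLine(sasBlob.DownloadText());            // allowed: Read is in the policy

        try { sasBlob.UploadText("tampered"); }               // denied: Write is not in the policy
        catch (StorageClientException ex) { Console.WriteLine("write denied: " + ex.ErrorCode); }

        // 4. Revoke: deleting the stored policy invalidates every SAS that references it,
        //    even before its expiry time, without rotating the account key.
        var current = container.GetPermissions();
        current.SharedAccessPolicies.Remove("readonly-1h");
        container.SetPermissions(current);

        try { sasBlob.DownloadText(); }
        catch (StorageClientException ex) { Console.WriteLine("revoked: " + ex.ErrorCode); }
    }
}
```

A SAS built from an ad-hoc policy, as in the blob example above, carries its rights inside the token and cannot be revoked before expiry except by regenerating the account key, which is why the stored-policy route is the safer default.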
http://msdn.microsoft.com/en-us/library/hh508996.aspx
http://blog.smarx.com/posts/shared-access-signatures-are-easy-these-days
http://convective.wordpress.com/2010/01/20/access-control-for-azure-blobs/