1. The current problem
OSS currently lets users access a Bucket over either HTTPS or HTTP. Because plain HTTP has known security weaknesses, large enterprise customers require that OSS be accessed over HTTPS only and that HTTP requests be refused.
Today OSS can enforce this through a RAM policy: a given user or role can be denied HTTP access to specified Buckets and objects. RAM Policy, however, is an identity-based authorization model and cannot grant or deny on a per-resource basis; in other words, it cannot reject the HTTP requests of all users at the Bucket or object level. We are currently building that capability on top of Bucket Policy; once it ships, users will be able to configure an HTTPS-only access policy directly in Bucket Policy.
2. Using RAM Policy to "restrict a user to HTTPS-only access to OSS"
Alibaba Cloud RAM Policy offers a rich set of Condition parameters for restricting access to resources. Here we use the "Secure Transport" condition key to build a RAM Policy that denies the specified user access to a Bucket over HTTP.
Condition | Function | Valid values |
---|---|---|
acs:SecureTransport | Whether the request uses the HTTPS protocol | "true" or "false" |
2.1 RAM Policy example
To keep the setup simple, we first grant the account "AliyunOSSFullAccess", then simulate denying every request that arrives over HTTP.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ],
      "Condition": {
        "Bool": {
          "acs:SecureTransport": [
            "false"
          ]
        }
      }
    }
  ]
}
```
With this policy attached, an upload over HTTPS is not matched by the Deny statement and succeeds:

```python
# -*- coding: utf-8 -*-
import oss2

# The AccessKey of an Alibaba Cloud primary account has permissions to every API and is high-risk.
# It is strongly recommended to create and use a RAM account for API access and day-to-day operations;
# log in at https://ram.console.aliyun.com to create a RAM account.
auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
# Endpoint: this example uses the Beijing region; set it according to the region actually used.
# The HTTPS scheme makes acs:SecureTransport evaluate to "true" for this request.
bucket = oss2.Bucket(auth, 'https://oss-cn-beijing.aliyuncs.com', 'test-beijing-2018')
# <yourLocalFile> is the local file path plus the file name including its extension, e.g. /users/local/myfile.txt
bucket.put_object_from_file('02.txt', '002.txt')
```

```text
root@shanghai-02:~/figo# python putobject.py
2019-01-10 20:55:37,003 oss2.API [INFO] 140496922879744 : Init oss bucket, endpoint: https://oss-cn-beijing.aliyuncs.com, isCname: False, connect_timeout: None, app_name: , enabled_crc: True
2019-01-10 20:55:37,008 oss2.API [INFO] 140496922879744 : Put object from file, bucket: test-beijing-2018, key: 02.txt, file path: 002.txt
2019-01-10 20:55:37,009 oss2.API [INFO] 140496922879744 : Start to put object, bucket: test-beijing-2018, key: 02.txt, headers: {'Content-Type': 'text/plain'}
2019-01-10 20:55:37,212 oss2.API [INFO] 140496922879744 : Put object done, req_id: 5C3740C952FF5BAFB298BDDA, status_code: 200
```
The same upload over plain HTTP matches the Deny statement and is rejected with 403 AccessDenied:

```python
# -*- coding: utf-8 -*-
import oss2

# The AccessKey of an Alibaba Cloud primary account has permissions to every API and is high-risk.
# It is strongly recommended to create and use a RAM account for API access and day-to-day operations;
# log in at https://ram.console.aliyun.com to create a RAM account.
auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
# Endpoint: this example uses the Beijing region; set it according to the region actually used.
# The HTTP scheme makes acs:SecureTransport evaluate to "false", so the Deny statement applies.
bucket = oss2.Bucket(auth, 'http://oss-cn-beijing.aliyuncs.com', 'test-beijing-2018')
# <yourLocalFile> is the local file path plus the file name including its extension, e.g. /users/local/myfile.txt
bucket.put_object_from_file('02.txt', '002.txt')
```

```text
root@shanghai-02:~/figo# python putobject.py
2019-01-10 21:14:37,499 oss2.API [INFO] 140697781880576 : Init oss bucket, endpoint: http://oss-cn-beijing.aliyuncs.com, isCname: False, connect_timeout: None, app_name: , enabled_crc: True
2019-01-10 21:14:37,501 oss2.API [INFO] 140697781880576 : Put object from file, bucket: test-beijing-2018, key: 02.txt, file path: 002.txt
2019-01-10 21:14:37,503 oss2.API [INFO] 140697781880576 : Start to put object, bucket: test-beijing-2018, key: 02.txt, headers: {'Content-Type': 'text/plain'}
2019-01-10 21:14:37,585 oss2.API [ERROR] 140697781880576 : Exception: {'status': 403, 'x-oss-request-id': '5C37453DDF97EBEDF4BDA095', 'details': {'HostId': 'test-beijing-2018.oss-cn-beijing.aliyuncs.com', 'Message': 'You have no right to access this object because of bucket acl.', 'Code': 'AccessDenied', 'RequestId': '5C37453DDF97EBEDF4BDA095'}}
Traceback (most recent call last):
  File "putobject.py", line 10, in <module>
    bucket.put_object_from_file('02.txt', '002.txt')
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 481, in put_object_from_file
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 453, in put_object
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 1579, in __do_object
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 210, in _do
oss2.exceptions.AccessDenied: {'status': 403, 'x-oss-request-id': '5C37453DDF97EBEDF4BDA095', 'details': {'HostId': 'test-beijing-2018.oss-cn-beijing.aliyuncs.com', 'Message': 'You have no right to access this object because of bucket acl.', 'Code': 'AccessDenied', 'RequestId': '5C37453DDF97EBEDF4BDA095'}}
```
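The following Python is an added illustration, not part of the original article or of the OSS SDK: it models the RAM evaluation behind the two results above (explicit Deny beats Allow, a `Bool` condition on `acs:SecureTransport` derived from the endpoint scheme). The account id in the resource ARN is a constructed placeholder, and only the `Bool` operator is modelled.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed policy set: the broad Allow that AliyunOSSFullAccess provides,
# plus the Deny-over-HTTP statement from the article.
POLICIES = [
    {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:*"]}]},
    {"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:*"],
         "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}}]},
]


def request_context(endpoint):
    """Condition keys carried by a request, derived from the endpoint URL scheme (simplified)."""
    scheme = urlparse(endpoint).scheme.lower()
    return {"acs:SecureTransport": "true" if scheme == "https" else "false"}


def condition_matches(condition, context):
    """A statement without Condition always matches; Bool requires the key to be present
    and its value to be one of the listed strings ("true"/"false")."""
    for operator, keys in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError("only the Bool operator is modelled here: %s" % operator)
        for key, allowed in keys.items():
            if key not in context or context[key] not in allowed:
                return False
    return True


def evaluate(policies, action, resource, endpoint):
    """Return "Allow" or "Deny". Any matching Deny wins outright; with no matching
    Allow the result is an implicit deny, just as RAM evaluates it."""
    context = request_context(endpoint)
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]):
                continue
            if not condition_matches(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # corresponds to the 403 AccessDenied seen over HTTP
            allowed = True
    return "Allow" if allowed else "Deny"
```

Running `evaluate` for the PutObject above with `https://oss-cn-beijing.aliyuncs.com` yields "Allow", and with `http://oss-cn-beijing.aliyuncs.com` yields "Deny".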
Source: https://yq.aliyun.com/articles/686003