Storage Account that holds Static Web Site has "Anonymous public access" enabled
Question
As soon as I provision the Teams App, several Azure Resources are automatically created.
One of them is a storage account that holds the static web page and all my custom sites.
That storage account seems to have the "Allow Blob public access" option set to Enabled by default. At least, I cannot recall changing anything on the default Teams Toolkit "Deploy to the cloud" function behavior.
Now that Microsoft has announced to change this option by August of this year, I am wondering if my Teams Apps will still work when I disable this after the App has been installed?
Azure Storage Update August 2023
In the description Anonymous Read Access Configure I found the passage:
> Disallowing public access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.
So what about the "azure-webjobs-hosts" and "azure-webjobs-secrets" folders in that container, does anything in here need the public access by default?
I did disable the option and did a brief test, so far it seems to still work, but I would really like to know if this is just configured by "accident" in the TeamsFX deploy to cloud function, or if this has some deeper connections?
Answer 1
Score: 0
I just created a new Teams app with the latest Teams Toolkit (v5.0) and found my Storage Account's containers are all private (no anonymous access), even for the $web container. The $web container is always public and anyone can access its blobs through the static website's endpoint. But anonymous access through the blob endpoint should be blocked.
https://xxx.z13.web.core.windows.net/hello.png √ ok
https://xxx.blob.core.windows.net/$web/hello.png × blocked
So I think you should disable the anonymous access for your Storage Account. As for why it is configured, I cannot tell, but it's possibly caused by careless design of an old version of Teams Toolkit.
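An added example, not part of the answer above or of Teams Toolkit: a small audit over the JSON that `az storage account show` and `az storage container list` return, reporting which containers are anonymously readable through the blob endpoint. The field names (`allowBlobPublicAccess`, `properties.publicAccess`) are assumed from that CLI output, and the sample data is constructed.

```python
import json

# Constructed sample, shaped like `az storage account show` and
# `az storage container list` output (field names are assumptions).
SAMPLE_ACCOUNT = json.loads('{"name": "examplestore", "allowBlobPublicAccess": true}')
SAMPLE_CONTAINERS = json.loads("""[
  {"name": "$web", "properties": {"publicAccess": null}},
  {"name": "azure-webjobs-hosts", "properties": {"publicAccess": null}},
  {"name": "azure-webjobs-secrets", "properties": {"publicAccess": "container"}}
]""")


def audit(account, containers):
    """Return (severity, message) findings for anonymous blob-endpoint access."""
    findings = []
    allowed = account.get("allowBlobPublicAccess")
    if allowed is None:
        # Property absent: the effective default depends on when the account
        # was created, so ask for an explicit value instead of guessing.
        findings.append(("warn", "allowBlobPublicAccess is not set; set it to false explicitly"))
    elif allowed:
        findings.append(("warn", "account lets containers opt in to anonymous access"))

    for c in containers:
        level = ((c.get("properties") or {}).get("publicAccess") or "").lower()
        if level in ("", "none"):
            continue  # private container, nothing exposed on the blob endpoint
        if allowed is False:
            # A container-level setting only takes effect if the account allows it.
            findings.append(("info", f"{c['name']}: level '{level}' is overridden by the account setting"))
        else:
            findings.append(("high", f"{c['name']}: anonymously readable via blob endpoint ({level})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS):
        print(f"[{severity}] {message}")
```

A private `$web` container produces no finding here because, as the quoted documentation says, its content is served through the static website endpoint regardless of this setting.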