让用户在S3中上传/下载文件 – 如何组织存储桶和文件夹?

huangapple go评论62阅读模式
英文:

Letting users upload/download files in S3 -- How to organise the buckets and folders?

问题

以下是翻译好的部分:

在这个项目中,多个用户(假设有1000个用户)将上传文件到同一个存储桶。

应用程序具有来自Web API的用户身份验证。

问题

  1. 每个用户都将拥有自己的存储桶或存储桶对象,这是否正确?
  2. 如何设置不同用户的权限,以便文件是私有的,只有授权的个人才能访问?

如何在不创建亚马逊账户并给予访问权限的情况下实现这一点。

尝试:

  • 我尝试创建了3个具有不同角色的IAM用户,并通过在数据库中存储用户允许的文件夹名称来管理后端的权限。

期望:

要实现的功能:

  • 用户:
    • 用户-A
    • 用户-B
    • 用户-C
  • 用户-A、用户-B、用户-C:拥有一个文件夹名称[userId:email],用户只能读取那些允许他访问的S3存储桶内的文件夹

如何在不创建亚马逊账户并给予访问权限的情况下实现这一点?

英文:

Would love to hear your ideas.

In this project, multiple users (let's say 1000 users) will upload files into the same bucket.

The app does have user authentication from a Web API.

Questions

  1. Is it correct that each user will have his/her own bucket or bucket objects?
  2. How to set permissions for different users in such a way that user the files are private and only shared individual can access that?

How to achieve this without creating users amazon accounts and then giving this access

Tried:

  • I tried creating 3 IAM users with different roles and and managing the permissions from the backend by storing the name for the user allowed folders in the database.

Expected:

Features to achieve:

  • Users:
    • User-A
    • User-B
    • User-C
  • User-A, User-B, User-c: has a folder name [userId:email] where users can only read those folders inside a S3-bucket which are allowed to him

How to achieve this without creating users amazon accounts and then giving this access?

答案1

得分: 2

您绝对不应该为每个用户创建一个存储桶。您的AWS帐户中有关于存储桶数量的限制。

您也不应该向用户提供AWS凭证。

相反,您的应用程序应负责管理上传过程并控制哪些用户可以访问哪些对象。

上传

上传过程如下:

然后,您可以选择如何将上传的文件与用户关联。您可以选择要么:

  • 在S3存储桶中为每个用户使用单独的文件夹,或者
  • Web应用程序可以使用数据库来维护所有上传文件及其'所有者'的记录

如果用户可能上传数千个文件,则数据库将提供更快的对象列表。没有数据库,应用程序将需要列出用户文件夹的内容,因为每个API调用仅返回最多1000个对象。

下载

您的Web应用程序将向用户提供对象列表。在生成此页面的HTML时,每个对象的列表将包括一个Amazon S3预签名URL,该URL提供有时间限制的访问Amazon S3中的私有对象。基本上,他们可以在一定时间段内(例如5分钟)使用该链接,之后该链接将不再有效。

您的应用程序负责确保HTML页面仅列出用户有权访问的对象。如上所述,此列表可以来自列出用户文件夹的内容,也可以通过引用跟踪上传对象的数据库来获取。

这就像一个照片分享网站

上述过程与您与照片分享网站的交互方式相似。用户通过网页登录,通过网页上传文件,然后在网页上获得他们的照片列表。他们可以通过点击网页上的链接下载。他们从不使用AWS凭证来上传/下载 - 存储在S3中的照片对用户来说无关紧要。

如果您寻求更高级的功能,例如在用户之间共享文件(例如与家庭成员分享照片),那么Web应用程序将需要维护一个权限数据库,以知道哪些文件可以与哪些用户共享。

英文:

You should definitely not create one bucket per user. There are limits to the number of buckets you can have in your AWS Account.

You should also not provide users with AWS credentials.

Instead, it will be the responsibility of your application to manage the upload process and to control which users have access to which objects.

Uploading

The upload process would be:

You then have a choice about how to associate the uploaded file with the user. You can either:

  • Use separate folders in the S3 bucket for each user, or
  • The web app can use a database to maintain a record of all uploaded files and their 'owners'

If users might upload thousands of files each, then the database will provide faster listing of objects. Without a database, the app would need to list the contents of the user's folder, which can be relatively slow since each API call only returns a maximum of 1000 objects.

Downloading

Your web app would provide a list of the objects to the user. When generating the HTML for this page, the list of each object would include an Amazon S3 pre-signed URL that provides time-limited access to private objects in Amazon S3. Basically, they can use the link for a given time period (eg 5 minutes), after which the link will no longer work.

Your app would be responsible for making sure that the HTML page only lists objects that the user is entitled to access. As mentioned above, this list would either come from listing the user's folder or by referencing the database that tracks uploaded objects.

It's like a photo-sharing website

The above processes are similar to how you would interact with a photo-sharing website. Users logon via a web page, upload files via the web page and then get a listing of their photos on a web page. They can download by clicking a link on the web page. They never use AWS credentials to upload/download -- the fact that photos are stored in S3 is irrelevant to the users.

If you are seeking more advanced features such as the ability to share files between users (such as sharing photos with family members), then the web app would need to maintain a database of permissions to know which files can be shared with which users.

答案2

得分: -2

  1. 如果文件不重复,每个用户可以拥有自己的存储桶。如果文件是重复的,尝试按照不同级别设置存储桶权限。例如:管理员、用户、只读等。
  2. 管理员可以访问用户、只读以及以下级别,继续...
  3. 您可以将文件存储在特定位置,使该文件对特定角色及其高级别成员可访问。这样,您可以在S3存储桶中节省不必要的重复文件。
  4. 在用户表中添加一个角色列,以启用此权限系统。
英文:
  1. Each user can have his own bucket if the file is not repetitive. If the file is repetitive, try to make the bucket permission as per Levels.
    Ex: Admin, User, Read, etc
  2. The Admin can access the User, Read, and below levels, continue...
  3. You can store the file in a particular location where this file can be accessible to that particular role and its high-level persons. That way you can save the unnecessary repetitive file in your s3 bucket.
  4. Add a role column to enable this permission system in your user table.

huangapple
  • 本文由 发表于 2023年6月19日 17:21:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/76505271.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定