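Three ways to set a public download link for files in MinIO

Overview

During project development, to make files stored in MinIO easier to use, it is often necessary to make their access and download URLs public, so that they can be accessed without authentication.

This article records three ways to set up public links.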


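Method 1: Set the Access Policy to public

Regardless of whether the file has ever been shared, as long as it exists in the bucket it can be accessed directly at a URL of the following form: http://x.x.x.x:9000/bucket/xxx.jpg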


Method 2: Set the bucket or path policy to download

The download policy can only be set through the MinIO client (mc)

wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
./mc --help

# mc config host add <ALIAS> <YOUR-S3-ENDPOINT> <YOUR-ACCESS-KEY> <YOUR-SECRET-KEY> [--api API-SIGNATURE]

# ./mc config host add minio http://192.168.20.102:9000 minioadmin minioadmin --api s3v4
Added `minio` successfully.

# cat ~/.mc/config.json
{
        "version": "10",
        "aliases": {
                "minio": {
                        "url": "http://192.168.20.102:9000",
                        "accessKey": "minioadmin",
                        "secretKey": "minioadmin",
                        "api": "s3v4",
                        "path": "auto"
                },
                "gcs": {
                        "url": "https://storage.googleapis.com",
                        "accessKey": "YOUR-ACCESS-KEY-HERE",
                        "secretKey": "YOUR-SECRET-KEY-HERE",
                        "api": "S3v2",
                        "path": "dns"
                },
                "local": {
                        "url": "http://localhost:9000",
                        "accessKey": "",
                        "secretKey": "",
                        "api": "S3v4",
                        "path": "auto"
                },
                "play": {
                        "url": "https://play.min.io",
                        "accessKey": "Q3AM3UQ867SPQQA43P2F",
                        "secretKey": "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG",
                        "api": "S3v4",
                        "path": "auto"
                },
                "s3": {
                        "url": "https://s3.amazonaws.com",
                        "accessKey": "YOUR-ACCESS-KEY-HERE",
                        "secretKey": "YOUR-SECRET-KEY-HERE",
                        "api": "S3v4",
                        "path": "dns"
                }
        }
}

# List all buckets
# /usr/local/minio/bin/mc ls minio
[2022-03-10 17:53:49 CST]     0B test/

policy command - manage bucket policies

  1. Run the mc policy command to list all policy-related commands

    /usr/local/minio/bin/mc policy

    Name:
    mc policy - manage anonymous access to buckets and objects

    USAGE:
    mc policy [FLAGS] set PERMISSION TARGET
    mc policy [FLAGS] set-json FILE TARGET
    mc policy [FLAGS] get TARGET
    mc policy [FLAGS] get-json TARGET
    mc policy [FLAGS] list TARGET

    FLAGS:
    --recursive, -r list recursively
    --config-dir value, -C value path to configuration folder (default: "/root/.mc")
    --quiet, -q disable progress bar display
    --no-color disable color theme
    --json enable JSON lines formatted output
    --debug enable debug output
    --insecure disable SSL certificate verification
    --help, -h show help

    PERMISSION:
    Allowed policies are: [none, download, upload, public].

    FILE:
    A valid S3 policy JSON filepath.

    EXAMPLES:

    1. Set bucket to "download" on Amazon S3 cloud storage.
      $ mc policy set download s3/burningman2011

    2. Set bucket to "public" on Amazon S3 cloud storage.
      $ mc policy set public s3/shared

    3. Set bucket to "upload" on Amazon S3 cloud storage.
      $ mc policy set upload s3/incoming

    4. Set policy to "public" for bucket with prefix on Amazon S3 cloud storage.
      $ mc policy set public s3/public-commons/images

    5. Set a custom prefix based bucket policy on Amazon S3 cloud storage using a JSON file.
      $ mc policy set-json /path/to/policy.json s3/public-commons/images

    6. Get bucket permissions.
      $ mc policy get s3/shared

    7. Get bucket permissions in JSON format.
      $ mc policy get-json s3/shared

    8. List policies set to a specified bucket.
      $ mc policy list s3/shared

    9. List public object URLs recursively.
      $ mc policy --recursive links s3/shared/

  2. View the policy of a bucket or path

    /usr/local/minio/bin/mc policy get minio/test

    Access permission for minio/test is public

  3. Set the bucket or path policy to download

    download is followed by the bucket or path

    /usr/local/minio/bin/mc policy set download minio/test

    Access permission for minio/test is set to download

    /usr/local/minio/bin/mc policy get minio/test

    Access permission for minio/test is download

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::test"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::test/*"
            ]
        }
    ]
}

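!!! Note: It is strongly recommended to set the download policy on a path, so that the policy of the bucket it belongs to becomes custom. If the bucket itself is set to download, it becomes possible to enter the MinIO client; although only the buckets that have the corresponding policy are visible, anonymous users can freely create and delete files in them!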
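Added example (not part of the original post): a Python check that reports what a policy JSON, such as the output of mc policy get-json, grants to anonymous users, run on the bucket-wide policy shown above and on a constructed prefix-scoped policy. The function names and the public/ prefix are assumptions made for illustration.

```python
import fnmatch
import json

CAPABILITIES = {"list": ["s3:ListBucket"], "read": ["s3:GetObject"],
                "write": ["s3:PutObject", "s3:DeleteObject"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*", {"AWS": "*"} and {"AWS": ["*"]} all mean "anyone, unauthenticated"
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_exposure(policy):
    """Return (capability, resource, has_condition) tuples granted to anonymous users."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for cap, actions in CAPABILITIES.items():
                # Action entries may be wildcards such as "s3:*" or "s3:Get*"
                if any(fnmatch.fnmatchcase(a, pattern) for a in actions):
                    for res in _as_list(stmt.get("Resource", [])):
                        findings.append((cap, res, "Condition" in stmt))
    return findings

# The policy JSON shown above on this page for bucket "test"
BUCKET_DOWNLOAD = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": ["*"]},
   "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::test"]},
  {"Effect": "Allow", "Principal": {"AWS": ["*"]},
   "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::test/*"]}]}
""")

def prefix_read_policy(bucket, prefix):
    # Constructed policy (assumption): anonymous GetObject under one prefix, no listing
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"]}]}

if __name__ == "__main__":
    for pol in (BUCKET_DOWNLOAD, prefix_read_policy("test", "public/")):
        for cap, res, cond in anonymous_exposure(pol):
            print(f"anonymous {cap} on {res}" + (" (conditional)" if cond else ""))
```

A policy built by prefix_read_policy can be dumped to a file with json.dumps and applied with the mc policy set-json FILE TARGET form listed in the help output above.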

policy command - manage bucket policies

Official documentation: http://docs.minio.org.cn/docs/master/minio-client-complete-guide

Manage policies for anonymous access to buckets and their contents.

Usage:
  mc policy [FLAGS] PERMISSION TARGET
  mc policy [FLAGS] TARGET
  mc policy list [FLAGS] TARGET

PERMISSION:
  Allowed policies are: [none, download, upload, public].

FLAGS:
  --help, -h                       Show help.

Example: Show the current anonymous bucket policy

# Show the current anonymous policy of the mybucket/myphotos/2020/ subfolder.
mc policy play/mybucket/myphotos/2020/
Access permission for 'play/mybucket/myphotos/2020/' is 'none'

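Example: Set an anonymous download bucket policy.

# Set an anonymous-download policy on the mybucket/myphotos/2020/ subfolder. Objects under this folder are now publicly accessible. For example, mybucket/myphotos/2020/yourobjectname can be accessed at the URL https://play.min.io/mybucket/myphotos/2020/yourobjectname.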
mc policy set download play/mybucket/myphotos/2020/
Access permission for 'play/mybucket/myphotos/2020/' is set to 'download'

Example: Remove the current anonymous bucket policy

# Remove all anonymous bucket policies on the mybucket/myphotos/2020/ subfolder.
mc policy set none play/mybucket/myphotos/2020/
Access permission for 'play/mybucket/myphotos/2020/' is set to 'none'

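Method 3

The current bucket policy is private, so the images cannot be accessed; after applying the following settings, the images can be accessed (even without being shared).

Checking the bucket policy again at this point shows that it is no longer private but custom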

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::aaa"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::aaa"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::aaa/**"
            ]
        }
    ]
}
posted @ 2022-12-06 14:58  向宁的光