Write it down while it’s hot for your future self
Preface
We ran into a problem when using MinIO as the file storage component of our product.
Out of the box, a MinIO bucket is either public or private:
- Public: anyone can access the bucket's resources, both the object contents and the object listing (the "directory" of the bucket).
- Private: nobody can access the bucket directly. The only way to hand an object to an outside party is a presigned URL (an "external link"), and a presigned URL is valid for at most 7 days.
Our requirement is to store users' profile pictures in a MinIO bucket. If the bucket is public, anyone can list the bucket and walk through the profile pictures of every registered user, which is a privacy leak. If the bucket is private, the only thing we can give the front end is a presigned URL, and after 7 days that URL stops working, so the page can no longer display the picture.
So the question is: can a single profile picture be accessible permanently without exposing every profile picture in the bucket to enumeration?
The solution
Use the mc tool to give the bucket a custom policy: anonymous users may read objects whose key they know, but may not list the bucket. (Recent mc releases have renamed the `mc policy` command to `mc anonymous`; the subcommands used below are otherwise the same.)
1. Create a bucket named test
The default policy is private; for the demonstration set it to public so that the listing behaviour is visible.
2. Upload a file to the test bucket
Open the bucket's URL in a browser and the objects in the bucket are listed:
3. Set the download policy on the bucket.
mc policy download minio/test
4. Dump the bucket policy to a JSON file.
mc policy get-json minio/test > test_policy.json
The Policy file (test_policy.json) looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["*"] },
      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["*"] },
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
The s3:ListBucket action in the first statement is what lets anonymous users enumerate the bucket's contents; s3:GetObject on arn:aws:s3:::test/* in the second statement is what lets them download an object whose key they already know. The fix is to remove s3:ListBucket and keep everything else.
5. Modify test_policy.json as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["*"] },
      "Action": ["s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["*"] },
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
6. Re-apply the policy
mc policy set-json test_policy.json minio/test
7. Verify:
Opening the bucket's URL in the browser now returns an AccessDenied error instead of the object listing, while the direct URL of an object still serves the file.
Be clear about what this does and does not protect: anyone who knows or can guess an object key can still download it. Profile pictures therefore need unguessable keys (a random identifier, not the user ID or username), and those keys must not be exposed anywhere else that can be enumerated.
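As an added example, not code from the original post or from MinIO, the Python below builds the download-without-listing policy for a bucket name and evaluates what a policy grants to anonymous principals, so the JSON can be checked before `mc policy set-json` applies it. It goes slightly beyond the post by handling wildcard actions and resources and explicit Deny statements, following the S3 evaluation rule that an explicit Deny beats any Allow. The bucket name `test` is taken from the post; `MC_DOWNLOAD_POLICY` is a constructed copy of the policy `mc policy download` produced above, and all other names are assumptions.

```python
import json
import sys
from fnmatch import fnmatchcase

# Added example, not from the original post or from MinIO. Bucket name "test"
# follows the post; all other names here are assumptions for illustration.

# Constructed copy of the policy "mc policy download minio/test" produced above.
# The s3:ListBucket grant in the first statement is what exposes the listing.
MC_DOWNLOAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::test"]},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::test/*"]},
    ],
}


def build_download_only_policy(bucket: str) -> dict:
    """The post's modified policy: anonymous read of objects by key, no listing."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": ["s3:GetBucketLocation"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal forms that mean 'everyone': "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Does the policy let an anonymous caller perform `action` on `resource_arn`?

    S3 evaluation rule: an explicit Deny wins over any Allow; with no matching
    statement the default is deny. Wildcards in Action and Resource
    (e.g. "s3:*", "arn:aws:s3:::test/*") are matched as globs.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def anonymous_listing_allowed(policy: dict, bucket: str) -> bool:
    """The check that matters for the post: can everyone enumerate the bucket?"""
    return anonymous_allows(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")


if __name__ == "__main__":
    bucket = sys.argv[1] if len(sys.argv) > 1 else "test"
    policy = build_download_only_policy(bucket)
    # Refuse to emit a policy that still allows anonymous listing.
    if anonymous_listing_allowed(policy, bucket):
        sys.exit("policy still grants anonymous s3:ListBucket")
    json.dump(policy, sys.stdout, indent=2)   # redirect stdout to test_policy.json
    print()
```

Run it as `python check_policy.py test > test_policy.json` (file name assumed) and apply the file with `mc policy set-json test_policy.json minio/test`. To verify from outside, an anonymous request for the bucket listing (for example `curl -i http://<minio-host>/test/`, host assumed) should return a 403 AccessDenied response, while a direct object URL still returns the file.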