Configure anonymous public read access for containers and blobs

Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.

Warning

When a container is configured for public access, any client can read data in that container. Public access presents a potential security risk, so if your scenario does not require it, Azure recommends that you disallow it for the storage account. For more information, see Prevent anonymous public read access to containers and blobs.

This article describes how to configure anonymous public read access for a container and its blobs. For information about how to access blob data anonymously from a client application, see Access public containers and blobs anonymously with .NET.

About anonymous public read access

Public access to your data is always prohibited by default. Two separate settings affect public access:

  1. Allow public access for the storage account. By default, a storage account allows a user with the appropriate permissions to enable public access to a container. Blob data is not available for public access unless the user takes the additional step of explicitly configuring the container's public access setting.
  2. Configure the container's public access setting. By default, a container's public access setting is disabled, meaning that authorization is required for every request to the container or its data. A user with the appropriate permissions can modify a container's public access setting to enable anonymous access only if anonymous access is allowed for the storage account.

The following summarizes how the two settings together determine public access for a container.

Public access is disallowed for the storage account:
  • Container public access disabled (default setting): No public access to any container in the storage account.
  • Container public access set to Container: No public access to any container in the storage account. The storage account setting overrides the container setting.
  • Container public access set to Blob: No public access to any container in the storage account. The storage account setting overrides the container setting.

Public access is allowed for the storage account (default setting):
  • Container public access disabled (default setting): No public access to this container (default configuration).
  • Container public access set to Container: Public access is permitted to this container and its blobs.
  • Container public access set to Blob: Public access is permitted to blobs in this container, but not to the container itself.

Allow or disallow public read access for a storage account

By default, a storage account is configured to allow a user with the appropriate permissions to enable public access to a container. When public access is allowed, a user with the appropriate permissions can modify a container's public access setting to enable anonymous public access to the data in that container. Blob data is never available for public access unless the user takes the additional step of explicitly configuring the container's public access setting.

Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Regardless of the setting on the storage account, your data will never be available for public access unless a user with appropriate permissions takes this additional step to enable public access on the container.

Disallowing public access for the storage account prevents anonymous access to all containers and blobs in that account. When public access is disallowed for the account, it is not possible to configure the public access setting for a container to permit anonymous access. For improved security, Azure recommends that you disallow public access for your storage accounts unless your scenario requires that users access blob resources anonymously.

Important

Disallowing public access for a storage account overrides the public access settings for all containers in that storage account. When public access is disallowed for the storage account, any future anonymous requests to that account will fail. Before changing this setting, be sure to understand the impact on client applications that may be accessing data in your storage account anonymously. For more information, see Prevent anonymous public read access to containers and blobs.

To allow or disallow public access for a storage account, configure the account's AllowBlobPublicAccess property. This property is available for all storage accounts that are created with the Azure Resource Manager deployment model. For more information, see Storage account overview.

The AllowBlobPublicAccess property is not set by default and does not return a value until you explicitly set it. The storage account permits public access when the property value is either null or true.

To allow or disallow public access for a storage account in the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Locate the Configuration setting under Settings.

  3. Set Blob public access to Enabled or Disabled.

    (Screenshot: allowing or disallowing blob public access for the account)

Note

Disallowing public access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.

After you update the public access setting for the storage account, it may take up to 30 seconds before the change is fully propagated.

Allowing or disallowing blob public access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see Azure Storage Resource Provider REST API.

The examples in this section showed how to read the AllowBlobPublicAccess property for the storage account to determine whether public access is currently allowed or disallowed. To learn more about how to verify that an account's public access setting is configured to prevent anonymous access, see Remediate anonymous public access.
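The following PowerShell is added here as an example and is not code from the article: it reads AllowBlobPublicAccess with the rule described above (an unset, null value is treated as allowed) and then disallows public access for the account. It assumes the Az.Storage module and an authenticated Az session; the resource group and account names are placeholders.

```powershell
# Added example: inspect and disallow account-level blob public access.
$rgName      = "<resource-group>"    # placeholder, replace with your own value
$accountName = "<storage-account>"   # placeholder, replace with your own value

$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName

# AllowBlobPublicAccess is a nullable boolean. Until it has been set explicitly it
# is null, and the service treats null exactly like true: public access is allowed.
$raw = $account.AllowBlobPublicAccess
$state = if ($null -eq $raw) { "null (never set; treated as allowed)" }
         elseif ($raw)       { "true (allowed)" }
         else                { "false (disallowed)" }
Write-Output "$accountName : AllowBlobPublicAccess = $state"

$publicAccessAllowed = ($raw -ne $false)   # covers both null and true

# Disallowing public access at the account level overrides every container's
# public access setting in the account, so anonymous requests will start to fail.
# The $web static-website container is not affected by this setting.
if ($publicAccessAllowed) {
    Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -AllowBlobPublicAccess $false
    Write-Output "Public access disallowed; allow up to 30 seconds for the change to propagate."
}
```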

Set the public access level for a container

To grant anonymous users read access to a container and its blobs, first allow public access for the storage account, then set the container's public access level. If public access is disallowed for the storage account, you will not be able to configure public access for a container.

When public access is allowed for a storage account, you can configure a container with the following permissions:

  • No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
  • Public read access for blobs only: Blobs within the container can be read by anonymous request, but container data is not available anonymously. Anonymous clients cannot enumerate the blobs within the container.
  • Public read access for container and its blobs: Container and blob data can be read by anonymous request, except for container permission settings and container metadata. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.

You cannot change the public access level for an individual blob. The public access level is set only at the container level. You can set the container's public access level when you create the container, or you can update the setting on an existing container.

To update the public access level for one or more existing containers in the Azure portal, follow these steps:

  1. Navigate to your storage account overview in the Azure portal.

  2. Under Blob service on the menu blade, select Containers.

  3. Select the containers for which you want to set the public access level.

  4. Use the Change access level button to display the public access settings.

  5. Select the desired public access level from the Public access level dropdown and click the OK button to apply the change to the selected containers.

    (Screenshot: setting the public access level in the portal)

When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, you'll see that the setting is disabled because public access is disallowed for the account.

(Screenshot: the container public access level setting is unavailable when public access is disallowed for the account)
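As an added example (not part of the original article), the following PowerShell sets a container's public access level with Set-AzStorageContainerAcl after checking the account-level setting, then makes an anonymous request for the container's blob listing to confirm the behaviour described above: the listing succeeds only at the Container level, while Blob and Off reject it. It assumes the Az.Storage module and an authenticated Az session; the resource group, account and container names are placeholders.

```powershell
# Added example: set a container's public access level and verify the result.
$rgName        = "<resource-group>"    # placeholder
$accountName   = "<storage-account>"   # placeholder
$containerName = "<container>"         # placeholder
$level         = "Blob"                # Off, Blob or Container

$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName

# The account setting overrides the container setting: when the account disallows
# public access, a container-level Blob or Container setting cannot take effect.
if ($account.AllowBlobPublicAccess -eq $false -and $level -ne "Off") {
    throw "Account '$accountName' disallows public access; cannot set level '$level'."
}

# Public access is configured per container only; individual blobs have no such setting.
Set-AzStorageContainerAcl -Context $account.Context -Name $containerName -Permission $level
Write-Output "Container '$containerName' public access level set to $level"

# Anonymous probe of the container listing (no credentials, no SAS). Blob level allows
# reading individual blobs but not enumerating them, so the listing should be refused;
# the service answers anonymous requests to a non-public container with 404, not 403.
$listUri = "https://$accountName.blob.core.windows.net/$containerName?restype=container&comp=list"
try {
    $resp = Invoke-WebRequest -Uri $listUri -UseBasicParsing -ErrorAction Stop
    Write-Output "Anonymous blob listing succeeded (HTTP $($resp.StatusCode)): blobs are enumerable"
} catch {
    Write-Output "Anonymous blob listing refused: $($_.Exception.Message)"
}
```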

Check the public access setting for a set of containers

It is possible to check which containers in one or more storage accounts are configured for public access by listing the containers and checking the public access setting. This approach is a practical option when a storage account does not contain a large number of containers, or when you are checking the setting across a small number of storage accounts. However, performance may suffer if you attempt to enumerate a large number of containers.

The following example uses PowerShell to get the public access setting for all containers in a storage account. Remember to replace the placeholder values in brackets with your own values:

$rgName = "<resource-group>"
$accountName = "<storage-account>"

# Get the storage account and its context for data-plane calls
$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

# List every container with its PublicAccess setting (Off, Blob or Container)
Get-AzStorageContainer -Context $ctx | Select-Object Name, PublicAccess
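The example above reports each container's own setting for one account. The following PowerShell, added here as an example rather than taken from the article, goes further: it walks every storage account in the current subscription and combines the account-level AllowBlobPublicAccess value with each container's PublicAccess value, following the combination rules given earlier, so that only containers whose data is actually readable anonymously are reported. It assumes the Az.Storage module and an authenticated Az session, and it only reads configuration.

```powershell
# Added example: report effective anonymous exposure across a whole subscription.
$findings = foreach ($account in Get-AzStorageAccount) {
    # null or true at the account level means public access is allowed
    $accountAllows = ($account.AllowBlobPublicAccess -ne $false)

    # Listing containers can fail (for example, network rules); skip such accounts
    $containers = Get-AzStorageContainer -Context $account.Context -ErrorAction SilentlyContinue
    foreach ($c in $containers) {
        $containerLevel = [string]$c.PublicAccess   # Off, Blob or Container

        # Apply the account-overrides-container rule from the table above
        if (-not $accountAllows) { $effective = "None (account setting overrides)" }
        elseif ($containerLevel -eq "Container") { $effective = "Blobs readable and enumerable" }
        elseif ($containerLevel -eq "Blob") { $effective = "Blobs readable, not enumerable" }
        else { $effective = "None" }

        [pscustomobject]@{
            StorageAccount  = $account.StorageAccountName
            Container       = $c.Name
            AccountAllows   = $accountAllows
            ContainerLevel  = $containerLevel
            EffectiveAccess = $effective
        }
    }
}

# Show only the containers where anonymous reads are actually possible
$findings | Where-Object EffectiveAccess -notlike "None*" | Format-Table -AutoSize
```

Containers in accounts that disallow public access are listed with EffectiveAccess "None" even when their own level is Blob or Container, which is the state to expect after remediating at the account level.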

Next steps