Manage anonymous read access to containers and blobs

You can enable anonymous, public read access to a container and its blobs in Azure Blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature (SAS).

Public read access is best for scenarios where you want certain blobs to always be available for anonymous read access. For more fine-grained control, you can create a shared access signature. Shared access signatures enable you to provide restricted access using different permissions, for a specific time period. For more information about creating shared access signatures, see Using shared access signatures (SAS) in Azure Storage.

Grant anonymous users permissions to containers and blobs

By default, a container and any blobs within it may be accessed only by a user that has been given appropriate permissions. To grant anonymous users read access to a container and its blobs, you can set the container public access level. When you grant public access to a container, anonymous users can read blobs within that container without authorizing the request.

You can configure a container with the following permissions:

  • No public read access: The container and its blobs can be accessed only by the storage account owner. This is the default for all new containers.
  • Public read access for blobs only: Blobs within the container can be read by anonymous request, but container data is not available. Anonymous clients cannot enumerate the blobs within the container.
  • Public read access for container and its blobs: All container and blob data can be read by anonymous request. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.

Set container public access level in the Azure portal

From the Azure portal, you can update the public access level for one or more containers:

  1. Navigate to your storage account overview in the Azure portal.
  2. Under Blob service on the menu blade, select Blobs.
  3. Select the containers for which you want to set the public access level.
  4. Use the Change access level button to display the public access settings.
  5. Select the desired public access level from the Public access level dropdown and click the OK button to apply the change to the selected containers.

The following screenshot shows how to change the public access level for the selected containers.

[Screenshot showing how to set the public access level in the portal]

Note

You cannot change the public access level for an individual blob. Public access level is set only at the container level.

Set container public access level with .NET

To set the permissions for a container, call the BlobContainerClient.SetAccessPolicy method.

The following example sets the container's permissions to full public read access. To set permissions to public read access for blobs only, pass the PublicAccessType.Blob field into the BlobContainerClient.SetAccessPolicy method. To remove all permissions for anonymous users, use the PublicAccessType.None field.

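// Requires: using System; using Azure.Storage.Blobs; using Azure.Storage.Blobs.Models;
private static void SetPublicContainerPermissions(BlobContainerClient container)
{
    // Grant anonymous clients read access to the container and its blobs.
    container.SetAccessPolicy(PublicAccessType.BlobContainer);

    // Read the policy back and print the public access level now in effect.
    Console.WriteLine("Container {0} - permissions set to {1}",
        container.Name, container.GetAccessPolicy().Value.BlobPublicAccess);
}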
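To review which containers in an account currently allow anonymous reads, and to revoke that access, the levels listed above can be audited with the same client library. This is an added example, not code from the original page; the class name PublicAccessAudit, the AZURE_STORAGE_CONNECTION_STRING environment variable and the --revoke switch are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

public static class PublicAccessAudit   // hypothetical name for this example
{
    // What an anonymous client can do at each public access level.
    public static string Describe(PublicAccessType level) => level switch
    {
        PublicAccessType.BlobContainer => "anonymous read and blob enumeration",
        PublicAccessType.Blob => "anonymous read of blobs by URL, no enumeration",
        _ => "no anonymous access"
    };

    // Returns the names of containers whose level is not None; optionally resets them.
    public static List<string> Audit(BlobServiceClient service, bool revoke)
    {
        var exposed = new List<string>();
        foreach (BlobContainerItem item in service.GetBlobContainers())
        {
            PublicAccessType level = item.Properties.PublicAccess ?? PublicAccessType.None;
            if (level == PublicAccessType.None) continue;

            exposed.Add(item.Name);
            Console.WriteLine("{0}: {1} ({2})", item.Name, level, Describe(level));
            if (!revoke) continue;

            // Setting the ACL replaces the container's stored access policies as well,
            // so pass the existing signed identifiers back to keep issued SAS tokens valid.
            BlobContainerClient container = service.GetBlobContainerClient(item.Name);
            BlobContainerAccessPolicy current = container.GetAccessPolicy().Value;
            container.SetAccessPolicy(PublicAccessType.None, current.SignedIdentifiers);
        }
        return exposed;
    }

    public static void Main(string[] args)
    {
        // Assumption: an authorized connection string is supplied in this variable.
        string conn = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");
        bool revoke = args.Length > 0 && args[0] == "--revoke";   // hypothetical switch
        List<string> exposed = Audit(new BlobServiceClient(conn), revoke);
        Console.WriteLine("{0} container(s) allowed anonymous access", exposed.Count);
    }
}
```

Run it without the switch first to get a report only; listing containers and changing their ACLs requires an authorized client, unlike the anonymous reads it is checking for.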

Access containers and blobs anonymously

A client that accesses containers and blobs anonymously can use constructors that do not require credentials. The following examples show a few different ways to reference containers and blobs anonymously.

Create an anonymous client object

You can create a new service client object for anonymous access by providing the Blob storage endpoint for the account. However, you must also know the name of a container in that account that's available for anonymous access.

// Requires: using System; using Azure.Storage.Blobs; using Azure.Storage.Blobs.Models;
public static void CreateAnonymousBlobClient()
{
    // Create the client object using the Blob storage endpoint for your account.
    BlobServiceClient blobServiceClient = new BlobServiceClient
        (new Uri(@"https://storagesamples.blob.core.chinacloudapi.cn/"));

    // Get a reference to a container that's available for anonymous access.
    BlobContainerClient container = blobServiceClient.GetBlobContainerClient("sample-container");

    // Read the container's properties once and reuse the result.
    // Note this is only possible when the container supports full public read access.
    BlobContainerProperties properties = container.GetProperties().Value;
    Console.WriteLine(properties.LastModified);
    Console.WriteLine(properties.ETag);
}

Reference a container anonymously

If you have the URL to a container that is anonymously available, you can use it to reference the container directly.

// Requires: using System; using Azure.Storage.Blobs; using Azure.Storage.Blobs.Models;
//           using Azure.Storage.Blobs.Specialized; (for GetBlockBlobClient)
public static void ListBlobsAnonymously()
{
    // Get a reference to a container that's available for anonymous access.
    BlobContainerClient container = new BlobContainerClient
        (new Uri(@"https://storagesamples.blob.core.chinacloudapi.cn/sample-container"));

    // List blobs in the container.
    // Note this is only possible when the container supports full public read access.
    foreach (BlobItem blobItem in container.GetBlobs())
    {
        Console.WriteLine(container.GetBlockBlobClient(blobItem.Name).Uri);
    }
}

Reference a blob anonymously

If you have the URL to a blob that is available for anonymous access, you can reference the blob directly using that URL:

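// Requires: using System; using Azure.Storage.Blobs.Specialized;
public static void DownloadBlobAnonymously()
{
    // Reference the blob directly by its URL; no credentials are supplied.
    BlockBlobClient blob = new BlockBlobClient
        (new Uri(@"https://storagesamples.blob.core.chinacloudapi.cn/sample-container/logfile.txt"));

    // Download the blob's contents to a local file.
    blob.DownloadTo(@"C:\Temp\logfile.txt");
}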
