How to restrict users from accessing OSS only through HTTPS

2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to restrict users to accessing OSS only through HTTPS. Many people have questions about this in daily operation, so the editor consulted various materials and put together a simple, practical procedure. I hope it helps answer the question of how to restrict users to HTTPS-only access to OSS. Please follow along.

I. Current problems

At present, OSS lets users access a Bucket over either HTTPS or HTTP. HTTP, however, carries requests and data in plaintext and is therefore insecure. Large enterprise customers require that OSS be accessed over HTTPS only and that HTTP requests be rejected.

Today OSS can achieve this through RAM Policy: a specified user or role can be denied access to specified Buckets and objects over HTTP. RAM Policy, however, is a user-based authorization method; it cannot be attached to a resource, so it cannot reject HTTP requests from all users at the Bucket or object level. We are currently developing this capability on top of Bucket Policy, after which users will be able to set the HTTPS-only access policy directly through Bucket Policy.

II. Restricting users to HTTPS-only OSS access through RAM Policy

Alibaba Cloud RAM Policy offers a rich set of Condition parameters for restricting access to resources. Here we use the "Secure Transport" condition to build a RAM Policy that denies the specified user access to a Bucket over HTTP.

Condition key: acs:SecureTransport
Meaning: whether the request was sent over HTTPS
Legal values: "true" or "false"

2.1 RAM Policy example

To keep the configuration simple, we first grant the account the system policy "AliyunOSSFullAccess", and then add a policy that denies every request sent over HTTP.

Add a RAM Policy that denies HTTP access requests. The policy content is as follows (note the comma that separates "Resource" from "Condition"; without it the JSON is invalid):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["oss:*"],
      "Resource": ["acs:oss:*"],
      "Condition": {
        "Bool": {
          "acs:SecureTransport": ["false"]
        }
      }
    }
  ]
}

Description: the Policy above denies the user access to OSS resources over HTTP. Because an explicit Deny takes precedence over the Allow granted by AliyunOSSFullAccess, HTTPS requests are still permitted while every HTTP request is rejected.
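To make the decision logic concrete, here is a small local model of how the Deny statement above interacts with the AliyunOSSFullAccess grant. This is an added example written for this article, not code from Alibaba Cloud or the OSS SDK: the Allow statement standing in for AliyunOSSFullAccess, the resource string format used for the request, and the simplified matching rules (only the Bool operator, fnmatch-style wildcards, explicit-deny-wins) are assumptions made for the model, not the real RAM evaluation engine. The acs:SecureTransport value is derived from the scheme of the endpoint URL, which is exactly what changes between the two SDK scripts in section 2.2.

```python
# Added example (not from the original article): a minimal local model of how a
# RAM policy carrying the acs:SecureTransport condition decides an OSS request.
# The matching rules here are simplified and are NOT the real RAM evaluation engine.
import fnmatch
import json
from urllib.parse import urlparse

# The article's Deny statement, with the comma before "Condition" in place.
DENY_HTTP_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["oss:*"],
      "Resource": ["acs:oss:*"],
      "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}
    }
  ]
}
""")

# Stand-in for the AliyunOSSFullAccess system policy (assumed shape, for this model only).
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["oss:*"], "Resource": ["acs:oss:*"]}],
}


def secure_transport(endpoint: str) -> str:
    """Derive the acs:SecureTransport context value from the endpoint handed to the SDK."""
    scheme = urlparse(endpoint).scheme.lower()
    return "true" if scheme == "https" else "false"


def _matches(patterns, value):
    # Wildcard matching of Action / Resource entries (simplified: shell-style '*').
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    # Only the Bool operator is modelled; every listed key must take one of the listed values.
    for key, wanted in condition.get("Bool", {}).items():
        if context.get(key) not in wanted:
            return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny overrides any Allow."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def decide_put_object(endpoint, bucket="test-beijing-2018", key="02.txt"):
    """Decide the PutObject request the article's script issues against the given endpoint."""
    context = {"acs:SecureTransport": secure_transport(endpoint)}
    resource = f"acs:oss:*:*:{bucket}/{key}"  # assumed resource string format for the model
    return evaluate([FULL_ACCESS_POLICY, DENY_HTTP_POLICY], "oss:PutObject", resource, context)


if __name__ == "__main__":
    for ep in ("https://oss-cn-beijing.aliyuncs.com", "http://oss-cn-beijing.aliyuncs.com"):
        print(ep, "->", decide_put_object(ep))
```

Running the block prints Allow for the HTTPS endpoint and Deny for the HTTP endpoint, which is the outcome the two test scripts below demonstrate against the real service. Removing FULL_ACCESS_POLICY from the list shows the other half of the rule: without a grant, even an HTTPS request is only implicitly denied, so the Deny statement narrows existing access rather than granting any.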

2.2 Testing user access to OSS through HTTPS

Description: we use file upload with the Python SDK as the example. In the script, the endpoint is specified as "https://oss-cn-beijing.aliyuncs.com".

2.2.1 Upload files via HTTPS

The Python script is as follows:

# -*- coding: utf-8 -*-
import oss2

# The main-account AccessKey of an Alibaba Cloud account can call every API and is very risky.
# It is strongly recommended that you create and use a RAM user for API access and daily operation and maintenance.
# Log in to https://ram.console.aliyun.com to create a RAM user.
auth = oss2.Auth('<your AccessKeyId>', '<your AccessKeySecret>')

# Endpoint: the Beijing region is used in this example; fill in the endpoint of your own Region.
bucket = oss2.Bucket(auth, 'https://oss-cn-beijing.aliyuncs.com', 'test-beijing-2018')

# Arguments: the object key in the bucket, then the local file path including its suffix, such as /users/local/myfile.txt.
bucket.put_object_from_file('02.txt', '002.txt')

The execution result is as follows:

root@shanghai-02:~/figo# python putobject.py
2019-01-10 20:55:37,003 oss2.api [INFO] 140496922879744: Init oss bucket, endpoint: https://oss-cn-beijing.aliyuncs.com, isCname: False, connect_timeout: None, app_name: , enabled_crc: True
2019-01-10 20:55:37,008 oss2.api [INFO] 140496922879744: Put object from file, bucket: test-beijing-2018, key: 02.txt, file path: 002.txt
2019-01-10 20:55:37,009 oss2.api [INFO] 140496922879744: Start to put object, bucket: test-beijing-2018, key: 02.txt, headers: {'Content-Type': 'text/plain'}
2019-01-10 20:55:37,212 oss2.api [INFO] 140496922879744: Put object done, req_id: 5C3740C952FF5BAFB298BDDA, status_code: 200

Note: the result above shows that the file was uploaded successfully.

2.2.2 Upload files via HTTP

Description: this time the endpoint in the script is specified as "http://oss-cn-beijing.aliyuncs.com".

The Python script is as follows:

# -*- coding: utf-8 -*-
import oss2

# The main-account AccessKey of an Alibaba Cloud account can call every API and is very risky.
# It is strongly recommended that you create and use a RAM user for API access and daily operation and maintenance.
# Log in to https://ram.console.aliyun.com to create a RAM user.
auth = oss2.Auth('<your AccessKeyId>', '<your AccessKeySecret>')

# Endpoint: the Beijing region is used in this example; fill in the endpoint of your own Region.
# Plain HTTP is used here only to demonstrate that the Deny policy rejects it.
bucket = oss2.Bucket(auth, 'http://oss-cn-beijing.aliyuncs.com', 'test-beijing-2018')

# Arguments: the object key in the bucket, then the local file path including its suffix, such as /users/local/myfile.txt.
bucket.put_object_from_file('02.txt', '002.txt')

The execution result is as follows:

root@shanghai-02:~/figo# python putobject.py
2019-01-10 21:14:15,499 oss2.api [INFO] 140697781880576: Init oss bucket, endpoint: http://oss-cn-beijing.aliyuncs.com, isCname: False, connect_timeout: None, app_name: , enabled_crc: True
2019-01-10 21:14:15,515 oss2.api [INFO] 140697781880576: Put object from file, bucket: test-beijing-2018, key: 02.txt, file path: 002.txt
2019-01-10 21:14:15,503 oss2.api [INFO] 140697781880576: Start to put object, bucket: test-beijing-2018, key: 02.txt, headers: {'Content-Type': 'text/plain'}
2019-01-10 21:14:15,585 oss2.api [ERROR] 140697781880576: Exception: {'status': 403, 'x-oss-request-id': '5C37453DDF97EBEDF4BDA095', 'details': {'HostId': 'test-beijing-2018.oss-cn-beijing.aliyuncs.com', 'Message': 'You have no right to access this object because of bucket acl.', 'Code': 'AccessDenied', 'RequestId': '5C37453DDF97EBEDF4BDA095'}}
Traceback (most recent call last):
  File "putobject.py", line 10, in <module>
    bucket.put_object_from_file('02.txt', '002.txt')
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 481, in put_object_from_file
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 453, in put_object
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line 1579, in _do_object
  File "build/bdist.linux-x86_64/egg/oss2/api.py", line ..., in _do
oss2.exceptions.AccessDenied: {'status': 403, 'x-oss-request-id': '5C37453DDF97EBEDF4BDA095', 'details': {'HostId': 'test-beijing-2018.oss-cn-beijing.aliyuncs.com', 'Message': 'You have no right to access this object because of bucket acl.', 'Code': 'AccessDenied', 'RequestId': '5C37453DDF97EBEDF4BDA095'}}

Description: when the upload endpoint is set to "http://oss-cn-beijing.aliyuncs.com", the upload fails with a 403 AccessDenied (the error text mentions the bucket acl, but the rejection is the RAM Policy's Deny taking effect). This shows that the RAM Policy has come into effect.

At present, RAM Policy can only restrict specified users to HTTPS access. Next, OSS will support the "Secure Transport" condition in Bucket Policy, so that all users can be restricted from accessing a specified Bucket and its objects over HTTP.

This concludes the study of how to restrict users to HTTPS-only access to OSS. I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it yourself! If you want to keep learning related topics, please keep following this site; the editor will continue to bring you more practical articles.
