Preface

When using MinIO, people often put public files there so that others can download and share them. MinIO's default share links, however, are only valid for 7 days, so to get a permanent share link the object's permissions are frequently set to public. Setting it to public is certainly convenient, but it also hands out every other permission on that file along with it.
The images and other static assets used on my own blog are likewise kept in the blog bucket on MinIO, and to make them publicly accessible I set the blog bucket's permissions to public. Below are the detailed permissions when the bucket policy is set to public:

tianliang@y720:~> mc policy get-json local/blog
{
 "Statement": [
  {
   "Action": [
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation"
   ],
   "Effect": "Allow",
   "Principal": {"AWS": ["*"]},
   "Resource": ["arn:aws:s3:::blog"]
  },
  {
   "Action": [
    "s3:ListMultipartUploadParts",
    "s3:PutObject",
    "s3:AbortMultipartUpload",
    "s3:DeleteObject",
    "s3:GetObject"
   ],
   "Effect": "Allow",
   "Principal": {"AWS": ["*"]},
   "Resource": ["arn:aws:s3:::blog/*"]
  }
 ],
 "Version": "2012-10-17"
}

Seeing s3:PutObject and s3:DeleteObject in that list really sticks in my throat.

Anyone can pull the file list at will:

tianliang@y720:~> curl https://home.lintian.co:9999/blog/
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>blog</Name><Prefix/><Marker/><MaxKeys>1000</MaxKeys><Delimiter/>
<IsTruncated>false</IsTruncated>
<Contents>
<Key>header.jpg</Key>
<LastModified>2021-12-31T20:45:46.699Z</LastModified>
<ETag>"7db015c90034723e70ab5aa89a98c89b"</ETag>
<Size>166283</Size>
<Owner>
<ID>02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4</ID>
<DisplayName>minio</DisplayName>
</Owner>
<StorageClass>STANDARD</StorageClass>
</Contents>
...

Restricting the public bucket's permissions: allow access to individual files only

To fix this permission problem that could blow up at any time, we need to adjust the bucket policy. Here we use the official MinIO Client (mc) to do it.
For the blog bucket policy shown earlier, we change it to:

{
 "Statement": [
  {
   "Action": [
    "s3:GetBucketLocation"
   ],
   "Effect": "Allow",
   "Principal": {"AWS": ["*"]},
   "Resource": ["arn:aws:s3:::blog"]
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Effect": "Allow",
   "Principal": {"AWS": ["*"]},
   "Resource": ["arn:aws:s3:::blog/*"]
  }
 ],
 "Version": "2012-10-17"
}

and save it as blog.json.

Update the bucket policy

tianliang@y720:~> mc policy set-json blog.json local/blog
Access permission for `local/blog` is set from `blog.json`

Accessing the root directory after the restriction

tianliang@y720:~> curl https://home.lintian.co:9999/blog/
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><BucketName>blog</BucketName><Resource>/blog/</Resource><Region>cn-southwest</Region><RequestId>16CE15B6F211164B</RequestId><HostId>3256e119-010c-4ffc-a902-64888b49cd72</HostId></Error>
tianliang@y720:~>
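As an added defender-side example (not part of the original post), a small Python script that takes a policy as printed by mc policy get-json, flags every action granted to anonymous users beyond download-only access, and emits the restricted policy above for a given bucket name. The script name audit_policy.py and the embedded sample policy are assumptions; the sample mirrors the public policy printed earlier.

```python
import json
import sys
# Everything a download-only public bucket needs; any other action granted to '*' is excess.
READ_ONLY = {"s3:GetObject", "s3:GetBucketLocation"}

# Constructed sample: the 'public' policy mc printed for the blog bucket above.
SAMPLE_PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation"],
     "Effect": "Allow", "Principal": {"AWS": ["*"]}, "Resource": ["arn:aws:s3:::blog"]},
    {"Action": ["s3:ListMultipartUploadParts", "s3:PutObject", "s3:AbortMultipartUpload",
                "s3:DeleteObject", "s3:GetObject"],
     "Effect": "Allow", "Principal": {"AWS": ["*"]}, "Resource": ["arn:aws:s3:::blog/*"]}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])  # str or list -> list

def _is_anonymous(principal):
    """True when a statement's Principal grants access to everyone ('*')."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def audit_policy(policy):
    """Map each resource to the sorted actions anonymous users get beyond read-only."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        excess = set(_as_list(stmt.get("Action"))) - READ_ONLY
        for resource in _as_list(stmt.get("Resource")):
            if excess:
                findings.setdefault(resource, set()).update(excess)
    return {res: sorted(acts) for res, acts in findings.items()}

def read_only_policy(bucket):
    """Download-only policy with the same shape as the corrected blog.json above."""
    return {"Version": "2012-10-17", "Statement": [
        {"Action": ["s3:GetBucketLocation"], "Effect": "Allow",
         "Principal": {"AWS": ["*"]}, "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Action": ["s3:GetObject"], "Effect": "Allow",
         "Principal": {"AWS": ["*"]}, "Resource": [f"arn:aws:s3:::{bucket}/*"]}]}

if __name__ == "__main__":
    # Usage: mc policy get-json local/blog | python3 audit_policy.py blog
    policy = SAMPLE_PUBLIC_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    bucket = sys.argv[1] if len(sys.argv) > 1 else "blog"
    findings = audit_policy(policy)
    for resource, actions in findings.items():
        print(f"{resource}: anonymous users may also {', '.join(actions)}")
    if findings: print("Suggested download-only policy:\n" + json.dumps(read_only_policy(bucket), indent=1))
```

Run without a pipe it audits the embedded sample; piped from mc policy get-json it audits the live bucket policy instead.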