Question

Given a stored file on Azure Storage (blobs, tables or queues -- doesn t matter), is it possible to allow access to it for all, but only based on permissions?

For example, I have a big storage of images, and a DB containing users and authorizations. I want user X to only be able to access images Y and Z. So, the URL will be generally inaccessible, unless you provide some sort of a temporary security token along with it. How s that possible? I know I can shut the storage from the outside world, and allow access to it only through an application checking this stuff, but this would require the application to be on Azure as well, and on-premise app won t be able to deliver any content from Azure Storage.

It is from my understanding that most CDNs provide such capability, and I sure hope so Azure provides a solution for this as well!

Itamar.

Answer 1

I don t think you can achieve this level of access filtering. The only methods I m aware of are described in this msdn article

Managing Access to Containers and Blobs

and here a blog that describes a little part of code to implement it

Using Container-Level Access Policies in Windows Azure Storage

I m not sure this would fit your need. If I understood it right I would do it this way : 1. Organize your content in container that match the roles 2. On your on premise application check if user has access and if yes generate the right URL to give him a temporary access to the resource.

Of course this only works if the users have to go through a central point to get access to the content in the blob. If they bookmark the generated link it will fail once the expiration date is passed.

Good luck.

Answer 2

This is actually possible to implement with Blob storage. Consider (a) a UI that is like explorer, and (b) that users are already authenticated (could use Access Control Service, but don t need to).

The explorer-like UI could expose resources that are appropriate to the authenticated user. The underlying access to these resources would be Shared Access Signature-controlled at the granularity appropriate for the objects - for example, restrict only see one file in a folder, or the whole folder, or ability to create a file in a folder, etc., can all be expressed.

This explorer-like UI but would need access to logic that would present the right files for a given user, while also creating the appropriate Shared-Access-Signatures as needed. Note that this logic would not need to be hosted in Azure, rather would just need access to the proper storage key (from the Azure portal).

友情链接