OSS的临时授权记录



OSS的临时授权记录

主要用于给移动端临时授权上传、下载文件:临时凭证按用途分别提供写入(上传)和只读权限。

对OSS存储的了解先看这篇博客:

http://172.16.1.98:83/wordpress/2017/11/22/oss%E5%AD%98%E5%82%A8%E8%A7%84%E8%8C%83/

参考文档:(原文链接缺失)

package com.lemo.face.util.oss;import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse.Credentials;import lombok.extern.slf4j.Slf4j;/*** 临时访问凭证授权*/
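/**
 * Issues short-lived Alibaba Cloud STS credentials (AssumeRole) that are scoped down by an
 * inline policy, so that a mobile client can upload to, or read from, the OSS bucket without
 * ever holding the long-lived access key.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The secret and the security token of the issued credentials are never written to the
 *       log; anyone able to read the log could otherwise act with them until they expire.</li>
 *   <li>The upload folder is interpolated into the policy document, so it is validated before
 *       use. Callers should still derive it from the authenticated user on the server side
 *       rather than accept it from the client.</li>
 *   <li>The long-lived key pair is read from {@code OSSClientUtil}; how that class loads it is
 *       not visible here. NOTE(review): confirm it is not hard-coded in source.</li>
 * </ul>
 *
 * <p>Both public factory methods return {@code null} when no credentials could be obtained.
 */
@Slf4j
public class STSUtil {

    /**
     * Region used for the STS endpoint. The original author notes that only "cn-hangzhou" was
     * usable at the time of writing and that no other region value should be filled in.
     */
    private static final String REGION_CN_HANGZHOU = "cn-hangzhou";

    /** Current STS API version. */
    private static final String STS_API_VERSION = "2015-04-01";

    /** Requests must be sent over HTTPS. */
    private static final ProtocolType PROTOCOL_TYPE = ProtocolType.HTTPS;

    /** Placeholder from the write-up: replace with the ARN of the RAM role to assume. */
    private static final String ROLE_ARN = "创建ram账号的";

    /**
     * Placeholder session name (the original author marks it as optional). It shows up in audit
     * records, so a value identifying the end user is more useful.
     * NOTE(review): STS is believed to restrict the characters allowed here - confirm.
     */
    private static final String ROLE_SESSION_NAME = "随意";

    /** Lifetime of the issued credentials: 3600 seconds, i.e. one hour. */
    private static final long DURATION_SECONDS = 3600L;

    /**
     * Creates temporary credentials that may only upload ({@code oss:PutObject}) below
     * {@code folder} in the configured bucket.
     *
     * @param folder object-key prefix the client may write to; must be non-empty and free of
     *               JSON metacharacters, policy wildcards and control characters
     * @return the temporary credentials, or {@code null} if the folder is rejected or the STS
     *         call fails
     * @author 杨小华 (2017/11/29)
     */
    public static Credentials createSTSForPutObject(String folder) {
        if (!isSafeFolder(folder)) {
            // The raw value is deliberately not logged: it is untrusted input.
            log.warn("Refusing to issue upload credentials: folder is empty or contains "
                    + "characters that are not allowed in the policy resource.");
            return null;
        }
        return createSTS(getPutObjectPolicy(folder));
    }

    /**
     * Creates temporary credentials limited to {@code oss:Get*} and {@code oss:List*} on the
     * configured bucket.
     *
     * @return the temporary credentials, or {@code null} if the STS call fails
     * @author 杨小华 (2018/1/31)
     * @since 1.0.0
     */
    public static Credentials createSTSForReadOnly() {
        return createSTS(getOSSReadOnlyAccessPolicy());
    }

    /**
     * Assumes the configured role with the given inline policy and returns the credentials.
     *
     * @param policy policy document that further restricts the assumed role
     * @return the temporary credentials, or {@code null} if none could be obtained
     * @author 杨小华 (2018/1/31)
     * @since 1.0.0
     */
    private static Credentials createSTS(String policy) {
        try {
            final AssumeRoleResponse response =
                    assumeRole(OSSClientUtil.accessKeyId, OSSClientUtil.accessKeySecret,
                            ROLE_ARN, ROLE_SESSION_NAME, policy, PROTOCOL_TYPE);
            final Credentials credentials = response == null ? null : response.getCredentials();
            if (credentials == null) {
                log.error("Failed to get a token: the STS response carried no credentials.");
                return null;
            }
            // Only non-secret fields are logged; the access key secret and the security token
            // must stay out of the log.
            log.info("Issued STS credentials, expiration: {}, accessKeyIdSTS: {}",
                    credentials.getExpiration(), credentials.getAccessKeyId());
            return credentials;
        } catch (ClientException e) {
            log.error("Failed to get a token. Error code: {}, error message: {}",
                    e.getErrCode(), e.getErrMsg());
        }
        return null;
    }

    /**
     * Checks that {@code folder} can be embedded in the policy's resource string without
     * changing the shape or the scope of the policy.
     *
     * @param folder candidate object-key prefix
     * @return {@code true} if the value is non-empty and contains no double quote, backslash,
     *         {@code *}, {@code ?} or control character
     */
    private static boolean isSafeFolder(String folder) {
        if (folder == null || folder.isEmpty()) {
            return false;
        }
        for (int i = 0; i < folder.length(); i++) {
            final char c = folder.charAt(i);
            // '"' and '\' would break out of the JSON string; '*' and '?' are treated as
            // wildcards in the resource and would widen the grant beyond one folder.
            if (c == '"' || c == '\\' || c == '*' || c == '?' || Character.isISOControl(c)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds the upload policy: allows {@code oss:PutObject} on objects below
     * {@code <bucket>/<folder>/} and nothing else.
     *
     * @param folder validated object-key prefix (see {@link #isSafeFolder(String)})
     * @return the policy document as JSON text
     * @author 杨小华 (2017/11/29)
     */
    private static String getPutObjectPolicy(String folder) {
        return String.format("{\n" +
                "    \"Version\": \"1\", \n" +
                "    \"Statement\": [\n" +
                "        {\n" +
                "            \"Action\": [\n" +
                "                \"oss:PutObject\" \n" +
                "            ], \n" +
                "            \"Resource\": [\n" +
                "                \"acs:oss:*:*:%s/%s/*\"\n" +
                "            ], \n" +
                "            \"Effect\": \"Allow\"\n" +
                "        }\n" +
                "    ]\n" +
                "}", OSSClientUtil.BUCKET_NAME, folder);
    }

    /**
     * Builds the read-only policy: allows {@code oss:Get*} and {@code oss:List*} on every
     * object of the configured bucket.
     *
     * <p>NOTE(review): the grant covers the whole bucket, not a per-user prefix - confirm this
     * is intended for credentials handed to mobile clients.
     *
     * @return the policy document as JSON text
     * @author 杨小华 (2018/1/31)
     * @since 1.0.0
     */
    private static String getOSSReadOnlyAccessPolicy() {
        return String.format("{\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": [\n" +
                "        \"oss:Get*\",\n" +
                "        \"oss:List*\"\n" +
                "      ],\n" +
                "      \"Effect\": \"Allow\",\n" +
                "      \"Resource\": [\n" +
                "        \"acs:oss:*:*:%s/*\"\n" +
                "      ]\n" +
                "    }\n" +
                "  ],\n" +
                "  \"Version\": \"1\"\n" +
                "}", OSSClientUtil.BUCKET_NAME);
    }

    /**
     * Calls STS AssumeRole, the operation by which a RAM user obtains a security token for a
     * role identity.
     *
     * <p>Failures are propagated instead of being swallowed, so the caller never receives a
     * {@code null} response that it would then dereference.
     *
     * @param accessKeyId     long-lived access key id of the calling RAM user
     * @param accessKeySecret long-lived access key secret of the calling RAM user
     * @param roleArn         ARN of the role to assume
     * @param roleSessionName session name recorded for the assumed role
     * @param policy          inline policy restricting the issued credentials
     * @param protocolType    transport protocol of the request
     * @return the AssumeRole response
     * @throws ClientException if the request fails on the client or the server side
     * @author 杨小华 (2017/11/29)
     */
    private static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret,
                                                 String roleArn, String roleSessionName,
                                                 String policy, ProtocolType protocolType)
            throws ClientException {
        final IClientProfile profile =
                DefaultProfile.getProfile(REGION_CN_HANGZHOU, accessKeyId, accessKeySecret);
        final DefaultAcsClient client = new DefaultAcsClient(profile);

        final AssumeRoleRequest request = new AssumeRoleRequest();
        request.setDurationSeconds(DURATION_SECONDS);
        request.setVersion(STS_API_VERSION);
        request.setMethod(MethodType.POST);
        request.setProtocol(protocolType);
        request.setRoleArn(roleArn);
        request.setRoleSessionName(roleSessionName);
        request.setPolicy(policy);
        return client.getAcsResponse(request);
    }
}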

 
