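How to disable bucket listing on a public MinIO bucket
After setting up object storage on a self-hosted MinIO and creating a public bucket, opening the bucket's root URL directly displays a list of every file in the bucket, which is insecure. As shown in the figure:
Use the mc command-line client to view the bucket's current anonymous policy:
mc anonymous get-json local/flarum-images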
{
    "Statement": [
        {
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Resource": [
                "arn:aws:s3:::flarum-images"
            ]
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Resource": [
                "arn:aws:s3:::flarum-images/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}
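The permissions listed under Action are the default "public" permissions.
s3:ListBucket has to be removed, which means editing the policy.
In the console, go to Buckets -> flarum-images -> Summary -> Access Policy, change the policy to Custom, and set its content to: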
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::flarum-images/*"
            ]
        }
    ]
}
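In other words, delete the entire first statement (the one whose Resource is arn:aws:s3:::flarum-images), and in the second statement keep only s3:GetObject as the Action value. Keeping only s3:GetObject also drops the anonymous s3:PutObject and s3:DeleteObject permissions that the default policy granted.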
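To check a bucket for the same problem, the output of mc anonymous get-json can be audited for anonymous grants beyond read access. The following is an added example, not part of the original post: the names audit_policy and RISKY are hypothetical, the sample policies are rebuilt inline from the two shown above, and the check goes slightly beyond the post by also matching wildcard actions such as s3:*.

```python
import json
from fnmatch import fnmatchcase

# Actions that anonymous users should not hold on a read-only public bucket.
RISKY = {
    "list": ["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts"],
    "write": ["s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
}

def as_list(value):
    """Policy fields may hold one item or a list of items."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_anonymous(principal):
    """True for "*", {"AWS": "*"} or {"AWS": ["*"]}."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return principal == "*"

def audit_policy(policy_json):
    """Return sorted (kind, action, resource) for each risky anonymous grant."""
    findings = set()
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        for pattern in as_list(stmt.get("Action")):
            for kind, actions in RISKY.items():
                for action in actions:
                    if fnmatchcase(action, pattern):  # also matches "s3:*", "s3:List*"
                        findings.update((kind, action, r) for r in as_list(stmt.get("Resource")))
    return sorted(findings)

def statement(actions, resource):
    """Build an anonymous Allow statement (helper for the sample policies)."""
    return {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": actions, "Resource": [resource]}

# Sample input: the two policies shown on this page, rebuilt inline.
DEFAULT_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    statement(["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"],
              "arn:aws:s3:::flarum-images"),
    statement(["s3:DeleteObject", "s3:GetObject", "s3:ListMultipartUploadParts",
               "s3:PutObject", "s3:AbortMultipartUpload"], "arn:aws:s3:::flarum-images/*"),
]})
READ_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    statement(["s3:GetObject"], "arn:aws:s3:::flarum-images/*")]})

if __name__ == "__main__":
    for name, doc in (("default public", DEFAULT_PUBLIC), ("read-only", READ_ONLY)):
        print(name, audit_policy(doc))
```

An empty result means the policy grants anonymous users nothing from the list or write groups; the default public policy produces six findings.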