
Authorize requests to Azure Storage

Every request made against a secured resource in the Blob, File, Queue, or Table service must be authorized. Authorization ensures that resources in your storage account are accessible only when you want them to be, and only to those users or applications to whom you grant access.

The following table describes the options that Azure Storage offers for authorizing access to resources:

| | Shared Key (storage account key) | Shared access signature (SAS) | Azure Active Directory (Azure AD) | Active Directory (preview) | Anonymous public read access |
|---|---|---|---|---|---|
| Azure Blobs | Supported | Supported | Supported | Not supported | Supported |
| Azure Files (SMB) | Supported | Not supported | Supported, only with Azure AD Domain Services | Supported, credentials must be synced to Azure AD | Not supported |
| Azure Files (REST) | Supported | Supported | Not supported | Not supported | Not supported |
| Azure Queues | Supported | Supported | Supported | Not supported | Not supported |
| Azure Tables | Supported | Supported | Not supported | Not supported | Not supported |

Each authorization option is briefly described below:

  • Azure Active Directory (Azure AD): Azure AD is Microsoft's cloud-based identity and access management service. Azure AD integration is available for the Blob and Queue services. With Azure AD, you can assign fine-grained access to users, groups, or applications via role-based access control (RBAC). For information about Azure AD integration with Azure Storage, see Authorize with Azure Active Directory.

  • Azure Active Directory Domain Services (Azure AD DS) authorization for Azure Files: Azure Files supports identity-based authorization over Server Message Block (SMB) through Azure AD DS. You can use RBAC for fine-grained control over a client's access to Azure Files resources in a storage account. For more information regarding Azure Files authentication using domain services, see Azure Files identity-based authorization.

  • Active Directory (AD) authorization (preview) for Azure Files: Azure Files supports identity-based authorization over SMB through AD. Your AD domain service can be hosted on on-premises machines or in Azure VMs. SMB access to Azure Files is supported using AD credentials from domain-joined machines, either on-premises or in Azure. You can use RBAC for share-level access control and NTFS DACLs for directory- and file-level permission enforcement. For more information regarding Azure Files authentication using domain services, see Azure Files identity-based authorization.

  • Shared Key: Shared Key authorization relies on your account access keys and other parameters to produce an encrypted signature string that is passed on the request in the Authorization header. For more information about Shared Key authorization, see Authorize with Shared Key.

  • Shared access signatures: Shared access signatures (SAS) delegate access to a particular resource in your account with specified permissions and over a specified time interval. For more information about SAS, see Delegate access with a shared access signature.

  • Anonymous access to containers and blobs: You can optionally make blob resources public at the container or blob level. A public container or blob is accessible to any user for anonymous read access. Read requests to public containers and blobs do not require authorization. For more information, see Enable public read access for containers and blobs in Azure Blob storage.
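To make the Shared Key bullet concrete, the following added example (written for this page, not code from the Azure documentation or an Azure SDK) builds the Blob service string-to-sign, signs it with HMAC-SHA256 using the base64-decoded account key, and formats the `Authorization: SharedKey <account>:<signature>` header. It also shows the server-side half of the scheme, recomputing the signature and comparing it in constant time, which is how a gateway or proxy that fronts the account key could validate a presented header. The account name, the key (64 zero-to-63 bytes) and the request are constructed sample values; `ACCOUNT_NAME`, `ACCOUNT_KEY` and all function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample account and key for this example only; the key is not a real one.
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()

# Standard headers, in the order the Blob/Queue/File Shared Key string-to-sign lists them.
STANDARD_HEADERS = (
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
    "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
    "If-Unmodified-Since", "Range",
)


def canonicalized_headers(headers):
    """All x-ms-* headers, names lowercased and sorted, each emitted as 'name:value\\n'."""
    ms = {}
    for name, value in headers.items():
        if name.lower().startswith("x-ms-"):
            ms[name.lower()] = " ".join(value.split())  # collapse internal whitespace
    return "".join(f"{name}:{ms[name]}\n" for name in sorted(ms))


def canonicalized_resource(account, url):
    """'/account/decoded-path' followed by each query parameter as '\\nname:value';
    names are lowercased and sorted, several values for one name are comma-joined."""
    parsed = urlparse(url)
    resource = f"/{account}{unquote(parsed.path) or '/'}"
    params = {}
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        params.setdefault(name.lower(), []).extend(values)
    for name in sorted(params):
        resource += f"\n{name}:{','.join(sorted(params[name]))}"
    return resource


def string_to_sign(account, method, url, headers):
    """Build the canonical string that the Shared Key signature covers."""
    lowered = {name.lower(): value for name, value in headers.items()}
    parts = [method.upper()]
    for name in STANDARD_HEADERS:
        value = lowered.get(name.lower(), "")
        if name == "Content-Length" and value == "0":
            value = ""  # API version 2015-02-21 and later: a zero length is signed as empty
        if name == "Date" and "x-ms-date" in lowered:
            value = ""  # clients that send x-ms-date leave the Date slot empty
        parts.append(value)
    return ("\n".join(parts) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def shared_key_signature(account, key_b64, method, url, headers):
    """Base64(HMAC-SHA256(string-to-sign, base64-decoded account key))."""
    message = string_to_sign(account, method, url, headers).encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), message, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(account, key_b64, method, url, headers):
    """Value of the Authorization header: 'SharedKey <account>:<signature>'."""
    return f"SharedKey {account}:{shared_key_signature(account, key_b64, method, url, headers)}"


def verify_authorization(account, key_b64, method, url, headers, presented):
    """Validation side: recompute the header and compare in constant time."""
    expected = authorization_header(account, key_b64, method, url, headers)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed request: list the blobs in a container.
    url = f"https://{ACCOUNT_NAME}.blob.core.windows.net/mycontainer?restype=container&comp=list"
    headers = {"x-ms-date": "Mon, 06 Jan 2020 00:00:00 GMT", "x-ms-version": "2019-12-12"}
    print(string_to_sign(ACCOUNT_NAME, "GET", url, headers))
    print("Authorization:", authorization_header(ACCOUNT_NAME, ACCOUNT_KEY, "GET", url, headers))
```

Because the signature covers the verb, the `x-ms-*` headers and the canonicalized resource, any change to those parts of the request invalidates it; what it cannot protect against is possession of the account key itself, which is why the tip below prefers Azure AD.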

Tip

Authenticating and authorizing access to blob and queue data with Azure AD provides superior security and ease of use over other authorization options. For example, by using Azure AD, you avoid having to store your account access key with your code, as you do with Shared Key authorization. While you can continue to use Shared Key authorization with your blob and queue applications, Microsoft recommends moving to Azure AD where possible.

Similarly, you can continue to use shared access signatures (SAS) to grant fine-grained access to resources in your storage account, but Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS.

For more information about Azure AD integration in Azure Storage, see Authorize access to Azure blobs and queues using Azure Active Directory.
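The SAS bullet above and the tip about compromised tokens both come down to what a token carries: its permissions, lifetime, protocol and IP restrictions are visible in the query string. The following added example (not code from the Azure documentation or any SDK) audits a SAS URL for the properties a reviewer would flag before a token ships in a config or shows up in a log: long lifetime, write or delete permissions, HTTP allowed, no IP restriction, account-wide scope, or an already expired token. The parameter names it reads (`sv`, `sr`, `sp`, `st`, `se`, `spr`, `sip`, `ss`, `srt`, `si`, `sig`) are the documented SAS query parameters; the URLs, timestamps and the `PLACEHOLDER` signatures are constructed, and the one-hour lifetime threshold is this example's own choice.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Permission letters that modify data: w=write, d=delete, a=add, c=create.
WRITE_PERMISSIONS = set("wdac")


def parse_sas_params(url):
    """Return the query parameters of a SAS URL as a flat dict (first value wins)."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def parse_sas_time(value):
    """Parse the UTC ISO 8601 forms used by st/se, including the date-only form."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url, now, max_lifetime=timedelta(hours=1)):
    """Return a list of finding codes for one SAS URL; an empty list means nothing flagged."""
    p = parse_sas_params(url)
    if "sig" not in p:
        return ["not-a-sas"]
    findings = []
    if "ss" in p or "srt" in p:
        findings.append("account-sas")          # scope is the whole account, not one resource
    if "si" in p:
        findings.append("stored-access-policy")  # expiry/permissions may live in the policy
    if "se" in p:
        expiry = parse_sas_time(p["se"])
        if expiry <= now:
            findings.append("expired")
        start = parse_sas_time(p["st"]) if "st" in p else now
        if expiry - start > max_lifetime:
            findings.append("long-lived")
    elif "si" not in p:
        findings.append("no-expiry")
    if set(p.get("sp", "")) & WRITE_PERMISSIONS:
        findings.append("write-permissions")
    if "http" in p.get("spr", "https").split(","):
        findings.append("http-allowed")          # token usable over plaintext HTTP
    if "sip" not in p:
        findings.append("no-ip-restriction")
    return findings


# Constructed sample tokens; the signatures are placeholders, not real values.
RISKY_SAS = ("https://examplestorage.blob.core.windows.net/backups"
             "?sv=2019-12-12&sr=c&sp=rwdl&st=2020-01-01T00:00:00Z&se=2030-01-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER")
TIGHT_SAS = ("https://examplestorage.blob.core.windows.net/backups/report.csv"
             "?sv=2019-12-12&sr=b&sp=r&st=2020-01-06T09:00:00Z&se=2020-01-06T09:30:00Z"
             "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")
NOW = datetime(2020, 1, 6, 9, 10, tzinfo=timezone.utc)  # fixed clock for reproducible output

if __name__ == "__main__":
    for label, sas in (("risky", RISKY_SAS), ("tight", TIGHT_SAS)):
        print(label, audit_sas(sas, NOW) or ["ok"])
```

Run over SAS URLs harvested from configuration files or request logs, the audit turns the "revoking a compromised SAS" concern from the tip into something measurable: a token with `long-lived` and `write-permissions` findings stays valid until the signing key is rotated or its stored access policy is changed, whereas a short-lived read-only token bounded by `sip` limits the damage window on its own.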