Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9346 Commits
32 Branches
298 Tags
169 MiB
Tree: 039c950cb2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '039c950cb2'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

414 lines
12 KiB
Raw Normal View History

support acl
5 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
support acl
5 years ago
fix nil pointer when no identity config init Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
grpc connection to filer add sw-client-id header
2 years ago
refactor: `Directory` readability (#3665)
2 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
s3: add grpc server to accept configuration changes
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
supplement check duplicate accesskey
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
refactoring
5 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
support acl
5 years ago
adjust logs
3 years ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
add ownership rest apis (#3765)
2 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: access control limited by bucket
5 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
support acl
5 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
fix: When there is no access permission configured before startup, the authentication does not take effect after configuring the permission after startup
3 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
audit log SignatureVersion
3 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
s3: support config action Admin:bucket
4 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
s3: support config action Admin:bucket
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: support config action Admin:bucket
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
s3: support config action Admin:bucket
4 years ago
add ownership rest apis (#3765)
2 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
audit log SignatureVersion
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
fix auth permission checking
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
auth use bucket wild cards
4 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  6. "net/http"
  7. "os"
  8. "strings"
  9. "sync"
  11. "github.com/seaweedfs/seaweedfs/weed/filer"
  12. "github.com/seaweedfs/seaweedfs/weed/glog"
  13. "github.com/seaweedfs/seaweedfs/weed/pb"
  14. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  15. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  16. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  17. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  18. )
  20. var IdentityAnonymous = &Identity{
  21. Name: s3account.AccountAnonymous.Name,
  22. AccountId: s3account.AccountAnonymous.Id,
  23. }
  25. type Action string
  27. type Iam interface {
  28. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  29. }
  31. type IdentityAccessManagement struct {
  32. m sync.RWMutex
  34. identities []*Identity
  35. isAuthEnabled bool
  36. domain string
  37. }
  39. type Identity struct {
  40. Name string
  41. AccountId string
  42. Credentials []*Credential
  43. Actions []Action
  44. }
  46. func (i *Identity) isAnonymous() bool {
  47. return i.Name == s3account.AccountAnonymous.Name
  48. }
  50. type Credential struct {
  51. AccessKey string
  52. SecretKey string
  53. }
  55. func (action Action) isAdmin() bool {
  56. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  57. }
  59. func (action Action) isOwner(bucket string) bool {
  60. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  61. }
  63. func (action Action) overBucket(bucket string) bool {
  64. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  65. }
  67. func (action Action) getPermission() Permission {
  68. switch act := strings.Split(string(action), ":")[0]; act {
  69. case s3_constants.ACTION_ADMIN:
  70. return Permission("FULL_CONTROL")
  71. case s3_constants.ACTION_WRITE:
  72. return Permission("WRITE")
  73. case s3_constants.ACTION_READ:
  74. return Permission("READ")
  75. default:
  76. return Permission("")
  77. }
  78. }
  80. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  81. iam := &IdentityAccessManagement{
  82. domain: option.DomainName,
  83. }
  84. if option.Config != "" {
  85. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  86. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  87. }
  88. } else {
  89. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  90. glog.Warningf("fail to load config: %v", err)
  91. }
  92. }
  93. return iam
  94. }
  96. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  97. var content []byte
  98. err = pb.WithFilerClient(false, 0, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  99. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
  100. return err
  101. })
  102. if err != nil {
  103. return fmt.Errorf("read S3 config: %v", err)
  104. }
  105. return iam.LoadS3ApiConfigurationFromBytes(content)
  106. }
  108. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  109. content, readErr := os.ReadFile(fileName)
  110. if readErr != nil {
  111. glog.Warningf("fail to read %s : %v", fileName, readErr)
  112. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  113. }
  114. return iam.LoadS3ApiConfigurationFromBytes(content)
  115. }
  117. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  118. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  119. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  120. glog.Warningf("unmarshal error: %v", err)
  121. return fmt.Errorf("unmarshal error: %v", err)
  122. }
  124. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  125. return err
  126. }
  128. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  129. return err
  130. }
  131. return nil
  132. }
  134. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  135. var identities []*Identity
  136. for _, ident := range config.Identities {
  137. t := &Identity{
  138. Name: ident.Name,
  139. AccountId: s3account.AccountAdmin.Id,
  140. Credentials: nil,
  141. Actions: nil,
  142. }
  144. if ident.Name == s3account.AccountAnonymous.Name {
  145. if ident.AccountId != "" && ident.AccountId != s3account.AccountAnonymous.Id {
  146. glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
  147. }
  148. t.AccountId = s3account.AccountAnonymous.Id
  149. IdentityAnonymous = t
  150. } else {
  151. if len(ident.AccountId) > 0 {
  152. t.AccountId = ident.AccountId
  153. }
  154. }
  156. for _, action := range ident.Actions {
  157. t.Actions = append(t.Actions, Action(action))
  158. }
  159. for _, cred := range ident.Credentials {
  160. t.Credentials = append(t.Credentials, &Credential{
  161. AccessKey: cred.AccessKey,
  162. SecretKey: cred.SecretKey,
  163. })
  164. }
  165. identities = append(identities, t)
  166. }
  168. iam.m.Lock()
  169. // atomically switch
  170. iam.identities = identities
  171. if !iam.isAuthEnabled { // one-directional, no toggling
  172. iam.isAuthEnabled = len(identities) > 0
  173. }
  174. iam.m.Unlock()
  175. return nil
  176. }
  178. func (iam *IdentityAccessManagement) isEnabled() bool {
  179. return iam.isAuthEnabled
  180. }
  182. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  184. iam.m.RLock()
  185. defer iam.m.RUnlock()
  186. for _, ident := range iam.identities {
  187. for _, cred := range ident.Credentials {
  188. // println("checking", ident.Name, cred.AccessKey)
  189. if cred.AccessKey == accessKey {
  190. return ident, cred, true
  191. }
  192. }
  193. }
  194. glog.V(1).Infof("could not find accessKey %s", accessKey)
  195. return nil, nil, false
  196. }
  198. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  199. iam.m.RLock()
  200. defer iam.m.RUnlock()
  201. for _, ident := range iam.identities {
  202. if ident.isAnonymous() {
  203. return ident, true
  204. }
  205. }
  206. return nil, false
  207. }
  209. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  210. return Auth(iam, nil, f, action, false)
  211. }
  213. func (s3a *S3ApiServer) Auth(f http.HandlerFunc, action Action, supportAcl bool) http.HandlerFunc {
  214. return Auth(s3a.iam, s3a.bucketRegistry, f, action, supportAcl)
  215. }
  217. func Auth(iam *IdentityAccessManagement, br *BucketRegistry, f http.HandlerFunc, action Action, supportAcl bool) http.HandlerFunc {
  218. return func(w http.ResponseWriter, r *http.Request) {
  219. //unset predefined headers
  220. delete(r.Header, s3_constants.AmzAccountId)
  221. delete(r.Header, s3_constants.ExtAmzOwnerKey)
  222. delete(r.Header, s3_constants.ExtAmzAclKey)
  224. if !iam.isEnabled() {
  225. f(w, r)
  226. return
  227. }
  229. identity, errCode := authRequest(iam, br, r, action, supportAcl)
  230. if errCode == s3err.ErrNone {
  231. if identity != nil && identity.Name != "" {
  232. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  233. if identity.isAdmin() {
  234. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  235. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  236. r.Header.Del(s3_constants.AmzIsAdmin)
  237. }
  238. }
  239. f(w, r)
  240. return
  241. }
  242. s3err.WriteErrorResponse(w, r, errCode)
  243. }
  244. }
  246. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  247. return authRequest(iam, nil, r, action, false)
  248. }
  250. func authRequest(iam *IdentityAccessManagement, br *BucketRegistry, r *http.Request, action Action, supportAcl bool) (*Identity, s3err.ErrorCode) {
  251. var identity *Identity
  252. var s3Err s3err.ErrorCode
  253. var authType string
  254. switch getRequestAuthType(r) {
  255. case authTypeStreamingSigned:
  256. return identity, s3err.ErrNone
  257. case authTypeUnknown:
  258. glog.V(3).Infof("unknown auth type")
  259. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  260. return identity, s3err.ErrAccessDenied
  261. case authTypePresignedV2, authTypeSignedV2:
  262. glog.V(3).Infof("v2 auth type")
  263. identity, s3Err = iam.isReqAuthenticatedV2(r)
  264. authType = "SigV2"
  265. case authTypeSigned, authTypePresigned:
  266. glog.V(3).Infof("v4 auth type")
  267. identity, s3Err = iam.reqSignatureV4Verify(r)
  268. authType = "SigV4"
  269. case authTypePostPolicy:
  270. glog.V(3).Infof("post policy auth type")
  271. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  272. return identity, s3err.ErrNone
  273. case authTypeJWT:
  274. glog.V(3).Infof("jwt auth type")
  275. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  276. return identity, s3err.ErrNotImplemented
  277. case authTypeAnonymous:
  278. if supportAcl && br != nil {
  279. bucket, _ := s3_constants.GetBucketAndObject(r)
  280. bucketMetadata, errorCode := br.GetBucketMetadata(bucket)
  281. if errorCode != s3err.ErrNone {
  282. return nil, errorCode
  283. }
  284. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  285. return IdentityAnonymous, s3err.ErrNone
  286. }
  287. }
  288. authType = "Anonymous"
  289. identity = IdentityAnonymous
  290. if len(identity.Actions) == 0 {
  291. r.Header.Set(s3_constants.AmzAuthType, authType)
  292. return identity, s3err.ErrAccessDenied
  293. }
  294. default:
  295. return identity, s3err.ErrNotImplemented
  296. }
  298. if len(authType) > 0 {
  299. r.Header.Set(s3_constants.AmzAuthType, authType)
  300. }
  301. if s3Err != s3err.ErrNone {
  302. return identity, s3Err
  303. }
  305. glog.V(3).Infof("user name: %v account id: %v actions: %v, action: %v", identity.Name, identity.AccountId, identity.Actions, action)
  307. bucket, object := s3_constants.GetBucketAndObject(r)
  309. if !identity.canDo(action, bucket, object) {
  310. return identity, s3err.ErrAccessDenied
  311. }
  313. if !identity.isAnonymous() {
  314. r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
  315. }
  316. return identity, s3err.ErrNone
  318. }
  320. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  321. var identity *Identity
  322. var s3Err s3err.ErrorCode
  323. var found bool
  324. var authType string
  325. switch getRequestAuthType(r) {
  326. case authTypeStreamingSigned:
  327. return identity, s3err.ErrNone
  328. case authTypeUnknown:
  329. glog.V(3).Infof("unknown auth type")
  330. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  331. return identity, s3err.ErrAccessDenied
  332. case authTypePresignedV2, authTypeSignedV2:
  333. glog.V(3).Infof("v2 auth type")
  334. identity, s3Err = iam.isReqAuthenticatedV2(r)
  335. authType = "SigV2"
  336. case authTypeSigned, authTypePresigned:
  337. glog.V(3).Infof("v4 auth type")
  338. identity, s3Err = iam.reqSignatureV4Verify(r)
  339. authType = "SigV4"
  340. case authTypePostPolicy:
  341. glog.V(3).Infof("post policy auth type")
  342. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  343. return identity, s3err.ErrNone
  344. case authTypeJWT:
  345. glog.V(3).Infof("jwt auth type")
  346. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  347. return identity, s3err.ErrNotImplemented
  348. case authTypeAnonymous:
  349. authType = "Anonymous"
  350. identity, found = iam.lookupAnonymous()
  351. if !found {
  352. r.Header.Set(s3_constants.AmzAuthType, authType)
  353. return identity, s3err.ErrAccessDenied
  354. }
  355. default:
  356. return identity, s3err.ErrNotImplemented
  357. }
  359. if len(authType) > 0 {
  360. r.Header.Set(s3_constants.AmzAuthType, authType)
  361. }
  363. glog.V(3).Infof("auth error: %v", s3Err)
  364. if s3Err != s3err.ErrNone {
  365. return identity, s3Err
  366. }
  367. return identity, s3err.ErrNone
  368. }
  370. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  371. if identity.isAdmin() {
  372. return true
  373. }
  374. for _, a := range identity.Actions {
  375. if a == action {
  376. return true
  377. }
  378. }
  379. if bucket == "" {
  380. return false
  381. }
  382. target := string(action) + ":" + bucket + objectKey
  383. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  384. limitedByBucket := string(action) + ":" + bucket
  385. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  386. for _, a := range identity.Actions {
  387. act := string(a)
  388. if strings.HasSuffix(act, "*") {
  389. if strings.HasPrefix(target, act[:len(act)-1]) {
  390. return true
  391. }
  392. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  393. return true
  394. }
  395. } else {
  396. if act == limitedByBucket {
  397. return true
  398. }
  399. if act == adminLimitedByBucket {
  400. return true
  401. }
  402. }
  403. }
  404. return false
  405. }
  407. func (identity *Identity) isAdmin() bool {
  408. for _, a := range identity.Actions {
  409. if a == "Admin" {
  410. return true
  411. }
  412. }
  413. return false
  414. }