Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8867 Commits
32 Branches
297 Tags
164 MiB
Tree: 1cdbc8beb5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1cdbc8beb5'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

391 lines
10 KiB
Raw Normal View History

support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
move to https://github.com/seaweedfs/seaweedfs
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
use streaming mode for long poll grpc calls streaming mode would create separate grpc connections for each call. this is to ensure the long poll connections are properly closed.
3 years ago
refactor: `Directory` readability (#3665)
2 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
s3: add grpc server to accept configuration changes
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
supplement check duplicate accesskey
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
refactoring
5 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
support acl
5 years ago
adjust logs
3 years ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
add ownership rest apis (#3765)
2 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix: When there is no access permission configured before startup, the authentication does not take effect after configuring the permission after startup
3 years ago
Add bucket owner attr.
4 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
s3: support config action Admin:bucket
4 years ago
logging
4 years ago
s3: support config action Admin:bucket
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: support config action Admin:bucket
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
s3: support config action Admin:bucket
4 years ago
add ownership rest apis (#3765)
2 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
audit log SignatureVersion
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
fix auth permission checking
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
auth use bucket wild cards
4 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "net/http"
  6. "os"
  7. "strings"
  8. "sync"
  10. "github.com/seaweedfs/seaweedfs/weed/filer"
  11. "github.com/seaweedfs/seaweedfs/weed/glog"
  12. "github.com/seaweedfs/seaweedfs/weed/pb"
  13. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  14. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  15. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  16. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  17. )
  19. var IdentityAnonymous *Identity
  21. type Action string
  23. type Iam interface {
  24. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  25. }
  27. type IdentityAccessManagement struct {
  28. m sync.RWMutex
  30. identities []*Identity
  31. isAuthEnabled bool
  32. domain string
  33. }
  35. type Identity struct {
  36. Name string
  37. AccountId string
  38. Credentials []*Credential
  39. Actions []Action
  40. }
  42. func (i *Identity) isAnonymous() bool {
  43. return i.Name == AccountAnonymous.Name
  44. }
  46. type Credential struct {
  47. AccessKey string
  48. SecretKey string
  49. }
  51. func (action Action) isAdmin() bool {
  52. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  53. }
  55. func (action Action) isOwner(bucket string) bool {
  56. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  57. }
  59. func (action Action) overBucket(bucket string) bool {
  60. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  61. }
  63. func (action Action) getPermission() Permission {
  64. switch act := strings.Split(string(action), ":")[0]; act {
  65. case s3_constants.ACTION_ADMIN:
  66. return Permission("FULL_CONTROL")
  67. case s3_constants.ACTION_WRITE:
  68. return Permission("WRITE")
  69. case s3_constants.ACTION_READ:
  70. return Permission("READ")
  71. default:
  72. return Permission("")
  73. }
  74. }
  76. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  77. iam := &IdentityAccessManagement{
  78. domain: option.DomainName,
  79. }
  80. if option.Config != "" {
  81. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  82. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  83. }
  84. } else {
  85. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  86. glog.Warningf("fail to load config: %v", err)
  87. }
  88. }
  89. return iam
  90. }
  92. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  93. var content []byte
  94. err = pb.WithFilerClient(false, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  95. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
  96. return err
  97. })
  98. if err != nil {
  99. return fmt.Errorf("read S3 config: %v", err)
  100. }
  101. return iam.LoadS3ApiConfigurationFromBytes(content)
  102. }
  104. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  105. content, readErr := os.ReadFile(fileName)
  106. if readErr != nil {
  107. glog.Warningf("fail to read %s : %v", fileName, readErr)
  108. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  109. }
  110. return iam.LoadS3ApiConfigurationFromBytes(content)
  111. }
  113. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  114. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  115. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  116. glog.Warningf("unmarshal error: %v", err)
  117. return fmt.Errorf("unmarshal error: %v", err)
  118. }
  120. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  121. return err
  122. }
  124. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  125. return err
  126. }
  127. return nil
  128. }
  130. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  131. var identities []*Identity
  132. for _, ident := range config.Identities {
  133. t := &Identity{
  134. Name: ident.Name,
  135. AccountId: AccountAdmin.Id,
  136. Credentials: nil,
  137. Actions: nil,
  138. }
  140. if ident.Name == AccountAnonymous.Name {
  141. if ident.AccountId != "" && ident.AccountId != AccountAnonymous.Id {
  142. glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
  143. }
  144. t.AccountId = AccountAnonymous.Id
  145. IdentityAnonymous = t
  146. } else {
  147. if len(ident.AccountId) > 0 {
  148. t.AccountId = ident.AccountId
  149. }
  150. }
  152. for _, action := range ident.Actions {
  153. t.Actions = append(t.Actions, Action(action))
  154. }
  155. for _, cred := range ident.Credentials {
  156. t.Credentials = append(t.Credentials, &Credential{
  157. AccessKey: cred.AccessKey,
  158. SecretKey: cred.SecretKey,
  159. })
  160. }
  161. identities = append(identities, t)
  162. }
  164. if IdentityAnonymous == nil {
  165. IdentityAnonymous = &Identity{
  166. Name: AccountAnonymous.Name,
  167. AccountId: AccountAnonymous.Id,
  168. }
  169. }
  170. iam.m.Lock()
  171. // atomically switch
  172. iam.identities = identities
  173. if !iam.isAuthEnabled { // one-directional, no toggling
  174. iam.isAuthEnabled = len(identities) > 0
  175. }
  176. iam.m.Unlock()
  177. return nil
  178. }
  180. func (iam *IdentityAccessManagement) isEnabled() bool {
  181. return iam.isAuthEnabled
  182. }
  184. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  186. iam.m.RLock()
  187. defer iam.m.RUnlock()
  188. for _, ident := range iam.identities {
  189. for _, cred := range ident.Credentials {
  190. // println("checking", ident.Name, cred.AccessKey)
  191. if cred.AccessKey == accessKey {
  192. return ident, cred, true
  193. }
  194. }
  195. }
  196. glog.V(1).Infof("could not find accessKey %s", accessKey)
  197. return nil, nil, false
  198. }
  200. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  201. iam.m.RLock()
  202. defer iam.m.RUnlock()
  203. for _, ident := range iam.identities {
  204. if ident.isAnonymous() {
  205. return ident, true
  206. }
  207. }
  208. return nil, false
  209. }
  211. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  212. return func(w http.ResponseWriter, r *http.Request) {
  213. if !iam.isEnabled() {
  214. f(w, r)
  215. return
  216. }
  218. identity, errCode := iam.authRequest(r, action)
  219. if errCode == s3err.ErrNone {
  220. if identity != nil && identity.Name != "" {
  221. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  222. if identity.isAdmin() {
  223. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  224. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  225. r.Header.Del(s3_constants.AmzIsAdmin)
  226. }
  227. }
  228. f(w, r)
  229. return
  230. }
  231. s3err.WriteErrorResponse(w, r, errCode)
  232. }
  233. }
  235. // check whether the request has valid access keys
  236. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  237. var identity *Identity
  238. var s3Err s3err.ErrorCode
  239. var found bool
  240. var authType string
  241. switch getRequestAuthType(r) {
  242. case authTypeStreamingSigned:
  243. return identity, s3err.ErrNone
  244. case authTypeUnknown:
  245. glog.V(3).Infof("unknown auth type")
  246. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  247. return identity, s3err.ErrAccessDenied
  248. case authTypePresignedV2, authTypeSignedV2:
  249. glog.V(3).Infof("v2 auth type")
  250. identity, s3Err = iam.isReqAuthenticatedV2(r)
  251. authType = "SigV2"
  252. case authTypeSigned, authTypePresigned:
  253. glog.V(3).Infof("v4 auth type")
  254. identity, s3Err = iam.reqSignatureV4Verify(r)
  255. authType = "SigV4"
  256. case authTypePostPolicy:
  257. glog.V(3).Infof("post policy auth type")
  258. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  259. return identity, s3err.ErrNone
  260. case authTypeJWT:
  261. glog.V(3).Infof("jwt auth type")
  262. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  263. return identity, s3err.ErrNotImplemented
  264. case authTypeAnonymous:
  265. authType = "Anonymous"
  266. identity, found = iam.lookupAnonymous()
  267. if !found {
  268. r.Header.Set(s3_constants.AmzAuthType, authType)
  269. return identity, s3err.ErrAccessDenied
  270. }
  271. default:
  272. return identity, s3err.ErrNotImplemented
  273. }
  275. if len(authType) > 0 {
  276. r.Header.Set(s3_constants.AmzAuthType, authType)
  277. }
  278. if s3Err != s3err.ErrNone {
  279. return identity, s3Err
  280. }
  282. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  284. bucket, object := s3_constants.GetBucketAndObject(r)
  286. if !identity.canDo(action, bucket, object) {
  287. return identity, s3err.ErrAccessDenied
  288. }
  290. if !identity.isAnonymous() {
  291. r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
  292. }
  293. return identity, s3err.ErrNone
  295. }
  297. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  298. var identity *Identity
  299. var s3Err s3err.ErrorCode
  300. var found bool
  301. var authType string
  302. switch getRequestAuthType(r) {
  303. case authTypeStreamingSigned:
  304. return identity, s3err.ErrNone
  305. case authTypeUnknown:
  306. glog.V(3).Infof("unknown auth type")
  307. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  308. return identity, s3err.ErrAccessDenied
  309. case authTypePresignedV2, authTypeSignedV2:
  310. glog.V(3).Infof("v2 auth type")
  311. identity, s3Err = iam.isReqAuthenticatedV2(r)
  312. authType = "SigV2"
  313. case authTypeSigned, authTypePresigned:
  314. glog.V(3).Infof("v4 auth type")
  315. identity, s3Err = iam.reqSignatureV4Verify(r)
  316. authType = "SigV4"
  317. case authTypePostPolicy:
  318. glog.V(3).Infof("post policy auth type")
  319. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  320. return identity, s3err.ErrNone
  321. case authTypeJWT:
  322. glog.V(3).Infof("jwt auth type")
  323. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  324. return identity, s3err.ErrNotImplemented
  325. case authTypeAnonymous:
  326. authType = "Anonymous"
  327. identity, found = iam.lookupAnonymous()
  328. if !found {
  329. r.Header.Set(s3_constants.AmzAuthType, authType)
  330. return identity, s3err.ErrAccessDenied
  331. }
  332. default:
  333. return identity, s3err.ErrNotImplemented
  334. }
  336. if len(authType) > 0 {
  337. r.Header.Set(s3_constants.AmzAuthType, authType)
  338. }
  340. glog.V(3).Infof("auth error: %v", s3Err)
  341. if s3Err != s3err.ErrNone {
  342. return identity, s3Err
  343. }
  344. return identity, s3err.ErrNone
  345. }
  347. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  348. if identity.isAdmin() {
  349. return true
  350. }
  351. for _, a := range identity.Actions {
  352. if a == action {
  353. return true
  354. }
  355. }
  356. if bucket == "" {
  357. return false
  358. }
  359. target := string(action) + ":" + bucket + objectKey
  360. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  361. limitedByBucket := string(action) + ":" + bucket
  362. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  363. for _, a := range identity.Actions {
  364. act := string(a)
  365. if strings.HasSuffix(act, "*") {
  366. if strings.HasPrefix(target, act[:len(act)-1]) {
  367. return true
  368. }
  369. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  370. return true
  371. }
  372. } else {
  373. if act == limitedByBucket {
  374. return true
  375. }
  376. if act == adminLimitedByBucket {
  377. return true
  378. }
  379. }
  380. }
  381. return false
  382. }
  384. func (identity *Identity) isAdmin() bool {
  385. for _, a := range identity.Actions {
  386. if a == "Admin" {
  387. return true
  388. }
  389. }
  390. return false
  391. }