Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9033 Commits
32 Branches
300 Tags
171 MiB
Tree: 210aa7a7da
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '210aa7a7da'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

381 lines
12 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
implement `GetObjectAclHandler`
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '4_object_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
Merge branch '1_bucket_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_bucket_handlers.go
2 years ago
extract and save acl when create bucket
2 years ago
  1. package s3api
  3. import (
  4. "github.com/aws/aws-sdk-go/service/s3"
  5. "github.com/seaweedfs/seaweedfs/weed/glog"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "github.com/seaweedfs/seaweedfs/weed/util"
  12. "net/http"
  13. "path/filepath"
  14. )
  16. func getAccountId(r *http.Request) string {
  17. id := r.Header.Get(s3_constants.AmzAccountId)
  18. if len(id) == 0 {
  19. return s3account.AccountAnonymous.Id
  20. } else {
  21. return id
  22. }
  23. }
  25. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  26. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  27. if errCode != s3err.ErrNone {
  28. return errCode
  29. }
  30. accountId := getAccountId(r)
  31. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  32. return s3err.ErrNone
  33. }
  34. return s3err.ErrAccessDenied
  35. }
  37. //Check access for PutBucketAclHandler
  38. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(accountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  39. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  40. if errCode != s3err.ErrNone {
  41. return nil, errCode
  42. }
  44. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  45. return nil, s3err.AccessControlListNotSupported
  46. }
  48. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  49. return bucketMetadata, s3err.ErrNone
  50. }
  52. if len(bucketMetadata.Acl) > 0 {
  53. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWriteAcp)
  54. for _, bucketGrant := range bucketMetadata.Acl {
  55. for _, reqGrant := range reqGrants {
  56. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  57. return bucketMetadata, s3err.ErrNone
  58. }
  59. }
  60. }
  61. }
  62. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  63. return nil, s3err.ErrAccessDenied
  64. }
  66. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  67. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  68. }
  70. // Check Bucket/BucketAcl Read related access
  71. // includes:
  72. // - HeadBucketHandler
  73. // - GetBucketAclHandler
  74. // - ListObjectsV1Handler
  75. // - ListObjectsV2Handler
  76. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  77. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  78. if errCode != s3err.ErrNone {
  79. return nil, errCode
  80. }
  82. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  83. return bucketMetadata, s3err.ErrNone
  84. }
  86. accountId := s3acl.GetAccountId(r)
  87. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  88. return bucketMetadata, s3err.ErrNone
  89. }
  91. if len(bucketMetadata.Acl) > 0 {
  92. reqGrants := s3acl.DetermineReqGrants(accountId, aclAction)
  93. for _, bucketGrant := range bucketMetadata.Acl {
  94. for _, reqGrant := range reqGrants {
  95. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  96. return bucketMetadata, s3err.ErrNone
  97. }
  98. }
  99. }
  100. }
  102. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  103. return nil, s3err.ErrAccessDenied
  104. }
  106. //Check ObjectAcl-Read related access
  107. // includes:
  108. // - GetObjectAclHandler
  109. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  110. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  111. if errCode != s3err.ErrNone {
  112. return nil, errCode
  113. }
  115. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  116. entry, err := getObjectEntry(s3a, bucket, object)
  117. if err != nil {
  118. if err == filer_pb.ErrNotFound {
  119. return nil, s3err.ErrNoSuchKey
  120. } else {
  121. return nil, s3err.ErrInternalError
  122. }
  123. }
  125. if entry.IsDirectory {
  126. return nil, s3err.ErrExistingObjectIsDirectory
  127. }
  129. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  130. acpOwnerName := s3a.accountManager.IdNameMapping[acpOwnerId]
  131. acpGrants := s3acl.GetAcpGrants(entry.Extended)
  132. acp = &s3.AccessControlPolicy{
  133. Owner: &s3.Owner{
  134. ID: &acpOwnerId,
  135. DisplayName: &acpOwnerName,
  136. },
  137. Grants: acpGrants,
  138. }
  139. return acp, s3err.ErrNone
  140. }
  142. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  143. return getAcpFunc()
  144. } else {
  145. accountId := s3acl.GetAccountId(r)
  147. acp, errCode := getAcpFunc()
  148. if errCode != s3err.ErrNone {
  149. return nil, errCode
  150. }
  152. if accountId == *acp.Owner.ID {
  153. return acp, s3err.ErrNone
  154. }
  156. //find in Grants
  157. if acp.Grants != nil {
  158. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionReadAcp)
  159. for _, requiredGrant := range reqGrants {
  160. for _, grant := range acp.Grants {
  161. if s3acl.GrantEquals(requiredGrant, grant) {
  162. return acp, s3err.ErrNone
  163. }
  164. }
  165. }
  166. }
  168. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  169. return nil, s3err.ErrAccessDenied
  170. }
  171. }
  173. // Check Object-Read related access
  174. // includes:
  175. // - GetObjectHandler
  176. //
  177. // offload object access validation to Filer layer
  178. // - s3acl.CheckObjectAccessForReadObject
  179. func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
  180. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  181. if errCode != s3err.ErrNone {
  182. return errCode
  183. }
  185. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  186. //offload object acl validation to filer layer
  187. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId, *bucketMetadata.Owner.ID)
  188. }
  190. return s3err.ErrNone
  191. }
  193. // Check ObjectAcl-Write related access
  194. // includes:
  195. // - PutObjectAclHandler
  196. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(accountId, bucket, object string) (bucketMetadata *BucketMetaData, objectEntry *filer_pb.Entry, objectOwner string, errCode s3err.ErrorCode) {
  197. bucketMetadata, errCode = s3a.bucketRegistry.GetBucketMetadata(bucket)
  198. if errCode != s3err.ErrNone {
  199. return nil, nil, "", errCode
  200. }
  202. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  203. return nil, nil, "", s3err.AccessControlListNotSupported
  204. }
  206. //bucket acl
  207. bucketAclAllowed := false
  208. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  209. if accountId == *bucketMetadata.Owner.ID {
  210. bucketAclAllowed = true
  211. } else if bucketMetadata.Acl != nil {
  212. bucketLoop:
  213. for _, bucketGrant := range bucketMetadata.Acl {
  214. for _, requiredGrant := range reqGrants {
  215. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  216. bucketAclAllowed = true
  217. break bucketLoop
  218. }
  219. }
  220. }
  221. }
  222. if !bucketAclAllowed {
  223. return nil, nil, "", s3err.ErrAccessDenied
  224. }
  226. //object acl
  227. objectEntry, err := getObjectEntry(s3a, bucket, object)
  228. if err != nil {
  229. if err == filer_pb.ErrNotFound {
  230. return nil, nil, "", s3err.ErrNoSuchKey
  231. }
  232. return nil, nil, "", s3err.ErrInternalError
  233. }
  235. if objectEntry.IsDirectory {
  236. return nil, nil, "", s3err.ErrExistingObjectIsDirectory
  237. }
  239. objectOwner = s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  240. if accountId == objectOwner {
  241. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  242. }
  244. objectGrants := s3acl.GetAcpGrants(objectEntry.Extended)
  245. if objectGrants != nil {
  246. for _, objectGrant := range objectGrants {
  247. for _, requiredGrant := range reqGrants {
  248. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  249. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  250. }
  251. }
  252. }
  253. }
  255. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  256. return nil, nil, "", s3err.ErrAccessDenied
  257. }
  259. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  260. dir, _ := filepath.Split(object)
  261. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, dir), entry)
  262. }
  264. // Check Object-Write related access
  265. // includes:
  266. // - PutObjectHandler
  267. // - PutObjectPartHandler
  268. func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  269. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  270. if errCode != s3err.ErrNone {
  271. return errCode
  272. }
  274. accountId := s3acl.GetAccountId(r)
  275. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  276. // validate grants (only bucketOwnerFullControl acl is allowed)
  277. _, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  278. if errCode != s3err.ErrNone {
  279. return errCode
  280. }
  281. if len(grants) > 1 {
  282. return s3err.AccessControlListNotSupported
  283. }
  284. bucketOwnerFullControlGrant := &s3.Grant{
  285. Permission: &s3_constants.PermissionFullControl,
  286. Grantee: &s3.Grantee{
  287. Type: &s3_constants.GrantTypeCanonicalUser,
  288. ID: bucketMetadata.Owner.ID,
  289. },
  290. }
  291. if len(grants) == 0 {
  292. // set default grants
  293. s3acl.SetAcpOwnerHeader(r, accountId)
  294. s3acl.SetAcpGrantsHeader(r, []*s3.Grant{bucketOwnerFullControlGrant})
  295. return s3err.ErrNone
  296. }
  298. if !s3acl.GrantEquals(bucketOwnerFullControlGrant, grants[0]) {
  299. return s3err.AccessControlListNotSupported
  300. }
  302. s3acl.SetAcpOwnerHeader(r, accountId)
  303. s3acl.SetAcpGrantsHeader(r, []*s3.Grant{bucketOwnerFullControlGrant})
  304. return s3err.ErrNone
  305. }
  307. //bucket access allowed
  308. bucketAclAllowed := false
  309. if accountId == *bucketMetadata.Owner.ID {
  310. bucketAclAllowed = true
  311. } else {
  312. if len(bucketMetadata.Acl) > 0 {
  313. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  314. bucketLoop:
  315. for _, bucketGrant := range bucketMetadata.Acl {
  316. for _, requiredGrant := range reqGrants {
  317. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  318. bucketAclAllowed = true
  319. break bucketLoop
  320. }
  321. }
  322. }
  323. }
  324. }
  325. if !bucketAclAllowed {
  326. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  327. return s3err.ErrAccessDenied
  328. }
  330. //object access allowed
  331. entry, err := getObjectEntry(s3a, bucket, object)
  332. if err != nil {
  333. if err != filer_pb.ErrNotFound {
  334. return s3err.ErrInternalError
  335. }
  336. } else {
  337. if entry.IsDirectory {
  338. return s3err.ErrExistingObjectIsDirectory
  339. }
  341. //Only the owner of the bucket and the owner of the object can overwrite the object
  342. objectOwner := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  343. if accountId != objectOwner && accountId != *bucketMetadata.Owner.ID {
  344. glog.V(3).Infof("acl denied! request account id: %s, expect account id: %s", accountId, *bucketMetadata.Owner.ID)
  345. return s3err.ErrAccessDenied
  346. }
  347. }
  349. ownerId, grants, errCode := s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  350. if errCode != s3err.ErrNone {
  351. return errCode
  352. }
  354. s3acl.SetAcpOwnerHeader(r, ownerId)
  355. s3acl.SetAcpGrantsHeader(r, grants)
  357. return s3err.ErrNone
  358. }
  360. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  361. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  362. }
  364. func (s3a *S3ApiServer) ExtractBucketAcp(r *http.Request) (owner string, grants []*s3.Grant, errCode s3err.ErrorCode) {
  365. accountId := s3acl.GetAccountId(r)
  367. ownership := s3_constants.DefaultOwnershipForCreate
  368. if ownership == s3_constants.OwnershipBucketOwnerEnforced {
  369. return accountId, []*s3.Grant{
  370. {
  371. Permission: &s3_constants.PermissionFullControl,
  372. Grantee: &s3.Grantee{
  373. Type: &s3_constants.GrantTypeCanonicalUser,
  374. ID: &accountId,
  375. },
  376. },
  377. }, s3err.ErrNone
  378. } else {
  379. return s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, ownership, accountId, accountId, false)
  380. }
  381. }