Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3880 Commits
37 Branches
296 Tags
161 MiB
Tree: 24bfd26719
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '24bfd26719'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

206 lines
4.5 KiB
Raw Normal View History

support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix s3api auth bug
4 years ago
support acl
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: deny anonymous type
5 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
support acl
5 years ago
add v2 support
5 years ago
refactor
4 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
  1. package s3api
  3. import (
  4. "bytes"
  5. "fmt"
  6. "io/ioutil"
  7. "net/http"
  9. "github.com/golang/protobuf/jsonpb"
  11. "github.com/chrislusf/seaweedfs/weed/glog"
  12. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  13. )
  15. type Action string
  17. const (
  18. ACTION_READ = "Read"
  19. ACTION_WRITE = "Write"
  20. ACTION_ADMIN = "Admin"
  21. )
  23. type Iam interface {
  24. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  25. }
  27. type IdentityAccessManagement struct {
  28. identities []*Identity
  29. domain string
  30. }
  32. type Identity struct {
  33. Name string
  34. Credentials []*Credential
  35. Actions []Action
  36. }
  38. type Credential struct {
  39. AccessKey string
  40. SecretKey string
  41. }
  43. func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
  44. iam := &IdentityAccessManagement{
  45. domain: domain,
  46. }
  47. if fileName == "" {
  48. return iam
  49. }
  50. if err := iam.loadS3ApiConfiguration(fileName); err != nil {
  51. glog.Fatalf("fail to load config file %s: %v", fileName, err)
  52. }
  53. return iam
  54. }
  56. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {
  58. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  60. rawData, readErr := ioutil.ReadFile(fileName)
  61. if readErr != nil {
  62. glog.Warningf("fail to read %s : %v", fileName, readErr)
  63. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  64. }
  66. glog.V(1).Infof("maybeLoadVolumeInfo Unmarshal volume info %v", fileName)
  67. if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
  68. glog.Warningf("unmarshal error: %v", err)
  69. return fmt.Errorf("unmarshal %s error: %v", fileName, err)
  70. }
  72. for _, ident := range s3ApiConfiguration.Identities {
  73. t := &Identity{
  74. Name: ident.Name,
  75. Credentials: nil,
  76. Actions: nil,
  77. }
  78. for _, action := range ident.Actions {
  79. t.Actions = append(t.Actions, Action(action))
  80. }
  81. for _, cred := range ident.Credentials {
  82. t.Credentials = append(t.Credentials, &Credential{
  83. AccessKey: cred.AccessKey,
  84. SecretKey: cred.SecretKey,
  85. })
  86. }
  87. iam.identities = append(iam.identities, t)
  88. }
  90. return nil
  91. }
  93. func (iam *IdentityAccessManagement) isEnabled() bool {
  95. return len(iam.identities) > 0
  96. }
  98. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  100. for _, ident := range iam.identities {
  101. for _, cred := range ident.Credentials {
  102. if cred.AccessKey == accessKey {
  103. return ident, cred, true
  104. }
  105. }
  106. }
  107. return nil, nil, false
  108. }
  110. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  112. for _, ident := range iam.identities {
  113. if ident.Name == "anonymous" {
  114. return ident, true
  115. }
  116. }
  117. return nil, false
  118. }
  120. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  122. if !iam.isEnabled() {
  123. return f
  124. }
  126. return func(w http.ResponseWriter, r *http.Request) {
  127. errCode := iam.authRequest(r, action)
  128. if errCode == ErrNone {
  129. f(w, r)
  130. return
  131. }
  132. writeErrorResponse(w, errCode, r.URL)
  133. }
  134. }
  136. // check whether the request has valid access keys
  137. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) ErrorCode {
  138. var identity *Identity
  139. var s3Err ErrorCode
  140. var found bool
  141. switch getRequestAuthType(r) {
  142. case authTypeStreamingSigned:
  143. return ErrNone
  144. case authTypeUnknown:
  145. glog.V(3).Infof("unknown auth type")
  146. return ErrAccessDenied
  147. case authTypePresignedV2, authTypeSignedV2:
  148. glog.V(3).Infof("v2 auth type")
  149. identity, s3Err = iam.isReqAuthenticatedV2(r)
  150. case authTypeSigned, authTypePresigned:
  151. glog.V(3).Infof("v4 auth type")
  152. identity, s3Err = iam.reqSignatureV4Verify(r)
  153. case authTypePostPolicy:
  154. glog.V(3).Infof("post policy auth type")
  155. return ErrNotImplemented
  156. case authTypeJWT:
  157. glog.V(3).Infof("jwt auth type")
  158. return ErrNotImplemented
  159. case authTypeAnonymous:
  160. identity, found = iam.lookupAnonymous()
  161. if !found {
  162. return ErrAccessDenied
  163. }
  164. default:
  165. return ErrNotImplemented
  166. }
  168. glog.V(3).Infof("auth error: %v", s3Err)
  169. if s3Err != ErrNone {
  170. return s3Err
  171. }
  173. glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
  175. bucket, _ := getBucketAndObject(r)
  177. if !identity.canDo(action, bucket) {
  178. return ErrAccessDenied
  179. }
  181. return ErrNone
  183. }
  185. func (identity *Identity) canDo(action Action, bucket string) bool {
  186. for _, a := range identity.Actions {
  187. if a == "Admin" {
  188. return true
  189. }
  190. }
  191. for _, a := range identity.Actions {
  192. if a == action {
  193. return true
  194. }
  195. }
  196. if bucket == "" {
  197. return false
  198. }
  199. limitedByBucket := string(action) + ":" + bucket
  200. for _, a := range identity.Actions {
  201. if string(a) == limitedByBucket {
  202. return true
  203. }
  204. }
  205. return false
  206. }