Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11008 Commits
32 Branches
297 Tags
164 MiB
Tree: 2637fc0a13
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2637fc0a13'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

406 lines
13 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
acl merge
5 months ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
acl merge
5 months ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
perf(fix): fix bugs Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
perf(fix): fix bugs Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
acl merge
5 months ago
add acl validation for s3 GetObjectHandler
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
add acl validation for s3 GetObjectHandler
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '4_object_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl merge
5 months ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl merge
5 months ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl merge
5 months ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
don't set acp when ownership is BucketOwnerEnfored Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
perf(fix): fix bugs Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
Merge branch '1_bucket_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_bucket_handlers.go
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
extract and save acl when create bucket
2 years ago
  1. package s3api
  3. import (
  4. "net/http"
  5. "path/filepath"
  7. "github.com/aws/aws-sdk-go/service/s3"
  8. "github.com/seaweedfs/seaweedfs/weed/glog"
  9. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  11. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  12. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  13. "github.com/seaweedfs/seaweedfs/weed/util"
  14. )
  16. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  17. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  18. if errCode != s3err.ErrNone {
  19. return errCode
  20. }
  21. requestAccountId := s3acl.GetAccountId(r)
  22. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  23. return s3err.ErrNone
  24. }
  25. return s3err.ErrAccessDenied
  26. }
  28. // Check access for PutBucketAclHandler
  29. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(requestAccountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  30. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  31. if errCode != s3err.ErrNone {
  32. return nil, errCode
  33. }
  35. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  36. return nil, s3err.AccessControlListNotSupported
  37. }
  39. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  40. return bucketMetadata, s3err.ErrNone
  41. }
  43. if len(bucketMetadata.Acl) > 0 {
  44. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionWriteAcp)
  45. for _, bucketGrant := range bucketMetadata.Acl {
  46. for _, reqGrant := range reqGrants {
  47. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  48. return bucketMetadata, s3err.ErrNone
  49. }
  50. }
  51. }
  52. }
  53. glog.V(3).Infof("acl denied! request account id: %s", requestAccountId)
  54. return nil, s3err.ErrAccessDenied
  55. }
  57. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  58. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  59. }
  61. // Check Bucket/BucketAcl Read related access
  62. // includes:
  63. // - HeadBucketHandler
  64. // - GetBucketAclHandler
  65. // - ListObjectsV1Handler
  66. // - ListObjectsV2Handler
  67. // - ListMultipartUploadsHandler
  68. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  69. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  70. if errCode != s3err.ErrNone {
  71. return nil, errCode
  72. }
  74. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  75. return bucketMetadata, s3err.ErrNone
  76. }
  78. requestAccountId := s3acl.GetAccountId(r)
  79. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  80. return bucketMetadata, s3err.ErrNone
  81. }
  83. if len(bucketMetadata.Acl) > 0 {
  84. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, aclAction)
  85. for _, bucketGrant := range bucketMetadata.Acl {
  86. for _, reqGrant := range reqGrants {
  87. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  88. return bucketMetadata, s3err.ErrNone
  89. }
  90. }
  91. }
  92. }
  94. glog.V(3).Infof("acl denied! request account id: %s", requestAccountId)
  95. return nil, s3err.ErrAccessDenied
  96. }
  98. // Check ObjectAcl-Read related access
  99. // includes:
  100. // - GetObjectAclHandler
  101. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  102. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  103. if errCode != s3err.ErrNone {
  104. return nil, errCode
  105. }
  107. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  108. entry, err := getObjectEntry(s3a, bucket, object)
  109. if err != nil {
  110. if err == filer_pb.ErrNotFound {
  111. return nil, s3err.ErrNoSuchKey
  112. } else {
  113. return nil, s3err.ErrInternalError
  114. }
  115. }
  116. if entry.IsDirectory {
  117. return nil, s3err.ErrExistingObjectIsDirectory
  118. }
  119. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  120. acpOwnerName := s3a.iam.GetAccountNameById(acpOwnerId)
  121. acpGrants := s3acl.GetAcpGrants(&acpOwnerId, entry.Extended)
  122. acp = &s3.AccessControlPolicy{
  123. Owner: &s3.Owner{
  124. ID: &acpOwnerId,
  125. DisplayName: &acpOwnerName,
  126. },
  127. Grants: acpGrants,
  128. }
  129. return acp, s3err.ErrNone
  130. }
  131. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  132. return getAcpFunc()
  133. }
  134. requestAccountId := s3acl.GetAccountId(r)
  135. acp, errCode = getAcpFunc()
  136. if errCode != s3err.ErrNone {
  137. return nil, errCode
  138. }
  139. if s3acl.ValidateAccount(requestAccountId, *acp.Owner.ID) {
  140. return acp, s3err.ErrNone
  141. }
  142. if acp.Grants != nil {
  143. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionReadAcp)
  144. for _, requiredGrant := range reqGrants {
  145. for _, grant := range acp.Grants {
  146. if s3acl.GrantEquals(requiredGrant, grant) {
  147. return acp, s3err.ErrNone
  148. }
  149. }
  150. }
  151. }
  152. glog.V(3).Infof("CheckAccessForReadObjectAcl denied! request account id: %s", requestAccountId)
  153. return nil, s3err.ErrAccessDenied
  154. }
  156. // Check Object-Read related access
  157. // includes:
  158. // - GetObjectHandler
  159. //
  160. // offload object access validation to Filer layer
  161. // - CheckObjectAccessForReadObject
  162. func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
  163. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  164. if errCode != s3err.ErrNone {
  165. return errCode
  166. }
  168. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  169. //offload object acl validation to filer layer
  170. _, defaultErrorCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionRead)
  171. if defaultErrorCode != s3err.ErrNone {
  172. r.Header.Set(s3_constants.XAmzBucketAccessDenied, "true")
  173. }
  174. r.Header.Set(s3_constants.XAmzBucketOwnerId, *bucketMetadata.Owner.ID)
  175. }
  177. return s3err.ErrNone
  178. }
  180. // Check ObjectAcl-Write related access
  181. // includes:
  182. // - PutObjectAclHandler
  183. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(r *http.Request, bucket, object string) (*filer_pb.Entry, string, []*s3.Grant, s3err.ErrorCode) {
  184. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  185. if errCode != s3err.ErrNone {
  186. return nil, "", nil, errCode
  187. }
  189. requestAccountId := s3acl.GetAccountId(r)
  190. reqOwnerId, grants, errCode := s3acl.ExtractObjectAcl(r, s3a.iam, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, false)
  191. if errCode != s3err.ErrNone {
  192. return nil, "", nil, errCode
  193. }
  195. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  196. return nil, "", nil, s3err.AccessControlListNotSupported
  197. }
  199. //object acl
  200. objectEntry, err := getObjectEntry(s3a, bucket, object)
  201. if err != nil {
  202. if err == filer_pb.ErrNotFound {
  203. return nil, "", nil, s3err.ErrNoSuchKey
  204. }
  205. return nil, "", nil, s3err.ErrInternalError
  206. }
  208. if objectEntry.IsDirectory {
  209. return nil, "", nil, s3err.ErrExistingObjectIsDirectory
  210. }
  212. objectOwner := s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  213. //object owner is immutable
  214. if reqOwnerId != "" && reqOwnerId != objectOwner {
  215. return nil, "", nil, s3err.ErrAccessDenied
  216. }
  217. if s3acl.ValidateAccount(requestAccountId, objectOwner) {
  218. return objectEntry, objectOwner, grants, s3err.ErrNone
  219. }
  221. objectGrants := s3acl.GetAcpGrants(nil, objectEntry.Extended)
  222. if objectGrants != nil {
  223. requiredGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionWriteAcp)
  224. for _, objectGrant := range objectGrants {
  225. for _, requiredGrant := range requiredGrants {
  226. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  227. return objectEntry, objectOwner, grants, s3err.ErrNone
  228. }
  229. }
  230. }
  231. }
  233. glog.V(3).Infof("checkAccessForWriteObjectAcl denied! request account id: %s", requestAccountId)
  234. return nil, "", nil, s3err.ErrAccessDenied
  235. }
  237. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  238. dir, _ := filepath.Split(object)
  239. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, dir), entry)
  240. }
  242. // CheckAccessForPutObject Check ACL for PutObject API
  243. // includes:
  244. // - PutObjectHandler
  245. func (s3a *S3ApiServer) CheckAccessForPutObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  246. accountId := s3acl.GetAccountId(r)
  247. return s3a.checkAccessForPutObject(r, bucket, object, accountId)
  248. }
  250. // CheckAccessForPutObjectPartHandler Check Acl for Upload object part
  251. // includes:
  252. // - PutObjectPartHandler
  253. func (s3a *S3ApiServer) CheckAccessForPutObjectPartHandler(r *http.Request, bucket string) s3err.ErrorCode {
  254. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  255. if errCode != s3err.ErrNone {
  256. return errCode
  257. }
  258. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  259. return s3err.ErrNone
  260. }
  261. accountId := s3acl.GetAccountId(r)
  262. if !CheckBucketAccess(accountId, bucketMetadata, s3_constants.PermissionWrite) {
  263. return s3err.ErrAccessDenied
  264. }
  265. return s3err.ErrNone
  266. }
  268. // CheckAccessForNewMultipartUpload Check Acl for API
  269. // includes:
  270. // - NewMultipartUploadHandler
  271. func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket, object string) (s3err.ErrorCode, string) {
  272. accountId := s3acl.GetAccountId(r)
  273. if accountId == AccountAnonymous.Id {
  274. return s3err.ErrAccessDenied, ""
  275. }
  276. errCode := s3a.checkAccessForPutObject(r, bucket, object, accountId)
  277. return errCode, accountId
  278. }
  280. func (s3a *S3ApiServer) CheckAccessForAbortMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  281. return s3a.CheckAccessWithBucketOwnerAndInitiator(r, bucket, object)
  282. }
  284. func (s3a *S3ApiServer) CheckAccessForCompleteMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  285. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  286. if errCode != s3err.ErrNone {
  287. return errCode
  288. }
  290. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  291. accountId := s3acl.GetAccountId(r)
  292. if !CheckBucketAccess(accountId, bucketMetadata, s3_constants.PermissionWrite) {
  293. return s3err.ErrAccessDenied
  294. }
  295. }
  296. return s3err.ErrNone
  297. }
  299. func (s3a *S3ApiServer) CheckAccessForListMultipartUploadParts(r *http.Request, bucket, object string) s3err.ErrorCode {
  300. return s3a.CheckAccessWithBucketOwnerAndInitiator(r, bucket, object)
  301. }
  303. // CheckAccessWithBucketOwnerAndInitiator Check Access Permission with 'bucketOwner' and 'multipartUpload initiator'
  304. func (s3a *S3ApiServer) CheckAccessWithBucketOwnerAndInitiator(r *http.Request, bucket, object string) s3err.ErrorCode {
  305. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  306. if errCode != s3err.ErrNone {
  307. return errCode
  308. }
  310. //bucket access allowed
  311. accountId := s3acl.GetAccountId(r)
  312. if s3acl.ValidateAccount(*bucketMetadata.Owner.ID, accountId) {
  313. return s3err.ErrNone
  314. }
  316. //multipart initiator allowed
  317. entry, err := getMultipartUpload(s3a, bucket, object)
  318. if err != nil {
  319. if err != filer_pb.ErrNotFound {
  320. return s3err.ErrInternalError
  321. }
  322. } else {
  323. uploadInitiator, ok := entry.Extended[s3_constants.ExtAmzMultipartInitiator]
  324. if !ok || accountId == string(uploadInitiator) {
  325. return s3err.ErrNone
  326. }
  327. }
  328. glog.V(3).Infof("CheckAccessWithBucketOwnerAndInitiator denied! request account id: %s", accountId)
  329. return s3err.ErrAccessDenied
  330. }
  332. func (s3a *S3ApiServer) checkAccessForPutObject(r *http.Request, bucket, object, requestAccountId string) s3err.ErrorCode {
  333. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  334. if errCode != s3err.ErrNone {
  335. return errCode
  336. }
  338. // if ownership is 'OwnershipBucketOwnerEnforced', acl is not supportedG
  339. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  340. _, _, errCode := s3acl.ExtractObjectAcl(r, s3a.iam, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, true)
  341. if errCode != s3err.ErrNone {
  342. return errCode
  343. }
  344. return s3err.ErrNone
  345. }
  347. requestOwnerId, grants, errCode := s3acl.ExtractObjectAcl(r, s3a.iam, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, true)
  348. if errCode != s3err.ErrNone {
  349. return errCode
  350. }
  352. if !CheckBucketAccess(requestAccountId, bucketMetadata, s3_constants.PermissionWrite) {
  353. return s3err.ErrAccessDenied
  354. }
  356. if requestOwnerId == "" {
  357. requestOwnerId = requestAccountId
  358. }
  359. entry, err := getObjectEntry(s3a, bucket, object)
  360. if err != nil {
  361. if err == filer_pb.ErrNotFound {
  362. s3acl.SetAcpOwnerHeader(r, requestOwnerId)
  363. s3acl.SetAcpGrantsHeader(r, grants)
  364. return s3err.ErrNone
  365. }
  366. return s3err.ErrInternalError
  367. }
  369. objectOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  371. //object owner is immutable
  372. if !s3acl.ValidateAccount(requestOwnerId, objectOwnerId, *bucketMetadata.Owner.ID) {
  373. return s3err.ErrAccessDenied
  374. }
  376. s3acl.SetAcpOwnerHeader(r, objectOwnerId)
  377. s3acl.SetAcpGrantsHeader(r, grants)
  378. return s3err.ErrNone
  379. }
  381. func CheckBucketAccess(requestAccountId string, bucketMetadata *BucketMetaData, permission string) bool {
  382. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  383. return true
  384. } else {
  385. if len(bucketMetadata.Acl) > 0 {
  386. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, permission)
  387. for _, bucketGrant := range bucketMetadata.Acl {
  388. for _, requiredGrant := range reqGrants {
  389. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  390. return true
  391. }
  392. }
  393. }
  394. }
  395. }
  396. glog.V(3).Infof("CheckBucketAccess denied! request account id: %s", requestAccountId)
  397. return false
  398. }
  400. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  401. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  402. }
  404. func getMultipartUpload(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  405. return s3a.getEntry(s3a.genUploadsFolder(bucket), object)
  406. }