You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

580 lines
16 KiB

3 years ago
6 years ago
7 years ago
7 years ago
7 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
4 years ago
4 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
4 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
3 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
3 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
4 years ago
3 years ago
3 years ago
3 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
3 years ago
3 years ago
4 years ago
3 years ago
5 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
  1. package s3api
  2. import (
  3. "bytes"
  4. "crypto/md5"
  5. "encoding/json"
  6. "encoding/xml"
  7. "fmt"
  8. "io"
  9. "net/http"
  10. "net/url"
  11. "strings"
  12. "time"
  13. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  14. "github.com/seaweedfs/seaweedfs/weed/security"
  15. "github.com/seaweedfs/seaweedfs/weed/util/mem"
  16. "golang.org/x/exp/slices"
  17. "github.com/pquerna/cachecontrol/cacheobject"
  18. "github.com/seaweedfs/seaweedfs/weed/filer"
  19. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  20. "github.com/seaweedfs/seaweedfs/weed/glog"
  21. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  22. weed_server "github.com/seaweedfs/seaweedfs/weed/server"
  23. "github.com/seaweedfs/seaweedfs/weed/util"
  24. )
  25. const (
  26. deleteMultipleObjectsLimit = 1000
  27. )
  28. func mimeDetect(r *http.Request, dataReader io.Reader) io.ReadCloser {
  29. mimeBuffer := make([]byte, 512)
  30. size, _ := dataReader.Read(mimeBuffer)
  31. if size > 0 {
  32. r.Header.Set("Content-Type", http.DetectContentType(mimeBuffer[:size]))
  33. return io.NopCloser(io.MultiReader(bytes.NewReader(mimeBuffer[:size]), dataReader))
  34. }
  35. return io.NopCloser(dataReader)
  36. }
  37. func (s3a *S3ApiServer) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
  38. // http://docs.aws.amazon.com/AmazonS3/latest/dev/UploadingObjects.html
  39. bucket, object := s3_constants.GetBucketAndObject(r)
  40. glog.V(3).Infof("PutObjectHandler %s %s", bucket, object)
  41. _, err := validateContentMd5(r.Header)
  42. if err != nil {
  43. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidDigest)
  44. return
  45. }
  46. if r.Header.Get("Cache-Control") != "" {
  47. if _, err = cacheobject.ParseRequestCacheControl(r.Header.Get("Cache-Control")); err != nil {
  48. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidDigest)
  49. return
  50. }
  51. }
  52. if r.Header.Get("Expires") != "" {
  53. if _, err = time.Parse(http.TimeFormat, r.Header.Get("Expires")); err != nil {
  54. s3err.WriteErrorResponse(w, r, s3err.ErrMalformedDate)
  55. return
  56. }
  57. }
  58. dataReader := r.Body
  59. rAuthType := getRequestAuthType(r)
  60. if s3a.iam.isEnabled() {
  61. var s3ErrCode s3err.ErrorCode
  62. switch rAuthType {
  63. case authTypeStreamingSigned:
  64. dataReader, s3ErrCode = s3a.iam.newSignV4ChunkedReader(r)
  65. case authTypeSignedV2, authTypePresignedV2:
  66. _, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r)
  67. case authTypePresigned, authTypeSigned:
  68. _, s3ErrCode = s3a.iam.reqSignatureV4Verify(r)
  69. }
  70. if s3ErrCode != s3err.ErrNone {
  71. s3err.WriteErrorResponse(w, r, s3ErrCode)
  72. return
  73. }
  74. } else {
  75. if authTypeStreamingSigned == rAuthType {
  76. s3err.WriteErrorResponse(w, r, s3err.ErrAuthNotSetup)
  77. return
  78. }
  79. }
  80. defer dataReader.Close()
  81. objectContentType := r.Header.Get("Content-Type")
  82. if strings.HasSuffix(object, "/") && r.ContentLength <= 1024 {
  83. if err := s3a.mkdir(
  84. s3a.option.BucketsPath, bucket+strings.TrimSuffix(object, "/"),
  85. func(entry *filer_pb.Entry) {
  86. if objectContentType == "" {
  87. objectContentType = s3_constants.FolderMimeType
  88. }
  89. if r.ContentLength > 0 {
  90. entry.Content, _ = io.ReadAll(r.Body)
  91. }
  92. entry.Attributes.Mime = objectContentType
  93. }); err != nil {
  94. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  95. return
  96. }
  97. } else {
  98. uploadUrl := s3a.toFilerUrl(bucket, object)
  99. if objectContentType == "" {
  100. dataReader = mimeDetect(r, dataReader)
  101. }
  102. etag, errCode := s3a.putToFiler(r, uploadUrl, dataReader, "", bucket)
  103. if errCode != s3err.ErrNone {
  104. s3err.WriteErrorResponse(w, r, errCode)
  105. return
  106. }
  107. setEtag(w, etag)
  108. }
  109. writeSuccessResponseEmpty(w, r)
  110. }
  111. func urlEscapeObject(object string) string {
  112. t := urlPathEscape(removeDuplicateSlashes(object))
  113. if strings.HasPrefix(t, "/") {
  114. return t
  115. }
  116. return "/" + t
  117. }
  118. func urlPathEscape(object string) string {
  119. var escapedParts []string
  120. for _, part := range strings.Split(object, "/") {
  121. escapedParts = append(escapedParts, url.PathEscape(part))
  122. }
  123. return strings.Join(escapedParts, "/")
  124. }
  125. func removeDuplicateSlashes(object string) string {
  126. result := strings.Builder{}
  127. result.Grow(len(object))
  128. isLastSlash := false
  129. for _, r := range object {
  130. switch r {
  131. case '/':
  132. if !isLastSlash {
  133. result.WriteRune(r)
  134. }
  135. isLastSlash = true
  136. default:
  137. result.WriteRune(r)
  138. isLastSlash = false
  139. }
  140. }
  141. return result.String()
  142. }
  143. func (s3a *S3ApiServer) toFilerUrl(bucket, object string) string {
  144. object = urlPathEscape(removeDuplicateSlashes(object))
  145. destUrl := fmt.Sprintf("http://%s%s/%s%s",
  146. s3a.option.Filer.ToHttpAddress(), s3a.option.BucketsPath, bucket, object)
  147. return destUrl
  148. }
  149. func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
  150. bucket, object := s3_constants.GetBucketAndObject(r)
  151. glog.V(3).Infof("GetObjectHandler %s %s", bucket, object)
  152. if strings.HasSuffix(r.URL.Path, "/") {
  153. s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
  154. return
  155. }
  156. destUrl := s3a.toFilerUrl(bucket, object)
  157. s3a.proxyToFiler(w, r, destUrl, false, passThroughResponse)
  158. }
  159. func (s3a *S3ApiServer) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
  160. bucket, object := s3_constants.GetBucketAndObject(r)
  161. glog.V(3).Infof("HeadObjectHandler %s %s", bucket, object)
  162. destUrl := s3a.toFilerUrl(bucket, object)
  163. s3a.proxyToFiler(w, r, destUrl, false, passThroughResponse)
  164. }
  165. func (s3a *S3ApiServer) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
  166. bucket, object := s3_constants.GetBucketAndObject(r)
  167. glog.V(3).Infof("DeleteObjectHandler %s %s", bucket, object)
  168. destUrl := s3a.toFilerUrl(bucket, object)
  169. s3a.proxyToFiler(w, r, destUrl, true, func(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int) {
  170. statusCode = http.StatusNoContent
  171. for k, v := range proxyResponse.Header {
  172. w.Header()[k] = v
  173. }
  174. w.WriteHeader(statusCode)
  175. return statusCode
  176. })
  177. }
  178. // / ObjectIdentifier carries key name for the object to delete.
  179. type ObjectIdentifier struct {
  180. ObjectName string `xml:"Key"`
  181. }
  182. // DeleteObjectsRequest - xml carrying the object key names which needs to be deleted.
  183. type DeleteObjectsRequest struct {
  184. // Element to enable quiet mode for the request
  185. Quiet bool
  186. // List of objects to be deleted
  187. Objects []ObjectIdentifier `xml:"Object"`
  188. }
  189. // DeleteError structure.
  190. type DeleteError struct {
  191. Code string
  192. Message string
  193. Key string
  194. }
  195. // DeleteObjectsResponse container for multiple object deletes.
  196. type DeleteObjectsResponse struct {
  197. XMLName xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ DeleteResult" json:"-"`
  198. // Collection of all deleted objects
  199. DeletedObjects []ObjectIdentifier `xml:"Deleted,omitempty"`
  200. // Collection of errors deleting certain objects.
  201. Errors []DeleteError `xml:"Error,omitempty"`
  202. }
  203. // DeleteMultipleObjectsHandler - Delete multiple objects
  204. func (s3a *S3ApiServer) DeleteMultipleObjectsHandler(w http.ResponseWriter, r *http.Request) {
  205. bucket, _ := s3_constants.GetBucketAndObject(r)
  206. glog.V(3).Infof("DeleteMultipleObjectsHandler %s", bucket)
  207. deleteXMLBytes, err := io.ReadAll(r.Body)
  208. if err != nil {
  209. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  210. return
  211. }
  212. deleteObjects := &DeleteObjectsRequest{}
  213. if err := xml.Unmarshal(deleteXMLBytes, deleteObjects); err != nil {
  214. s3err.WriteErrorResponse(w, r, s3err.ErrMalformedXML)
  215. return
  216. }
  217. if len(deleteObjects.Objects) > deleteMultipleObjectsLimit {
  218. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidMaxDeleteObjects)
  219. return
  220. }
  221. var deletedObjects []ObjectIdentifier
  222. var deleteErrors []DeleteError
  223. var auditLog *s3err.AccessLog
  224. directoriesWithDeletion := make(map[string]int)
  225. if s3err.Logger != nil {
  226. auditLog = s3err.GetAccessLog(r, http.StatusNoContent, s3err.ErrNone)
  227. }
  228. s3a.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
  229. // delete file entries
  230. for _, object := range deleteObjects.Objects {
  231. if object.ObjectName == "" {
  232. continue
  233. }
  234. lastSeparator := strings.LastIndex(object.ObjectName, "/")
  235. parentDirectoryPath, entryName, isDeleteData, isRecursive := "", object.ObjectName, true, false
  236. if lastSeparator > 0 && lastSeparator+1 < len(object.ObjectName) {
  237. entryName = object.ObjectName[lastSeparator+1:]
  238. parentDirectoryPath = "/" + object.ObjectName[:lastSeparator]
  239. }
  240. parentDirectoryPath = fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, bucket, parentDirectoryPath)
  241. err := doDeleteEntry(client, parentDirectoryPath, entryName, isDeleteData, isRecursive)
  242. if err == nil {
  243. directoriesWithDeletion[parentDirectoryPath]++
  244. deletedObjects = append(deletedObjects, object)
  245. } else if strings.Contains(err.Error(), filer.MsgFailDelNonEmptyFolder) {
  246. deletedObjects = append(deletedObjects, object)
  247. } else {
  248. delete(directoriesWithDeletion, parentDirectoryPath)
  249. deleteErrors = append(deleteErrors, DeleteError{
  250. Code: "",
  251. Message: err.Error(),
  252. Key: object.ObjectName,
  253. })
  254. }
  255. if auditLog != nil {
  256. auditLog.Key = entryName
  257. s3err.PostAccessLog(*auditLog)
  258. }
  259. }
  260. // purge empty folders, only checking folders with deletions
  261. for len(directoriesWithDeletion) > 0 {
  262. directoriesWithDeletion = s3a.doDeleteEmptyDirectories(client, directoriesWithDeletion)
  263. }
  264. return nil
  265. })
  266. deleteResp := DeleteObjectsResponse{}
  267. if !deleteObjects.Quiet {
  268. deleteResp.DeletedObjects = deletedObjects
  269. }
  270. deleteResp.Errors = deleteErrors
  271. writeSuccessResponseXML(w, r, deleteResp)
  272. }
  273. func (s3a *S3ApiServer) doDeleteEmptyDirectories(client filer_pb.SeaweedFilerClient, directoriesWithDeletion map[string]int) (newDirectoriesWithDeletion map[string]int) {
  274. var allDirs []string
  275. for dir := range directoriesWithDeletion {
  276. allDirs = append(allDirs, dir)
  277. }
  278. slices.SortFunc(allDirs, func(a, b string) int {
  279. return len(b) - len(a)
  280. })
  281. newDirectoriesWithDeletion = make(map[string]int)
  282. for _, dir := range allDirs {
  283. parentDir, dirName := util.FullPath(dir).DirAndName()
  284. if parentDir == s3a.option.BucketsPath {
  285. continue
  286. }
  287. if err := doDeleteEntry(client, parentDir, dirName, false, false); err != nil {
  288. glog.V(4).Infof("directory %s has %d deletion but still not empty: %v", dir, directoriesWithDeletion[dir], err)
  289. } else {
  290. newDirectoriesWithDeletion[parentDir]++
  291. }
  292. }
  293. return
  294. }
  295. func (s3a *S3ApiServer) proxyToFiler(w http.ResponseWriter, r *http.Request, destUrl string, isWrite bool, responseFn func(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int)) {
  296. glog.V(3).Infof("s3 proxying %s to %s", r.Method, destUrl)
  297. start := time.Now()
  298. proxyReq, err := http.NewRequest(r.Method, destUrl, r.Body)
  299. if err != nil {
  300. glog.Errorf("NewRequest %s: %v", destUrl, err)
  301. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  302. return
  303. }
  304. proxyReq.Header.Set("X-Forwarded-For", r.RemoteAddr)
  305. for k, v := range r.URL.Query() {
  306. if _, ok := s3_constants.PassThroughHeaders[strings.ToLower(k)]; ok {
  307. proxyReq.Header[k] = v
  308. }
  309. if k == "partNumber" {
  310. proxyReq.Header[s3_constants.SeaweedFSPartNumber] = v
  311. }
  312. }
  313. for header, values := range r.Header {
  314. proxyReq.Header[header] = values
  315. }
  316. // ensure that the Authorization header is overriding any previous
  317. // Authorization header which might be already present in proxyReq
  318. s3a.maybeAddFilerJwtAuthorization(proxyReq, isWrite)
  319. resp, postErr := s3a.client.Do(proxyReq)
  320. if postErr != nil {
  321. glog.Errorf("post to filer: %v", postErr)
  322. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  323. return
  324. }
  325. defer util.CloseResponse(resp)
  326. if resp.StatusCode == http.StatusPreconditionFailed {
  327. s3err.WriteErrorResponse(w, r, s3err.ErrPreconditionFailed)
  328. return
  329. }
  330. if resp.StatusCode == http.StatusRequestedRangeNotSatisfiable {
  331. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRange)
  332. return
  333. }
  334. if r.Method == "DELETE" {
  335. if resp.StatusCode == http.StatusNotFound {
  336. // this is normal
  337. responseStatusCode := responseFn(resp, w)
  338. s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
  339. return
  340. }
  341. }
  342. if resp.StatusCode == http.StatusNotFound {
  343. s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchKey)
  344. return
  345. }
  346. TimeToFirstByte(r.Method, start, r)
  347. if resp.Header.Get(s3_constants.SeaweedFSIsDirectoryKey) == "true" {
  348. responseStatusCode := responseFn(resp, w)
  349. s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
  350. return
  351. }
  352. if resp.StatusCode == http.StatusInternalServerError {
  353. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  354. return
  355. }
  356. // when HEAD a directory, it should be reported as no such key
  357. // https://github.com/seaweedfs/seaweedfs/issues/3457
  358. if resp.ContentLength == -1 && resp.StatusCode != http.StatusNotModified {
  359. s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchKey)
  360. return
  361. }
  362. if resp.StatusCode == http.StatusBadRequest {
  363. resp_body, _ := io.ReadAll(resp.Body)
  364. switch string(resp_body) {
  365. case "InvalidPart":
  366. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidPart)
  367. default:
  368. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  369. }
  370. resp.Body.Close()
  371. return
  372. }
  373. setUserMetadataKeyToLowercase(resp)
  374. responseStatusCode := responseFn(resp, w)
  375. s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
  376. }
  377. func setUserMetadataKeyToLowercase(resp *http.Response) {
  378. for key, value := range resp.Header {
  379. if strings.HasPrefix(key, s3_constants.AmzUserMetaPrefix) {
  380. resp.Header[strings.ToLower(key)] = value
  381. delete(resp.Header, key)
  382. }
  383. }
  384. }
  385. func passThroughResponse(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int) {
  386. for k, v := range proxyResponse.Header {
  387. w.Header()[k] = v
  388. }
  389. if proxyResponse.Header.Get("Content-Range") != "" && proxyResponse.StatusCode == 200 {
  390. w.WriteHeader(http.StatusPartialContent)
  391. statusCode = http.StatusPartialContent
  392. } else {
  393. statusCode = proxyResponse.StatusCode
  394. }
  395. w.WriteHeader(statusCode)
  396. buf := mem.Allocate(128 * 1024)
  397. defer mem.Free(buf)
  398. if n, err := io.CopyBuffer(w, proxyResponse.Body, buf); err != nil {
  399. glog.V(1).Infof("passthrough response read %d bytes: %v", n, err)
  400. }
  401. return statusCode
  402. }
  403. func (s3a *S3ApiServer) putToFiler(r *http.Request, uploadUrl string, dataReader io.Reader, destination string, bucket string) (etag string, code s3err.ErrorCode) {
  404. hash := md5.New()
  405. var body = io.TeeReader(dataReader, hash)
  406. proxyReq, err := http.NewRequest("PUT", uploadUrl, body)
  407. if err != nil {
  408. glog.Errorf("NewRequest %s: %v", uploadUrl, err)
  409. return "", s3err.ErrInternalError
  410. }
  411. proxyReq.Header.Set("X-Forwarded-For", r.RemoteAddr)
  412. if destination != "" {
  413. proxyReq.Header.Set(s3_constants.SeaweedStorageDestinationHeader, destination)
  414. }
  415. if s3a.option.FilerGroup != "" {
  416. query := proxyReq.URL.Query()
  417. query.Add("collection", s3a.getCollectionName(bucket))
  418. proxyReq.URL.RawQuery = query.Encode()
  419. }
  420. for header, values := range r.Header {
  421. for _, value := range values {
  422. proxyReq.Header.Add(header, value)
  423. }
  424. }
  425. // ensure that the Authorization header is overriding any previous
  426. // Authorization header which might be already present in proxyReq
  427. s3a.maybeAddFilerJwtAuthorization(proxyReq, true)
  428. resp, postErr := s3a.client.Do(proxyReq)
  429. if postErr != nil {
  430. glog.Errorf("post to filer: %v", postErr)
  431. return "", s3err.ErrInternalError
  432. }
  433. defer resp.Body.Close()
  434. etag = fmt.Sprintf("%x", hash.Sum(nil))
  435. resp_body, ra_err := io.ReadAll(resp.Body)
  436. if ra_err != nil {
  437. glog.Errorf("upload to filer response read %d: %v", resp.StatusCode, ra_err)
  438. return etag, s3err.ErrInternalError
  439. }
  440. var ret weed_server.FilerPostResult
  441. unmarshal_err := json.Unmarshal(resp_body, &ret)
  442. if unmarshal_err != nil {
  443. glog.Errorf("failing to read upload to %s : %v", uploadUrl, string(resp_body))
  444. return "", s3err.ErrInternalError
  445. }
  446. if ret.Error != "" {
  447. glog.Errorf("upload to filer error: %v", ret.Error)
  448. return "", filerErrorToS3Error(ret.Error)
  449. }
  450. return etag, s3err.ErrNone
  451. }
  452. func setEtag(w http.ResponseWriter, etag string) {
  453. if etag != "" {
  454. if strings.HasPrefix(etag, "\"") {
  455. w.Header()["ETag"] = []string{etag}
  456. } else {
  457. w.Header()["ETag"] = []string{"\"" + etag + "\""}
  458. }
  459. }
  460. }
  461. func filerErrorToS3Error(errString string) s3err.ErrorCode {
  462. switch {
  463. case strings.HasPrefix(errString, "existing ") && strings.HasSuffix(errString, "is a directory"):
  464. return s3err.ErrExistingObjectIsDirectory
  465. case strings.HasSuffix(errString, "is a file"):
  466. return s3err.ErrExistingObjectIsFile
  467. default:
  468. return s3err.ErrInternalError
  469. }
  470. }
  471. func (s3a *S3ApiServer) maybeAddFilerJwtAuthorization(r *http.Request, isWrite bool) {
  472. encodedJwt := s3a.maybeGetFilerJwtAuthorizationToken(isWrite)
  473. if encodedJwt == "" {
  474. return
  475. }
  476. r.Header.Set("Authorization", "BEARER "+string(encodedJwt))
  477. }
  478. func (s3a *S3ApiServer) maybeGetFilerJwtAuthorizationToken(isWrite bool) string {
  479. var encodedJwt security.EncodedJwt
  480. if isWrite {
  481. encodedJwt = security.GenJwtForFilerServer(s3a.filerGuard.SigningKey, s3a.filerGuard.ExpiresAfterSec)
  482. } else {
  483. encodedJwt = security.GenJwtForFilerServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec)
  484. }
  485. return string(encodedJwt)
  486. }