Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8940 Commits
32 Branches
298 Tags
168 MiB
Tree: 3a01ccd0fa
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3a01ccd0fa'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

360 lines
11 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
implement `GetObjectAclHandler`
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '4_object_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
  1. package s3api
  3. import (
  4. "github.com/aws/aws-sdk-go/service/s3"
  5. "github.com/seaweedfs/seaweedfs/weed/glog"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "github.com/seaweedfs/seaweedfs/weed/util"
  12. "net/http"
  13. )
  15. func getAccountId(r *http.Request) string {
  16. id := r.Header.Get(s3_constants.AmzAccountId)
  17. if len(id) == 0 {
  18. return s3account.AccountAnonymous.Id
  19. } else {
  20. return id
  21. }
  22. }
  24. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  25. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  26. if errCode != s3err.ErrNone {
  27. return errCode
  28. }
  29. accountId := getAccountId(r)
  30. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  31. return s3err.ErrNone
  32. }
  33. return s3err.ErrAccessDenied
  34. }
  36. //Check access for PutBucketAclHandler
  37. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(accountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  38. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  39. if errCode != s3err.ErrNone {
  40. return nil, errCode
  41. }
  43. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  44. return nil, s3err.AccessControlListNotSupported
  45. }
  47. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  48. return bucketMetadata, s3err.ErrNone
  49. }
  51. if len(bucketMetadata.Acl) > 0 {
  52. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWriteAcp)
  53. for _, bucketGrant := range bucketMetadata.Acl {
  54. for _, reqGrant := range reqGrants {
  55. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  56. return bucketMetadata, s3err.ErrNone
  57. }
  58. }
  59. }
  60. }
  61. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  62. return nil, s3err.ErrAccessDenied
  63. }
  65. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  66. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  67. }
  69. // Check Bucket/BucketAcl Read related access
  70. // includes:
  71. // - HeadBucketHandler
  72. // - GetBucketAclHandler
  73. // - ListObjectsV1Handler
  74. // - ListObjectsV2Handler
  75. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  76. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  77. if errCode != s3err.ErrNone {
  78. return nil, errCode
  79. }
  81. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  82. return bucketMetadata, s3err.ErrNone
  83. }
  85. accountId := s3acl.GetAccountId(r)
  86. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  87. return bucketMetadata, s3err.ErrNone
  88. }
  90. if len(bucketMetadata.Acl) > 0 {
  91. reqGrants := s3acl.DetermineReqGrants(accountId, aclAction)
  92. for _, bucketGrant := range bucketMetadata.Acl {
  93. for _, reqGrant := range reqGrants {
  94. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  95. return bucketMetadata, s3err.ErrNone
  96. }
  97. }
  98. }
  99. }
  101. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  102. return nil, s3err.ErrAccessDenied
  103. }
  105. //Check ObjectAcl-Read related access
  106. // includes:
  107. // - GetObjectAclHandler
  108. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  109. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  110. if errCode != s3err.ErrNone {
  111. return nil, errCode
  112. }
  114. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  115. entry, err := getObjectEntry(s3a, bucket, object)
  116. if err != nil {
  117. if err == filer_pb.ErrNotFound {
  118. return nil, s3err.ErrNoSuchKey
  119. } else {
  120. return nil, s3err.ErrInternalError
  121. }
  122. }
  124. if entry.IsDirectory {
  125. return nil, s3err.ErrExistingObjectIsDirectory
  126. }
  128. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  129. acpOwnerName := s3a.accountManager.IdNameMapping[acpOwnerId]
  130. acpGrants := s3acl.GetAcpGrants(entry.Extended)
  131. acp = &s3.AccessControlPolicy{
  132. Owner: &s3.Owner{
  133. ID: &acpOwnerId,
  134. DisplayName: &acpOwnerName,
  135. },
  136. Grants: acpGrants,
  137. }
  138. return acp, s3err.ErrNone
  139. }
  141. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  142. return getAcpFunc()
  143. } else {
  144. accountId := s3acl.GetAccountId(r)
  146. acp, errCode := getAcpFunc()
  147. if errCode != s3err.ErrNone {
  148. return nil, errCode
  149. }
  151. if accountId == *acp.Owner.ID {
  152. return acp, s3err.ErrNone
  153. }
  155. //find in Grants
  156. if acp.Grants != nil {
  157. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionReadAcp)
  158. for _, requiredGrant := range reqGrants {
  159. for _, grant := range acp.Grants {
  160. if s3acl.GrantEquals(requiredGrant, grant) {
  161. return acp, s3err.ErrNone
  162. }
  163. }
  164. }
  165. }
  167. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  168. return nil, s3err.ErrAccessDenied
  169. }
  170. }
  172. // Check Object-Read related access
  173. // includes:
  174. // - GetObjectHandler
  175. //
  176. // offload object access validation to Filer layer
  177. // - s3acl.CheckObjectAccessForReadObject
  178. func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
  179. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  180. if errCode != s3err.ErrNone {
  181. return errCode
  182. }
  184. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  185. //offload object acl validation to filer layer
  186. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId, *bucketMetadata.Owner.ID)
  187. }
  189. return s3err.ErrNone
  190. }
  192. // Check ObjectAcl-Write related access
  193. // includes:
  194. // - PutObjectAclHandler
  195. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(accountId, bucket, object string) (bucketMetadata *BucketMetaData, objectEntry *filer_pb.Entry, objectOwner string, errCode s3err.ErrorCode) {
  196. bucketMetadata, errCode = s3a.bucketRegistry.GetBucketMetadata(bucket)
  197. if errCode != s3err.ErrNone {
  198. return nil, nil, "", errCode
  199. }
  201. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  202. return nil, nil, "", s3err.AccessControlListNotSupported
  203. }
  205. //bucket acl
  206. bucketAclAllowed := false
  207. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  208. if accountId == *bucketMetadata.Owner.ID {
  209. bucketAclAllowed = true
  210. } else if bucketMetadata.Acl != nil {
  211. bucketLoop:
  212. for _, bucketGrant := range bucketMetadata.Acl {
  213. for _, requiredGrant := range reqGrants {
  214. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  215. bucketAclAllowed = true
  216. break bucketLoop
  217. }
  218. }
  219. }
  220. }
  221. if !bucketAclAllowed {
  222. return nil, nil, "", s3err.ErrAccessDenied
  223. }
  225. //object acl
  226. objectEntry, err := getObjectEntry(s3a, bucket, object)
  227. if err != nil {
  228. if err == filer_pb.ErrNotFound {
  229. return nil, nil, "", s3err.ErrNoSuchKey
  230. }
  231. return nil, nil, "", s3err.ErrInternalError
  232. }
  234. if objectEntry.IsDirectory {
  235. return nil, nil, "", s3err.ErrExistingObjectIsDirectory
  236. }
  238. objectOwner = s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  239. if accountId == objectOwner {
  240. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  241. }
  243. objectGrants := s3acl.GetAcpGrants(objectEntry.Extended)
  244. if objectGrants != nil {
  245. for _, objectGrant := range objectGrants {
  246. for _, requiredGrant := range reqGrants {
  247. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  248. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  249. }
  250. }
  251. }
  252. }
  254. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  255. return nil, nil, "", s3err.ErrAccessDenied
  256. }
  258. func updateObjectEntry(s3a *S3ApiServer, bucket string, entry *filer_pb.Entry) error {
  259. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket), entry)
  260. }
  262. // Check Object-Write related access
  263. // includes:
  264. // - PutObjectHandler
  265. // - PutObjectPartHandler
  266. func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  267. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  268. if errCode != s3err.ErrNone {
  269. return errCode
  270. }
  272. accountId := s3acl.GetAccountId(r)
  273. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  274. // validate grants (only bucketOwnerFullControl acl is allowed)
  275. _, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  276. if errCode != s3err.ErrNone {
  277. return errCode
  278. }
  279. if len(grants) > 1 {
  280. return s3err.AccessControlListNotSupported
  281. }
  282. bucketOwnerFullControlGrant := &s3.Grant{
  283. Permission: &s3_constants.PermissionFullControl,
  284. Grantee: &s3.Grantee{
  285. Type: &s3_constants.GrantTypeCanonicalUser,
  286. ID: bucketMetadata.Owner.ID,
  287. },
  288. }
  289. if len(grants) == 0 {
  290. // set default grants
  291. s3acl.SetAcpOwnerHeader(r, accountId)
  292. s3acl.SetAcpGrantsHeader(r, []*s3.Grant{bucketOwnerFullControlGrant})
  293. return s3err.ErrNone
  294. }
  296. if !s3acl.GrantEquals(bucketOwnerFullControlGrant, grants[0]) {
  297. return s3err.AccessControlListNotSupported
  298. }
  300. s3acl.SetAcpOwnerHeader(r, accountId)
  301. s3acl.SetAcpGrantsHeader(r, []*s3.Grant{bucketOwnerFullControlGrant})
  302. return s3err.ErrNone
  303. }
  305. //bucket access allowed
  306. bucketAclAllowed := false
  307. if accountId == *bucketMetadata.Owner.ID {
  308. bucketAclAllowed = true
  309. } else {
  310. if len(bucketMetadata.Acl) > 0 {
  311. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  312. bucketLoop:
  313. for _, bucketGrant := range bucketMetadata.Acl {
  314. for _, requiredGrant := range reqGrants {
  315. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  316. bucketAclAllowed = true
  317. break bucketLoop
  318. }
  319. }
  320. }
  321. }
  322. }
  323. if !bucketAclAllowed {
  324. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  325. return s3err.ErrAccessDenied
  326. }
  328. //object access allowed
  329. entry, err := getObjectEntry(s3a, bucket, object)
  330. if err != nil {
  331. if err != filer_pb.ErrNotFound {
  332. return s3err.ErrInternalError
  333. }
  334. } else {
  335. if entry.IsDirectory {
  336. return s3err.ErrExistingObjectIsDirectory
  337. }
  339. //Only the owner of the bucket and the owner of the object can overwrite the object
  340. objectOwner := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  341. if accountId != objectOwner && accountId != *bucketMetadata.Owner.ID {
  342. glog.V(3).Infof("acl denied! request account id: %s, expect account id: %s", accountId, *bucketMetadata.Owner.ID)
  343. return s3err.ErrAccessDenied
  344. }
  345. }
  347. ownerId, grants, errCode := s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  348. if errCode != s3err.ErrNone {
  349. return errCode
  350. }
  352. s3acl.SetAcpOwnerHeader(r, ownerId)
  353. s3acl.SetAcpGrantsHeader(r, grants)
  355. return s3err.ErrNone
  356. }
  358. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  359. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  360. }