Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5591 Commits
32 Branches
297 Tags
164 MiB
Tree: 46ef1811a1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '46ef1811a1'
${ noResults }
seaweedfs/weed/iamapi/iamapi_management_handlers.go

449 lines
13 KiB
Raw Normal View History

init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
add tests
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
GetUserPolicy
4 years ago
init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
GetUserPolicy
4 years ago
add tests
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
add tests
4 years ago
base handlers
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
iam GetUser
4 years ago
GetUserPolicy
4 years ago
iam GetUser
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
add DeleteUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
SaveInsideFiler S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
add tests
4 years ago
init Iam Api Server
4 years ago
add tests
4 years ago
init Iam Api Server
4 years ago
add tests
4 years ago
init Iam Api Server
4 years ago
add tests
4 years ago
init Iam Api Server
4 years ago
iam GetUser
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
SaveAs S3 Configuration
4 years ago
base handlers
4 years ago
iam GetUser
4 years ago
add DeleteUserPolicy
4 years ago
iam GetUser
4 years ago
GetUserPolicy
4 years ago
base handlers
4 years ago
iam GetUser
4 years ago
add DeleteUserPolicy
4 years ago
iam GetUser
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
add tests
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
add tests
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
add DeleteUserPolicy
4 years ago
init Iam Api Server
4 years ago
add DeleteUserPolicy
4 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
add tests
4 years ago
SaveInsideFiler S3 Configuration
4 years ago
add DeleteUserPolicy
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
  1. package iamapi
  3. import (
  4. "crypto/sha1"
  5. "encoding/json"
  6. "fmt"
  7. "github.com/chrislusf/seaweedfs/weed/glog"
  8. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  9. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  10. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  11. "math/rand"
  12. "net/http"
  13. "net/url"
  14. "reflect"
  15. "strings"
  16. "sync"
  17. "time"
  19. "github.com/aws/aws-sdk-go/service/iam"
  20. )
  22. const (
  23. charsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  24. charset = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
  25. policyDocumentVersion = "2012-10-17"
  26. StatementActionAdmin = "*"
  27. StatementActionWrite = "Put*"
  28. StatementActionRead = "Get*"
  29. StatementActionList = "List*"
  30. StatementActionTagging = "Tagging*"
  31. )
  33. var (
  34. seededRand *rand.Rand = rand.New(
  35. rand.NewSource(time.Now().UnixNano()))
  36. policyDocuments = map[string]*PolicyDocument{}
  37. policyLock = sync.RWMutex{}
  38. )
  40. func MapToStatementAction(action string) string {
  41. switch action {
  42. case StatementActionAdmin:
  43. return s3_constants.ACTION_ADMIN
  44. case StatementActionWrite:
  45. return s3_constants.ACTION_WRITE
  46. case StatementActionRead:
  47. return s3_constants.ACTION_READ
  48. case StatementActionList:
  49. return s3_constants.ACTION_LIST
  50. case StatementActionTagging:
  51. return s3_constants.ACTION_TAGGING
  52. default:
  53. return ""
  54. }
  55. }
  57. func MapToIdentitiesAction(action string) string {
  58. switch action {
  59. case s3_constants.ACTION_ADMIN:
  60. return StatementActionAdmin
  61. case s3_constants.ACTION_WRITE:
  62. return StatementActionWrite
  63. case s3_constants.ACTION_READ:
  64. return StatementActionRead
  65. case s3_constants.ACTION_LIST:
  66. return StatementActionList
  67. case s3_constants.ACTION_TAGGING:
  68. return StatementActionTagging
  69. default:
  70. return ""
  71. }
  72. }
  74. type Statement struct {
  75. Effect string `json:"Effect"`
  76. Action []string `json:"Action"`
  77. Resource []string `json:"Resource"`
  78. }
  80. type Policies struct {
  81. Policies map[string]PolicyDocument `json:"policies"`
  82. }
  84. type PolicyDocument struct {
  85. Version string `json:"Version"`
  86. Statement []*Statement `json:"Statement"`
  87. }
  89. func (p PolicyDocument) String() string {
  90. b, _ := json.Marshal(p)
  91. return string(b)
  92. }
  94. func Hash(s *string) string {
  95. h := sha1.New()
  96. h.Write([]byte(*s))
  97. return fmt.Sprintf("%x", h.Sum(nil))
  98. }
  100. func StringWithCharset(length int, charset string) string {
  101. b := make([]byte, length)
  102. for i := range b {
  103. b[i] = charset[seededRand.Intn(len(charset))]
  104. }
  105. return string(b)
  106. }
  108. func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
  109. for _, ident := range s3cfg.Identities {
  110. resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
  111. }
  112. return resp
  113. }
  115. func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) {
  116. status := iam.StatusTypeActive
  117. for _, ident := range s3cfg.Identities {
  118. for _, cred := range ident.Credentials {
  119. resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
  120. &iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status},
  121. )
  122. }
  123. }
  124. return resp
  125. }
  127. func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) {
  128. userName := values.Get("UserName")
  129. resp.CreateUserResult.User.UserName = &userName
  130. s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
  131. return resp
  132. }
  134. func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp DeleteUserResponse, err error) {
  135. for i, ident := range s3cfg.Identities {
  136. if userName == ident.Name {
  137. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  138. return resp, nil
  139. }
  140. }
  141. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  142. }
  144. func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp GetUserResponse, err error) {
  145. for _, ident := range s3cfg.Identities {
  146. if userName == ident.Name {
  147. resp.GetUserResult.User = iam.User{UserName: &ident.Name}
  148. return resp, nil
  149. }
  150. }
  151. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  152. }
  154. func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) {
  155. if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
  156. return PolicyDocument{}, err
  157. }
  158. return policyDocument, err
  159. }
  161. func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, err error) {
  162. policyName := values.Get("PolicyName")
  163. policyDocumentString := values.Get("PolicyDocument")
  164. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  165. if err != nil {
  166. return CreatePolicyResponse{}, err
  167. }
  168. policyId := Hash(&policyDocumentString)
  169. arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
  170. resp.CreatePolicyResult.Policy.PolicyName = &policyName
  171. resp.CreatePolicyResult.Policy.Arn = &arn
  172. resp.CreatePolicyResult.Policy.PolicyId = &policyId
  173. policies := Policies{}
  174. policyLock.Lock()
  175. defer policyLock.Unlock()
  176. if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil {
  177. return resp, err
  178. }
  179. policies.Policies[policyName] = policyDocument
  180. if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
  181. return resp, err
  182. }
  183. return resp, nil
  184. }
  186. func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  187. userName := values.Get("UserName")
  188. policyName := values.Get("PolicyName")
  189. policyDocumentString := values.Get("PolicyDocument")
  190. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  191. if err != nil {
  192. return PutUserPolicyResponse{}, err
  193. }
  194. policyDocuments[policyName] = &policyDocument
  195. actions := GetActions(&policyDocument)
  196. for _, ident := range s3cfg.Identities {
  197. if userName == ident.Name {
  198. for _, action := range actions {
  199. ident.Actions = append(ident.Actions, action)
  200. }
  201. break
  202. }
  203. }
  204. return resp, nil
  205. }
  207. func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp GetUserPolicyResponse, err error) {
  208. userName := values.Get("UserName")
  209. policyName := values.Get("PolicyName")
  210. for _, ident := range s3cfg.Identities {
  211. if userName != ident.Name {
  212. continue
  213. }
  215. resp.GetUserPolicyResult.UserName = userName
  216. resp.GetUserPolicyResult.PolicyName = policyName
  217. if len(ident.Actions) == 0 {
  218. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  219. }
  221. policyDocument := PolicyDocument{Version: policyDocumentVersion}
  222. statements := make(map[string][]string)
  223. for _, action := range ident.Actions {
  224. // parse "Read:EXAMPLE-BUCKET"
  225. act := strings.Split(action, ":")
  227. resource := "*"
  228. if len(act) == 2 {
  229. resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1])
  230. }
  231. statements[resource] = append(statements[resource],
  232. fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])),
  233. )
  234. }
  235. for resource, actions := range statements {
  236. isEqAction := false
  237. for i, statement := range policyDocument.Statement {
  238. if reflect.DeepEqual(statement.Action, actions) {
  239. policyDocument.Statement[i].Resource = append(
  240. policyDocument.Statement[i].Resource, resource)
  241. isEqAction = true
  242. break
  243. }
  244. }
  245. if isEqAction {
  246. continue
  247. }
  248. policyDocumentStatement := Statement{
  249. Effect: "Allow",
  250. Action: actions,
  251. }
  252. policyDocumentStatement.Resource = append(policyDocumentStatement.Resource, resource)
  253. policyDocument.Statement = append(policyDocument.Statement, &policyDocumentStatement)
  254. }
  255. resp.GetUserPolicyResult.PolicyDocument = policyDocument.String()
  256. return resp, nil
  257. }
  258. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  259. }
  261. func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  262. userName := values.Get("UserName")
  263. for i, ident := range s3cfg.Identities {
  264. if ident.Name == userName {
  265. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  266. return resp, nil
  267. }
  268. }
  269. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  270. }
  272. func GetActions(policy *PolicyDocument) (actions []string) {
  273. for _, statement := range policy.Statement {
  274. if statement.Effect != "Allow" {
  275. continue
  276. }
  277. for _, resource := range statement.Resource {
  278. // Parse "arn:aws:s3:::my-bucket/shared/*"
  279. res := strings.Split(resource, ":")
  280. if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
  281. glog.Infof("not match resource: %s", res)
  282. continue
  283. }
  284. for _, action := range statement.Action {
  285. // Parse "s3:Get*"
  286. act := strings.Split(action, ":")
  287. if len(act) != 2 || act[0] != "s3" {
  288. glog.Infof("not match action: %s", act)
  289. continue
  290. }
  291. statementAction := MapToStatementAction(act[1])
  292. if res[5] == "*" {
  293. actions = append(actions, statementAction)
  294. continue
  295. }
  296. // Parse my-bucket/shared/*
  297. path := strings.Split(res[5], "/")
  298. if len(path) != 2 || path[1] != "*" {
  299. glog.Infof("not match bucket: %s", path)
  300. continue
  301. }
  302. actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0]))
  303. }
  304. }
  305. }
  306. return actions
  307. }
  309. func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) {
  310. userName := values.Get("UserName")
  311. status := iam.StatusTypeActive
  312. accessKeyId := StringWithCharset(21, charsetUpper)
  313. secretAccessKey := StringWithCharset(42, charset)
  314. resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
  315. resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
  316. resp.CreateAccessKeyResult.AccessKey.UserName = &userName
  317. resp.CreateAccessKeyResult.AccessKey.Status = &status
  318. changed := false
  319. for _, ident := range s3cfg.Identities {
  320. if userName == ident.Name {
  321. ident.Credentials = append(ident.Credentials,
  322. &iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey})
  323. changed = true
  324. break
  325. }
  326. }
  327. if !changed {
  328. s3cfg.Identities = append(s3cfg.Identities,
  329. &iam_pb.Identity{Name: userName,
  330. Credentials: []*iam_pb.Credential{
  331. {
  332. AccessKey: accessKeyId,
  333. SecretKey: secretAccessKey,
  334. },
  335. },
  336. },
  337. )
  338. }
  339. return resp
  340. }
  342. func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) {
  343. userName := values.Get("UserName")
  344. accessKeyId := values.Get("AccessKeyId")
  345. for _, ident := range s3cfg.Identities {
  346. if userName == ident.Name {
  347. for i, cred := range ident.Credentials {
  348. if cred.AccessKey == accessKeyId {
  349. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  350. break
  351. }
  352. }
  353. break
  354. }
  355. }
  356. return resp
  357. }
  359. func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
  360. if err := r.ParseForm(); err != nil {
  361. writeErrorResponse(w, s3err.ErrInvalidRequest, r.URL)
  362. return
  363. }
  364. values := r.PostForm
  365. var s3cfgLock sync.RWMutex
  366. s3cfgLock.RLock()
  367. s3cfg := &iam_pb.S3ApiConfiguration{}
  368. if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil {
  369. writeErrorResponse(w, s3err.ErrInternalError, r.URL)
  370. return
  371. }
  372. s3cfgLock.RUnlock()
  374. glog.V(4).Infof("DoActions: %+v", values)
  375. var response interface{}
  376. var err error
  377. changed := true
  378. switch r.Form.Get("Action") {
  379. case "ListUsers":
  380. response = iama.ListUsers(s3cfg, values)
  381. changed = false
  382. case "ListAccessKeys":
  383. response = iama.ListAccessKeys(s3cfg, values)
  384. changed = false
  385. case "CreateUser":
  386. response = iama.CreateUser(s3cfg, values)
  387. case "GetUser":
  388. userName := values.Get("UserName")
  389. response, err = iama.GetUser(s3cfg, userName)
  390. if err != nil {
  391. writeIamErrorResponse(w, err, "user", userName, nil)
  392. return
  393. }
  394. changed = false
  395. case "DeleteUser":
  396. userName := values.Get("UserName")
  397. response, err = iama.DeleteUser(s3cfg, userName)
  398. if err != nil {
  399. writeIamErrorResponse(w, err, "user", userName, nil)
  400. return
  401. }
  402. case "CreateAccessKey":
  403. response = iama.CreateAccessKey(s3cfg, values)
  404. case "DeleteAccessKey":
  405. response = iama.DeleteAccessKey(s3cfg, values)
  406. case "CreatePolicy":
  407. response, err = iama.CreatePolicy(s3cfg, values)
  408. if err != nil {
  409. glog.Errorf("CreatePolicy: %+v", err)
  410. writeErrorResponse(w, s3err.ErrInvalidRequest, r.URL)
  411. return
  412. }
  413. case "PutUserPolicy":
  414. response, err = iama.PutUserPolicy(s3cfg, values)
  415. if err != nil {
  416. glog.Errorf("PutUserPolicy: %+v", err)
  417. writeErrorResponse(w, s3err.ErrInvalidRequest, r.URL)
  418. return
  419. }
  420. case "GetUserPolicy":
  421. response, err = iama.GetUserPolicy(s3cfg, values)
  422. if err != nil {
  423. writeIamErrorResponse(w, err, "user", values.Get("UserName"), nil)
  424. return
  425. }
  426. changed = false
  427. case "DeleteUserPolicy":
  428. if response, err = iama.DeleteUserPolicy(s3cfg, values); err != nil {
  429. writeIamErrorResponse(w, err, "user", values.Get("UserName"), nil)
  430. }
  431. default:
  432. errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
  433. errorResponse := ErrorResponse{}
  434. errorResponse.Error.Code = &errNotImplemented.Code
  435. errorResponse.Error.Message = &errNotImplemented.Description
  436. writeResponse(w, errNotImplemented.HTTPStatusCode, encodeResponse(errorResponse), mimeXML)
  437. return
  438. }
  439. if changed {
  440. s3cfgLock.Lock()
  441. err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg)
  442. s3cfgLock.Unlock()
  443. if err != nil {
  444. writeIamErrorResponse(w, fmt.Errorf(iam.ErrCodeServiceFailureException), "", "", err)
  445. return
  446. }
  447. }
  448. writeSuccessResponseXML(w, encodeResponse(response))
  449. }