Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8942 Commits
32 Branches
297 Tags
164 MiB
Tree: 4c280c06dc
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4c280c06dc'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

417 lines
12 KiB
Raw Normal View History

support acl
5 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
move to https://github.com/seaweedfs/seaweedfs
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
use streaming mode for long poll grpc calls streaming mode would create separate grpc connections for each call. this is to ensure the long poll connections are properly closed.
3 years ago
refactor: `Directory` readability (#3665)
2 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
s3: add grpc server to accept configuration changes
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
supplement check duplicate accesskey
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
refactoring
5 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
support acl
5 years ago
adjust logs
3 years ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
add ownership rest apis (#3765)
2 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: access control limited by bucket
5 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
support acl
5 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
fix: When there is no access permission configured before startup, the authentication does not take effect after configuring the permission after startup
3 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
audit log SignatureVersion
3 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
s3: support config action Admin:bucket
4 years ago
enable anonymous access when bucket acl is enabled Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
s3: support config action Admin:bucket
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: support config action Admin:bucket
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
s3: support config action Admin:bucket
4 years ago
add ownership rest apis (#3765)
2 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
audit log SignatureVersion
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
fix auth permission checking
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
auth use bucket wild cards
4 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  6. "net/http"
  7. "os"
  8. "strings"
  9. "sync"
  11. "github.com/seaweedfs/seaweedfs/weed/filer"
  12. "github.com/seaweedfs/seaweedfs/weed/glog"
  13. "github.com/seaweedfs/seaweedfs/weed/pb"
  14. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  15. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  16. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  17. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  18. )
  20. var IdentityAnonymous *Identity
  22. type Action string
  24. type Iam interface {
  25. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  26. }
  28. type IdentityAccessManagement struct {
  29. m sync.RWMutex
  31. identities []*Identity
  32. isAuthEnabled bool
  33. domain string
  34. }
  36. type Identity struct {
  37. Name string
  38. AccountId string
  39. Credentials []*Credential
  40. Actions []Action
  41. }
  43. func (i *Identity) isAnonymous() bool {
  44. return i.Name == s3account.AccountAnonymous.Name
  45. }
  47. type Credential struct {
  48. AccessKey string
  49. SecretKey string
  50. }
  52. func (action Action) isAdmin() bool {
  53. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  54. }
  56. func (action Action) isOwner(bucket string) bool {
  57. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  58. }
  60. func (action Action) overBucket(bucket string) bool {
  61. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  62. }
  64. func (action Action) getPermission() Permission {
  65. switch act := strings.Split(string(action), ":")[0]; act {
  66. case s3_constants.ACTION_ADMIN:
  67. return Permission("FULL_CONTROL")
  68. case s3_constants.ACTION_WRITE:
  69. return Permission("WRITE")
  70. case s3_constants.ACTION_READ:
  71. return Permission("READ")
  72. default:
  73. return Permission("")
  74. }
  75. }
  77. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  78. iam := &IdentityAccessManagement{
  79. domain: option.DomainName,
  80. }
  81. if option.Config != "" {
  82. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  83. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  84. }
  85. } else {
  86. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  87. glog.Warningf("fail to load config: %v", err)
  88. }
  89. }
  90. return iam
  91. }
  93. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  94. var content []byte
  95. err = pb.WithFilerClient(false, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  96. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
  97. return err
  98. })
  99. if err != nil {
  100. return fmt.Errorf("read S3 config: %v", err)
  101. }
  102. return iam.LoadS3ApiConfigurationFromBytes(content)
  103. }
  105. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  106. content, readErr := os.ReadFile(fileName)
  107. if readErr != nil {
  108. glog.Warningf("fail to read %s : %v", fileName, readErr)
  109. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  110. }
  111. return iam.LoadS3ApiConfigurationFromBytes(content)
  112. }
  114. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  115. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  116. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  117. glog.Warningf("unmarshal error: %v", err)
  118. return fmt.Errorf("unmarshal error: %v", err)
  119. }
  121. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  122. return err
  123. }
  125. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  126. return err
  127. }
  128. return nil
  129. }
  131. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  132. var identities []*Identity
  133. for _, ident := range config.Identities {
  134. t := &Identity{
  135. Name: ident.Name,
  136. AccountId: s3account.AccountAdmin.Id,
  137. Credentials: nil,
  138. Actions: nil,
  139. }
  141. if ident.Name == s3account.AccountAnonymous.Name {
  142. if ident.AccountId != "" && ident.AccountId != s3account.AccountAnonymous.Id {
  143. glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
  144. }
  145. t.AccountId = s3account.AccountAnonymous.Id
  146. IdentityAnonymous = t
  147. } else {
  148. if len(ident.AccountId) > 0 {
  149. t.AccountId = ident.AccountId
  150. }
  151. }
  153. for _, action := range ident.Actions {
  154. t.Actions = append(t.Actions, Action(action))
  155. }
  156. for _, cred := range ident.Credentials {
  157. t.Credentials = append(t.Credentials, &Credential{
  158. AccessKey: cred.AccessKey,
  159. SecretKey: cred.SecretKey,
  160. })
  161. }
  162. identities = append(identities, t)
  163. }
  165. if IdentityAnonymous == nil {
  166. IdentityAnonymous = &Identity{
  167. Name: s3account.AccountAnonymous.Name,
  168. AccountId: s3account.AccountAnonymous.Id,
  169. }
  170. }
  171. iam.m.Lock()
  172. // atomically switch
  173. iam.identities = identities
  174. if !iam.isAuthEnabled { // one-directional, no toggling
  175. iam.isAuthEnabled = len(identities) > 0
  176. }
  177. iam.m.Unlock()
  178. return nil
  179. }
  181. func (iam *IdentityAccessManagement) isEnabled() bool {
  182. return iam.isAuthEnabled
  183. }
  185. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  187. iam.m.RLock()
  188. defer iam.m.RUnlock()
  189. for _, ident := range iam.identities {
  190. for _, cred := range ident.Credentials {
  191. // println("checking", ident.Name, cred.AccessKey)
  192. if cred.AccessKey == accessKey {
  193. return ident, cred, true
  194. }
  195. }
  196. }
  197. glog.V(1).Infof("could not find accessKey %s", accessKey)
  198. return nil, nil, false
  199. }
  201. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  202. iam.m.RLock()
  203. defer iam.m.RUnlock()
  204. for _, ident := range iam.identities {
  205. if ident.isAnonymous() {
  206. return ident, true
  207. }
  208. }
  209. return nil, false
  210. }
  212. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  213. return Auth(iam, nil, f, action, false)
  214. }
  216. func (s3a *S3ApiServer) Auth(f http.HandlerFunc, action Action, supportAcl bool) http.HandlerFunc {
  217. return Auth(s3a.iam, s3a.bucketRegistry, f, action, supportAcl)
  218. }
  220. func Auth(iam *IdentityAccessManagement, br *BucketRegistry, f http.HandlerFunc, action Action, supportAcl bool) http.HandlerFunc {
  221. return func(w http.ResponseWriter, r *http.Request) {
  222. //unset predefined headers
  223. delete(r.Header, s3_constants.AmzAccountId)
  224. delete(r.Header, s3_constants.ExtAmzOwnerKey)
  225. delete(r.Header, s3_constants.ExtAmzAclKey)
  227. if !iam.isEnabled() {
  228. f(w, r)
  229. return
  230. }
  232. identity, errCode := authRequest(iam, br, r, action, supportAcl)
  233. if errCode == s3err.ErrNone {
  234. if identity != nil && identity.Name != "" {
  235. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  236. if identity.isAdmin() {
  237. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  238. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  239. r.Header.Del(s3_constants.AmzIsAdmin)
  240. }
  241. }
  242. f(w, r)
  243. return
  244. }
  245. s3err.WriteErrorResponse(w, r, errCode)
  246. }
  247. }
  249. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  250. return authRequest(iam, nil, r, action, false)
  251. }
  253. func authRequest(iam *IdentityAccessManagement, br *BucketRegistry, r *http.Request, action Action, supportAcl bool) (*Identity, s3err.ErrorCode) {
  254. var identity *Identity
  255. var s3Err s3err.ErrorCode
  256. var authType string
  257. switch getRequestAuthType(r) {
  258. case authTypeStreamingSigned:
  259. return identity, s3err.ErrNone
  260. case authTypeUnknown:
  261. glog.V(3).Infof("unknown auth type")
  262. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  263. return identity, s3err.ErrAccessDenied
  264. case authTypePresignedV2, authTypeSignedV2:
  265. glog.V(3).Infof("v2 auth type")
  266. identity, s3Err = iam.isReqAuthenticatedV2(r)
  267. authType = "SigV2"
  268. case authTypeSigned, authTypePresigned:
  269. glog.V(3).Infof("v4 auth type")
  270. identity, s3Err = iam.reqSignatureV4Verify(r)
  271. authType = "SigV4"
  272. case authTypePostPolicy:
  273. glog.V(3).Infof("post policy auth type")
  274. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  275. return identity, s3err.ErrNone
  276. case authTypeJWT:
  277. glog.V(3).Infof("jwt auth type")
  278. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  279. return identity, s3err.ErrNotImplemented
  280. case authTypeAnonymous:
  281. if supportAcl && br != nil {
  282. bucket, _ := s3_constants.GetBucketAndObject(r)
  283. bucketMetadata, errorCode := br.GetBucketMetadata(bucket)
  284. if errorCode != s3err.ErrNone {
  285. return nil, errorCode
  286. }
  287. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  288. return IdentityAnonymous, s3err.ErrNone
  289. }
  290. }
  291. authType = "Anonymous"
  292. identity = IdentityAnonymous
  293. if len(identity.Actions) == 0 {
  294. r.Header.Set(s3_constants.AmzAuthType, authType)
  295. return identity, s3err.ErrAccessDenied
  296. }
  297. default:
  298. return identity, s3err.ErrNotImplemented
  299. }
  301. if len(authType) > 0 {
  302. r.Header.Set(s3_constants.AmzAuthType, authType)
  303. }
  304. if s3Err != s3err.ErrNone {
  305. return identity, s3Err
  306. }
  308. glog.V(3).Infof("user name: %v account id: %v actions: %v, action: %v", identity.Name, identity.AccountId, identity.Actions, action)
  310. bucket, object := s3_constants.GetBucketAndObject(r)
  312. if !identity.canDo(action, bucket, object) {
  313. return identity, s3err.ErrAccessDenied
  314. }
  316. if !identity.isAnonymous() {
  317. r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
  318. }
  319. return identity, s3err.ErrNone
  321. }
  323. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  324. var identity *Identity
  325. var s3Err s3err.ErrorCode
  326. var found bool
  327. var authType string
  328. switch getRequestAuthType(r) {
  329. case authTypeStreamingSigned:
  330. return identity, s3err.ErrNone
  331. case authTypeUnknown:
  332. glog.V(3).Infof("unknown auth type")
  333. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  334. return identity, s3err.ErrAccessDenied
  335. case authTypePresignedV2, authTypeSignedV2:
  336. glog.V(3).Infof("v2 auth type")
  337. identity, s3Err = iam.isReqAuthenticatedV2(r)
  338. authType = "SigV2"
  339. case authTypeSigned, authTypePresigned:
  340. glog.V(3).Infof("v4 auth type")
  341. identity, s3Err = iam.reqSignatureV4Verify(r)
  342. authType = "SigV4"
  343. case authTypePostPolicy:
  344. glog.V(3).Infof("post policy auth type")
  345. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  346. return identity, s3err.ErrNone
  347. case authTypeJWT:
  348. glog.V(3).Infof("jwt auth type")
  349. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  350. return identity, s3err.ErrNotImplemented
  351. case authTypeAnonymous:
  352. authType = "Anonymous"
  353. identity, found = iam.lookupAnonymous()
  354. if !found {
  355. r.Header.Set(s3_constants.AmzAuthType, authType)
  356. return identity, s3err.ErrAccessDenied
  357. }
  358. default:
  359. return identity, s3err.ErrNotImplemented
  360. }
  362. if len(authType) > 0 {
  363. r.Header.Set(s3_constants.AmzAuthType, authType)
  364. }
  366. glog.V(3).Infof("auth error: %v", s3Err)
  367. if s3Err != s3err.ErrNone {
  368. return identity, s3Err
  369. }
  370. return identity, s3err.ErrNone
  371. }
  373. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  374. if identity.isAdmin() {
  375. return true
  376. }
  377. for _, a := range identity.Actions {
  378. if a == action {
  379. return true
  380. }
  381. }
  382. if bucket == "" {
  383. return false
  384. }
  385. target := string(action) + ":" + bucket + objectKey
  386. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  387. limitedByBucket := string(action) + ":" + bucket
  388. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  389. for _, a := range identity.Actions {
  390. act := string(a)
  391. if strings.HasSuffix(act, "*") {
  392. if strings.HasPrefix(target, act[:len(act)-1]) {
  393. return true
  394. }
  395. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  396. return true
  397. }
  398. } else {
  399. if act == limitedByBucket {
  400. return true
  401. }
  402. if act == adminLimitedByBucket {
  403. return true
  404. }
  405. }
  406. }
  407. return false
  408. }
  410. func (identity *Identity) isAdmin() bool {
  411. for _, a := range identity.Actions {
  412. if a == "Admin" {
  413. return true
  414. }
  415. }
  416. return false
  417. }