You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

234 lines
5.8 KiB

5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
4 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
  1. package s3api
  2. import (
  3. "fmt"
  4. "github.com/chrislusf/seaweedfs/weed/filer"
  5. "io/ioutil"
  6. "net/http"
  7. "github.com/chrislusf/seaweedfs/weed/glog"
  8. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  9. xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
  10. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  11. )
  12. type Action string
  13. type Iam interface {
  14. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  15. }
  16. type IdentityAccessManagement struct {
  17. identities []*Identity
  18. domain string
  19. }
  20. type Identity struct {
  21. Name string
  22. Credentials []*Credential
  23. Actions []Action
  24. }
  25. type Credential struct {
  26. AccessKey string
  27. SecretKey string
  28. }
  29. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  30. iam := &IdentityAccessManagement{
  31. domain: option.DomainName,
  32. }
  33. if option.Config != "" {
  34. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  35. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  36. }
  37. } else {
  38. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  39. glog.Warningf("fail to load config: %v", err)
  40. }
  41. }
  42. return iam
  43. }
  44. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
  45. content, err := filer.ReadContent(option.Filer, filer.IamConfigDirecotry, filer.IamIdentityFile)
  46. if err != nil {
  47. return fmt.Errorf("read S3 config: %v", err)
  48. }
  49. return iam.loadS3ApiConfigurationFromBytes(content)
  50. }
  51. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  52. content, readErr := ioutil.ReadFile(fileName)
  53. if readErr != nil {
  54. glog.Warningf("fail to read %s : %v", fileName, readErr)
  55. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  56. }
  57. return iam.loadS3ApiConfigurationFromBytes(content)
  58. }
  59. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromBytes(content []byte) error {
  60. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  61. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  62. glog.Warningf("unmarshal error: %v", err)
  63. return fmt.Errorf("unmarshal error: %v", err)
  64. }
  65. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  66. return err
  67. }
  68. return nil
  69. }
  70. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  71. var identities []*Identity
  72. for _, ident := range config.Identities {
  73. t := &Identity{
  74. Name: ident.Name,
  75. Credentials: nil,
  76. Actions: nil,
  77. }
  78. for _, action := range ident.Actions {
  79. t.Actions = append(t.Actions, Action(action))
  80. }
  81. for _, cred := range ident.Credentials {
  82. t.Credentials = append(t.Credentials, &Credential{
  83. AccessKey: cred.AccessKey,
  84. SecretKey: cred.SecretKey,
  85. })
  86. }
  87. identities = append(identities, t)
  88. }
  89. // atomically switch
  90. iam.identities = identities
  91. return nil
  92. }
  93. func (iam *IdentityAccessManagement) isEnabled() bool {
  94. return len(iam.identities) > 0
  95. }
  96. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  97. for _, ident := range iam.identities {
  98. for _, cred := range ident.Credentials {
  99. if cred.AccessKey == accessKey {
  100. return ident, cred, true
  101. }
  102. }
  103. }
  104. return nil, nil, false
  105. }
  106. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  107. for _, ident := range iam.identities {
  108. if ident.Name == "anonymous" {
  109. return ident, true
  110. }
  111. }
  112. return nil, false
  113. }
  114. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  115. if !iam.isEnabled() {
  116. return f
  117. }
  118. return func(w http.ResponseWriter, r *http.Request) {
  119. identity, errCode := iam.authRequest(r, action)
  120. if errCode == s3err.ErrNone {
  121. if identity != nil && identity.Name != "" {
  122. r.Header.Set(xhttp.AmzIdentityId, identity.Name)
  123. if identity.isAdmin() {
  124. r.Header.Set(xhttp.AmzIsAdmin, "true")
  125. }
  126. }
  127. f(w, r)
  128. return
  129. }
  130. writeErrorResponse(w, errCode, r.URL)
  131. }
  132. }
  133. // check whether the request has valid access keys
  134. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  135. var identity *Identity
  136. var s3Err s3err.ErrorCode
  137. var found bool
  138. switch getRequestAuthType(r) {
  139. case authTypeStreamingSigned:
  140. return identity, s3err.ErrNone
  141. case authTypeUnknown:
  142. glog.V(3).Infof("unknown auth type")
  143. return identity, s3err.ErrAccessDenied
  144. case authTypePresignedV2, authTypeSignedV2:
  145. glog.V(3).Infof("v2 auth type")
  146. identity, s3Err = iam.isReqAuthenticatedV2(r)
  147. case authTypeSigned, authTypePresigned:
  148. glog.V(3).Infof("v4 auth type")
  149. identity, s3Err = iam.reqSignatureV4Verify(r)
  150. case authTypePostPolicy:
  151. glog.V(3).Infof("post policy auth type")
  152. return identity, s3err.ErrNone
  153. case authTypeJWT:
  154. glog.V(3).Infof("jwt auth type")
  155. return identity, s3err.ErrNotImplemented
  156. case authTypeAnonymous:
  157. identity, found = iam.lookupAnonymous()
  158. if !found {
  159. return identity, s3err.ErrAccessDenied
  160. }
  161. default:
  162. return identity, s3err.ErrNotImplemented
  163. }
  164. glog.V(3).Infof("auth error: %v", s3Err)
  165. if s3Err != s3err.ErrNone {
  166. return identity, s3Err
  167. }
  168. glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
  169. bucket, _ := getBucketAndObject(r)
  170. if !identity.canDo(action, bucket) {
  171. return identity, s3err.ErrAccessDenied
  172. }
  173. return identity, s3err.ErrNone
  174. }
  175. func (identity *Identity) canDo(action Action, bucket string) bool {
  176. if identity.isAdmin() {
  177. return true
  178. }
  179. for _, a := range identity.Actions {
  180. if a == action {
  181. return true
  182. }
  183. }
  184. if bucket == "" {
  185. return false
  186. }
  187. limitedByBucket := string(action) + ":" + bucket
  188. for _, a := range identity.Actions {
  189. if string(a) == limitedByBucket {
  190. return true
  191. }
  192. }
  193. return false
  194. }
  195. func (identity *Identity) isAdmin() bool {
  196. for _, a := range identity.Actions {
  197. if a == "Admin" {
  198. return true
  199. }
  200. }
  201. return false
  202. }