Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9144 Commits
32 Branches
298 Tags
169 MiB
Tree: 682f24a9ac
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '682f24a9ac'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

414 lines
14 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '4_object_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
don't set acp when ownership is BucketOwnerEnfored Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
Merge branch '1_bucket_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_bucket_handlers.go
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
extract and save acl when create bucket
2 years ago
  1. package s3api
  3. import (
  4. "github.com/aws/aws-sdk-go/service/s3"
  5. "github.com/seaweedfs/seaweedfs/weed/glog"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "github.com/seaweedfs/seaweedfs/weed/util"
  12. "net/http"
  13. "path/filepath"
  14. )
  16. func getAccountId(r *http.Request) string {
  17. id := r.Header.Get(s3_constants.AmzAccountId)
  18. if len(id) == 0 {
  19. return s3account.AccountAnonymous.Id
  20. } else {
  21. return id
  22. }
  23. }
  25. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  26. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  27. if errCode != s3err.ErrNone {
  28. return errCode
  29. }
  30. requestAccountId := getAccountId(r)
  31. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  32. return s3err.ErrNone
  33. }
  34. return s3err.ErrAccessDenied
  35. }
  37. //Check access for PutBucketAclHandler
  38. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(requestAccountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  39. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  40. if errCode != s3err.ErrNone {
  41. return nil, errCode
  42. }
  44. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  45. return nil, s3err.AccessControlListNotSupported
  46. }
  48. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  49. return bucketMetadata, s3err.ErrNone
  50. }
  52. if len(bucketMetadata.Acl) > 0 {
  53. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionWriteAcp)
  54. for _, bucketGrant := range bucketMetadata.Acl {
  55. for _, reqGrant := range reqGrants {
  56. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  57. return bucketMetadata, s3err.ErrNone
  58. }
  59. }
  60. }
  61. }
  62. glog.V(3).Infof("acl denied! request account id: %s", requestAccountId)
  63. return nil, s3err.ErrAccessDenied
  64. }
  66. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  67. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  68. }
  70. // Check Bucket/BucketAcl Read related access
  71. // includes:
  72. // - HeadBucketHandler
  73. // - GetBucketAclHandler
  74. // - ListObjectsV1Handler
  75. // - ListObjectsV2Handler
  76. // - ListMultipartUploadsHandler
  77. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  78. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  79. if errCode != s3err.ErrNone {
  80. return nil, errCode
  81. }
  83. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  84. return bucketMetadata, s3err.ErrNone
  85. }
  87. requestAccountId := s3acl.GetAccountId(r)
  88. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  89. return bucketMetadata, s3err.ErrNone
  90. }
  92. if len(bucketMetadata.Acl) > 0 {
  93. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, aclAction)
  94. for _, bucketGrant := range bucketMetadata.Acl {
  95. for _, reqGrant := range reqGrants {
  96. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  97. return bucketMetadata, s3err.ErrNone
  98. }
  99. }
  100. }
  101. }
  103. glog.V(3).Infof("acl denied! request account id: %s", requestAccountId)
  104. return nil, s3err.ErrAccessDenied
  105. }
  107. //Check ObjectAcl-Read related access
  108. // includes:
  109. // - GetObjectAclHandler
  110. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  111. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  112. if errCode != s3err.ErrNone {
  113. return nil, errCode
  114. }
  116. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  117. entry, err := getObjectEntry(s3a, bucket, object)
  118. if err != nil {
  119. if err == filer_pb.ErrNotFound {
  120. return nil, s3err.ErrNoSuchKey
  121. } else {
  122. return nil, s3err.ErrInternalError
  123. }
  124. }
  125. if entry.IsDirectory {
  126. return nil, s3err.ErrExistingObjectIsDirectory
  127. }
  128. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  129. acpOwnerName := s3a.accountManager.IdNameMapping[acpOwnerId]
  130. acpGrants := s3acl.GetAcpGrants(&acpOwnerId, entry.Extended)
  131. acp = &s3.AccessControlPolicy{
  132. Owner: &s3.Owner{
  133. ID: &acpOwnerId,
  134. DisplayName: &acpOwnerName,
  135. },
  136. Grants: acpGrants,
  137. }
  138. return acp, s3err.ErrNone
  139. }
  140. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  141. return getAcpFunc()
  142. }
  143. requestAccountId := s3acl.GetAccountId(r)
  144. acp, errCode = getAcpFunc()
  145. if errCode != s3err.ErrNone {
  146. return nil, errCode
  147. }
  148. if s3acl.ValidateAccount(requestAccountId, *acp.Owner.ID) {
  149. return acp, s3err.ErrNone
  150. }
  151. if acp.Grants != nil {
  152. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionReadAcp)
  153. for _, requiredGrant := range reqGrants {
  154. for _, grant := range acp.Grants {
  155. if s3acl.GrantEquals(requiredGrant, grant) {
  156. return acp, s3err.ErrNone
  157. }
  158. }
  159. }
  160. }
  161. glog.V(3).Infof("CheckAccessForReadObjectAcl denied! request account id: %s", requestAccountId)
  162. return nil, s3err.ErrAccessDenied
  163. }
  165. // Check Object-Read related access
  166. // includes:
  167. // - GetObjectHandler
  168. //
  169. // offload object access validation to Filer layer
  170. // - s3acl.CheckObjectAccessForReadObject
  171. func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
  172. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  173. if errCode != s3err.ErrNone {
  174. return errCode
  175. }
  177. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  178. //offload object acl validation to filer layer
  179. _, defaultErrorCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionRead)
  180. if defaultErrorCode != s3err.ErrNone {
  181. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketAccessDenied, "true")
  182. }
  183. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId, *bucketMetadata.Owner.ID)
  184. }
  186. return s3err.ErrNone
  187. }
  189. // Check ObjectAcl-Write related access
  190. // includes:
  191. // - PutObjectAclHandler
  192. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(r *http.Request, bucket, object string) (*filer_pb.Entry, string, []*s3.Grant, s3err.ErrorCode) {
  193. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  194. if errCode != s3err.ErrNone {
  195. return nil, "", nil, errCode
  196. }
  198. requestAccountId := s3acl.GetAccountId(r)
  199. reqOwnerId, grants, errCode := s3acl.ExtractObjectAcl(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, false)
  200. if errCode != s3err.ErrNone {
  201. return nil, "", nil, errCode
  202. }
  204. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  205. return nil, "", nil, s3err.AccessControlListNotSupported
  206. }
  208. //object acl
  209. objectEntry, err := getObjectEntry(s3a, bucket, object)
  210. if err != nil {
  211. if err == filer_pb.ErrNotFound {
  212. return nil, "", nil, s3err.ErrNoSuchKey
  213. }
  214. return nil, "", nil, s3err.ErrInternalError
  215. }
  217. if objectEntry.IsDirectory {
  218. return nil, "", nil, s3err.ErrExistingObjectIsDirectory
  219. }
  221. objectOwner := s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  222. //object owner is immutable
  223. if reqOwnerId != "" && reqOwnerId != objectOwner {
  224. return nil, "", nil, s3err.ErrAccessDenied
  225. }
  226. if s3acl.ValidateAccount(requestAccountId, objectOwner) {
  227. return objectEntry, objectOwner, grants, s3err.ErrNone
  228. }
  230. objectGrants := s3acl.GetAcpGrants(nil, objectEntry.Extended)
  231. if objectGrants != nil {
  232. requiredGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionWriteAcp)
  233. for _, objectGrant := range objectGrants {
  234. for _, requiredGrant := range requiredGrants {
  235. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  236. return objectEntry, objectOwner, grants, s3err.ErrNone
  237. }
  238. }
  239. }
  240. }
  242. glog.V(3).Infof("checkAccessForWriteObjectAcl denied! request account id: %s", requestAccountId)
  243. return nil, "", nil, s3err.ErrAccessDenied
  244. }
  246. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  247. dir, _ := filepath.Split(object)
  248. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, dir), entry)
  249. }
  251. // CheckAccessForPutObject Check ACL for PutObject API
  252. // includes:
  253. // - PutObjectHandler
  254. func (s3a *S3ApiServer) CheckAccessForPutObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  255. accountId := s3acl.GetAccountId(r)
  256. return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
  257. }
  259. // CheckAccessForPutObjectPartHandler Check Acl for Upload object part
  260. // includes:
  261. // - PutObjectPartHandler
  262. func (s3a *S3ApiServer) CheckAccessForPutObjectPartHandler(r *http.Request, bucket string) s3err.ErrorCode {
  263. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  264. if errCode != s3err.ErrNone {
  265. return errCode
  266. }
  267. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  268. return s3err.ErrNone
  269. }
  270. accountId := s3acl.GetAccountId(r)
  271. if !CheckBucketAccess(accountId, bucketMetadata, s3_constants.PermissionWrite) {
  272. return s3err.ErrAccessDenied
  273. }
  274. return s3err.ErrNone
  275. }
  277. // CheckAccessForNewMultipartUpload Check Acl for API
  278. // includes:
  279. // - NewMultipartUploadHandler
  280. func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket, object string) (s3err.ErrorCode, string) {
  281. accountId := s3acl.GetAccountId(r)
  282. if accountId == IdentityAnonymous.AccountId {
  283. return s3err.ErrAccessDenied, ""
  284. }
  285. errCode := s3a.checkAccessForWriteObject(r, bucket, object, accountId)
  286. return errCode, accountId
  287. }
  289. func (s3a *S3ApiServer) CheckAccessForAbortMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  290. return s3a.CheckAccessWithBucketOwnerAndInitiator(r, bucket, object)
  291. }
  293. func (s3a *S3ApiServer) CheckAccessForCompleteMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  294. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  295. if errCode != s3err.ErrNone {
  296. return errCode
  297. }
  299. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  300. accountId := getAccountId(r)
  301. if !CheckBucketAccess(accountId, bucketMetadata, s3_constants.PermissionWrite) {
  302. return s3err.ErrAccessDenied
  303. }
  304. }
  305. return s3err.ErrNone
  306. }
  308. func (s3a *S3ApiServer) CheckAccessForListMultipartUploadParts(r *http.Request, bucket, object string) s3err.ErrorCode {
  309. return s3a.CheckAccessWithBucketOwnerAndInitiator(r, bucket, object)
  310. }
  312. // CheckAccessWithBucketOwnerAndInitiator Check Access Permission with 'bucketOwner' and 'multipartUpload initiator'
  313. func (s3a *S3ApiServer) CheckAccessWithBucketOwnerAndInitiator(r *http.Request, bucket, object string) s3err.ErrorCode {
  314. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  315. if errCode != s3err.ErrNone {
  316. return errCode
  317. }
  319. //bucket access allowed
  320. accountId := s3acl.GetAccountId(r)
  321. if s3acl.ValidateAccount(*bucketMetadata.Owner.ID, accountId) {
  322. return s3err.ErrNone
  323. }
  325. //multipart initiator allowed
  326. entry, err := getMultipartUpload(s3a, bucket, object)
  327. if err != nil {
  328. if err != filer_pb.ErrNotFound {
  329. return s3err.ErrInternalError
  330. }
  331. } else {
  332. uploadInitiator, ok := entry.Extended[s3_constants.ExtAmzMultipartInitiator]
  333. if !ok || accountId == string(uploadInitiator) {
  334. return s3err.ErrNone
  335. }
  336. }
  337. glog.V(3).Infof("CheckAccessWithBucketOwnerAndInitiator denied! request account id: %s", accountId)
  338. return s3err.ErrAccessDenied
  339. }
  341. func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object, requestAccountId string) s3err.ErrorCode {
  342. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  343. if errCode != s3err.ErrNone {
  344. return errCode
  345. }
  346. requestOwnerId, grants, errCode := s3acl.ExtractObjectAcl(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, true)
  347. if errCode != s3err.ErrNone {
  348. return errCode
  349. }
  351. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  352. return s3err.ErrNone
  353. }
  355. if !CheckBucketAccess(requestAccountId, bucketMetadata, s3_constants.PermissionWrite) {
  356. return s3err.ErrAccessDenied
  357. }
  359. if requestOwnerId == "" {
  360. requestOwnerId = requestAccountId
  361. }
  362. entry, err := getObjectEntry(s3a, bucket, object)
  363. if err != nil {
  364. if err == filer_pb.ErrNotFound {
  365. s3acl.SetAcpOwnerHeader(r, requestOwnerId)
  366. s3acl.SetAcpGrantsHeader(r, grants)
  367. return s3err.ErrNone
  368. }
  369. return s3err.ErrInternalError
  370. }
  372. objectOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  373. //object owner is immutable
  374. if requestOwnerId != "" && objectOwnerId != requestOwnerId {
  375. return s3err.ErrAccessDenied
  376. }
  378. //Only the owner of the bucket and the owner of the object can overwrite the object
  379. if s3acl.ValidateAccount(requestOwnerId, objectOwnerId, *bucketMetadata.Owner.ID) {
  380. glog.V(3).Infof("checkAccessForWriteObject denied! request account id: %s, expect account id: %s", requestAccountId, *bucketMetadata.Owner.ID)
  381. return s3err.ErrAccessDenied
  382. }
  384. s3acl.SetAcpOwnerHeader(r, objectOwnerId)
  385. s3acl.SetAcpGrantsHeader(r, grants)
  386. return s3err.ErrNone
  387. }
  389. func CheckBucketAccess(requestAccountId string, bucketMetadata *BucketMetaData, permission string) bool {
  390. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  391. return true
  392. } else {
  393. if len(bucketMetadata.Acl) > 0 {
  394. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, permission)
  395. for _, bucketGrant := range bucketMetadata.Acl {
  396. for _, requiredGrant := range reqGrants {
  397. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  398. return true
  399. }
  400. }
  401. }
  402. }
  403. }
  404. glog.V(3).Infof("CheckBucketAccess denied! request account id: %s", requestAccountId)
  405. return false
  406. }
  408. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  409. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  410. }
  412. func getMultipartUpload(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  413. return s3a.getEntry(s3a.genUploadsFolder(bucket), object)
  414. }