Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8932 Commits
32 Branches
300 Tags
172 MiB
Tree: 714132dfe0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '714132dfe0'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

101 lines
3.0 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
  1. package s3api
  3. import (
  4. "github.com/seaweedfs/seaweedfs/weed/glog"
  5. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  6. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  10. "net/http"
  11. )
  13. func getAccountId(r *http.Request) string {
  14. id := r.Header.Get(s3_constants.AmzAccountId)
  15. if len(id) == 0 {
  16. return s3account.AccountAnonymous.Id
  17. } else {
  18. return id
  19. }
  20. }
  22. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  23. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  24. if errCode != s3err.ErrNone {
  25. return errCode
  26. }
  27. accountId := getAccountId(r)
  28. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  29. return s3err.ErrNone
  30. }
  31. return s3err.ErrAccessDenied
  32. }
  34. //Check access for PutBucketAclHandler
  35. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(accountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  36. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  37. if errCode != s3err.ErrNone {
  38. return nil, errCode
  39. }
  41. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  42. return nil, s3err.AccessControlListNotSupported
  43. }
  45. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  46. return bucketMetadata, s3err.ErrNone
  47. }
  49. if len(bucketMetadata.Acl) > 0 {
  50. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWriteAcp)
  51. for _, bucketGrant := range bucketMetadata.Acl {
  52. for _, reqGrant := range reqGrants {
  53. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  54. return bucketMetadata, s3err.ErrNone
  55. }
  56. }
  57. }
  58. }
  59. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  60. return nil, s3err.ErrAccessDenied
  61. }
  63. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  64. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  65. }
  67. // Check Bucket/BucketAcl Read related access
  68. // includes:
  69. // - HeadBucketHandler
  70. // - GetBucketAclHandler
  71. // - ListObjectsV1Handler
  72. // - ListObjectsV2Handler
  73. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  74. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  75. if errCode != s3err.ErrNone {
  76. return nil, errCode
  77. }
  79. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  80. return bucketMetadata, s3err.ErrNone
  81. }
  83. accountId := s3acl.GetAccountId(r)
  84. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  85. return bucketMetadata, s3err.ErrNone
  86. }
  88. if len(bucketMetadata.Acl) > 0 {
  89. reqGrants := s3acl.DetermineReqGrants(accountId, aclAction)
  90. for _, bucketGrant := range bucketMetadata.Acl {
  91. for _, reqGrant := range reqGrants {
  92. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  93. return bucketMetadata, s3err.ErrNone
  94. }
  95. }
  96. }
  97. }
  99. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  100. return nil, s3err.ErrAccessDenied
  101. }