Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9077 Commits
32 Branches
298 Tags
169 MiB
Tree: 82a535e9dd
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '82a535e9dd'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

419 lines
13 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
implement `GetObjectAclHandler`
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '4_object_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
don't set acp when ownership is BucketOwnerEnfored Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
don't set acp when ownership is BucketOwnerEnfored Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
Merge branch '1_bucket_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_bucket_handlers.go
2 years ago
extract and save acl when create bucket
2 years ago
  1. package s3api
  3. import (
  4. "github.com/aws/aws-sdk-go/service/s3"
  5. "github.com/seaweedfs/seaweedfs/weed/glog"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "github.com/seaweedfs/seaweedfs/weed/util"
  12. "net/http"
  13. "path/filepath"
  14. )
  16. func getAccountId(r *http.Request) string {
  17. id := r.Header.Get(s3_constants.AmzAccountId)
  18. if len(id) == 0 {
  19. return s3account.AccountAnonymous.Id
  20. } else {
  21. return id
  22. }
  23. }
  25. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  26. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  27. if errCode != s3err.ErrNone {
  28. return errCode
  29. }
  30. accountId := getAccountId(r)
  31. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  32. return s3err.ErrNone
  33. }
  34. return s3err.ErrAccessDenied
  35. }
  37. //Check access for PutBucketAclHandler
  38. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(accountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  39. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  40. if errCode != s3err.ErrNone {
  41. return nil, errCode
  42. }
  44. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  45. return nil, s3err.AccessControlListNotSupported
  46. }
  48. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  49. return bucketMetadata, s3err.ErrNone
  50. }
  52. if len(bucketMetadata.Acl) > 0 {
  53. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWriteAcp)
  54. for _, bucketGrant := range bucketMetadata.Acl {
  55. for _, reqGrant := range reqGrants {
  56. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  57. return bucketMetadata, s3err.ErrNone
  58. }
  59. }
  60. }
  61. }
  62. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  63. return nil, s3err.ErrAccessDenied
  64. }
  66. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  67. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  68. }
  70. // Check Bucket/BucketAcl Read related access
  71. // includes:
  72. // - HeadBucketHandler
  73. // - GetBucketAclHandler
  74. // - ListObjectsV1Handler
  75. // - ListObjectsV2Handler
  76. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  77. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  78. if errCode != s3err.ErrNone {
  79. return nil, errCode
  80. }
  82. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  83. return bucketMetadata, s3err.ErrNone
  84. }
  86. accountId := s3acl.GetAccountId(r)
  87. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  88. return bucketMetadata, s3err.ErrNone
  89. }
  91. if len(bucketMetadata.Acl) > 0 {
  92. reqGrants := s3acl.DetermineReqGrants(accountId, aclAction)
  93. for _, bucketGrant := range bucketMetadata.Acl {
  94. for _, reqGrant := range reqGrants {
  95. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  96. return bucketMetadata, s3err.ErrNone
  97. }
  98. }
  99. }
  100. }
  102. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  103. return nil, s3err.ErrAccessDenied
  104. }
  106. //Check ObjectAcl-Read related access
  107. // includes:
  108. // - GetObjectAclHandler
  109. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  110. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  111. if errCode != s3err.ErrNone {
  112. return nil, errCode
  113. }
  115. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  116. entry, err := getObjectEntry(s3a, bucket, object)
  117. if err != nil {
  118. if err == filer_pb.ErrNotFound {
  119. return nil, s3err.ErrNoSuchKey
  120. } else {
  121. return nil, s3err.ErrInternalError
  122. }
  123. }
  125. if entry.IsDirectory {
  126. return nil, s3err.ErrExistingObjectIsDirectory
  127. }
  129. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  130. acpOwnerName := s3a.accountManager.IdNameMapping[acpOwnerId]
  131. acpGrants := s3acl.GetAcpGrants(entry.Extended)
  132. acp = &s3.AccessControlPolicy{
  133. Owner: &s3.Owner{
  134. ID: &acpOwnerId,
  135. DisplayName: &acpOwnerName,
  136. },
  137. Grants: acpGrants,
  138. }
  139. return acp, s3err.ErrNone
  140. }
  142. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  143. return getAcpFunc()
  144. } else {
  145. accountId := s3acl.GetAccountId(r)
  147. acp, errCode := getAcpFunc()
  148. if errCode != s3err.ErrNone {
  149. return nil, errCode
  150. }
  152. if accountId == *acp.Owner.ID {
  153. return acp, s3err.ErrNone
  154. }
  156. //find in Grants
  157. if acp.Grants != nil {
  158. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionReadAcp)
  159. for _, requiredGrant := range reqGrants {
  160. for _, grant := range acp.Grants {
  161. if s3acl.GrantEquals(requiredGrant, grant) {
  162. return acp, s3err.ErrNone
  163. }
  164. }
  165. }
  166. }
  168. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  169. return nil, s3err.ErrAccessDenied
  170. }
  171. }
  173. // Check Object-Read related access
  174. // includes:
  175. // - GetObjectHandler
  176. //
  177. // offload object access validation to Filer layer
  178. // - s3acl.CheckObjectAccessForReadObject
  179. func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
  180. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  181. if errCode != s3err.ErrNone {
  182. return errCode
  183. }
  185. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  186. //offload object acl validation to filer layer
  187. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId, *bucketMetadata.Owner.ID)
  188. }
  190. return s3err.ErrNone
  191. }
  193. // Check ObjectAcl-Write related access
  194. // includes:
  195. // - PutObjectAclHandler
  196. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(accountId, bucket, object string) (bucketMetadata *BucketMetaData, objectEntry *filer_pb.Entry, objectOwner string, errCode s3err.ErrorCode) {
  197. bucketMetadata, errCode = s3a.bucketRegistry.GetBucketMetadata(bucket)
  198. if errCode != s3err.ErrNone {
  199. return nil, nil, "", errCode
  200. }
  202. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  203. return nil, nil, "", s3err.AccessControlListNotSupported
  204. }
  206. //bucket acl
  207. bucketAclAllowed := false
  208. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  209. if accountId == *bucketMetadata.Owner.ID {
  210. bucketAclAllowed = true
  211. } else if bucketMetadata.Acl != nil {
  212. bucketLoop:
  213. for _, bucketGrant := range bucketMetadata.Acl {
  214. for _, requiredGrant := range reqGrants {
  215. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  216. bucketAclAllowed = true
  217. break bucketLoop
  218. }
  219. }
  220. }
  221. }
  222. if !bucketAclAllowed {
  223. return nil, nil, "", s3err.ErrAccessDenied
  224. }
  226. //object acl
  227. objectEntry, err := getObjectEntry(s3a, bucket, object)
  228. if err != nil {
  229. if err == filer_pb.ErrNotFound {
  230. return nil, nil, "", s3err.ErrNoSuchKey
  231. }
  232. return nil, nil, "", s3err.ErrInternalError
  233. }
  235. if objectEntry.IsDirectory {
  236. return nil, nil, "", s3err.ErrExistingObjectIsDirectory
  237. }
  239. objectOwner = s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  240. if accountId == objectOwner {
  241. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  242. }
  244. objectGrants := s3acl.GetAcpGrants(objectEntry.Extended)
  245. if objectGrants != nil {
  246. for _, objectGrant := range objectGrants {
  247. for _, requiredGrant := range reqGrants {
  248. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  249. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  250. }
  251. }
  252. }
  253. }
  255. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  256. return nil, nil, "", s3err.ErrAccessDenied
  257. }
  259. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  260. dir, _ := filepath.Split(object)
  261. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, dir), entry)
  262. }
  264. // CheckAccessForPutObject Check ACL for PutObject API
  265. // includes:
  266. // - PutObjectHandler
  267. func (s3a *S3ApiServer) CheckAccessForPutObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  268. accountId := s3acl.GetAccountId(r)
  269. return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
  270. }
  272. // CheckAccessForNewMultipartUpload Check Acl for InitiateMultipartUploadResult API
  273. // includes:
  274. // - NewMultipartUploadHandler
  275. func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  276. accountId := s3acl.GetAccountId(r)
  277. if accountId == IdentityAnonymous.AccountId {
  278. return s3err.ErrAccessDenied
  279. }
  280. return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
  281. }
  283. // CheckAccessForCompleteMultipartUpload Check Acl for CompleteMultipartUpload API
  284. // includes:
  285. // - CompleteMultipartUploadHandler
  286. func (s3a *S3ApiServer) CheckAccessForCompleteMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  287. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  288. if errCode != s3err.ErrNone {
  289. return errCode
  290. }
  292. //bucket access allowed
  293. accountId := s3acl.GetAccountId(r)
  294. if accountId == *bucketMetadata.Owner.ID {
  295. return s3err.ErrNone
  296. } else {
  297. if len(bucketMetadata.Acl) > 0 {
  298. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  299. for _, bucketGrant := range bucketMetadata.Acl {
  300. for _, requiredGrant := range reqGrants {
  301. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  302. return s3err.ErrNone
  303. }
  304. }
  305. }
  306. }
  307. }
  308. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  309. return s3err.ErrAccessDenied
  310. }
  312. func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object, accountId string) s3err.ErrorCode {
  313. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  314. if errCode != s3err.ErrNone {
  315. return errCode
  316. }
  318. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  319. // validate grants (only bucketOwnerFullControl acl is allowed)
  320. _, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  321. if errCode != s3err.ErrNone {
  322. return errCode
  323. }
  324. if len(grants) > 1 {
  325. return s3err.AccessControlListNotSupported
  326. }
  327. bucketOwnerFullControlGrant := &s3.Grant{
  328. Permission: &s3_constants.PermissionFullControl,
  329. Grantee: &s3.Grantee{
  330. Type: &s3_constants.GrantTypeCanonicalUser,
  331. ID: bucketMetadata.Owner.ID,
  332. },
  333. }
  334. if len(grants) == 0 {
  335. return s3err.ErrNone
  336. }
  338. if s3acl.GrantEquals(bucketOwnerFullControlGrant, grants[0]) {
  339. return s3err.ErrNone
  340. }
  342. return s3err.AccessControlListNotSupported
  343. }
  345. //bucket access allowed
  346. bucketAclAllowed := false
  347. if accountId == *bucketMetadata.Owner.ID {
  348. bucketAclAllowed = true
  349. } else {
  350. if len(bucketMetadata.Acl) > 0 {
  351. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  352. bucketLoop:
  353. for _, bucketGrant := range bucketMetadata.Acl {
  354. for _, requiredGrant := range reqGrants {
  355. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  356. bucketAclAllowed = true
  357. break bucketLoop
  358. }
  359. }
  360. }
  361. }
  362. }
  363. if !bucketAclAllowed {
  364. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  365. return s3err.ErrAccessDenied
  366. }
  368. //object access allowed
  369. entry, err := getObjectEntry(s3a, bucket, object)
  370. if err != nil {
  371. if err != filer_pb.ErrNotFound {
  372. return s3err.ErrInternalError
  373. }
  374. } else {
  375. if entry.IsDirectory {
  376. return s3err.ErrExistingObjectIsDirectory
  377. }
  379. //Only the owner of the bucket and the owner of the object can overwrite the object
  380. objectOwner := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  381. if accountId != objectOwner && accountId != *bucketMetadata.Owner.ID {
  382. glog.V(3).Infof("acl denied! request account id: %s, expect account id: %s", accountId, *bucketMetadata.Owner.ID)
  383. return s3err.ErrAccessDenied
  384. }
  385. }
  387. ownerId, grants, errCode := s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  388. if errCode != s3err.ErrNone {
  389. return errCode
  390. }
  392. s3acl.SetAcpOwnerHeader(r, ownerId)
  393. s3acl.SetAcpGrantsHeader(r, grants)
  395. return s3err.ErrNone
  396. }
  398. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  399. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  400. }
  402. func (s3a *S3ApiServer) ExtractBucketAcp(r *http.Request) (owner string, grants []*s3.Grant, errCode s3err.ErrorCode) {
  403. accountId := s3acl.GetAccountId(r)
  405. ownership := s3_constants.DefaultOwnershipForCreate
  406. if ownership == s3_constants.OwnershipBucketOwnerEnforced {
  407. return accountId, []*s3.Grant{
  408. {
  409. Permission: &s3_constants.PermissionFullControl,
  410. Grantee: &s3.Grantee{
  411. Type: &s3_constants.GrantTypeCanonicalUser,
  412. ID: &accountId,
  413. },
  414. },
  415. }, s3err.ErrNone
  416. } else {
  417. return s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, ownership, accountId, accountId, false)
  418. }
  419. }