Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8920 Commits
32 Branches
300 Tags
172 MiB
Tree: 900feb62b6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '900feb62b6'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

107 lines
3.2 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
  1. package s3api
  3. import (
  4. "github.com/seaweedfs/seaweedfs/weed/glog"
  5. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  6. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  10. "github.com/seaweedfs/seaweedfs/weed/util"
  11. "net/http"
  12. )
  14. func getAccountId(r *http.Request) string {
  15. id := r.Header.Get(s3_constants.AmzAccountId)
  16. if len(id) == 0 {
  17. return s3account.AccountAnonymous.Id
  18. } else {
  19. return id
  20. }
  21. }
  23. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  24. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  25. if errCode != s3err.ErrNone {
  26. return errCode
  27. }
  28. accountId := getAccountId(r)
  29. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  30. return s3err.ErrNone
  31. }
  32. return s3err.ErrAccessDenied
  33. }
  35. // Check ObjectAcl-Write related access
  36. // includes:
  37. // - PutObjectAclHandler
  38. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(accountId, bucket, object string) (bucketMetadata *BucketMetaData, objectEntry *filer_pb.Entry, objectOwner string, errCode s3err.ErrorCode) {
  39. bucketMetadata, errCode = s3a.bucketRegistry.GetBucketMetadata(bucket)
  40. if errCode != s3err.ErrNone {
  41. return nil, nil, "", errCode
  42. }
  44. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  45. return nil, nil, "", s3err.AccessControlListNotSupported
  46. }
  48. //bucket acl
  49. bucketAclAllowed := false
  50. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  51. if accountId == *bucketMetadata.Owner.ID {
  52. bucketAclAllowed = true
  53. } else if bucketMetadata.Acl != nil {
  54. bucketLoop:
  55. for _, bucketGrant := range bucketMetadata.Acl {
  56. for _, requiredGrant := range reqGrants {
  57. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  58. bucketAclAllowed = true
  59. break bucketLoop
  60. }
  61. }
  62. }
  63. }
  64. if !bucketAclAllowed {
  65. return nil, nil, "", s3err.ErrAccessDenied
  66. }
  68. //object acl
  69. objectEntry, err := getObjectEntry(s3a, bucket, object)
  70. if err != nil {
  71. if err == filer_pb.ErrNotFound {
  72. return nil, nil, "", s3err.ErrNoSuchKey
  73. }
  74. return nil, nil, "", s3err.ErrInternalError
  75. }
  77. if objectEntry.IsDirectory {
  78. return nil, nil, "", s3err.ErrExistingObjectIsDirectory
  79. }
  81. objectOwner = s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  82. if accountId == objectOwner {
  83. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  84. }
  86. objectGrants := s3acl.GetAcpGrants(objectEntry.Extended)
  87. if objectGrants != nil {
  88. for _, objectGrant := range objectGrants {
  89. for _, requiredGrant := range reqGrants {
  90. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  91. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  92. }
  93. }
  94. }
  95. }
  97. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  98. return nil, nil, "", s3err.ErrAccessDenied
  99. }
  101. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  102. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  103. }
  105. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  106. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, object), entry)
  107. }