Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5258 Commits
32 Branches
298 Tags
167 MiB
Tree: 9f26f2815c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9f26f2815c'
${ noResults }
seaweedfs/weed/iamapi/iamapi_management_handlers.go

376 lines
11 KiB
Raw Normal View History

init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
SaveAs S3 Configuration
4 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
  1. package iamapi
  3. import (
  4. "bytes"
  5. "crypto/sha1"
  6. "encoding/json"
  7. "encoding/xml"
  8. "fmt"
  9. "github.com/chrislusf/seaweedfs/weed/filer"
  10. "github.com/chrislusf/seaweedfs/weed/glog"
  11. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  12. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  13. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  14. "math/rand"
  15. "net/http"
  16. "net/url"
  17. "strings"
  18. "time"
  20. // "github.com/aws/aws-sdk-go/aws"
  21. "github.com/aws/aws-sdk-go/service/iam"
  22. )
  24. const (
  25. version = "2010-05-08"
  26. charsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  27. charset = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
  28. )
  30. var (
  31. seededRand *rand.Rand = rand.New(
  32. rand.NewSource(time.Now().UnixNano()))
  33. policyDocuments = map[string]*PolicyDocument{}
  34. )
  36. type PolicyDocument struct {
  37. Version string `json:"Version"`
  38. Statement []struct {
  39. Effect string `json:"Effect"`
  40. Action []string `json:"Action"`
  41. Resource []string `json:"Resource"`
  42. } `json:"Statement"`
  43. }
  45. type CommonResponse struct {
  46. ResponseMetadata struct {
  47. RequestId string `xml:"RequestId"`
  48. } `xml:"ResponseMetadata"`
  49. }
  51. type ListUsersResponse struct {
  52. CommonResponse
  53. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListUsersResponse"`
  54. ListUsersResult struct {
  55. Users []*iam.User `xml:"Users>member"`
  56. IsTruncated bool `xml:"IsTruncated"`
  57. } `xml:"ListUsersResult"`
  58. }
  60. type ListAccessKeysResponse struct {
  61. CommonResponse
  62. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListAccessKeysResponse"`
  63. ListAccessKeysResult struct {
  64. AccessKeyMetadata []*iam.AccessKeyMetadata `xml:"AccessKeyMetadata>member"`
  65. IsTruncated bool `xml:"IsTruncated"`
  66. } `xml:"ListAccessKeysResult"`
  67. }
  69. type DeleteUserResponse struct {
  70. CommonResponse
  71. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DeleteUserResponse"`
  72. }
  74. type DeleteAccessKeyResponse struct {
  75. CommonResponse
  76. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DeleteAccessKeyResponse"`
  77. }
  79. type CreatePolicyResponse struct {
  80. CommonResponse
  81. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreatePolicyResponse"`
  82. CreatePolicyResult struct {
  83. Policy iam.Policy `xml:"Policy"`
  84. } `xml:"CreatePolicyResult"`
  85. }
  87. type CreateUserResponse struct {
  88. CommonResponse
  89. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreateUserResponse"`
  90. CreateUserResult struct {
  91. User iam.User `xml:"User"`
  92. } `xml:"CreateUserResult"`
  93. }
  95. type CreateAccessKeyResponse struct {
  96. CommonResponse
  97. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreateAccessKeyResponse"`
  98. CreateAccessKeyResult struct {
  99. AccessKey iam.AccessKey `xml:"AccessKey"`
  100. } `xml:"CreateAccessKeyResult"`
  101. }
  103. type PutUserPolicyResponse struct {
  104. CommonResponse
  105. XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ PutUserPolicyResponse"`
  106. }
  108. func (r *CommonResponse) SetRequestId() {
  109. r.ResponseMetadata.RequestId = fmt.Sprintf("%d", time.Now().UnixNano())
  110. }
  112. func Hash(s *string) string {
  113. h := sha1.New()
  114. h.Write([]byte(*s))
  115. return fmt.Sprintf("%x", h.Sum(nil))
  116. }
  118. func StringWithCharset(length int, charset string) string {
  119. b := make([]byte, length)
  120. for i := range b {
  121. b[i] = charset[seededRand.Intn(len(charset))]
  122. }
  123. return string(b)
  124. }
  126. func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
  127. for _, ident := range s3cfg.Identities {
  128. resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
  129. }
  130. return resp
  131. }
  133. func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) {
  134. status := iam.StatusTypeActive
  135. for _, ident := range s3cfg.Identities {
  136. for _, cred := range ident.Credentials {
  137. resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
  138. &iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status},
  139. )
  140. }
  141. }
  142. return resp
  143. }
  145. func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) {
  146. userName := values.Get("UserName")
  147. resp.CreateUserResult.User.UserName = &userName
  148. s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
  149. return resp
  150. }
  151. func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) {
  152. if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
  153. return PolicyDocument{}, err
  154. }
  155. return policyDocument, err
  156. }
  158. func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, err error) {
  159. policyName := values.Get("PolicyName")
  160. policyDocumentString := values.Get("PolicyDocument")
  161. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  162. if err != nil {
  163. return CreatePolicyResponse{}, err
  164. }
  165. policyId := Hash(&policyDocumentString)
  166. arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
  167. resp.CreatePolicyResult.Policy.PolicyName = &policyName
  168. resp.CreatePolicyResult.Policy.Arn = &arn
  169. resp.CreatePolicyResult.Policy.PolicyId = &policyId
  170. policyDocuments[policyName] = &policyDocument
  171. return resp, nil
  172. }
  174. func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  175. userName := values.Get("UserName")
  176. policyName := values.Get("PolicyName")
  177. policyDocumentString := values.Get("PolicyDocument")
  178. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  179. if err != nil {
  180. return PutUserPolicyResponse{}, err
  181. }
  182. policyDocuments[policyName] = &policyDocument
  183. actions := GetActions(&policyDocument)
  184. for _, ident := range s3cfg.Identities {
  185. if userName == ident.Name {
  186. for _, action := range actions {
  187. ident.Actions = append(ident.Actions, action)
  188. }
  189. break
  190. }
  191. }
  192. return resp, nil
  193. }
  195. func MapAction(action string) string {
  196. switch action {
  197. case "*":
  198. return s3_constants.ACTION_ADMIN
  199. case "Put*":
  200. return s3_constants.ACTION_WRITE
  201. case "Get*":
  202. return s3_constants.ACTION_READ
  203. case "List*":
  204. return s3_constants.ACTION_LIST
  205. default:
  206. return s3_constants.ACTION_TAGGING
  207. }
  208. }
  210. func GetActions(policy *PolicyDocument) (actions []string) {
  211. for _, statement := range policy.Statement {
  212. if statement.Effect != "Allow" {
  213. continue
  214. }
  215. for _, resource := range statement.Resource {
  216. // Parse "arn:aws:s3:::my-bucket/shared/*"
  217. res := strings.Split(resource, ":")
  218. if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
  219. glog.Infof("not math resource: %s", res)
  220. continue
  221. }
  222. for _, action := range statement.Action {
  223. // Parse "s3:Get*"
  224. act := strings.Split(action, ":")
  225. if len(act) != 2 || act[0] != "s3" {
  226. glog.Infof("not match action: %s", act)
  227. continue
  228. }
  229. if res[5] == "*" {
  230. actions = append(actions, MapAction(act[1]))
  231. continue
  232. }
  233. // Parse my-bucket/shared/*
  234. path := strings.Split(res[5], "/")
  235. if len(path) != 2 || path[1] != "*" {
  236. glog.Infof("not match bucket: %s", path)
  237. continue
  238. }
  239. actions = append(actions, fmt.Sprintf("%s:%s", MapAction(act[1]), path[0]))
  241. }
  242. }
  243. }
  244. return actions
  245. }
  247. func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteUserResponse) {
  248. userName := values.Get("UserName")
  249. for i, ident := range s3cfg.Identities {
  250. if userName == ident.Name {
  251. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  252. break
  253. }
  254. }
  255. return resp
  256. }
  258. func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) {
  259. userName := values.Get("UserName")
  260. status := iam.StatusTypeActive
  261. accessKeyId := StringWithCharset(21, charsetUpper)
  262. secretAccessKey := StringWithCharset(42, charset)
  263. resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
  264. resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
  265. resp.CreateAccessKeyResult.AccessKey.UserName = &userName
  266. resp.CreateAccessKeyResult.AccessKey.Status = &status
  267. changed := false
  268. for _, ident := range s3cfg.Identities {
  269. if userName == ident.Name {
  270. ident.Credentials = append(ident.Credentials,
  271. &iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey})
  272. changed = true
  273. break
  274. }
  275. }
  276. if !changed {
  277. s3cfg.Identities = append(s3cfg.Identities,
  278. &iam_pb.Identity{Name: userName,
  279. Credentials: []*iam_pb.Credential{
  280. {
  281. AccessKey: accessKeyId,
  282. SecretKey: secretAccessKey,
  283. },
  284. },
  285. },
  286. )
  287. }
  288. return resp
  289. }
  291. func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) {
  292. userName := values.Get("UserName")
  293. accessKeyId := values.Get("AccessKeyId")
  294. for _, ident := range s3cfg.Identities {
  295. if userName == ident.Name {
  296. for i, cred := range ident.Credentials {
  297. if cred.AccessKey == accessKeyId {
  298. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  299. break
  300. }
  301. }
  302. break
  303. }
  304. }
  305. return resp
  306. }
  308. func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
  309. if err := r.ParseForm(); err != nil {
  310. writeErrorResponse(w, s3err.ErrInvalidRequest, r.URL)
  311. return
  312. }
  313. values := r.PostForm
  314. s3cfg := &iam_pb.S3ApiConfiguration{}
  315. if err := iama.GetS3ApiConfiguration(s3cfg); err != nil {
  316. writeErrorResponse(w, s3err.ErrInternalError, r.URL)
  317. return
  318. }
  320. glog.Info("values ", values)
  321. var response interface{}
  322. changed := true
  323. switch r.Form.Get("Action") {
  324. case "ListUsers":
  325. response = iama.ListUsers(s3cfg, values)
  326. changed = false
  327. case "ListAccessKeys":
  328. response = iama.ListAccessKeys(s3cfg, values)
  329. changed = false
  330. case "CreateUser":
  331. response = iama.CreateUser(s3cfg, values)
  332. case "DeleteUser":
  333. response = iama.DeleteUser(s3cfg, values)
  334. case "CreateAccessKey":
  335. response = iama.CreateAccessKey(s3cfg, values)
  336. case "DeleteAccessKey":
  337. response = iama.DeleteAccessKey(s3cfg, values)
  338. case "CreatePolicy":
  339. var err error
  340. response, err = iama.CreatePolicy(s3cfg, values)
  341. if err != nil {
  342. writeErrorResponse(w, s3err.ErrInvalidRequest, r.URL)
  343. return
  344. }
  345. case "PutUserPolicy":
  346. var err error
  347. response, err = iama.PutUserPolicy(s3cfg, values)
  348. if err != nil {
  349. writeErrorResponse(w, s3err.ErrInvalidRequest, r.URL)
  350. return
  351. }
  352. default:
  353. writeErrorResponse(w, s3err.ErrNotImplemented, r.URL)
  354. return
  355. }
  356. if changed {
  357. buf := bytes.Buffer{}
  358. if err := filer.S3ConfigurationToText(&buf, s3cfg); err != nil {
  359. glog.Error("S3ConfigurationToText: ", err)
  360. writeErrorResponse(w, s3err.ErrInternalError, r.URL)
  361. return
  362. }
  363. if err := filer.SaveAs(
  364. iama.option.Filer,
  365. 0,
  366. filer.IamConfigDirecotry,
  367. filer.IamIdentityFile,
  368. "text/plain; charset=utf-8",
  369. &buf); err != nil {
  370. glog.Error("SaveAs: ", err)
  371. writeErrorResponse(w, s3err.ErrInternalError, r.URL)
  372. return
  373. }
  374. }
  375. writeSuccessResponseXML(w, encodeResponse(response))
  376. }