Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8919 Commits
32 Branches
301 Tags
175 MiB
Tree: af093721a2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'af093721a2'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

134 lines
4.1 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
  1. package s3api
  3. import (
  4. "github.com/aws/aws-sdk-go/service/s3"
  5. "github.com/seaweedfs/seaweedfs/weed/glog"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "github.com/seaweedfs/seaweedfs/weed/util"
  12. "net/http"
  13. )
  15. func getAccountId(r *http.Request) string {
  16. id := r.Header.Get(s3_constants.AmzAccountId)
  17. if len(id) == 0 {
  18. return s3account.AccountAnonymous.Id
  19. } else {
  20. return id
  21. }
  22. }
  24. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  25. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  26. if errCode != s3err.ErrNone {
  27. return errCode
  28. }
  29. accountId := getAccountId(r)
  30. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  31. return s3err.ErrNone
  32. }
  33. return s3err.ErrAccessDenied
  34. }
  36. // Check Object-Write related access
  37. // includes:
  38. // - PutObjectHandler
  39. // - PutObjectPartHandler
  40. func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  41. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  42. if errCode != s3err.ErrNone {
  43. return errCode
  44. }
  46. accountId := s3acl.GetAccountId(r)
  47. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  48. // validate grants (only bucketOwnerFullControl acl is allowed)
  49. _, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  50. if errCode != s3err.ErrNone {
  51. return errCode
  52. }
  53. if len(grants) > 1 {
  54. return s3err.AccessControlListNotSupported
  55. }
  56. bucketOwnerFullControlGrant := &s3.Grant{
  57. Permission: &s3_constants.PermissionFullControl,
  58. Grantee: &s3.Grantee{
  59. Type: &s3_constants.GrantTypeCanonicalUser,
  60. ID: bucketMetadata.Owner.ID,
  61. },
  62. }
  63. if len(grants) == 0 {
  64. // set default grants
  65. s3acl.SetAcpOwnerHeader(r, accountId)
  66. s3acl.SetAcpGrantsHeader(r, []*s3.Grant{bucketOwnerFullControlGrant})
  67. return s3err.ErrNone
  68. }
  70. if !s3acl.GrantEquals(bucketOwnerFullControlGrant, grants[0]) {
  71. return s3err.AccessControlListNotSupported
  72. }
  74. s3acl.SetAcpOwnerHeader(r, accountId)
  75. s3acl.SetAcpGrantsHeader(r, []*s3.Grant{bucketOwnerFullControlGrant})
  76. return s3err.ErrNone
  77. }
  79. //bucket access allowed
  80. bucketAclAllowed := false
  81. if accountId == *bucketMetadata.Owner.ID {
  82. bucketAclAllowed = true
  83. } else {
  84. if len(bucketMetadata.Acl) > 0 {
  85. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  86. bucketLoop:
  87. for _, bucketGrant := range bucketMetadata.Acl {
  88. for _, requiredGrant := range reqGrants {
  89. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  90. bucketAclAllowed = true
  91. break bucketLoop
  92. }
  93. }
  94. }
  95. }
  96. }
  97. if !bucketAclAllowed {
  98. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  99. return s3err.ErrAccessDenied
  100. }
  102. //object access allowed
  103. entry, err := getObjectEntry(s3a, bucket, object)
  104. if err != nil {
  105. if err != filer_pb.ErrNotFound {
  106. return s3err.ErrInternalError
  107. }
  108. } else {
  109. if entry.IsDirectory {
  110. return s3err.ErrExistingObjectIsDirectory
  111. }
  113. //Only the owner of the bucket and the owner of the object can overwrite the object
  114. objectOwner := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  115. if accountId != objectOwner && accountId != *bucketMetadata.Owner.ID {
  116. glog.V(3).Infof("acl denied! request account id: %s, expect account id: %s", accountId, *bucketMetadata.Owner.ID)
  117. return s3err.ErrAccessDenied
  118. }
  119. }
  121. ownerId, grants, errCode := s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
  122. if errCode != s3err.ErrNone {
  123. return errCode
  124. }
  126. s3acl.SetAcpOwnerHeader(r, ownerId)
  127. s3acl.SetAcpGrantsHeader(r, grants)
  129. return s3err.ErrNone
  130. }
  132. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  133. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  134. }