Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9366 Commits
33 Branches
301 Tags
176 MiB
Tree: b253a20faf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b253a20faf'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

407 lines
13 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add ownership rest apis (#3765)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
perf(fix): fix bugs Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
perf(fix): fix bugs Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
implement `GetObjectAclHandler`
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_skip_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go
2 years ago
Merge branch '5_objectWriteAcl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl support for `PutObjectAcl`
2 years ago
Merge branch '4_object_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_object_handlers.go # weed/s3api/s3err/s3api_errors.go
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for Initializing multipart upload Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
acl for complete multipart uplod Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
don't set acp when ownership is BucketOwnerEnfored Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
perf(fix): fix bugs Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObject` and `PutObjectPart`
2 years ago
Merge branch '1_bucket_write' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go # weed/s3api/s3api_bucket_handlers.go
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
extract and save acl when create bucket
2 years ago
  1. package s3api
  3. import (
  4. "github.com/aws/aws-sdk-go/service/s3"
  5. "github.com/seaweedfs/seaweedfs/weed/glog"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  9. "github.com/seaweedfs/seaweedfs/weed/util"
  10. "net/http"
  11. "path/filepath"
  12. )
  14. func getAccountId(r *http.Request) string {
  15. id := r.Header.Get(s3_constants.AmzAccountId)
  16. if len(id) == 0 {
  17. return AccountAnonymous.Id
  18. } else {
  19. return id
  20. }
  21. }
  23. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  24. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  25. if errCode != s3err.ErrNone {
  26. return errCode
  27. }
  28. requestAccountId := getAccountId(r)
  29. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  30. return s3err.ErrNone
  31. }
  32. return s3err.ErrAccessDenied
  33. }
  35. // Check access for PutBucketAclHandler
  36. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(requestAccountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  37. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  38. if errCode != s3err.ErrNone {
  39. return nil, errCode
  40. }
  42. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  43. return nil, s3err.AccessControlListNotSupported
  44. }
  46. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  47. return bucketMetadata, s3err.ErrNone
  48. }
  50. if len(bucketMetadata.Acl) > 0 {
  51. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionWriteAcp)
  52. for _, bucketGrant := range bucketMetadata.Acl {
  53. for _, reqGrant := range reqGrants {
  54. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  55. return bucketMetadata, s3err.ErrNone
  56. }
  57. }
  58. }
  59. }
  60. glog.V(3).Infof("acl denied! request account id: %s", requestAccountId)
  61. return nil, s3err.ErrAccessDenied
  62. }
  64. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  65. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  66. }
  68. // Check Bucket/BucketAcl Read related access
  69. // includes:
  70. // - HeadBucketHandler
  71. // - GetBucketAclHandler
  72. // - ListObjectsV1Handler
  73. // - ListObjectsV2Handler
  74. // - ListMultipartUploadsHandler
  75. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  76. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  77. if errCode != s3err.ErrNone {
  78. return nil, errCode
  79. }
  81. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  82. return bucketMetadata, s3err.ErrNone
  83. }
  85. requestAccountId := s3acl.GetAccountId(r)
  86. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  87. return bucketMetadata, s3err.ErrNone
  88. }
  90. if len(bucketMetadata.Acl) > 0 {
  91. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, aclAction)
  92. for _, bucketGrant := range bucketMetadata.Acl {
  93. for _, reqGrant := range reqGrants {
  94. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  95. return bucketMetadata, s3err.ErrNone
  96. }
  97. }
  98. }
  99. }
  101. glog.V(3).Infof("acl denied! request account id: %s", requestAccountId)
  102. return nil, s3err.ErrAccessDenied
  103. }
  105. // Check ObjectAcl-Read related access
  106. // includes:
  107. // - GetObjectAclHandler
  108. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  109. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  110. if errCode != s3err.ErrNone {
  111. return nil, errCode
  112. }
  114. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  115. entry, err := getObjectEntry(s3a, bucket, object)
  116. if err != nil {
  117. if err == filer_pb.ErrNotFound {
  118. return nil, s3err.ErrNoSuchKey
  119. } else {
  120. return nil, s3err.ErrInternalError
  121. }
  122. }
  123. if entry.IsDirectory {
  124. return nil, s3err.ErrExistingObjectIsDirectory
  125. }
  126. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  127. acpOwnerName := s3a.accountManager.IdNameMapping[acpOwnerId]
  128. acpGrants := s3acl.GetAcpGrants(&acpOwnerId, entry.Extended)
  129. acp = &s3.AccessControlPolicy{
  130. Owner: &s3.Owner{
  131. ID: &acpOwnerId,
  132. DisplayName: &acpOwnerName,
  133. },
  134. Grants: acpGrants,
  135. }
  136. return acp, s3err.ErrNone
  137. }
  138. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  139. return getAcpFunc()
  140. }
  141. requestAccountId := s3acl.GetAccountId(r)
  142. acp, errCode = getAcpFunc()
  143. if errCode != s3err.ErrNone {
  144. return nil, errCode
  145. }
  146. if s3acl.ValidateAccount(requestAccountId, *acp.Owner.ID) {
  147. return acp, s3err.ErrNone
  148. }
  149. if acp.Grants != nil {
  150. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionReadAcp)
  151. for _, requiredGrant := range reqGrants {
  152. for _, grant := range acp.Grants {
  153. if s3acl.GrantEquals(requiredGrant, grant) {
  154. return acp, s3err.ErrNone
  155. }
  156. }
  157. }
  158. }
  159. glog.V(3).Infof("CheckAccessForReadObjectAcl denied! request account id: %s", requestAccountId)
  160. return nil, s3err.ErrAccessDenied
  161. }
  163. // Check Object-Read related access
  164. // includes:
  165. // - GetObjectHandler
  166. //
  167. // offload object access validation to Filer layer
  168. // - s3acl.CheckObjectAccessForReadObject
  169. func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
  170. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  171. if errCode != s3err.ErrNone {
  172. return errCode
  173. }
  175. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  176. //offload object acl validation to filer layer
  177. _, defaultErrorCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionRead)
  178. if defaultErrorCode != s3err.ErrNone {
  179. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketAccessDenied, "true")
  180. }
  181. r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId, *bucketMetadata.Owner.ID)
  182. }
  184. return s3err.ErrNone
  185. }
  187. // Check ObjectAcl-Write related access
  188. // includes:
  189. // - PutObjectAclHandler
  190. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(r *http.Request, bucket, object string) (*filer_pb.Entry, string, []*s3.Grant, s3err.ErrorCode) {
  191. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  192. if errCode != s3err.ErrNone {
  193. return nil, "", nil, errCode
  194. }
  196. requestAccountId := s3acl.GetAccountId(r)
  197. reqOwnerId, grants, errCode := s3acl.ExtractObjectAcl(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, false)
  198. if errCode != s3err.ErrNone {
  199. return nil, "", nil, errCode
  200. }
  202. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  203. return nil, "", nil, s3err.AccessControlListNotSupported
  204. }
  206. //object acl
  207. objectEntry, err := getObjectEntry(s3a, bucket, object)
  208. if err != nil {
  209. if err == filer_pb.ErrNotFound {
  210. return nil, "", nil, s3err.ErrNoSuchKey
  211. }
  212. return nil, "", nil, s3err.ErrInternalError
  213. }
  215. if objectEntry.IsDirectory {
  216. return nil, "", nil, s3err.ErrExistingObjectIsDirectory
  217. }
  219. objectOwner := s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  220. //object owner is immutable
  221. if reqOwnerId != "" && reqOwnerId != objectOwner {
  222. return nil, "", nil, s3err.ErrAccessDenied
  223. }
  224. if s3acl.ValidateAccount(requestAccountId, objectOwner) {
  225. return objectEntry, objectOwner, grants, s3err.ErrNone
  226. }
  228. objectGrants := s3acl.GetAcpGrants(nil, objectEntry.Extended)
  229. if objectGrants != nil {
  230. requiredGrants := s3acl.DetermineRequiredGrants(requestAccountId, s3_constants.PermissionWriteAcp)
  231. for _, objectGrant := range objectGrants {
  232. for _, requiredGrant := range requiredGrants {
  233. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  234. return objectEntry, objectOwner, grants, s3err.ErrNone
  235. }
  236. }
  237. }
  238. }
  240. glog.V(3).Infof("checkAccessForWriteObjectAcl denied! request account id: %s", requestAccountId)
  241. return nil, "", nil, s3err.ErrAccessDenied
  242. }
  244. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  245. dir, _ := filepath.Split(object)
  246. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, dir), entry)
  247. }
  249. // CheckAccessForPutObject Check ACL for PutObject API
  250. // includes:
  251. // - PutObjectHandler
  252. func (s3a *S3ApiServer) CheckAccessForPutObject(r *http.Request, bucket, object string) s3err.ErrorCode {
  253. accountId := s3acl.GetAccountId(r)
  254. return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
  255. }
  257. // CheckAccessForPutObjectPartHandler Check Acl for Upload object part
  258. // includes:
  259. // - PutObjectPartHandler
  260. func (s3a *S3ApiServer) CheckAccessForPutObjectPartHandler(r *http.Request, bucket string) s3err.ErrorCode {
  261. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  262. if errCode != s3err.ErrNone {
  263. return errCode
  264. }
  265. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  266. return s3err.ErrNone
  267. }
  268. accountId := s3acl.GetAccountId(r)
  269. if !CheckBucketAccess(accountId, bucketMetadata, s3_constants.PermissionWrite) {
  270. return s3err.ErrAccessDenied
  271. }
  272. return s3err.ErrNone
  273. }
  275. // CheckAccessForNewMultipartUpload Check Acl for API
  276. // includes:
  277. // - NewMultipartUploadHandler
  278. func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket, object string) (s3err.ErrorCode, string) {
  279. accountId := s3acl.GetAccountId(r)
  280. if accountId == IdentityAnonymous.AccountId {
  281. return s3err.ErrAccessDenied, ""
  282. }
  283. errCode := s3a.checkAccessForWriteObject(r, bucket, object, accountId)
  284. return errCode, accountId
  285. }
  287. func (s3a *S3ApiServer) CheckAccessForAbortMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  288. return s3a.CheckAccessWithBucketOwnerAndInitiator(r, bucket, object)
  289. }
  291. func (s3a *S3ApiServer) CheckAccessForCompleteMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
  292. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  293. if errCode != s3err.ErrNone {
  294. return errCode
  295. }
  297. if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
  298. accountId := getAccountId(r)
  299. if !CheckBucketAccess(accountId, bucketMetadata, s3_constants.PermissionWrite) {
  300. return s3err.ErrAccessDenied
  301. }
  302. }
  303. return s3err.ErrNone
  304. }
  306. func (s3a *S3ApiServer) CheckAccessForListMultipartUploadParts(r *http.Request, bucket, object string) s3err.ErrorCode {
  307. return s3a.CheckAccessWithBucketOwnerAndInitiator(r, bucket, object)
  308. }
  310. // CheckAccessWithBucketOwnerAndInitiator Check Access Permission with 'bucketOwner' and 'multipartUpload initiator'
  311. func (s3a *S3ApiServer) CheckAccessWithBucketOwnerAndInitiator(r *http.Request, bucket, object string) s3err.ErrorCode {
  312. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  313. if errCode != s3err.ErrNone {
  314. return errCode
  315. }
  317. //bucket access allowed
  318. accountId := s3acl.GetAccountId(r)
  319. if s3acl.ValidateAccount(*bucketMetadata.Owner.ID, accountId) {
  320. return s3err.ErrNone
  321. }
  323. //multipart initiator allowed
  324. entry, err := getMultipartUpload(s3a, bucket, object)
  325. if err != nil {
  326. if err != filer_pb.ErrNotFound {
  327. return s3err.ErrInternalError
  328. }
  329. } else {
  330. uploadInitiator, ok := entry.Extended[s3_constants.ExtAmzMultipartInitiator]
  331. if !ok || accountId == string(uploadInitiator) {
  332. return s3err.ErrNone
  333. }
  334. }
  335. glog.V(3).Infof("CheckAccessWithBucketOwnerAndInitiator denied! request account id: %s", accountId)
  336. return s3err.ErrAccessDenied
  337. }
  339. func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object, requestAccountId string) s3err.ErrorCode {
  340. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  341. if errCode != s3err.ErrNone {
  342. return errCode
  343. }
  344. requestOwnerId, grants, errCode := s3acl.ExtractObjectAcl(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, requestAccountId, true)
  345. if errCode != s3err.ErrNone {
  346. return errCode
  347. }
  349. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  350. return s3err.ErrNone
  351. }
  353. if !CheckBucketAccess(requestAccountId, bucketMetadata, s3_constants.PermissionWrite) {
  354. return s3err.ErrAccessDenied
  355. }
  357. if requestOwnerId == "" {
  358. requestOwnerId = requestAccountId
  359. }
  360. entry, err := getObjectEntry(s3a, bucket, object)
  361. if err != nil {
  362. if err == filer_pb.ErrNotFound {
  363. s3acl.SetAcpOwnerHeader(r, requestOwnerId)
  364. s3acl.SetAcpGrantsHeader(r, grants)
  365. return s3err.ErrNone
  366. }
  367. return s3err.ErrInternalError
  368. }
  370. objectOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  372. //object owner is immutable
  373. if !s3acl.ValidateAccount(requestOwnerId, objectOwnerId, *bucketMetadata.Owner.ID) {
  374. return s3err.ErrAccessDenied
  375. }
  377. s3acl.SetAcpOwnerHeader(r, objectOwnerId)
  378. s3acl.SetAcpGrantsHeader(r, grants)
  379. return s3err.ErrNone
  380. }
  382. func CheckBucketAccess(requestAccountId string, bucketMetadata *BucketMetaData, permission string) bool {
  383. if s3acl.ValidateAccount(requestAccountId, *bucketMetadata.Owner.ID) {
  384. return true
  385. } else {
  386. if len(bucketMetadata.Acl) > 0 {
  387. reqGrants := s3acl.DetermineRequiredGrants(requestAccountId, permission)
  388. for _, bucketGrant := range bucketMetadata.Acl {
  389. for _, requiredGrant := range reqGrants {
  390. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  391. return true
  392. }
  393. }
  394. }
  395. }
  396. }
  397. glog.V(3).Infof("CheckBucketAccess denied! request account id: %s", requestAccountId)
  398. return false
  399. }
  401. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  402. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  403. }
  405. func getMultipartUpload(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  406. return s3a.getEntry(s3a.genUploadsFolder(bucket), object)
  407. }