Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11247 Commits
32 Branches
298 Tags
166 MiB
Tree: c5f21b2b01
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c5f21b2b01'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

511 lines
15 KiB
Raw Normal View History

support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
support acl
5 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
support acl
5 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
add ownership rest apis (#3765)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
support acl
5 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
AclHandlers
3 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
AclHandlers
3 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
AclHandlers
3 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
Clean up old signature hash pools
1 year ago
add v2 support
5 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
grpc connection to filer add sw-client-id header
2 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
refactor: `Directory` readability (#3665)
2 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
s3: add grpc server to accept configuration changes
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
supplement check duplicate accesskey
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
new pkg s3iam
4 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
support acl
5 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
add ownership rest apis (#3765)
2 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
support acl
5 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
s3: fix potencial iam identities data race
3 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
support acl
5 years ago
refactoring
5 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
refactoring
5 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix: When there is no access permission configured before startup, the authentication does not take effect after configuring the permission after startup
3 years ago
Add bucket owner attr.
4 years ago
added s3 iam DeleteBucket permission management (#5599)
8 months ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
Bugfix s3 audit missing requester for PUT requests (#6434) fix s3 audit missing requster for PUT
6 days ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
[s3] optimization iam lookup for reducing algorithm complexity (#4857) optimization iam lookup for reducing algorithm complexity https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
s3: support config action Admin:bucket
4 years ago
logging
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
s3: support config action Admin:bucket
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
s3: support config action Admin:bucket
4 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
1 year ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
audit log SignatureVersion
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
s3: access control limited by bucket
5 years ago
added s3 iam DeleteBucket permission management (#5599)
8 months ago
s3: access control limited by bucket
5 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
fix auth permission checking
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
fix S3 per-user-directory Policy (#6443) * fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
4 days ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
auth use bucket wild cards
4 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
added s3 iam DeleteBucket permission management (#5599)
8 months ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "net/http"
  6. "os"
  7. "strings"
  8. "sync"
  10. "github.com/seaweedfs/seaweedfs/weed/filer"
  11. "github.com/seaweedfs/seaweedfs/weed/glog"
  12. "github.com/seaweedfs/seaweedfs/weed/pb"
  13. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  14. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  15. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  16. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  17. )
  19. type Action string
  21. type Iam interface {
  22. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  23. }
  25. type IdentityAccessManagement struct {
  26. m sync.RWMutex
  28. identities []*Identity
  29. accessKeyIdent map[string]*Identity
  30. accounts map[string]*Account
  31. emailAccount map[string]*Account
  32. hashes map[string]*sync.Pool
  33. hashCounters map[string]*int32
  34. identityAnonymous *Identity
  35. hashMu sync.RWMutex
  36. domain string
  37. isAuthEnabled bool
  38. }
  40. type Identity struct {
  41. Name string
  42. Account *Account
  43. Credentials []*Credential
  44. Actions []Action
  45. }
  47. // Account represents a system user, a system user can
  48. // configure multiple IAM-Users, IAM-Users can configure
  49. // permissions respectively, and each IAM-User can
  50. // configure multiple security credentials
  51. type Account struct {
  52. //Name is also used to display the "DisplayName" as the owner of the bucket or object
  53. DisplayName string
  54. EmailAddress string
  56. //Id is used to identify an Account when granting cross-account access(ACLs) to buckets and objects
  57. Id string
  58. }
  60. // Predefined Accounts
  61. var (
  62. // AccountAdmin is used as the default account for IAM-Credentials access without Account configured
  63. AccountAdmin = Account{
  64. DisplayName: "admin",
  65. EmailAddress: "admin@example.com",
  66. Id: s3_constants.AccountAdminId,
  67. }
  69. // AccountAnonymous is used to represent the account for anonymous access
  70. AccountAnonymous = Account{
  71. DisplayName: "anonymous",
  72. EmailAddress: "anonymous@example.com",
  73. Id: s3_constants.AccountAnonymousId,
  74. }
  75. )
  77. type Credential struct {
  78. AccessKey string
  79. SecretKey string
  80. }
  82. func (i *Identity) isAnonymous() bool {
  83. return i.Account.Id == s3_constants.AccountAnonymousId
  84. }
  86. func (action Action) isAdmin() bool {
  87. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  88. }
  90. func (action Action) isOwner(bucket string) bool {
  91. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  92. }
  94. func (action Action) overBucket(bucket string) bool {
  95. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  96. }
  98. // "Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
  99. func (action Action) getPermission() Permission {
  100. switch act := strings.Split(string(action), ":")[0]; act {
  101. case s3_constants.ACTION_ADMIN:
  102. return Permission("FULL_CONTROL")
  103. case s3_constants.ACTION_WRITE:
  104. return Permission("WRITE")
  105. case s3_constants.ACTION_WRITE_ACP:
  106. return Permission("WRITE_ACP")
  107. case s3_constants.ACTION_READ:
  108. return Permission("READ")
  109. case s3_constants.ACTION_READ_ACP:
  110. return Permission("READ_ACP")
  111. default:
  112. return Permission("")
  113. }
  114. }
  116. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  117. iam := &IdentityAccessManagement{
  118. domain: option.DomainName,
  119. hashes: make(map[string]*sync.Pool),
  120. hashCounters: make(map[string]*int32),
  121. }
  123. if option.Config != "" {
  124. glog.V(3).Infof("loading static config file %s", option.Config)
  125. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  126. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  127. }
  128. } else {
  129. glog.V(3).Infof("no static config file specified... loading config from filer %s", option.Filer)
  130. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  131. glog.Warningf("fail to load config: %v", err)
  132. }
  133. }
  134. return iam
  135. }
  137. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  138. var content []byte
  139. err = pb.WithFilerClient(false, 0, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  140. glog.V(3).Infof("loading config %s from filer %s", filer.IamConfigDirectory+"/"+filer.IamIdentityFile, option.Filer)
  141. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
  142. return err
  143. })
  144. if err != nil {
  145. return fmt.Errorf("read S3 config: %v", err)
  146. }
  147. return iam.LoadS3ApiConfigurationFromBytes(content)
  148. }
  150. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  151. content, readErr := os.ReadFile(fileName)
  152. if readErr != nil {
  153. glog.Warningf("fail to read %s : %v", fileName, readErr)
  154. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  155. }
  156. return iam.LoadS3ApiConfigurationFromBytes(content)
  157. }
  159. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  160. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  161. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  162. glog.Warningf("unmarshal error: %v", err)
  163. return fmt.Errorf("unmarshal error: %v", err)
  164. }
  166. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  167. return err
  168. }
  170. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  171. return err
  172. }
  173. return nil
  174. }
  176. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  177. var identities []*Identity
  178. var identityAnonymous *Identity
  179. accessKeyIdent := make(map[string]*Identity)
  180. accounts := make(map[string]*Account)
  181. emailAccount := make(map[string]*Account)
  182. foundAccountAdmin := false
  183. foundAccountAnonymous := false
  185. for _, account := range config.Accounts {
  186. glog.V(3).Infof("loading account name=%s, id=%s", account.DisplayName, account.Id)
  187. switch account.Id {
  188. case AccountAdmin.Id:
  189. AccountAdmin = Account{
  190. Id: account.Id,
  191. DisplayName: account.DisplayName,
  192. EmailAddress: account.EmailAddress,
  193. }
  194. accounts[account.Id] = &AccountAdmin
  195. foundAccountAdmin = true
  196. case AccountAnonymous.Id:
  197. AccountAnonymous = Account{
  198. Id: account.Id,
  199. DisplayName: account.DisplayName,
  200. EmailAddress: account.EmailAddress,
  201. }
  202. accounts[account.Id] = &AccountAnonymous
  203. foundAccountAnonymous = true
  204. default:
  205. t := Account{
  206. Id: account.Id,
  207. DisplayName: account.DisplayName,
  208. EmailAddress: account.EmailAddress,
  209. }
  210. accounts[account.Id] = &t
  211. }
  212. if account.EmailAddress != "" {
  213. emailAccount[account.EmailAddress] = accounts[account.Id]
  214. }
  215. }
  216. if !foundAccountAdmin {
  217. accounts[AccountAdmin.Id] = &AccountAdmin
  218. emailAccount[AccountAdmin.EmailAddress] = &AccountAdmin
  219. }
  220. if !foundAccountAnonymous {
  221. accounts[AccountAnonymous.Id] = &AccountAnonymous
  222. emailAccount[AccountAnonymous.EmailAddress] = &AccountAnonymous
  223. }
  224. for _, ident := range config.Identities {
  225. glog.V(3).Infof("loading identity %s", ident.Name)
  226. t := &Identity{
  227. Name: ident.Name,
  228. Credentials: nil,
  229. Actions: nil,
  230. }
  231. switch {
  232. case ident.Name == AccountAnonymous.Id:
  233. t.Account = &AccountAnonymous
  234. identityAnonymous = t
  235. case ident.Account == nil:
  236. t.Account = &AccountAdmin
  237. default:
  238. if account, ok := accounts[ident.Account.Id]; ok {
  239. t.Account = account
  240. } else {
  241. t.Account = &AccountAdmin
  242. glog.Warningf("identity %s is associated with a non exist account ID, the association is invalid", ident.Name)
  243. }
  244. }
  246. for _, action := range ident.Actions {
  247. t.Actions = append(t.Actions, Action(action))
  248. }
  249. for _, cred := range ident.Credentials {
  250. t.Credentials = append(t.Credentials, &Credential{
  251. AccessKey: cred.AccessKey,
  252. SecretKey: cred.SecretKey,
  253. })
  254. accessKeyIdent[cred.AccessKey] = t
  255. }
  256. identities = append(identities, t)
  257. }
  259. iam.m.Lock()
  260. // atomically switch
  261. iam.identities = identities
  262. iam.identityAnonymous = identityAnonymous
  263. iam.accounts = accounts
  264. iam.emailAccount = emailAccount
  265. iam.accessKeyIdent = accessKeyIdent
  266. if !iam.isAuthEnabled { // one-directional, no toggling
  267. iam.isAuthEnabled = len(identities) > 0
  268. }
  269. iam.m.Unlock()
  271. return nil
  272. }
  274. func (iam *IdentityAccessManagement) isEnabled() bool {
  275. return iam.isAuthEnabled
  276. }
  278. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  279. iam.m.RLock()
  280. defer iam.m.RUnlock()
  281. if ident, ok := iam.accessKeyIdent[accessKey]; ok {
  282. for _, credential := range ident.Credentials {
  283. if credential.AccessKey == accessKey {
  284. return ident, credential, true
  285. }
  286. }
  287. }
  288. glog.V(1).Infof("could not find accessKey %s", accessKey)
  289. return nil, nil, false
  290. }
  292. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  293. iam.m.RLock()
  294. defer iam.m.RUnlock()
  295. if iam.identityAnonymous != nil {
  296. return iam.identityAnonymous, true
  297. }
  298. return nil, false
  299. }
  301. func (iam *IdentityAccessManagement) GetAccountNameById(canonicalId string) string {
  302. iam.m.RLock()
  303. defer iam.m.RUnlock()
  304. if account, ok := iam.accounts[canonicalId]; ok {
  305. return account.DisplayName
  306. }
  307. return ""
  308. }
  310. func (iam *IdentityAccessManagement) GetAccountIdByEmail(email string) string {
  311. iam.m.RLock()
  312. defer iam.m.RUnlock()
  313. if account, ok := iam.emailAccount[email]; ok {
  314. return account.Id
  315. }
  316. return ""
  317. }
  319. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  320. return func(w http.ResponseWriter, r *http.Request) {
  321. if !iam.isEnabled() {
  322. f(w, r)
  323. return
  324. }
  326. identity, errCode := iam.authRequest(r, action)
  327. glog.V(3).Infof("auth error: %v", errCode)
  328. if errCode == s3err.ErrNone {
  329. if identity != nil && identity.Name != "" {
  330. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  331. if identity.isAdmin() {
  332. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  333. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  334. r.Header.Del(s3_constants.AmzIsAdmin)
  335. }
  336. }
  337. f(w, r)
  338. return
  339. }
  340. s3err.WriteErrorResponse(w, r, errCode)
  341. }
  342. }
  344. // check whether the request has valid access keys
  345. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  346. var identity *Identity
  347. var s3Err s3err.ErrorCode
  348. var found bool
  349. var authType string
  350. switch getRequestAuthType(r) {
  351. case authTypeUnknown:
  352. glog.V(3).Infof("unknown auth type")
  353. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  354. return identity, s3err.ErrAccessDenied
  355. case authTypePresignedV2, authTypeSignedV2:
  356. glog.V(3).Infof("v2 auth type")
  357. identity, s3Err = iam.isReqAuthenticatedV2(r)
  358. authType = "SigV2"
  359. case authTypeStreamingSigned, authTypeSigned, authTypePresigned:
  360. glog.V(3).Infof("v4 auth type")
  361. identity, s3Err = iam.reqSignatureV4Verify(r)
  362. authType = "SigV4"
  363. case authTypePostPolicy:
  364. glog.V(3).Infof("post policy auth type")
  365. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  366. return identity, s3err.ErrNone
  367. case authTypeJWT:
  368. glog.V(3).Infof("jwt auth type")
  369. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  370. return identity, s3err.ErrNotImplemented
  371. case authTypeAnonymous:
  372. authType = "Anonymous"
  373. if identity, found = iam.lookupAnonymous(); !found {
  374. r.Header.Set(s3_constants.AmzAuthType, authType)
  375. return identity, s3err.ErrAccessDenied
  376. }
  377. default:
  378. return identity, s3err.ErrNotImplemented
  379. }
  381. if len(authType) > 0 {
  382. r.Header.Set(s3_constants.AmzAuthType, authType)
  383. }
  384. if s3Err != s3err.ErrNone {
  385. return identity, s3Err
  386. }
  388. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  389. bucket, object := s3_constants.GetBucketAndObject(r)
  390. prefix := s3_constants.GetPrefix(r)
  392. if object == "/" && prefix != "" {
  393. // Using the aws cli with s3, and s3api, and with boto3, the object is always set to "/"
  394. // but the prefix is set to the actual object key
  395. object = prefix
  396. }
  398. if !identity.canDo(action, bucket, object) {
  399. return identity, s3err.ErrAccessDenied
  400. }
  402. r.Header.Set(s3_constants.AmzAccountId, identity.Account.Id)
  404. return identity, s3err.ErrNone
  406. }
  408. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  409. var identity *Identity
  410. var s3Err s3err.ErrorCode
  411. var found bool
  412. var authType string
  413. switch getRequestAuthType(r) {
  414. case authTypeStreamingSigned:
  415. return identity, s3err.ErrNone
  416. case authTypeUnknown:
  417. glog.V(3).Infof("unknown auth type")
  418. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  419. return identity, s3err.ErrAccessDenied
  420. case authTypePresignedV2, authTypeSignedV2:
  421. glog.V(3).Infof("v2 auth type")
  422. identity, s3Err = iam.isReqAuthenticatedV2(r)
  423. authType = "SigV2"
  424. case authTypeSigned, authTypePresigned:
  425. glog.V(3).Infof("v4 auth type")
  426. identity, s3Err = iam.reqSignatureV4Verify(r)
  427. authType = "SigV4"
  428. case authTypePostPolicy:
  429. glog.V(3).Infof("post policy auth type")
  430. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  431. return identity, s3err.ErrNone
  432. case authTypeJWT:
  433. glog.V(3).Infof("jwt auth type")
  434. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  435. return identity, s3err.ErrNotImplemented
  436. case authTypeAnonymous:
  437. authType = "Anonymous"
  438. identity, found = iam.lookupAnonymous()
  439. if !found {
  440. r.Header.Set(s3_constants.AmzAuthType, authType)
  441. return identity, s3err.ErrAccessDenied
  442. }
  443. default:
  444. return identity, s3err.ErrNotImplemented
  445. }
  447. if len(authType) > 0 {
  448. r.Header.Set(s3_constants.AmzAuthType, authType)
  449. }
  451. glog.V(3).Infof("auth error: %v", s3Err)
  452. if s3Err != s3err.ErrNone {
  453. return identity, s3Err
  454. }
  455. return identity, s3err.ErrNone
  456. }
  458. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  459. if identity.isAdmin() {
  460. return true
  461. }
  462. for _, a := range identity.Actions {
  463. // Case where the Resource provided is
  464. // "Resource": [
  465. // "arn:aws:s3:::*"
  466. // ]
  467. if a == action {
  468. return true
  469. }
  470. }
  471. if bucket == "" {
  472. glog.V(3).Infof("identity %s is not allowed to perform action %s on %s -- bucket is empty", identity.Name, action, bucket+objectKey)
  473. return false
  474. }
  475. glog.V(3).Infof("checking if %s can perform %s on bucket '%s'", identity.Name, action, bucket+objectKey)
  476. target := string(action) + ":" + bucket + objectKey
  477. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  478. limitedByBucket := string(action) + ":" + bucket
  479. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  481. for _, a := range identity.Actions {
  482. act := string(a)
  483. if strings.HasSuffix(act, "*") {
  484. if strings.HasPrefix(target, act[:len(act)-1]) {
  485. return true
  486. }
  487. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  488. return true
  489. }
  490. } else {
  491. if act == limitedByBucket {
  492. return true
  493. }
  494. if act == adminLimitedByBucket {
  495. return true
  496. }
  497. }
  498. }
  499. //log error
  500. glog.V(3).Infof("identity %s is not allowed to perform action %s on %s", identity.Name, action, bucket+objectKey)
  501. return false
  502. }
  504. func (identity *Identity) isAdmin() bool {
  505. for _, a := range identity.Actions {
  506. if a == "Admin" {
  507. return true
  508. }
  509. }
  510. return false
  511. }