Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6607 Commits
32 Branches
298 Tags
167 MiB
Tree: c77c0de418
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c77c0de418'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

327 lines
8.5 KiB
Raw Normal View History

support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
refactoring
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
auth use bucket wild cards
4 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
save /etc/iam/identity.json inside filer store
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
support acl
5 years ago
adjust logs
3 years ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix s3api auth bug
5 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
s3: support config action Admin:bucket
4 years ago
logging
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
s3: access control limited by bucket
5 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "net/http"
  6. "os"
  7. "strings"
  8. "sync"
  10. "github.com/chrislusf/seaweedfs/weed/filer"
  11. "github.com/chrislusf/seaweedfs/weed/glog"
  12. "github.com/chrislusf/seaweedfs/weed/pb"
  13. "github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
  14. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  15. xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
  16. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  17. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  18. )
  20. type Action string
  22. type Iam interface {
  23. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  24. }
  26. type IdentityAccessManagement struct {
  27. m sync.RWMutex
  29. identities []*Identity
  30. domain string
  31. }
  33. type Identity struct {
  34. Name string
  35. Credentials []*Credential
  36. Actions []Action
  37. }
  39. type Credential struct {
  40. AccessKey string
  41. SecretKey string
  42. }
  44. func (action Action) isAdmin() bool {
  45. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  46. }
  48. func (action Action) isOwner(bucket string) bool {
  49. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  50. }
  52. func (action Action) overBucket(bucket string) bool {
  53. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  54. }
  56. func (action Action) getPermission() Permission {
  57. switch act := strings.Split(string(action), ":")[0]; act {
  58. case s3_constants.ACTION_ADMIN:
  59. return Permission("FULL_CONTROL")
  60. case s3_constants.ACTION_WRITE:
  61. return Permission("WRITE")
  62. case s3_constants.ACTION_READ:
  63. return Permission("READ")
  64. default:
  65. return Permission("")
  66. }
  67. }
  69. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  70. iam := &IdentityAccessManagement{
  71. domain: option.DomainName,
  72. }
  73. if option.Config != "" {
  74. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  75. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  76. }
  77. } else {
  78. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  79. glog.Warningf("fail to load config: %v", err)
  80. }
  81. }
  82. return iam
  83. }
  85. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  86. var content []byte
  87. err = pb.WithFilerClient(option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  88. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirecotry, filer.IamIdentityFile)
  89. return err
  90. })
  91. if err != nil {
  92. return fmt.Errorf("read S3 config: %v", err)
  93. }
  94. return iam.loadS3ApiConfigurationFromBytes(content)
  95. }
  97. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  98. content, readErr := os.ReadFile(fileName)
  99. if readErr != nil {
  100. glog.Warningf("fail to read %s : %v", fileName, readErr)
  101. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  102. }
  103. return iam.loadS3ApiConfigurationFromBytes(content)
  104. }
  106. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromBytes(content []byte) error {
  107. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  108. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  109. glog.Warningf("unmarshal error: %v", err)
  110. return fmt.Errorf("unmarshal error: %v", err)
  111. }
  112. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  113. return err
  114. }
  115. return nil
  116. }
  118. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  119. var identities []*Identity
  120. for _, ident := range config.Identities {
  121. t := &Identity{
  122. Name: ident.Name,
  123. Credentials: nil,
  124. Actions: nil,
  125. }
  126. for _, action := range ident.Actions {
  127. t.Actions = append(t.Actions, Action(action))
  128. }
  129. for _, cred := range ident.Credentials {
  130. t.Credentials = append(t.Credentials, &Credential{
  131. AccessKey: cred.AccessKey,
  132. SecretKey: cred.SecretKey,
  133. })
  134. }
  135. identities = append(identities, t)
  136. }
  137. iam.m.Lock()
  138. // atomically switch
  139. iam.identities = identities
  140. iam.m.Unlock()
  141. return nil
  142. }
  144. func (iam *IdentityAccessManagement) isEnabled() bool {
  145. iam.m.RLock()
  146. defer iam.m.RUnlock()
  147. return len(iam.identities) > 0
  148. }
  150. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  152. iam.m.RLock()
  153. defer iam.m.RUnlock()
  154. for _, ident := range iam.identities {
  155. for _, cred := range ident.Credentials {
  156. // println("checking", ident.Name, cred.AccessKey)
  157. if cred.AccessKey == accessKey {
  158. return ident, cred, true
  159. }
  160. }
  161. }
  162. glog.V(1).Infof("could not find accessKey %s", accessKey)
  163. return nil, nil, false
  164. }
  166. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  167. iam.m.RLock()
  168. defer iam.m.RUnlock()
  169. for _, ident := range iam.identities {
  170. if ident.Name == "anonymous" {
  171. return ident, true
  172. }
  173. }
  174. return nil, false
  175. }
  177. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  179. if !iam.isEnabled() {
  180. return f
  181. }
  183. return func(w http.ResponseWriter, r *http.Request) {
  184. identity, errCode := iam.authRequest(r, action)
  185. if errCode == s3err.ErrNone {
  186. if identity != nil && identity.Name != "" {
  187. r.Header.Set(xhttp.AmzIdentityId, identity.Name)
  188. if identity.isAdmin() {
  189. r.Header.Set(xhttp.AmzIsAdmin, "true")
  190. }
  191. }
  192. f(w, r)
  193. return
  194. }
  195. s3err.WriteErrorResponse(w, r, errCode)
  196. }
  197. }
  199. // check whether the request has valid access keys
  200. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  201. var identity *Identity
  202. var s3Err s3err.ErrorCode
  203. var found bool
  204. switch getRequestAuthType(r) {
  205. case authTypeStreamingSigned:
  206. return identity, s3err.ErrNone
  207. case authTypeUnknown:
  208. glog.V(3).Infof("unknown auth type")
  209. return identity, s3err.ErrAccessDenied
  210. case authTypePresignedV2, authTypeSignedV2:
  211. glog.V(3).Infof("v2 auth type")
  212. identity, s3Err = iam.isReqAuthenticatedV2(r)
  213. case authTypeSigned, authTypePresigned:
  214. glog.V(3).Infof("v4 auth type")
  215. identity, s3Err = iam.reqSignatureV4Verify(r)
  216. case authTypePostPolicy:
  217. glog.V(3).Infof("post policy auth type")
  218. return identity, s3err.ErrNone
  219. case authTypeJWT:
  220. glog.V(3).Infof("jwt auth type")
  221. return identity, s3err.ErrNotImplemented
  222. case authTypeAnonymous:
  223. identity, found = iam.lookupAnonymous()
  224. if !found {
  225. return identity, s3err.ErrAccessDenied
  226. }
  227. default:
  228. return identity, s3err.ErrNotImplemented
  229. }
  231. if s3Err != s3err.ErrNone {
  232. return identity, s3Err
  233. }
  235. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  237. bucket, _ := getBucketAndObject(r)
  239. if !identity.canDo(action, bucket) {
  240. return identity, s3err.ErrAccessDenied
  241. }
  243. return identity, s3err.ErrNone
  245. }
  247. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  248. var identity *Identity
  249. var s3Err s3err.ErrorCode
  250. var found bool
  251. switch getRequestAuthType(r) {
  252. case authTypeStreamingSigned:
  253. return identity, s3err.ErrNone
  254. case authTypeUnknown:
  255. glog.V(3).Infof("unknown auth type")
  256. return identity, s3err.ErrAccessDenied
  257. case authTypePresignedV2, authTypeSignedV2:
  258. glog.V(3).Infof("v2 auth type")
  259. identity, s3Err = iam.isReqAuthenticatedV2(r)
  260. case authTypeSigned, authTypePresigned:
  261. glog.V(3).Infof("v4 auth type")
  262. identity, s3Err = iam.reqSignatureV4Verify(r)
  263. case authTypePostPolicy:
  264. glog.V(3).Infof("post policy auth type")
  265. return identity, s3err.ErrNone
  266. case authTypeJWT:
  267. glog.V(3).Infof("jwt auth type")
  268. return identity, s3err.ErrNotImplemented
  269. case authTypeAnonymous:
  270. identity, found = iam.lookupAnonymous()
  271. if !found {
  272. return identity, s3err.ErrAccessDenied
  273. }
  274. default:
  275. return identity, s3err.ErrNotImplemented
  276. }
  278. glog.V(3).Infof("auth error: %v", s3Err)
  279. if s3Err != s3err.ErrNone {
  280. return identity, s3Err
  281. }
  282. return identity, s3err.ErrNone
  283. }
  285. func (identity *Identity) canDo(action Action, bucket string) bool {
  286. if identity.isAdmin() {
  287. return true
  288. }
  289. for _, a := range identity.Actions {
  290. if a == action {
  291. return true
  292. }
  293. }
  294. if bucket == "" {
  295. return false
  296. }
  297. limitedByBucket := string(action) + ":" + bucket
  298. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  299. for _, a := range identity.Actions {
  300. act := string(a)
  301. if strings.HasSuffix(act, "*") {
  302. if strings.HasPrefix(limitedByBucket, act[:len(act)-1]) {
  303. return true
  304. }
  305. if strings.HasPrefix(adminLimitedByBucket, act[:len(act)-1]) {
  306. return true
  307. }
  308. } else {
  309. if act == limitedByBucket {
  310. return true
  311. }
  312. if act == adminLimitedByBucket {
  313. return true
  314. }
  315. }
  316. }
  317. return false
  318. }
  320. func (identity *Identity) isAdmin() bool {
  321. for _, a := range identity.Actions {
  322. if a == "Admin" {
  323. return true
  324. }
  325. }
  326. return false
  327. }