Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9625 Commits
32 Branches
300 Tags
172 MiB
Tree: cdd817edf9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cdd817edf9'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

396 lines
11 KiB
Raw Normal View History

support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
add v2 support
5 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
grpc connection to filer add sw-client-id header
2 years ago
refactor: `Directory` readability (#3665)
2 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
s3: add grpc server to accept configuration changes
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
supplement check duplicate accesskey
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
refactoring
5 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
support acl
5 years ago
adjust logs
3 years ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
add ownership rest apis (#3765)
2 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix: When there is no access permission configured before startup, the authentication does not take effect after configuring the permission after startup
3 years ago
Add bucket owner attr.
4 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
s3: support config action Admin:bucket
4 years ago
logging
4 years ago
s3: support config action Admin:bucket
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: support config action Admin:bucket
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
s3: support config action Admin:bucket
4 years ago
add ownership rest apis (#3765)
2 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
audit log SignatureVersion
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
fix auth permission checking
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
auth use bucket wild cards
4 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "net/http"
  6. "os"
  7. "strings"
  8. "sync"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  12. "github.com/seaweedfs/seaweedfs/weed/filer"
  13. "github.com/seaweedfs/seaweedfs/weed/glog"
  14. "github.com/seaweedfs/seaweedfs/weed/pb"
  15. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  16. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  17. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  18. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  19. )
  21. var IdentityAnonymous *Identity
  23. type Action string
  25. type Iam interface {
  26. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  27. }
  29. type IdentityAccessManagement struct {
  30. m sync.RWMutex
  32. identities []*Identity
  33. isAuthEnabled bool
  34. domain string
  35. hashes map[string]*sync.Pool
  36. hashMu sync.RWMutex
  37. }
  39. type Identity struct {
  40. Name string
  41. AccountId string
  42. Credentials []*Credential
  43. Actions []Action
  44. }
  46. func (i *Identity) isAnonymous() bool {
  47. return i.Name == s3account.AccountAnonymous.Name
  48. }
  50. type Credential struct {
  51. AccessKey string
  52. SecretKey string
  53. }
  55. func (action Action) isAdmin() bool {
  56. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  57. }
  59. func (action Action) isOwner(bucket string) bool {
  60. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  61. }
  63. func (action Action) overBucket(bucket string) bool {
  64. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  65. }
  67. func (action Action) getPermission() Permission {
  68. switch act := strings.Split(string(action), ":")[0]; act {
  69. case s3_constants.ACTION_ADMIN:
  70. return Permission("FULL_CONTROL")
  71. case s3_constants.ACTION_WRITE:
  72. return Permission("WRITE")
  73. case s3_constants.ACTION_READ:
  74. return Permission("READ")
  75. default:
  76. return Permission("")
  77. }
  78. }
  80. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  81. iam := &IdentityAccessManagement{
  82. domain: option.DomainName,
  83. hashes: make(map[string]*sync.Pool),
  84. }
  85. if option.Config != "" {
  86. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  87. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  88. }
  89. } else {
  90. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  91. glog.Warningf("fail to load config: %v", err)
  92. }
  93. }
  94. return iam
  95. }
  97. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  98. var content []byte
  99. err = pb.WithFilerClient(false, 0, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  100. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
  101. return err
  102. })
  103. if err != nil {
  104. return fmt.Errorf("read S3 config: %v", err)
  105. }
  106. return iam.LoadS3ApiConfigurationFromBytes(content)
  107. }
  109. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  110. content, readErr := os.ReadFile(fileName)
  111. if readErr != nil {
  112. glog.Warningf("fail to read %s : %v", fileName, readErr)
  113. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  114. }
  115. return iam.LoadS3ApiConfigurationFromBytes(content)
  116. }
  118. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  119. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  120. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  121. glog.Warningf("unmarshal error: %v", err)
  122. return fmt.Errorf("unmarshal error: %v", err)
  123. }
  125. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  126. return err
  127. }
  129. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  130. return err
  131. }
  132. return nil
  133. }
  135. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  136. var identities []*Identity
  137. for _, ident := range config.Identities {
  138. t := &Identity{
  139. Name: ident.Name,
  140. AccountId: s3account.AccountAdmin.Id,
  141. Credentials: nil,
  142. Actions: nil,
  143. }
  145. if ident.Name == s3account.AccountAnonymous.Name {
  146. if ident.AccountId != "" && ident.AccountId != s3account.AccountAnonymous.Id {
  147. glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
  148. }
  149. t.AccountId = s3account.AccountAnonymous.Id
  150. IdentityAnonymous = t
  151. } else {
  152. if len(ident.AccountId) > 0 {
  153. t.AccountId = ident.AccountId
  154. }
  155. }
  157. for _, action := range ident.Actions {
  158. t.Actions = append(t.Actions, Action(action))
  159. }
  160. for _, cred := range ident.Credentials {
  161. t.Credentials = append(t.Credentials, &Credential{
  162. AccessKey: cred.AccessKey,
  163. SecretKey: cred.SecretKey,
  164. })
  165. }
  166. identities = append(identities, t)
  167. }
  169. if IdentityAnonymous == nil {
  170. IdentityAnonymous = &Identity{
  171. Name: s3account.AccountAnonymous.Name,
  172. AccountId: s3account.AccountAnonymous.Id,
  173. }
  174. }
  175. iam.m.Lock()
  176. // atomically switch
  177. iam.identities = identities
  178. if !iam.isAuthEnabled { // one-directional, no toggling
  179. iam.isAuthEnabled = len(identities) > 0
  180. }
  181. iam.m.Unlock()
  182. return nil
  183. }
  185. func (iam *IdentityAccessManagement) isEnabled() bool {
  186. return iam.isAuthEnabled
  187. }
  189. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  191. iam.m.RLock()
  192. defer iam.m.RUnlock()
  193. for _, ident := range iam.identities {
  194. for _, cred := range ident.Credentials {
  195. // println("checking", ident.Name, cred.AccessKey)
  196. if cred.AccessKey == accessKey {
  197. return ident, cred, true
  198. }
  199. }
  200. }
  201. glog.V(1).Infof("could not find accessKey %s", accessKey)
  202. return nil, nil, false
  203. }
  205. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  206. iam.m.RLock()
  207. defer iam.m.RUnlock()
  208. for _, ident := range iam.identities {
  209. if ident.isAnonymous() {
  210. return ident, true
  211. }
  212. }
  213. return nil, false
  214. }
  216. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  217. return func(w http.ResponseWriter, r *http.Request) {
  218. if !iam.isEnabled() {
  219. f(w, r)
  220. return
  221. }
  223. identity, errCode := iam.authRequest(r, action)
  224. if errCode == s3err.ErrNone {
  225. if identity != nil && identity.Name != "" {
  226. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  227. if identity.isAdmin() {
  228. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  229. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  230. r.Header.Del(s3_constants.AmzIsAdmin)
  231. }
  232. }
  233. f(w, r)
  234. return
  235. }
  236. s3err.WriteErrorResponse(w, r, errCode)
  237. }
  238. }
  240. // check whether the request has valid access keys
  241. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  242. var identity *Identity
  243. var s3Err s3err.ErrorCode
  244. var found bool
  245. var authType string
  246. switch getRequestAuthType(r) {
  247. case authTypeStreamingSigned:
  248. return identity, s3err.ErrNone
  249. case authTypeUnknown:
  250. glog.V(3).Infof("unknown auth type")
  251. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  252. return identity, s3err.ErrAccessDenied
  253. case authTypePresignedV2, authTypeSignedV2:
  254. glog.V(3).Infof("v2 auth type")
  255. identity, s3Err = iam.isReqAuthenticatedV2(r)
  256. authType = "SigV2"
  257. case authTypeSigned, authTypePresigned:
  258. glog.V(3).Infof("v4 auth type")
  259. identity, s3Err = iam.reqSignatureV4Verify(r)
  260. authType = "SigV4"
  261. case authTypePostPolicy:
  262. glog.V(3).Infof("post policy auth type")
  263. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  264. return identity, s3err.ErrNone
  265. case authTypeJWT:
  266. glog.V(3).Infof("jwt auth type")
  267. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  268. return identity, s3err.ErrNotImplemented
  269. case authTypeAnonymous:
  270. authType = "Anonymous"
  271. identity, found = iam.lookupAnonymous()
  272. if !found {
  273. r.Header.Set(s3_constants.AmzAuthType, authType)
  274. return identity, s3err.ErrAccessDenied
  275. }
  276. default:
  277. return identity, s3err.ErrNotImplemented
  278. }
  280. if len(authType) > 0 {
  281. r.Header.Set(s3_constants.AmzAuthType, authType)
  282. }
  283. if s3Err != s3err.ErrNone {
  284. return identity, s3Err
  285. }
  287. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  289. bucket, object := s3_constants.GetBucketAndObject(r)
  291. if !identity.canDo(action, bucket, object) {
  292. return identity, s3err.ErrAccessDenied
  293. }
  295. if !identity.isAnonymous() {
  296. r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
  297. }
  298. return identity, s3err.ErrNone
  300. }
  302. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  303. var identity *Identity
  304. var s3Err s3err.ErrorCode
  305. var found bool
  306. var authType string
  307. switch getRequestAuthType(r) {
  308. case authTypeStreamingSigned:
  309. return identity, s3err.ErrNone
  310. case authTypeUnknown:
  311. glog.V(3).Infof("unknown auth type")
  312. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  313. return identity, s3err.ErrAccessDenied
  314. case authTypePresignedV2, authTypeSignedV2:
  315. glog.V(3).Infof("v2 auth type")
  316. identity, s3Err = iam.isReqAuthenticatedV2(r)
  317. authType = "SigV2"
  318. case authTypeSigned, authTypePresigned:
  319. glog.V(3).Infof("v4 auth type")
  320. identity, s3Err = iam.reqSignatureV4Verify(r)
  321. authType = "SigV4"
  322. case authTypePostPolicy:
  323. glog.V(3).Infof("post policy auth type")
  324. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  325. return identity, s3err.ErrNone
  326. case authTypeJWT:
  327. glog.V(3).Infof("jwt auth type")
  328. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  329. return identity, s3err.ErrNotImplemented
  330. case authTypeAnonymous:
  331. authType = "Anonymous"
  332. identity, found = iam.lookupAnonymous()
  333. if !found {
  334. r.Header.Set(s3_constants.AmzAuthType, authType)
  335. return identity, s3err.ErrAccessDenied
  336. }
  337. default:
  338. return identity, s3err.ErrNotImplemented
  339. }
  341. if len(authType) > 0 {
  342. r.Header.Set(s3_constants.AmzAuthType, authType)
  343. }
  345. glog.V(3).Infof("auth error: %v", s3Err)
  346. if s3Err != s3err.ErrNone {
  347. return identity, s3Err
  348. }
  349. return identity, s3err.ErrNone
  350. }
  352. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  353. if identity.isAdmin() {
  354. return true
  355. }
  356. for _, a := range identity.Actions {
  357. if a == action {
  358. return true
  359. }
  360. }
  361. if bucket == "" {
  362. return false
  363. }
  364. target := string(action) + ":" + bucket + objectKey
  365. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  366. limitedByBucket := string(action) + ":" + bucket
  367. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  368. for _, a := range identity.Actions {
  369. act := string(a)
  370. if strings.HasSuffix(act, "*") {
  371. if strings.HasPrefix(target, act[:len(act)-1]) {
  372. return true
  373. }
  374. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  375. return true
  376. }
  377. } else {
  378. if act == limitedByBucket {
  379. return true
  380. }
  381. if act == adminLimitedByBucket {
  382. return true
  383. }
  384. }
  385. }
  386. return false
  387. }
  389. func (identity *Identity) isAdmin() bool {
  390. for _, a := range identity.Actions {
  391. if a == "Admin" {
  392. return true
  393. }
  394. }
  395. return false
  396. }