Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9634 Commits
37 Branches
296 Tags
161 MiB
Tree: e3a7c503c3
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e3a7c503c3'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

398 lines
11 KiB
Raw Normal View History

support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
s3: fix potencial iam identities data race
3 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
move to https://github.com/seaweedfs/seaweedfs
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
s3: fix potencial iam identities data race
3 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
Clean up old signature hash pools
1 year ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
AclHandlers
3 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
Clean up old signature hash pools
1 year ago
add v2 support
5 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
s3: use static configuration by default So that users can still use the previous configuration files. If leave it empty, s3 will try to use the version from filer
4 years ago
support acl
5 years ago
s3 config read via grpc
4 years ago
grpc connection to filer add sw-client-id header
2 years ago
refactor: `Directory` readability (#3665)
2 years ago
s3 config read via grpc
4 years ago
refactoring
4 years ago
s3: add grpc server to accept configuration changes
3 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
s3: add grpc server to accept configuration changes
3 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
save /etc/iam/identity.json inside filer store
4 years ago
support acl
5 years ago
supplement check duplicate accesskey
2 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
s3: fix potencial iam identities data race
3 years ago
s3: subscribe to s3.configure changes
4 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
s3: fix potencial iam identities data race
3 years ago
support acl
5 years ago
refactoring
5 years ago
s3: keep auth enabled in case identities are set to empty fix https://github.com/chrislusf/seaweedfs/issues/3084
3 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
support acl
5 years ago
adjust logs
3 years ago
support acl
5 years ago
log unknown access key
3 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: add RWMutex to iam, use RLock for concurrent reading
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
add ownership rest apis (#3765)
2 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix: When there is no access permission configured before startup, the authentication does not take effect after configuring the permission after startup
3 years ago
Add bucket owner attr.
4 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
3 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: fix regression fix https://github.com/chrislusf/seaweedfs/issues/1707
4 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
s3: support config action Admin:bucket
4 years ago
logging
4 years ago
s3: support config action Admin:bucket
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
s3: support config action Admin:bucket
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
s3: support config action Admin:bucket
4 years ago
add ownership rest apis (#3765)
2 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
audit log SignatureVersion
3 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
move s3 related constants from package http to s3_constants
3 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
4 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
audit log SignatureVersion
3 years ago
move s3 related constants from package http to s3_constants
3 years ago
audit log SignatureVersion
3 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
fix auth permission checking
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
s3: access control limited by bucket
5 years ago
s3: support config action Admin:bucket
4 years ago
s3: access control limited by bucket
5 years ago
auth use bucket wild cards
4 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
auth use bucket wild cards
4 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
auth use bucket wild cards
4 years ago
s3: support config action Admin:bucket
4 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "net/http"
  6. "os"
  7. "strings"
  8. "sync"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  12. "github.com/seaweedfs/seaweedfs/weed/filer"
  13. "github.com/seaweedfs/seaweedfs/weed/glog"
  14. "github.com/seaweedfs/seaweedfs/weed/pb"
  15. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  16. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  17. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  18. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  19. )
  21. var IdentityAnonymous *Identity
  23. type Action string
  25. type Iam interface {
  26. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  27. }
  29. type IdentityAccessManagement struct {
  30. m sync.RWMutex
  32. identities []*Identity
  33. isAuthEnabled bool
  34. domain string
  35. hashes map[string]*sync.Pool
  36. hashCounters map[string]*int32
  37. hashMu sync.RWMutex
  38. }
  40. type Identity struct {
  41. Name string
  42. AccountId string
  43. Credentials []*Credential
  44. Actions []Action
  45. }
  47. func (i *Identity) isAnonymous() bool {
  48. return i.Name == s3account.AccountAnonymous.Name
  49. }
  51. type Credential struct {
  52. AccessKey string
  53. SecretKey string
  54. }
  56. func (action Action) isAdmin() bool {
  57. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  58. }
  60. func (action Action) isOwner(bucket string) bool {
  61. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  62. }
  64. func (action Action) overBucket(bucket string) bool {
  65. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  66. }
  68. func (action Action) getPermission() Permission {
  69. switch act := strings.Split(string(action), ":")[0]; act {
  70. case s3_constants.ACTION_ADMIN:
  71. return Permission("FULL_CONTROL")
  72. case s3_constants.ACTION_WRITE:
  73. return Permission("WRITE")
  74. case s3_constants.ACTION_READ:
  75. return Permission("READ")
  76. default:
  77. return Permission("")
  78. }
  79. }
  81. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  82. iam := &IdentityAccessManagement{
  83. domain: option.DomainName,
  84. hashes: make(map[string]*sync.Pool),
  85. hashCounters: make(map[string]*int32),
  86. }
  87. if option.Config != "" {
  88. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  89. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  90. }
  91. } else {
  92. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  93. glog.Warningf("fail to load config: %v", err)
  94. }
  95. }
  96. return iam
  97. }
  99. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  100. var content []byte
  101. err = pb.WithFilerClient(false, 0, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  102. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
  103. return err
  104. })
  105. if err != nil {
  106. return fmt.Errorf("read S3 config: %v", err)
  107. }
  108. return iam.LoadS3ApiConfigurationFromBytes(content)
  109. }
  111. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  112. content, readErr := os.ReadFile(fileName)
  113. if readErr != nil {
  114. glog.Warningf("fail to read %s : %v", fileName, readErr)
  115. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  116. }
  117. return iam.LoadS3ApiConfigurationFromBytes(content)
  118. }
  120. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  121. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  122. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  123. glog.Warningf("unmarshal error: %v", err)
  124. return fmt.Errorf("unmarshal error: %v", err)
  125. }
  127. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  128. return err
  129. }
  131. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  132. return err
  133. }
  134. return nil
  135. }
  137. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  138. var identities []*Identity
  139. for _, ident := range config.Identities {
  140. t := &Identity{
  141. Name: ident.Name,
  142. AccountId: s3account.AccountAdmin.Id,
  143. Credentials: nil,
  144. Actions: nil,
  145. }
  147. if ident.Name == s3account.AccountAnonymous.Name {
  148. if ident.AccountId != "" && ident.AccountId != s3account.AccountAnonymous.Id {
  149. glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
  150. }
  151. t.AccountId = s3account.AccountAnonymous.Id
  152. IdentityAnonymous = t
  153. } else {
  154. if len(ident.AccountId) > 0 {
  155. t.AccountId = ident.AccountId
  156. }
  157. }
  159. for _, action := range ident.Actions {
  160. t.Actions = append(t.Actions, Action(action))
  161. }
  162. for _, cred := range ident.Credentials {
  163. t.Credentials = append(t.Credentials, &Credential{
  164. AccessKey: cred.AccessKey,
  165. SecretKey: cred.SecretKey,
  166. })
  167. }
  168. identities = append(identities, t)
  169. }
  171. if IdentityAnonymous == nil {
  172. IdentityAnonymous = &Identity{
  173. Name: s3account.AccountAnonymous.Name,
  174. AccountId: s3account.AccountAnonymous.Id,
  175. }
  176. }
  177. iam.m.Lock()
  178. // atomically switch
  179. iam.identities = identities
  180. if !iam.isAuthEnabled { // one-directional, no toggling
  181. iam.isAuthEnabled = len(identities) > 0
  182. }
  183. iam.m.Unlock()
  184. return nil
  185. }
  187. func (iam *IdentityAccessManagement) isEnabled() bool {
  188. return iam.isAuthEnabled
  189. }
  191. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  193. iam.m.RLock()
  194. defer iam.m.RUnlock()
  195. for _, ident := range iam.identities {
  196. for _, cred := range ident.Credentials {
  197. // println("checking", ident.Name, cred.AccessKey)
  198. if cred.AccessKey == accessKey {
  199. return ident, cred, true
  200. }
  201. }
  202. }
  203. glog.V(1).Infof("could not find accessKey %s", accessKey)
  204. return nil, nil, false
  205. }
  207. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  208. iam.m.RLock()
  209. defer iam.m.RUnlock()
  210. for _, ident := range iam.identities {
  211. if ident.isAnonymous() {
  212. return ident, true
  213. }
  214. }
  215. return nil, false
  216. }
  218. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  219. return func(w http.ResponseWriter, r *http.Request) {
  220. if !iam.isEnabled() {
  221. f(w, r)
  222. return
  223. }
  225. identity, errCode := iam.authRequest(r, action)
  226. if errCode == s3err.ErrNone {
  227. if identity != nil && identity.Name != "" {
  228. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  229. if identity.isAdmin() {
  230. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  231. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  232. r.Header.Del(s3_constants.AmzIsAdmin)
  233. }
  234. }
  235. f(w, r)
  236. return
  237. }
  238. s3err.WriteErrorResponse(w, r, errCode)
  239. }
  240. }
  242. // check whether the request has valid access keys
  243. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  244. var identity *Identity
  245. var s3Err s3err.ErrorCode
  246. var found bool
  247. var authType string
  248. switch getRequestAuthType(r) {
  249. case authTypeStreamingSigned:
  250. return identity, s3err.ErrNone
  251. case authTypeUnknown:
  252. glog.V(3).Infof("unknown auth type")
  253. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  254. return identity, s3err.ErrAccessDenied
  255. case authTypePresignedV2, authTypeSignedV2:
  256. glog.V(3).Infof("v2 auth type")
  257. identity, s3Err = iam.isReqAuthenticatedV2(r)
  258. authType = "SigV2"
  259. case authTypeSigned, authTypePresigned:
  260. glog.V(3).Infof("v4 auth type")
  261. identity, s3Err = iam.reqSignatureV4Verify(r)
  262. authType = "SigV4"
  263. case authTypePostPolicy:
  264. glog.V(3).Infof("post policy auth type")
  265. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  266. return identity, s3err.ErrNone
  267. case authTypeJWT:
  268. glog.V(3).Infof("jwt auth type")
  269. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  270. return identity, s3err.ErrNotImplemented
  271. case authTypeAnonymous:
  272. authType = "Anonymous"
  273. identity, found = iam.lookupAnonymous()
  274. if !found {
  275. r.Header.Set(s3_constants.AmzAuthType, authType)
  276. return identity, s3err.ErrAccessDenied
  277. }
  278. default:
  279. return identity, s3err.ErrNotImplemented
  280. }
  282. if len(authType) > 0 {
  283. r.Header.Set(s3_constants.AmzAuthType, authType)
  284. }
  285. if s3Err != s3err.ErrNone {
  286. return identity, s3Err
  287. }
  289. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  291. bucket, object := s3_constants.GetBucketAndObject(r)
  293. if !identity.canDo(action, bucket, object) {
  294. return identity, s3err.ErrAccessDenied
  295. }
  297. if !identity.isAnonymous() {
  298. r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
  299. }
  300. return identity, s3err.ErrNone
  302. }
  304. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  305. var identity *Identity
  306. var s3Err s3err.ErrorCode
  307. var found bool
  308. var authType string
  309. switch getRequestAuthType(r) {
  310. case authTypeStreamingSigned:
  311. return identity, s3err.ErrNone
  312. case authTypeUnknown:
  313. glog.V(3).Infof("unknown auth type")
  314. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  315. return identity, s3err.ErrAccessDenied
  316. case authTypePresignedV2, authTypeSignedV2:
  317. glog.V(3).Infof("v2 auth type")
  318. identity, s3Err = iam.isReqAuthenticatedV2(r)
  319. authType = "SigV2"
  320. case authTypeSigned, authTypePresigned:
  321. glog.V(3).Infof("v4 auth type")
  322. identity, s3Err = iam.reqSignatureV4Verify(r)
  323. authType = "SigV4"
  324. case authTypePostPolicy:
  325. glog.V(3).Infof("post policy auth type")
  326. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  327. return identity, s3err.ErrNone
  328. case authTypeJWT:
  329. glog.V(3).Infof("jwt auth type")
  330. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  331. return identity, s3err.ErrNotImplemented
  332. case authTypeAnonymous:
  333. authType = "Anonymous"
  334. identity, found = iam.lookupAnonymous()
  335. if !found {
  336. r.Header.Set(s3_constants.AmzAuthType, authType)
  337. return identity, s3err.ErrAccessDenied
  338. }
  339. default:
  340. return identity, s3err.ErrNotImplemented
  341. }
  343. if len(authType) > 0 {
  344. r.Header.Set(s3_constants.AmzAuthType, authType)
  345. }
  347. glog.V(3).Infof("auth error: %v", s3Err)
  348. if s3Err != s3err.ErrNone {
  349. return identity, s3Err
  350. }
  351. return identity, s3err.ErrNone
  352. }
  354. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  355. if identity.isAdmin() {
  356. return true
  357. }
  358. for _, a := range identity.Actions {
  359. if a == action {
  360. return true
  361. }
  362. }
  363. if bucket == "" {
  364. return false
  365. }
  366. target := string(action) + ":" + bucket + objectKey
  367. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  368. limitedByBucket := string(action) + ":" + bucket
  369. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  370. for _, a := range identity.Actions {
  371. act := string(a)
  372. if strings.HasSuffix(act, "*") {
  373. if strings.HasPrefix(target, act[:len(act)-1]) {
  374. return true
  375. }
  376. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  377. return true
  378. }
  379. } else {
  380. if act == limitedByBucket {
  381. return true
  382. }
  383. if act == adminLimitedByBucket {
  384. return true
  385. }
  386. }
  387. }
  388. return false
  389. }
  391. func (identity *Identity) isAdmin() bool {
  392. for _, a := range identity.Actions {
  393. if a == "Admin" {
  394. return true
  395. }
  396. }
  397. return false
  398. }