Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8920 Commits
33 Branches
301 Tags
191 MiB
Tree: ebe1e39e7d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ebe1e39e7d'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

109 lines
3.3 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
add ownership rest apis (#3765)
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
add acl support for `PutObjectAcl`
2 years ago
fix parent path Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl support for `PutObjectAcl`
2 years ago
  1. package s3api
  3. import (
  4. "github.com/seaweedfs/seaweedfs/weed/glog"
  5. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  6. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  10. "github.com/seaweedfs/seaweedfs/weed/util"
  11. "net/http"
  12. "path/filepath"
  13. )
  15. func getAccountId(r *http.Request) string {
  16. id := r.Header.Get(s3_constants.AmzAccountId)
  17. if len(id) == 0 {
  18. return s3account.AccountAnonymous.Id
  19. } else {
  20. return id
  21. }
  22. }
  24. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  25. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  26. if errCode != s3err.ErrNone {
  27. return errCode
  28. }
  29. accountId := getAccountId(r)
  30. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  31. return s3err.ErrNone
  32. }
  33. return s3err.ErrAccessDenied
  34. }
  36. // Check ObjectAcl-Write related access
  37. // includes:
  38. // - PutObjectAclHandler
  39. func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(accountId, bucket, object string) (bucketMetadata *BucketMetaData, objectEntry *filer_pb.Entry, objectOwner string, errCode s3err.ErrorCode) {
  40. bucketMetadata, errCode = s3a.bucketRegistry.GetBucketMetadata(bucket)
  41. if errCode != s3err.ErrNone {
  42. return nil, nil, "", errCode
  43. }
  45. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  46. return nil, nil, "", s3err.AccessControlListNotSupported
  47. }
  49. //bucket acl
  50. bucketAclAllowed := false
  51. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
  52. if accountId == *bucketMetadata.Owner.ID {
  53. bucketAclAllowed = true
  54. } else if bucketMetadata.Acl != nil {
  55. bucketLoop:
  56. for _, bucketGrant := range bucketMetadata.Acl {
  57. for _, requiredGrant := range reqGrants {
  58. if s3acl.GrantEquals(bucketGrant, requiredGrant) {
  59. bucketAclAllowed = true
  60. break bucketLoop
  61. }
  62. }
  63. }
  64. }
  65. if !bucketAclAllowed {
  66. return nil, nil, "", s3err.ErrAccessDenied
  67. }
  69. //object acl
  70. objectEntry, err := getObjectEntry(s3a, bucket, object)
  71. if err != nil {
  72. if err == filer_pb.ErrNotFound {
  73. return nil, nil, "", s3err.ErrNoSuchKey
  74. }
  75. return nil, nil, "", s3err.ErrInternalError
  76. }
  78. if objectEntry.IsDirectory {
  79. return nil, nil, "", s3err.ErrExistingObjectIsDirectory
  80. }
  82. objectOwner = s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
  83. if accountId == objectOwner {
  84. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  85. }
  87. objectGrants := s3acl.GetAcpGrants(objectEntry.Extended)
  88. if objectGrants != nil {
  89. for _, objectGrant := range objectGrants {
  90. for _, requiredGrant := range reqGrants {
  91. if s3acl.GrantEquals(objectGrant, requiredGrant) {
  92. return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
  93. }
  94. }
  95. }
  96. }
  98. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  99. return nil, nil, "", s3err.ErrAccessDenied
  100. }
  102. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  103. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  104. }
  106. func updateObjectEntry(s3a *S3ApiServer, bucket, object string, entry *filer_pb.Entry) error {
  107. dir, _ := filepath.Split(object)
  108. return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket, dir), entry)
  109. }