Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4712 Commits
32 Branches
298 Tags
167 MiB
Tree: eed87791b7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'eed87791b7'
${ noResults }
seaweedfs/weed/s3api/auth_credentials.go

246 lines
6.2 KiB
Raw Normal View History

support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
s3: Added support for "List" action in weed s3 -config=... in the config file. fix https://github.com/chrislusf/seaweedfs/issues/1511
4 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
add v2 support
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
new pkg s3iam
4 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
refactoring
4 years ago
s3: subscribe to s3.configure changes
4 years ago
refactoring
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
adjust logging
4 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
new pkg s3iam
4 years ago
s3: subscribe to s3.configure changes
4 years ago
new pkg s3iam
4 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
s3: subscribe to s3.configure changes
4 years ago
support acl
5 years ago
refactoring
5 years ago
support acl
5 years ago
refactoring
5 years ago
support acl
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
fix s3api auth bug
5 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
enable admin to access all buckets
4 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
refactoring
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
support acl
5 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(*conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(*Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390
5 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
Add bucket owner attr.
4 years ago
S3: configurable access for anonymous user fix https://github.com/chrislusf/seaweedfs/issues/1413
5 years ago
s3: deny anonymous type
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
add v2 support
5 years ago
refactoring
4 years ago
Add bucket owner attr.
4 years ago
add v2 support
5 years ago
refactor
5 years ago
s3: access control limited by bucket
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
Add bucket owner attr.
4 years ago
support acl
5 years ago
s3: access control limited by bucket
5 years ago
enable admin to access all buckets
4 years ago
s3: access control limited by bucket
5 years ago
support acl
5 years ago
enable admin to access all buckets
4 years ago
  1. package s3api
  3. import (
  4. "fmt"
  5. "github.com/chrislusf/seaweedfs/weed/filer"
  6. "io/ioutil"
  7. "net/http"
  9. "github.com/chrislusf/seaweedfs/weed/glog"
  10. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  11. xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
  12. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  13. )
  15. type Action string
  17. const (
  18. ACTION_READ = "Read"
  19. ACTION_WRITE = "Write"
  20. ACTION_ADMIN = "Admin"
  21. ACTION_TAGGING = "Tagging"
  22. ACTION_LIST = "List"
  23. )
  25. type Iam interface {
  26. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  27. }
  29. type IdentityAccessManagement struct {
  30. identities []*Identity
  31. domain string
  32. }
  34. type Identity struct {
  35. Name string
  36. Credentials []*Credential
  37. Actions []Action
  38. }
  40. type Credential struct {
  41. AccessKey string
  42. SecretKey string
  43. }
  45. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  46. iam := &IdentityAccessManagement{
  47. domain: option.DomainName,
  48. }
  49. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  50. glog.Warningf("fail to load config: %v", err)
  51. }
  52. if len(iam.identities) == 0 && option.Config != "" {
  53. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  54. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  55. }
  56. }
  57. return iam
  58. }
  60. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
  61. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  62. content, err := filer.ReadContent(option.Filer, filer.IamConfigDirecotry, filer.IamIdentityFile)
  63. if err != nil {
  64. return fmt.Errorf("read S3 config: %v", err)
  65. }
  66. if err = filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  67. return fmt.Errorf("parse S3 config: %v", err)
  68. }
  69. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  70. return fmt.Errorf("laod S3 config: %v", err)
  71. }
  72. glog.V(0).Infof("loaded %d s3 identities", len(iam.identities))
  73. return nil
  74. }
  76. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  77. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  78. rawData, readErr := ioutil.ReadFile(fileName)
  79. if readErr != nil {
  80. glog.Warningf("fail to read %s : %v", fileName, readErr)
  81. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  82. }
  84. glog.V(1).Infof("load s3 config: %v", fileName)
  85. if err := filer.ParseS3ConfigurationFromBytes(rawData, s3ApiConfiguration); err != nil {
  86. glog.Warningf("unmarshal error: %v", err)
  87. return fmt.Errorf("unmarshal %s error: %v", fileName, err)
  88. }
  89. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  90. return err
  91. }
  92. return nil
  93. }
  95. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  96. var identities []*Identity
  97. for _, ident := range config.Identities {
  98. t := &Identity{
  99. Name: ident.Name,
  100. Credentials: nil,
  101. Actions: nil,
  102. }
  103. for _, action := range ident.Actions {
  104. t.Actions = append(t.Actions, Action(action))
  105. }
  106. for _, cred := range ident.Credentials {
  107. t.Credentials = append(t.Credentials, &Credential{
  108. AccessKey: cred.AccessKey,
  109. SecretKey: cred.SecretKey,
  110. })
  111. }
  112. identities = append(identities, t)
  113. }
  115. // atomically switch
  116. iam.identities = identities
  117. return nil
  118. }
  120. func (iam *IdentityAccessManagement) isEnabled() bool {
  122. return len(iam.identities) > 0
  123. }
  125. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  127. for _, ident := range iam.identities {
  128. for _, cred := range ident.Credentials {
  129. if cred.AccessKey == accessKey {
  130. return ident, cred, true
  131. }
  132. }
  133. }
  134. return nil, nil, false
  135. }
  137. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  139. for _, ident := range iam.identities {
  140. if ident.Name == "anonymous" {
  141. return ident, true
  142. }
  143. }
  144. return nil, false
  145. }
  147. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  149. if !iam.isEnabled() {
  150. return f
  151. }
  153. return func(w http.ResponseWriter, r *http.Request) {
  154. identity, errCode := iam.authRequest(r, action)
  155. if errCode == s3err.ErrNone {
  156. if identity != nil && identity.Name != "" {
  157. r.Header.Set(xhttp.AmzIdentityId, identity.Name)
  158. if identity.isAdmin() {
  159. r.Header.Set(xhttp.AmzIsAdmin, "true")
  160. }
  161. }
  162. f(w, r)
  163. return
  164. }
  165. writeErrorResponse(w, errCode, r.URL)
  166. }
  167. }
  169. // check whether the request has valid access keys
  170. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  171. var identity *Identity
  172. var s3Err s3err.ErrorCode
  173. var found bool
  174. switch getRequestAuthType(r) {
  175. case authTypeStreamingSigned:
  176. return identity, s3err.ErrNone
  177. case authTypeUnknown:
  178. glog.V(3).Infof("unknown auth type")
  179. return identity, s3err.ErrAccessDenied
  180. case authTypePresignedV2, authTypeSignedV2:
  181. glog.V(3).Infof("v2 auth type")
  182. identity, s3Err = iam.isReqAuthenticatedV2(r)
  183. case authTypeSigned, authTypePresigned:
  184. glog.V(3).Infof("v4 auth type")
  185. identity, s3Err = iam.reqSignatureV4Verify(r)
  186. case authTypePostPolicy:
  187. glog.V(3).Infof("post policy auth type")
  188. return identity, s3err.ErrNone
  189. case authTypeJWT:
  190. glog.V(3).Infof("jwt auth type")
  191. return identity, s3err.ErrNotImplemented
  192. case authTypeAnonymous:
  193. identity, found = iam.lookupAnonymous()
  194. if !found {
  195. return identity, s3err.ErrAccessDenied
  196. }
  197. default:
  198. return identity, s3err.ErrNotImplemented
  199. }
  201. glog.V(3).Infof("auth error: %v", s3Err)
  202. if s3Err != s3err.ErrNone {
  203. return identity, s3Err
  204. }
  206. glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
  208. bucket, _ := getBucketAndObject(r)
  210. if !identity.canDo(action, bucket) {
  211. return identity, s3err.ErrAccessDenied
  212. }
  214. return identity, s3err.ErrNone
  216. }
  218. func (identity *Identity) canDo(action Action, bucket string) bool {
  219. if identity.isAdmin() {
  220. return true
  221. }
  222. for _, a := range identity.Actions {
  223. if a == action {
  224. return true
  225. }
  226. }
  227. if bucket == "" {
  228. return false
  229. }
  230. limitedByBucket := string(action) + ":" + bucket
  231. for _, a := range identity.Actions {
  232. if string(a) == limitedByBucket {
  233. return true
  234. }
  235. }
  236. return false
  237. }
  239. func (identity *Identity) isAdmin() bool {
  240. for _, a := range identity.Actions {
  241. if a == "Admin" {
  242. return true
  243. }
  244. }
  245. return false
  246. }