Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8934 Commits
32 Branches
300 Tags
174 MiB
Tree: ff6fabc000
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff6fabc000'
${ noResults }
seaweedfs/weed/s3api/s3api_acp.go

174 lines
5.1 KiB
Raw Normal View History

add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `GetObjectAclHandler`
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
change s3_account.go package to avoid cycle dependency (#3813)
2 years ago
add ownership rest apis (#3765)
2 years ago
implement `PutBucketAclHandler` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '3_bucket_read' # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 bucket read api
2 years ago
Merge branch '7_object_read_acl' into 10_acl_merged # Conflicts: # weed/s3api/s3api_acp.go
2 years ago
implement `GetObjectAclHandler`
2 years ago
  1. package s3api
  3. import (
  4. "github.com/seaweedfs/seaweedfs/weed/glog"
  5. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  6. "github.com/aws/aws-sdk-go/service/s3"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "github.com/seaweedfs/seaweedfs/weed/util"
  12. "net/http"
  13. )
  15. func getAccountId(r *http.Request) string {
  16. id := r.Header.Get(s3_constants.AmzAccountId)
  17. if len(id) == 0 {
  18. return s3account.AccountAnonymous.Id
  19. } else {
  20. return id
  21. }
  22. }
  24. func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s3err.ErrorCode {
  25. metadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  26. if errCode != s3err.ErrNone {
  27. return errCode
  28. }
  29. accountId := getAccountId(r)
  30. if accountId == s3account.AccountAdmin.Id || accountId == *metadata.Owner.ID {
  31. return s3err.ErrNone
  32. }
  33. return s3err.ErrAccessDenied
  34. }
  36. //Check access for PutBucketAclHandler
  37. func (s3a *S3ApiServer) checkAccessForPutBucketAcl(accountId, bucket string) (*BucketMetaData, s3err.ErrorCode) {
  38. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  39. if errCode != s3err.ErrNone {
  40. return nil, errCode
  41. }
  43. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  44. return nil, s3err.AccessControlListNotSupported
  45. }
  47. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  48. return bucketMetadata, s3err.ErrNone
  49. }
  51. if len(bucketMetadata.Acl) > 0 {
  52. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWriteAcp)
  53. for _, bucketGrant := range bucketMetadata.Acl {
  54. for _, reqGrant := range reqGrants {
  55. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  56. return bucketMetadata, s3err.ErrNone
  57. }
  58. }
  59. }
  60. }
  61. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  62. return nil, s3err.ErrAccessDenied
  63. }
  65. func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error {
  66. return s3a.updateEntry(s3a.option.BucketsPath, entry)
  67. }
  69. // Check Bucket/BucketAcl Read related access
  70. // includes:
  71. // - HeadBucketHandler
  72. // - GetBucketAclHandler
  73. // - ListObjectsV1Handler
  74. // - ListObjectsV2Handler
  75. func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) {
  76. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  77. if errCode != s3err.ErrNone {
  78. return nil, errCode
  79. }
  81. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  82. return bucketMetadata, s3err.ErrNone
  83. }
  85. accountId := s3acl.GetAccountId(r)
  86. if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID {
  87. return bucketMetadata, s3err.ErrNone
  88. }
  90. if len(bucketMetadata.Acl) > 0 {
  91. reqGrants := s3acl.DetermineReqGrants(accountId, aclAction)
  92. for _, bucketGrant := range bucketMetadata.Acl {
  93. for _, reqGrant := range reqGrants {
  94. if s3acl.GrantEquals(bucketGrant, reqGrant) {
  95. return bucketMetadata, s3err.ErrNone
  96. }
  97. }
  98. }
  99. }
  101. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  102. return nil, s3err.ErrAccessDenied
  103. }
  105. //Check ObjectAcl-Read related access
  106. // includes:
  107. // - GetObjectAclHandler
  108. func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, object string) (acp *s3.AccessControlPolicy, errCode s3err.ErrorCode) {
  109. bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
  110. if errCode != s3err.ErrNone {
  111. return nil, errCode
  112. }
  114. getAcpFunc := func() (*s3.AccessControlPolicy, s3err.ErrorCode) {
  115. entry, err := getObjectEntry(s3a, bucket, object)
  116. if err != nil {
  117. if err == filer_pb.ErrNotFound {
  118. return nil, s3err.ErrNoSuchKey
  119. } else {
  120. return nil, s3err.ErrInternalError
  121. }
  122. }
  124. if entry.IsDirectory {
  125. return nil, s3err.ErrExistingObjectIsDirectory
  126. }
  128. acpOwnerId := s3acl.GetAcpOwner(entry.Extended, *bucketMetadata.Owner.ID)
  129. acpOwnerName := s3a.accountManager.IdNameMapping[acpOwnerId]
  130. acpGrants := s3acl.GetAcpGrants(entry.Extended)
  131. acp = &s3.AccessControlPolicy{
  132. Owner: &s3.Owner{
  133. ID: &acpOwnerId,
  134. DisplayName: &acpOwnerName,
  135. },
  136. Grants: acpGrants,
  137. }
  138. return acp, s3err.ErrNone
  139. }
  141. if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
  142. return getAcpFunc()
  143. } else {
  144. accountId := s3acl.GetAccountId(r)
  146. acp, errCode := getAcpFunc()
  147. if errCode != s3err.ErrNone {
  148. return nil, errCode
  149. }
  151. if accountId == *acp.Owner.ID {
  152. return acp, s3err.ErrNone
  153. }
  155. //find in Grants
  156. if acp.Grants != nil {
  157. reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionReadAcp)
  158. for _, requiredGrant := range reqGrants {
  159. for _, grant := range acp.Grants {
  160. if s3acl.GrantEquals(requiredGrant, grant) {
  161. return acp, s3err.ErrNone
  162. }
  163. }
  164. }
  165. }
  167. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  168. return nil, s3err.ErrAccessDenied
  169. }
  170. }
  172. func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
  173. return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
  174. }