
s3: support config action Admin:bucket

ftp
Chris Lu 4 years ago
parent
commit
090f85be4b
  1. 33
      weed/s3api/auth_credentials.go
  2. 13
      weed/s3api/s3api_bucket_handlers.go
  3. 2
      weed/s3api/s3api_server.go

33
weed/s3api/auth_credentials.go

@ -3,6 +3,7 @@ package s3api
import ( import (
"fmt" "fmt"
"github.com/chrislusf/seaweedfs/weed/filer" "github.com/chrislusf/seaweedfs/weed/filer"
"github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@ -155,6 +156,24 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
// check whether the request has valid access keys // check whether the request has valid access keys
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) { func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
identity, s3Err := iam.authUser(r)
if s3Err != s3err.ErrNone {
return identity, s3Err
}
glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
bucket, _ := getBucketAndObject(r)
if !identity.canDo(action, bucket) {
return identity, s3err.ErrAccessDenied
}
return identity, s3err.ErrNone
}
func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
var identity *Identity var identity *Identity
var s3Err s3err.ErrorCode var s3Err s3err.ErrorCode
var found bool var found bool
@ -189,17 +208,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
if s3Err != s3err.ErrNone { if s3Err != s3err.ErrNone {
return identity, s3Err return identity, s3Err
} }
glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
bucket, _ := getBucketAndObject(r)
if !identity.canDo(action, bucket) {
return identity, s3err.ErrAccessDenied
}
return identity, s3err.ErrNone return identity, s3err.ErrNone
} }
func (identity *Identity) canDo(action Action, bucket string) bool { func (identity *Identity) canDo(action Action, bucket string) bool {
@ -215,10 +224,14 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
return false return false
} }
limitedByBucket := string(action) + ":" + bucket limitedByBucket := string(action) + ":" + bucket
adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
for _, a := range identity.Actions { for _, a := range identity.Actions {
if string(a) == limitedByBucket { if string(a) == limitedByBucket {
return true return true
} }
if string(a) == adminLimitedByBucket {
return true
}
} }
return false return false
} }
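Review bot: The new `authUser` helper has no doc comment, and unlike `authRequest` it returns an identity without any `canDo` check, so a caller that forgets to authorize gets authentication only. I would add above it `// authUser authenticates the request only; it performs no authorization, so callers must call identity.canDo themselves.` The body of `authUser` continues outside the hunks shown, so it cannot be confirmed here that every path returning `s3err.ErrNone` also returns a non-nil identity. `authRequest` relies on that, because it dereferences `identity.Name` right after the call.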

13
weed/s3api/s3api_bucket_handlers.go

@ -4,6 +4,7 @@ import (
"context" "context"
"encoding/xml" "encoding/xml"
"fmt" "fmt"
"github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
"math" "math"
"net/http" "net/http"
"time" "time"
@ -26,6 +27,16 @@ type ListAllMyBucketsResult struct {
func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Request) { func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Request) {
var identity *Identity
var s3Err s3err.ErrorCode
if s3a.iam.isEnabled() {
identity, s3Err = s3a.iam.authUser(r)
if s3Err != s3err.ErrNone {
writeErrorResponse(w, s3Err, r.URL)
return
}
}
var response ListAllMyBucketsResult var response ListAllMyBucketsResult
entries, _, err := s3a.list(s3a.option.BucketsPath, "", "", false, math.MaxInt32) entries, _, err := s3a.list(s3a.option.BucketsPath, "", "", false, math.MaxInt32)
@ -40,7 +51,7 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
var buckets []*s3.Bucket var buckets []*s3.Bucket
for _, entry := range entries { for _, entry := range entries {
if entry.IsDirectory { if entry.IsDirectory {
if !s3a.hasAccess(r, entry) {
if identity!=nil && !identity.canDo(s3_constants.ACTION_ADMIN, entry.Name) {
continue continue
} }
buckets = append(buckets, &s3.Bucket{ buckets = append(buckets, &s3.Bucket{
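Review bot: The bucket filter `identity!=nil && !identity.canDo(s3_constants.ACTION_ADMIN, entry.Name)` appears to replace the `s3a.hasAccess(r, entry)` check rather than add to it, and it is skipped entirely when `identity` is nil, which is the case whenever `s3a.iam.isEnabled()` is false. Judging from the `canDo` lines visible in this commit, an identity that holds only non-admin actions on a bucket would get an empty listing rather than an error; if that is intended it should be stated. I would add above the loop `// List only buckets the caller administers (Admin or Admin:<bucket>); with IAM disabled every bucket is returned.` and run gofmt so the condition reads `identity != nil`. `ListBucketsHandler` continues past the end of this hunk.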

2
weed/s3api/s3api_server.go

@ -128,7 +128,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
} }
// ListBuckets // ListBuckets
apiRouter.Methods("GET").Path("/").HandlerFunc(track(s3a.iam.Auth(s3a.ListBucketsHandler, ACTION_ADMIN), "LIST"))
apiRouter.Methods("GET").Path("/").HandlerFunc(track(s3a.ListBucketsHandler, "LIST"))
// NotFound // NotFound
apiRouter.NotFoundHandler = http.HandlerFunc(notFoundHandler) apiRouter.NotFoundHandler = http.HandlerFunc(notFoundHandler)
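Review bot: The `GET /` route that passes `s3a.ListBucketsHandler` straight to `track` has no `iam.Auth` wrapper, so authentication for ListBuckets rests solely on the `authUser` call inside the handler, and anything else `iam.Auth` does for wrapped routes (not visible here) is skipped. A comment at the registration would stop a later refactor from assuming the router enforces it: `// ListBuckets authenticates inside the handler so it can filter per bucket; deliberately not wrapped in iam.Auth.` `registerRouter` starts and ends outside this hunk.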
