diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 2b7666345..02138af8d 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -3,10 +3,11 @@ package s3api import ( "bytes" "fmt" - "github.com/chrislusf/seaweedfs/weed/s3api/s3err" "io/ioutil" "net/http" + xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http" + "github.com/chrislusf/seaweedfs/weed/s3api/s3err" "github.com/golang/protobuf/jsonpb" "github.com/chrislusf/seaweedfs/weed/glog" @@ -127,8 +128,11 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt } return func(w http.ResponseWriter, r *http.Request) { - errCode := iam.authRequest(r, action) + identity, errCode := iam.authRequest(r, action) if errCode == s3err.ErrNone { + if identity != nil && identity.Name != "" { + r.Header.Set(xhttp.AmzIdentityId, identity.Name) + } f(w, r) return } @@ -137,16 +141,16 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt } // check whether the request has valid access keys -func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) s3err.ErrorCode { +func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) { var identity *Identity var s3Err s3err.ErrorCode var found bool switch getRequestAuthType(r) { case authTypeStreamingSigned: - return s3err.ErrNone + return identity, s3err.ErrNone case authTypeUnknown: glog.V(3).Infof("unknown auth type") - return s3err.ErrAccessDenied + return identity, s3err.ErrAccessDenied case authTypePresignedV2, authTypeSignedV2: glog.V(3).Infof("v2 auth type") identity, s3Err = iam.isReqAuthenticatedV2(r) @@ -155,22 +159,22 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) identity, s3Err = iam.reqSignatureV4Verify(r) case authTypePostPolicy: glog.V(3).Infof("post policy auth type") - return s3err.ErrNone + return identity, s3err.ErrNone case authTypeJWT: glog.V(3).Infof("jwt auth type") - return s3err.ErrNotImplemented + return identity, s3err.ErrNotImplemented case authTypeAnonymous: identity, found = iam.lookupAnonymous() if !found { - return s3err.ErrAccessDenied + return identity, s3err.ErrAccessDenied } default: - return s3err.ErrNotImplemented + return identity, s3err.ErrNotImplemented } glog.V(3).Infof("auth error: %v", s3Err) if s3Err != s3err.ErrNone { - return s3Err + return identity, s3Err } glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions) @@ -178,10 +182,10 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) bucket, _ := getBucketAndObject(r) if !identity.canDo(action, bucket) { - return s3err.ErrAccessDenied + return identity, s3err.ErrAccessDenied } - return s3err.ErrNone + return identity, s3err.ErrNone } diff --git a/weed/s3api/http/header.go b/weed/s3api/http/header.go index 2802b560f..cdd383c84 100644 --- a/weed/s3api/http/header.go +++ b/weed/s3api/http/header.go @@ -28,3 +28,8 @@ const ( AmzObjectTagging = "X-Amz-Tagging" AmzTagCount = "x-amz-tagging-count" ) + +// Non-Standard S3 HTTP request constants +const ( + AmzIdentityId = "x-amz-identity-id" +) diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index ab48b19c1..bd3d7fd58 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -4,11 +4,13 @@ import ( "context" "encoding/xml" "fmt" - "github.com/chrislusf/seaweedfs/weed/s3api/s3err" "math" "net/http" "time" + xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http" + "github.com/chrislusf/seaweedfs/weed/s3api/s3err" + "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/s3" @@ -33,9 +35,16 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques return } + identityId := r.Header.Get(xhttp.AmzIdentityId) + var buckets []*s3.Bucket for _, entry := range entries { if entry.IsDirectory { + if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok { + if identityId != string(id) { + continue + } + } buckets = append(buckets, &s3.Bucket{ Name: aws.String(entry.Name), CreationDate: aws.Time(time.Unix(entry.Attributes.Crtime, 0).UTC()), @@ -45,8 +54,8 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques response = ListAllMyBucketsResult{ Owner: &s3.Owner{ - ID: aws.String(""), - DisplayName: aws.String(""), + ID: aws.String(identityId), + DisplayName: aws.String(identityId), }, Buckets: buckets, } @@ -80,13 +89,25 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request) writeErrorResponse(w, s3err.ErrInternalError, r.URL) return } + if exist, err := s3a.exists(s3a.option.BucketsPath, bucket, true); err == nil && exist { + errCode = s3err.ErrBucketAlreadyExists + } if errCode != s3err.ErrNone { writeErrorResponse(w, errCode, r.URL) return } + fn := func(entry *filer_pb.Entry) { + if identityId := r.Header.Get(xhttp.AmzIdentityId); identityId != "" { + if entry.Extended == nil { + entry.Extended = make(map[string][]byte) + } + entry.Extended[xhttp.AmzIdentityId] = []byte(identityId) + } + } + // create the folder for bucket, but lazily create actual collection - if err := s3a.mkdir(s3a.option.BucketsPath, bucket, nil); err != nil { + if err := s3a.mkdir(s3a.option.BucketsPath, bucket, fn); err != nil { glog.Errorf("PutBucketHandler mkdir: %v", err) writeErrorResponse(w, s3err.ErrInternalError, r.URL) return