s3api: allow-all default when no credentials are configured (#8027)

* s3api: allow-all default for weed mini and handle dynamic credential updates * s3api: refactor authentication initialization for clarity * s3api: reduce lock contention in NewIdentityAccessManagementWithStore * s3api: reduce lock contention and enforce one-way auth in replaceS3ApiConfiguration * s3api: reduce lock contention in mergeS3ApiConfiguration * s3api: simplify auth initialization and remove redundant variables
1 day ago · 12a1a131c9
1 changed files with 41 additions and 4 deletions
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@ -280,6 +280,27 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
 		iam.m.Unlock()
 	}

+	// Determine whether to enable S3 authentication based on configuration
+	// For "weed mini" without any S3 config, default to allowing all access (isAuthEnabled = false)
+	// If any credentials are configured (via file, filer, or env vars), enable authentication
+	iam.m.Lock()
+	iam.isAuthEnabled = len(iam.identities) > 0
+	iam.m.Unlock()
+
+	if iam.isAuthEnabled {
+		// Credentials were configured - enable authentication
+		glog.V(0).Infof("S3 authentication enabled (%d identities configured)", len(iam.identities))
+	} else {
+		// No credentials configured
+		if startConfigFile != "" {
+			// Config file was specified but contained no identities - this is unusual, log a warning
+			glog.Warningf("S3 config file %s specified but no identities loaded - authentication disabled", startConfigFile)
+		} else {
+			// No config file and no identities - this is the normal allow-all case
+			glog.V(0).Infof("S3 authentication disabled - no credentials configured (allowing all access)")
+		}
+	}
+
 	return iam
 }

@ -457,11 +478,19 @@ func (iam *IdentityAccessManagement) replaceS3ApiConfiguration(config *iam_pb.S3
 	iam.emailAccount = emailAccount
 	iam.accessKeyIdent = accessKeyIdent
 	iam.nameToIdentity = nameToIdentity
-	if !iam.isAuthEnabled { // one-directional, no toggling
-		iam.isAuthEnabled = len(identities) > 0
+	// Update authentication state based on whether identities exist
+	// Once enabled, keep it enabled (one-way toggle)
+	authJustEnabled := false
+	if !iam.isAuthEnabled && len(identities) > 0 {
+		iam.isAuthEnabled = true
+		authJustEnabled = true
 	}
 	iam.m.Unlock()

+	if authJustEnabled {
+		glog.V(0).Infof("S3 authentication enabled - credentials were added dynamically")
+	}
+
 	// Log configuration summary
 	glog.V(1).Infof("Loaded %d identities, %d accounts, %d access keys. Auth enabled: %v",
 		len(identities), len(accounts), len(accessKeyIdent), iam.isAuthEnabled)
@ -673,11 +702,19 @@ func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3Ap
 	iam.emailAccount = emailAccount
 	iam.accessKeyIdent = accessKeyIdent
 	iam.nameToIdentity = nameToIdentity
-	if !iam.isAuthEnabled {
-		iam.isAuthEnabled = len(identities) > 0
+	// Update authentication state based on whether identities exist
+	// Once enabled, keep it enabled (one-way toggle)
+	authJustEnabled := false
+	if !iam.isAuthEnabled && len(identities) > 0 {
+		iam.isAuthEnabled = true
+		authJustEnabled = true
 	}
 	iam.m.Unlock()

+	if authJustEnabled {
+		glog.V(0).Infof("S3 authentication enabled - credentials were added dynamically")
+	}
+
 	// Log configuration summary
 	staticCount := len(staticNames)
 	dynamicCount := len(identities) - staticCount