From 12a1a131c97524c8ab4b2328f13730a28ee62f98 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 14 Jan 2026 13:06:27 -0800
Subject: [PATCH] s3api: allow-all default when no credentials are configured (#8027)
* s3api: allow-all default for weed mini and handle dynamic credential updates
* s3api: refactor authentication initialization for clarity
* s3api: reduce lock contention in NewIdentityAccessManagementWithStore
* s3api: reduce lock contention and enforce one-way auth in replaceS3ApiConfiguration
* s3api: reduce lock contention in mergeS3ApiConfiguration
* s3api: simplify auth initialization and remove redundant variables
---
 weed/s3api/auth_credentials.go | 45 +++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index ba9560d0a..c21ec94fa 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -280,6 +280,27 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
 iam.m.Unlock()
 }
+ // Determine whether to enable S3 authentication based on configuration
+ // For "weed mini" without any S3 config, default to allowing all access (isAuthEnabled = false)
+ // If any credentials are configured (via file, filer, or env vars), enable authentication
+ iam.m.Lock()
+ iam.isAuthEnabled = len(iam.identities) > 0
+ iam.m.Unlock()
+
+ if iam.isAuthEnabled {
+ // Credentials were configured - enable authentication
+ glog.V(0).Infof("S3 authentication enabled (%d identities configured)", len(iam.identities))
+ } else {
+ // No credentials configured
+ if startConfigFile != "" {
+ // Config file was specified but contained no identities - this is unusual, log a warning
+ glog.Warningf("S3 config file %s specified but no identities loaded - authentication disabled", startConfigFile)
+ } else {
+ // No config file and no identities - this is the normal allow-all case
+ glog.V(0).Infof("S3 authentication disabled - no credentials configured (allowing all access)")
+ }
+ }
+
+
 return iam
 }
@@ -457,11 +478,19 @@ func (iam *IdentityAccessManagement) replaceS3ApiConfiguration(config *iam_pb.S3
 iam.emailAccount = emailAccount
 iam.accessKeyIdent = accessKeyIdent
 iam.nameToIdentity = nameToIdentity
- if !iam.isAuthEnabled { // one-directional, no toggling
- iam.isAuthEnabled = len(identities) > 0
+ // Update authentication state based on whether identities exist
+ // Once enabled, keep it enabled (one-way toggle)
+ authJustEnabled := false
+ if !iam.isAuthEnabled && len(identities) > 0 {
+ iam.isAuthEnabled = true
+ authJustEnabled = true
 }
 iam.m.Unlock()
+ if authJustEnabled {
+ glog.V(0).Infof("S3 authentication enabled - credentials were added dynamically")
+ }
+
 // Log configuration summary
 glog.V(1).Infof("Loaded %d identities, %d accounts, %d access keys. Auth enabled: %v", len(identities), len(accounts), len(accessKeyIdent), iam.isAuthEnabled)
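Review bot: In the NewIdentityAccessManagementWithStore hunk, the `startConfigFile != ""` branch fails open: an operator who pointed the server at a config file gets allow-all access if that file yields zero identities, with only a warning in the log. Specifying a file signals that authentication was intended, so this case should stay closed, for example `iam.isAuthEnabled = len(iam.identities) > 0 || startConfigFile != ""`, or be returned to the caller as a startup error. How a failed or partial load of the file is handled is decided earlier in the function, outside this hunk, so it is worth confirming that such a load cannot also end up in this branch. The reads of `iam.isAuthEnabled` and `len(iam.identities)` after `iam.m.Unlock()` are unguarded as well; copying both into locals while the lock is held keeps the log consistent with the state that was set.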
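Review bot: The enable-once block in the replaceS3ApiConfiguration hunk is repeated line for line in the mergeS3ApiConfiguration hunk, so the rule that decides when the S3 API stops allowing all access now lives in two places that can drift apart. A small method called with the lock held, e.g. `authJustEnabled := iam.enableAuthLocked(len(identities))`, would keep the one-way transition and its log message in one spot (the helper name is a suggestion, not existing code). The summary log on the context line after the unlock still reads `iam.isAuthEnabled` without the mutex; capturing `authEnabled := iam.isAuthEnabled` before `iam.m.Unlock()` and logging that local avoids the unguarded read. Both functions start and end outside their hunks.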
@@ -673,11 +702,19 @@ func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3Ap
 iam.emailAccount = emailAccount
 iam.accessKeyIdent = accessKeyIdent
 iam.nameToIdentity = nameToIdentity
- if !iam.isAuthEnabled {
- iam.isAuthEnabled = len(identities) > 0
+ // Update authentication state based on whether identities exist
+ // Once enabled, keep it enabled (one-way toggle)
+ authJustEnabled := false
+ if !iam.isAuthEnabled && len(identities) > 0 {
+ iam.isAuthEnabled = true
+ authJustEnabled = true
 }
 iam.m.Unlock()
+ if authJustEnabled {
+ glog.V(0).Infof("S3 authentication enabled - credentials were added dynamically")
+ }
+
 // Log configuration summary
 staticCount := len(staticNames)
 dynamicCount := len(identities) - staticCount