
s3tables: update namespace handlers for multi-account support

Updated namespace creation to use authenticated account ID for ownership
and unified permission checks across all namespace operations to use the
correct account principal.
pull/8147/head
Chris Lu 1 month ago
parent
commit
12c1190a5c
  1. 14
      weed/s3api/s3tables/handler_namespace.go

14
weed/s3api/s3tables/handler_namespace.go

@ -22,7 +22,8 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanCreateNamespace(principal, h.accountID) {
accountID := h.getAccountID(r)
if !CanCreateNamespace(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace")
return NewAuthError("CreateNamespace", principal, "not authorized to create namespace") return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
} }
@ -86,7 +87,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
metadata := &namespaceMetadata{ metadata := &namespaceMetadata{
Namespace: req.Namespace, Namespace: req.Namespace,
CreatedAt: now, CreatedAt: now,
OwnerID: h.accountID,
OwnerID: h.getAccountID(r),
} }
metadataBytes, err := json.Marshal(metadata) metadataBytes, err := json.Marshal(metadata)
@ -133,7 +134,8 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanGetNamespace(principal, h.accountID) {
accountID := h.getAccountID(r)
if !CanGetNamespace(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details")
return NewAuthError("GetNamespace", principal, "not authorized to get namespace details") return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
} }
@ -196,7 +198,8 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanListNamespaces(principal, h.accountID) {
accountID := h.getAccountID(r)
if !CanListNamespaces(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces")
return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces") return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces")
} }
@ -330,7 +333,8 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanDeleteNamespace(principal, h.accountID) {
accountID := h.getAccountID(r)
if !CanDeleteNamespace(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace")
return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace") return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
} }
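Review bot: In handleGetNamespace, handleListNamespaces and handleDeleteNamespace the check now compares `principal` with `h.getAccountID(r)`, which comes from the same request, instead of with the owner recorded for the namespace. Neither helper is visible in these hunks, so this is inferred, but if both resolve to the caller's authenticated identity the check passes for every authenticated caller and stops separating accounts; unless the bodies outside the hunks already do so, compare against the `OwnerID` read back from `namespaceMetadata`. In handleCreateNamespace the second hunk calls the helper a second time; assuming the local from the first hunk is still in scope there, `OwnerID: accountID,` would record exactly the identity that was authorized. A doc comment on `getAccountID` stating that it returns only the authenticated account and never a client-supplied value would make the trust assumption explicit. All four function bodies start and end outside the hunks.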
