
acl for Initializing multipart upload

Signed-off-by: changlin.shi <changlin.shi@ly.com>
pull/4090/head
changlin.shi 2 years ago
parent
commit
381b496132
  1. 22
      weed/s3api/s3api_acp.go
  2. 2
      weed/s3api/s3api_object_handlers.go
  3. 22
      weed/s3api/s3api_object_multipart_handlers.go

22
weed/s3api/s3api_acp.go

@ -33,17 +33,31 @@ func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s
return s3err.ErrAccessDenied return s3err.ErrAccessDenied
} }
// Check Object-Write related access
// CheckAccessForPutObject Check ACL for PutObject API
// includes: // includes:
// - PutObjectHandler // - PutObjectHandler
// - PutObjectPartHandler
func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object string) s3err.ErrorCode {
func (s3a *S3ApiServer) CheckAccessForPutObject(r *http.Request, bucket, object string) s3err.ErrorCode {
accountId := s3acl.GetAccountId(r)
return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
}
// CheckAccessForNewMultipartUpload Check Acl for InitiateMultipartUploadResult API
// includes:
// - NewMultipartUploadHandler
func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
accountId := s3acl.GetAccountId(r)
if accountId == IdentityAnonymous.AccountId {
return s3err.ErrAccessDenied
}
return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
}
func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object, accountId string) s3err.ErrorCode {
bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket) bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
if errCode != s3err.ErrNone { if errCode != s3err.ErrNone {
return errCode return errCode
} }
accountId := s3acl.GetAccountId(r)
if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced { if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
// validate grants (only bucketOwnerFullControl acl is allowed) // validate grants (only bucketOwnerFullControl acl is allowed)
_, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false) _, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
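Review bot: CheckAccessForNewMultipartUpload refuses every anonymous principal before the bucket's ownership or ACL is consulted, while CheckAccessForPutObject directly above it leaves that decision to checkAccessForWriteObject, so a bucket whose ACL permits public writes would accept a single PutObject but reject CreateMultipartUpload from the same caller. If that asymmetry is intended, state the reason in a comment above the early return, e.g. `// anonymous principals may not start a multipart upload: [reason — TODO fill in]`, since nothing in the hunk explains it. The doc comment also names the response type rather than the operation; `// CheckAccessForNewMultipartUpload checks the ACL for the CreateMultipartUpload API` would be accurate. checkAccessForWriteObject gained an accountId parameter without a doc comment, and its body continues past the end of the hunk.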

2
weed/s3api/s3api_object_handlers.go

@ -99,7 +99,7 @@ func (s3a *S3ApiServer) PutObjectHandler(w http.ResponseWriter, r *http.Request)
} }
defer dataReader.Close() defer dataReader.Close()
errCode := s3a.checkAccessForWriteObject(r, bucket, object)
errCode := s3a.CheckAccessForPutObject(r, bucket, object)
if errCode != s3err.ErrNone { if errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode) s3err.WriteErrorResponse(w, r, errCode)
return return

22
weed/s3api/s3api_object_multipart_handlers.go

@ -30,6 +30,13 @@ const (
func (s3a *S3ApiServer) NewMultipartUploadHandler(w http.ResponseWriter, r *http.Request) { func (s3a *S3ApiServer) NewMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
bucket, object := s3_constants.GetBucketAndObject(r) bucket, object := s3_constants.GetBucketAndObject(r)
//acl
errCode := s3a.CheckAccessForNewMultipartUpload(r, bucket, object)
if errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
createMultipartUploadInput := &s3.CreateMultipartUploadInput{ createMultipartUploadInput := &s3.CreateMultipartUploadInput{
Bucket: aws.String(bucket), Bucket: aws.String(bucket),
Key: objectKey(aws.String(object)), Key: objectKey(aws.String(object)),
@ -230,31 +237,22 @@ func (s3a *S3ApiServer) PutObjectPartHandler(w http.ResponseWriter, r *http.Requ
if s3a.iam.isEnabled() { if s3a.iam.isEnabled() {
rAuthType := getRequestAuthType(r) rAuthType := getRequestAuthType(r)
var s3ErrCode s3err.ErrorCode var s3ErrCode s3err.ErrorCode
var identity *Identity
switch rAuthType { switch rAuthType {
case authTypeStreamingSigned: case authTypeStreamingSigned:
dataReader, identity, s3ErrCode = s3a.iam.newSignV4ChunkedReader(r)
dataReader, _, s3ErrCode = s3a.iam.newSignV4ChunkedReader(r)
case authTypeSignedV2, authTypePresignedV2: case authTypeSignedV2, authTypePresignedV2:
identity, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r)
_, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r)
case authTypePresigned, authTypeSigned: case authTypePresigned, authTypeSigned:
identity, s3ErrCode = s3a.iam.reqSignatureV4Verify(r)
_, s3ErrCode = s3a.iam.reqSignatureV4Verify(r)
} }
if s3ErrCode != s3err.ErrNone { if s3ErrCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, s3ErrCode) s3err.WriteErrorResponse(w, r, s3ErrCode)
return return
} }
r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
} }
defer dataReader.Close() defer dataReader.Close()
glog.V(2).Infof("PutObjectPartHandler %s %s %04d", bucket, uploadID, partID) glog.V(2).Infof("PutObjectPartHandler %s %s %04d", bucket, uploadID, partID)
s3ErrCode := s3a.checkAccessForWriteObject(r, bucket, object)
if s3ErrCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, s3ErrCode)
return
}
uploadUrl := fmt.Sprintf("http://%s%s/%s/%04d.part", uploadUrl := fmt.Sprintf("http://%s%s/%s/%04d.part",
s3a.option.Filer.ToHttpAddress(), s3a.genUploadsFolder(bucket), uploadID, partID) s3a.option.Filer.ToHttpAddress(), s3a.genUploadsFolder(bucket), uploadID, partID)
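Review bot: PutObjectPartHandler now admits a part on signature verification alone — the per-part `checkAccessForWriteObject` block that followed the glog line is removed, together with the `identity` capture and the `r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)` that fed it — so bucket ownership and ACL are evaluated once at CreateMultipartUpload and never again for the parts, and anything downstream of this handler that reads the AmzAccountId header from the request will no longer find it set here. If the upload ID is meant to be the sole capability for subsequent parts, a comment at the point of the removed check should say so explicitly; otherwise keep a check, e.g. `if errCode := s3a.CheckAccessForPutObject(r, bucket, object); errCode != s3err.ErrNone { s3err.WriteErrorResponse(w, r, errCode); return }`, which presumably also needs the identity and header lines restored, since `s3acl.GetAccountId(r)` appears to resolve the caller from the request. PutObjectPartHandler starts before this hunk and its body continues past it.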
