Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch '5_objectWriteAcl' into 10_acl_merged 

# Conflicts:
#	weed/s3api/s3api_acp.go
#	weed/s3api/s3api_object_skip_handlers.go
#	weed/s3api/s3err/s3api_errors.go
pull/4090/head
changlin.shi 2 years ago
parent
a05785edc9 f79a3a73ee
commit
3a90a3279a
2 changed files with 107 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 80
      weed/s3api/s3api_acp.go
  2. 32
      weed/s3api/s3api_object_handlers.go

80
weed/s3api/s3api_acp.go
View File

@ -1,9 +1,9 @@
package s3api
import (
"github.com/aws/aws-sdk-go/service/s3"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
@ -169,10 +169,6 @@ func (s3a *S3ApiServer) checkAccessForReadObjectAcl(r *http.Request, bucket, obj
}
}
func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
}
// Check Object-Read related access
// includes:
// - GetObjectHandler
@ -192,3 +188,77 @@ func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket s
return s3err.ErrNone
}
// Check ObjectAcl-Write related access
// includes:
// - PutObjectAclHandler
func (s3a *S3ApiServer) checkAccessForWriteObjectAcl(accountId, bucket, object string) (bucketMetadata *BucketMetaData, objectEntry *filer_pb.Entry, objectOwner string, errCode s3err.ErrorCode) {
bucketMetadata, errCode = s3a.bucketRegistry.GetBucketMetadata(bucket)
if errCode != s3err.ErrNone {
return nil, nil, "", errCode
}
if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
return nil, nil, "", s3err.AccessControlListNotSupported
}
//bucket acl
bucketAclAllowed := false
reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
if accountId == *bucketMetadata.Owner.ID {
bucketAclAllowed = true
} else if bucketMetadata.Acl != nil {
bucketLoop:
for _, bucketGrant := range bucketMetadata.Acl {
for _, requiredGrant := range reqGrants {
if s3acl.GrantEquals(bucketGrant, requiredGrant) {
bucketAclAllowed = true
break bucketLoop
}
}
}
}
if !bucketAclAllowed {
return nil, nil, "", s3err.ErrAccessDenied
}
//object acl
objectEntry, err := getObjectEntry(s3a, bucket, object)
if err != nil {
if err == filer_pb.ErrNotFound {
return nil, nil, "", s3err.ErrNoSuchKey
}
return nil, nil, "", s3err.ErrInternalError
}
if objectEntry.IsDirectory {
return nil, nil, "", s3err.ErrExistingObjectIsDirectory
}
objectOwner = s3acl.GetAcpOwner(objectEntry.Extended, *bucketMetadata.Owner.ID)
if accountId == objectOwner {
return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
}
objectGrants := s3acl.GetAcpGrants(objectEntry.Extended)
if objectGrants != nil {
for _, objectGrant := range objectGrants {
for _, requiredGrant := range reqGrants {
if s3acl.GrantEquals(objectGrant, requiredGrant) {
return bucketMetadata, objectEntry, objectOwner, s3err.ErrNone
}
}
}
}
glog.V(3).Infof("acl denied! request account id: %s", accountId)
return nil, nil, "", s3err.ErrAccessDenied
}
func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
}
func updateObjectEntry(s3a *S3ApiServer, bucket string, entry *filer_pb.Entry) error {
return s3a.updateEntry(util.Join(s3a.option.BucketsPath, bucket), entry)
}

32
weed/s3api/s3api_object_handlers.go
View File

@ -8,6 +8,7 @@ import (
"fmt"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
"github.com/seaweedfs/seaweedfs/weed/security"
"github.com/seaweedfs/seaweedfs/weed/util/mem"
"golang.org/x/exp/slices"
@ -550,3 +551,34 @@ func (s3a *S3ApiServer) maybeGetFilerJwtAuthorizationToken(isWrite bool) string
}
return string(encodedJwt)
}
// PutObjectAclHandler Put object ACL
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjecthtml
func (s3a *S3ApiServer) PutObjectAclHandler(w http.ResponseWriter, r *http.Request) {
bucket, object := s3_constants.GetBucketAndObject(r)
accountId := s3acl.GetAccountId(r)
bucketMetadata, objectEntry, objectOwner, errCode := s3a.checkAccessForWriteObjectAcl(accountId, bucket, object)
if errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
grants, errCode := s3acl.ExtractAcl(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, objectOwner, accountId)
if errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
errCode = s3acl.AssembleEntryWithAcp(objectEntry, objectOwner, grants)
if errCode != s3err.ErrNone {
return
}
err := updateObjectEntry(s3a, bucket, objectEntry)
if err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
w.WriteHeader(http.StatusOK)
}
Write Preview
Loading…
Cancel
Save