
s3tables: standardize access denied errors using ErrAccessDenied constant

pull/8147/head
Chris Lu 5 days ago
parent
commit
4d4af0589b
  1. 3
      weed/s3api/s3tables/handler.go
  2. 2
      weed/s3api/s3tables/handler_bucket_get_list_delete.go
  3. 8
      weed/s3api/s3tables/handler_namespace.go
  4. 10
      weed/s3api/s3tables/handler_table.go

3
weed/s3api/s3tables/handler.go

@ -26,6 +26,7 @@ const (
var ( var (
ErrVersionTokenMismatch = errors.New("version token mismatch") ErrVersionTokenMismatch = errors.New("version token mismatch")
ErrAccessDenied = errors.New("access denied")
) )
type ResourceType string type ResourceType string
@ -229,5 +230,5 @@ func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID
func isAuthError(err error) bool { func isAuthError(err error) bool {
var authErr *AuthError var authErr *AuthError
return errors.As(err, &authErr)
return errors.As(err, &authErr) || errors.Is(err, ErrAccessDenied)
} }
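Review bot: `ErrAccessDenied` in the var block carries no doc comment, and its contract is not obvious from the name: every return site in this commit calls `h.writeError` first (sometimes a 403 AccessDenied, sometimes a 404 that masks the resource's existence) and only then returns the sentinel, so it is a signal to the caller, not a pending response. Suggest `// ErrAccessDenied signals that a handler rejected the request on ownership grounds and has already written the response (a 403, or a 404 that masks existence); callers must not write another response.` The `errors.Is` extension of isAuthError is the right shape, but if any caller used isAuthError to decide whether to emit its own 403, the masked-404 cases now take that path as well, which is worth confirming at the call sites outside this diff. The var block's opening `const (` is outside the hunk.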

2
weed/s3api/s3tables/handler_bucket_get_list_delete.go

@ -58,7 +58,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
resp := &GetTableBucketResponse{ resp := &GetTableBucketResponse{
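Review bot: The ownership check in handleGetTableBucket answers a non-owner with 403 `ErrCodeAccessDenied`, which confirms that the bucket name exists, while handleListNamespaces masks the same ownership failure on the same bucket with 404 `ErrCodeNoSuchBucket`; handleCreateNamespace and handleCreateTable likewise answer 403 where the get/list/delete handlers for the same resources answer 404. The mismatch predates this commit, but standardizing the returned error is the natural moment to standardize the status as well, since the 403 branches let a caller distinguish existing from non-existing buckets and namespaces that the 404 branches deliberately hide. If masking is the intended contract, the line would become `h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, ...)` with the same message form the list handler uses; if 403 is intended for buckets, the 404 in handleListNamespaces is the one to align. handleGetTableBucket continues outside the hunk.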

8
weed/s3api/s3tables/handler_namespace.go

@ -68,7 +68,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
namespacePath := getNamespacePath(bucketName, namespaceName) namespacePath := getNamespacePath(bucketName, namespaceName)
@ -178,7 +178,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
resp := &GetNamespaceResponse{ resp := &GetNamespaceResponse{
@ -242,7 +242,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
accountID := h.getAccountID(r) accountID := h.getAccountID(r)
if accountID != bucketMetadata.OwnerAccountID { if accountID != bucketMetadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName)) h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
var namespaces []NamespaceSummary var namespaces []NamespaceSummary
@ -403,7 +403,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
// Check if namespace is empty // Check if namespace is empty
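Review bot: At the return in handleGetNamespace, and likewise in handleListNamespaces and handleDeleteNamespace, the response already sent to the client is a 404 "not found" while the value returned is `ErrAccessDenied`, so anything that logs the returned error will record "access denied" for a request the client saw as "not found". That divergence is useful for server-side audit but reads as a bug to anyone who has not seen handler.go, so a short comment at each masked return would help: `// 404 masks the namespace's existence from non-owners; the error is only a signal to the caller.` Each enclosing handler starts and ends outside its hunk.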

10
weed/s3api/s3tables/handler_table.go

@ -88,7 +88,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
tablePath := getTablePath(bucketName, namespaceName, tableName) tablePath := getTablePath(bucketName, namespaceName, tableName)
@ -241,7 +241,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName)) h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName) tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
@ -310,7 +310,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
} }
if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID { if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables) tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables)
@ -327,7 +327,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
} }
if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID { if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found")
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables) tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables)
@ -611,7 +611,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName)) h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
return fmt.Errorf("access denied")
return ErrAccessDenied
} }
// Delete the table // Delete the table
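Review bot: The masking message in the second ownership check of handleListTables is the bare string `"bucket not found"`, while handleListNamespaces reports the same condition on the same resource as `fmt.Sprintf("table bucket %s not found", bucketName)`; since this commit unifies the returned error across all these sites, the client-facing message deserves the same treatment. Pick one form, `"table bucket %s not found"` with the name being the more informative, and use it at both sites. handleListTables starts before this hunk and continues after it.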
