
isAnonymous

pull/7479/head
chrislu 2 months ago
parent
commit
56e4652938
  1. 26
      weed/s3api/s3api_bucket_handlers.go
  2. 8
      weed/s3api/s3api_bucket_policy_engine.go

26
weed/s3api/s3api_bucket_handlers.go

@ -597,16 +597,16 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
glog.V(4).Infof("AuthWithPublicRead: bucket=%s, object=%s, authType=%v, isAnonymous=%v", bucket, object, authType, isAnonymous)
// For anonymous requests, check if bucket allows public read via ACLs or bucket policies
if isAnonymous {
// First check ACL-based public access
isPublic := s3a.isBucketPublicRead(bucket)
glog.V(4).Infof("AuthWithPublicRead: bucket=%s, isPublicACL=%v", bucket, isPublic)
if isPublic {
glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to public-read bucket %s (ACL)", bucket)
handler(w, r)
return
}
// For anonymous requests, check if bucket allows public read via ACLs or bucket policies
if isAnonymous {
// First check ACL-based public access
isPublic := s3a.isBucketPublicRead(bucket)
glog.V(4).Infof("AuthWithPublicRead: bucket=%s, isPublicACL=%v", bucket, isPublic)
if isPublic {
glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to public-read bucket %s (ACL)", bucket)
handler(w, r)
return
}
// Check bucket policy for anonymous access using the policy engine
principal := "*" // Anonymous principal
@ -632,9 +632,9 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
return
}
}
// No matching policy statement - fall through to check ACLs and then IAM auth
glog.V(3).Infof("AuthWithPublicRead: no bucket policy match for %s, checking ACLs", bucket)
}
// No matching policy statement - fall through to check ACLs and then IAM auth
glog.V(3).Infof("AuthWithPublicRead: no bucket policy match for %s, checking ACLs", bucket)
}
// For all authenticated requests and anonymous requests to non-public buckets,
// use normal IAM auth to enforce policies

8
weed/s3api/s3api_bucket_policy_engine.go

@ -264,6 +264,11 @@ func convertActionToS3Format(action string, r *http.Request) string {
// resolveS3ActionFromRequest determines the specific S3 action from HTTP request context
// This enables fine-grained action resolution without changing handler registrations
//
// TODO: Consider consolidating with determineGranularS3Action() in s3_iam_middleware.go
// to avoid code duplication. This function is used by the bucket policy engine, while
// determineGranularS3Action is used by the IAM integration. They serve similar purposes
// and could potentially be unified into a single shared utility function.
func resolveS3ActionFromRequest(baseAction string, r *http.Request) string {
if r == nil {
return ""
@ -274,7 +279,8 @@ func resolveS3ActionFromRequest(baseAction string, r *http.Request) string {
bucket, object := s3_constants.GetBucketAndObject(r)
// Determine if this is an object or bucket operation
hasObject := object != ""
// Note: "/" is treated as bucket-level, not object-level
hasObject := object != "" && object != "/"
// Check for specific query parameters that indicate specific actions
switch {
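Review bot: In the second hunk, `hasObject := object != "" && object != "/"` changes which S3 action the bucket policy engine resolves, but the TODO added in the first hunk says determineGranularS3Action() in s3_iam_middleware.go does the same job for the IAM path, and this commit does not touch it. If that function still counts "/" as an object key, one request can resolve to a bucket-level action for bucket policy evaluation and an object-level action for IAM, so the two authorization paths may reach different decisions. I would apply the same rule there in this commit, or move the test into one shared helper that both call, instead of deferring it behind a TODO. The check also matches only the exact string "/", and what GetBucketAndObject returns for other slash-only paths is not visible in this hunk, so a table test covering "", "/" and a real key would pin the intended behaviour. resolveS3ActionFromRequest continues past the end of the hunk.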
