Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Modified ListBucketsHandler to use IAM authorization (authorizeWithIAM) for JWT users instead of legacy identity.canDo()

pull/7160/head
chrislu 2 months ago
parent
8603fe1433
commit
5f32b3c982
1 changed files with 16 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 18
      weed/s3api/s3api_bucket_handlers.go

18
weed/s3api/s3api_bucket_handlers.go
View File

@ -60,8 +60,22 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
var listBuckets ListAllMyBucketsList
for _, entry := range entries {
if entry.IsDirectory {
if identity != nil && !identity.canDo(s3_constants.ACTION_LIST, entry.Name, "") {
continue
// Check permissions for each bucket
if identity != nil {
// For JWT-authenticated users, use IAM authorization
sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
if s3a.iam.iamIntegration != nil && sessionToken != "" {
// Use IAM authorization for JWT users
errCode := s3a.iam.authorizeWithIAM(r, identity, s3_constants.ACTION_LIST, entry.Name, "")
if errCode != s3err.ErrNone {
continue
}
} else {
// Use legacy authorization for non-JWT users
if !identity.canDo(s3_constants.ACTION_LIST, entry.Name, "") {
continue
}
}
}
listBuckets.Bucket = append(listBuckets.Bucket, ListAllMyBucketsEntry{
Name: entry.Name,

Write Preview
Loading…
Cancel
Save