Browse Source

[s3acl] Step 0: Put bucket ACL only responds success if the ACL is private. (#4856)

* Passing test:
test_bucket_acl_default
test_bucket_acl_canned_private_to_private

https://github.com/seaweedfs/seaweedfs/issues/4519

* Update weed/s3api/s3api_bucket_handlers.go

---------

Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
pull/4858/head
Konstantin Lebedev 1 year ago
committed by GitHub
parent
commit
a46f873edd
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      docker/compose/s3tests.conf
  2. 56
      weed/s3api/s3api_bucket_handlers.go
  3. 6
      weed/s3api/s3api_bucket_skip_handlers.go

4
docker/compose/s3tests.conf

@ -18,10 +18,10 @@ bucket prefix = yournamehere-{random}-
[s3 main] [s3 main]
# main display_name set in vstart.sh # main display_name set in vstart.sh
display_name = M. Tester
display_name = s3_tests
# main user_idname set in vstart.sh # main user_idname set in vstart.sh
user_id = testid
user_id = s3_tests
# main email set in vstart.sh # main email set in vstart.sh
email = tester@ceph.com email = tester@ceph.com

56
weed/s3api/s3api_bucket_handlers.go

@ -259,32 +259,54 @@ func (s3a *S3ApiServer) GetBucketAclHandler(w http.ResponseWriter, r *http.Reque
return return
} }
response := AccessControlPolicy{}
for _, ident := range s3a.iam.identities {
if len(ident.Credentials) == 0 {
continue
}
for _, action := range ident.Actions {
if !action.overBucket(bucket) || action.getPermission() == "" {
continue
}
id := ident.Credentials[0].AccessKey
if response.Owner.DisplayName == "" && action.isOwner(bucket) && len(ident.Credentials) > 0 {
response.Owner.DisplayName = ident.Name
response.Owner.ID = id
identityId := r.Header.Get(s3_constants.AmzIdentityId)
response := AccessControlPolicy{
Owner: CanonicalUser{
ID: identityId,
DisplayName: identityId,
},
} }
response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{ response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{
Grantee: Grantee{ Grantee: Grantee{
ID: id,
DisplayName: ident.Name,
ID: identityId,
DisplayName: identityId,
Type: "CanonicalUser", Type: "CanonicalUser",
XMLXSI: "CanonicalUser", XMLXSI: "CanonicalUser",
XMLNS: "http://www.w3.org/2001/XMLSchema-instance"}, XMLNS: "http://www.w3.org/2001/XMLSchema-instance"},
Permission: action.getPermission(),
Permission: s3.PermissionFullControl,
}) })
writeSuccessResponseXML(w, r, response)
} }
// PutBucketAclHandler Put bucket ACL only responds success if the ACL is private.
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html //
func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
// collect parameters
bucket, _ := s3_constants.GetBucketAndObject(r)
glog.V(3).Infof("PutBucketAclHandler %s", bucket)
if err := s3a.checkBucket(r, bucket); err != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, err)
return
} }
writeSuccessResponseXML(w, r, response)
cannedAcl := r.Header.Get(s3_constants.AmzCannedAcl)
switch {
case cannedAcl == "":
acl := &s3.AccessControlPolicy{}
if err := xmlDecoder(r.Body, acl, r.ContentLength); err != nil {
glog.Errorf("PutBucketAclHandler: %s", err)
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
return
}
if len(acl.Grants) == 1 && acl.Grants[0].Permission != nil && *acl.Grants[0].Permission == s3_constants.PermissionFullControl {
writeSuccessResponseEmpty(w, r)
return
}
case cannedAcl == s3_constants.CannedAclPrivate:
writeSuccessResponseEmpty(w, r)
return
}
s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
} }
// GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration // GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration

6
weed/s3api/s3api_bucket_skip_handlers.go

@ -41,9 +41,3 @@ func (s3a *S3ApiServer) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Re
func (s3a *S3ApiServer) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) { func (s3a *S3ApiServer) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
s3err.WriteErrorResponse(w, r, http.StatusNoContent) s3err.WriteErrorResponse(w, r, http.StatusNoContent)
} }
// PutBucketAclHandler Put bucket ACL
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
}
Loading…
Cancel
Save