From aacdcc4cad3d3aea58144640545a630c8b62d11a Mon Sep 17 00:00:00 2001
From: LHHDZ
Date: Thu, 29 Sep 2022 03:45:18 +0800
Subject: [PATCH] s3: add account (#3753)

associate `Account` and `Identity` by accountId
---
 weed/s3api/s3api_account.go | 69 +++++++++++++++++++++++++++++++++++++
 weed/s3api/s3api_server.go | 2 ++
 2 files changed, 71 insertions(+)
 create mode 100644 weed/s3api/s3api_account.go

diff --git a/weed/s3api/s3api_account.go b/weed/s3api/s3api_account.go
new file mode 100644
index 000000000..ce17472d8
--- /dev/null
+++ b/weed/s3api/s3api_account.go
@@ -0,0 +1,69 @@
+package s3api
+
+import (
+ "sync"
+)
+
+//Predefined Accounts
+var (
+ // AccountAdmin is used as the default account for IAM-Credentials access without Account configured
+ AccountAdmin = Account{
+ Name: "admin",
+ EmailAddress: "admin@example.com",
+ Id: "admin",
+ }
+
+ // AccountAnonymous is used to represent the account for anonymous access
+ AccountAnonymous = Account{
+ Name: "anonymous",
+ EmailAddress: "anonymous@example.com",
+ Id: "anonymous",
+ }
+)
+
+//Account represents a system user, a system user can
+//configure multiple IAM-Users, IAM-Users can configure
+//permissions respectively, and each IAM-User can
+//configure multiple security credentials
+type Account struct {
+ //Name is also used to display the "DisplayName" as the owner of the bucket or object
+ Name string
+ EmailAddress string
+
+ //Id is used to identify an Account when granting cross-account access(ACLs) to buckets and objects
+ Id string
+}
+
+type AccountManager struct {
+ sync.Mutex
+ s3a *S3ApiServer
+
+ IdNameMapping map[string]string
+ EmailIdMapping map[string]string
+}
+
+func NewAccountManager(s3a *S3ApiServer) *AccountManager {
+ am := &AccountManager{
+ s3a: s3a,
+ IdNameMapping: make(map[string]string),
+ EmailIdMapping: make(map[string]string),
+ }
+ am.initialize()
+ return am
+}
+
+func (am *AccountManager) GetAccountNameById(canonicalId string) string {
+ return am.IdNameMapping[canonicalId]
+}
+
+func (am *AccountManager) GetAccountIdByEmail(email string) string {
+ return am.EmailIdMapping[email]
+}
+
+func (am *AccountManager) initialize() {
+ // load predefined Accounts
+ for _, account := range []Account{AccountAdmin, AccountAnonymous} {
+ am.IdNameMapping[account.Id] = account.Name
+ am.EmailIdMapping[account.EmailAddress] = account.Id
+ }
+}
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 76163d724..7ed5d4e87
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
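Review bot: `GetAccountNameById` and `GetAccountIdByEmail` return the zero string for an unknown id or email, so a caller (presumably the ACL code that resolves grantees, given the doc comment on `Id`) cannot tell "no such account" from an account whose name is empty, and an unrecognized `emailAddress` grantee would silently resolve to the id `""` unless every caller re-checks; returning `(string, bool)` makes the miss explicit and forces callers to reject it. The embedded `sync.Mutex` is never locked anywhere in this file: today the maps are only written in `initialize` before the manager escapes `NewAccountManager`, but once accounts are loaded or reloaded at runtime (the otherwise unused `s3a` field suggests that is planned) an unguarded read racing a write is a fatal "concurrent map read and map write" panic that takes down the whole gateway, so the getters should take the lock now rather than when the first loader lands. Note also that every IAM identity without an account is mapped to the single predefined canonical id `admin`, so ACL grants and owner checks keyed on that id cannot distinguish one such identity from another; a sentence on `AccountAdmin` saying `// all IAM users without an Account share this id, so ACL grants to it apply to all of them` would keep that visible to whoever reviews the ACL code.
```go
type AccountManager struct {
	sync.RWMutex // guards the two maps; getters take the read lock
	// … unchanged: s3a, IdNameMapping, EmailIdMapping …
}

// GetAccountNameById reports the account name registered for canonicalId and
// whether the id is known; an unknown id must not be treated as an empty name.
func (am *AccountManager) GetAccountNameById(canonicalId string) (string, bool) {
	am.RLock()
	defer am.RUnlock()
	name, ok := am.IdNameMapping[canonicalId]
	return name, ok
}

// GetAccountIdByEmail reports the canonical id registered for email and
// whether one exists; callers must reject a grantee whose email is unknown.
func (am *AccountManager) GetAccountIdByEmail(email string) (string, bool) {
	am.RLock()
	defer am.RUnlock()
	id, ok := am.EmailIdMapping[email]
	return id, ok
}
```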
@@ -40,6 +40,7 @@ type S3ApiServer struct {
 randomClientId int32
 filerGuard *security.Guard
 client *http.Client
+ accountManager *AccountManager
 }
 
 func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
@@ -59,6 +60,7 @@ func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer
 filerGuard: security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
 cb: NewCircuitBreaker(option),
 }
+ s3ApiServer.accountManager = NewAccountManager(s3ApiServer)
 if option.LocalFilerSocket == "" {
 s3ApiServer.client = &http.Client{Transport: &http.Transport{
 MaxIdleConns: 1024,
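Review bot: `NewAccountManager(s3ApiServer)` runs before `s3ApiServer.client` is assigned in the `if option.LocalFilerSocket == ""` block immediately below it, and the manager keeps that half-built server as its `s3a` back-reference. That is harmless in this commit because `initialize` only registers the two predefined accounts, but the first change that loads accounts from the filer inside the constructor would dereference a nil client and crash the gateway at startup; either move the call below the client setup or pin the ordering with a comment such as `// must not touch the filer here: s3ApiServer.client is only set further down`. The body of `NewS3ApiServer` continues outside the hunk.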