
enable admin to access all buckets

pull/1616/head
Chris Lu 4 years ago
parent
commit
e6333da65a
  1. 16
      weed/s3api/auth_credentials.go
  2. 1
      weed/s3api/http/header.go
  3. 32
      weed/s3api/s3api_bucket_handlers.go

16
weed/s3api/auth_credentials.go

@ -132,6 +132,9 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
if errCode == s3err.ErrNone { if errCode == s3err.ErrNone {
if identity != nil && identity.Name != "" { if identity != nil && identity.Name != "" {
r.Header.Set(xhttp.AmzIdentityId, identity.Name) r.Header.Set(xhttp.AmzIdentityId, identity.Name)
if identity.isAdmin() {
r.Header.Set(xhttp.AmzIsAdmin, "true")
}
} }
f(w, r) f(w, r)
return return
@ -190,11 +193,9 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
} }
func (identity *Identity) canDo(action Action, bucket string) bool { func (identity *Identity) canDo(action Action, bucket string) bool {
for _, a := range identity.Actions {
if a == "Admin" {
if identity.isAdmin() {
return true return true
} }
}
for _, a := range identity.Actions { for _, a := range identity.Actions {
if a == action { if a == action {
return true return true
@ -211,3 +212,12 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
} }
return false return false
} }
func (identity *Identity) isAdmin() bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
}
return false
}
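Review bot: The added `if identity.isAdmin() { r.Header.Set(xhttp.AmzIsAdmin, "true") }` in Auth never clears a value the client may have sent under the same header name, so for a non-admin identity a request that arrives with `x-amz-is-admin` already present keeps it, and `hasAccess` in s3api_bucket_handlers.go then reads it as the admin marker. Clear it unconditionally before the conditional set, `r.Header.Del(xhttp.AmzIsAdmin)` ahead of the `if identity.isAdmin()` block; the same consideration applies to `AmzIdentityId`, which predates this change. The canDo hunk's switch from the inline loop to `identity.isAdmin()` is fine, but the new method is undocumented; `// isAdmin reports whether the identity's Actions include the "Admin" action.` would do. Auth's body begins and ends outside the hunk, so whether an earlier line already strips inbound context headers cannot be confirmed here.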

1
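--- a/weed/s3api/http/header.go
+++ b/weed/s3api/http/header.go
@@ -32,4 +32,5 @@ const (
 // Non-Standard S3 HTTP request constants
 const (
 	AmzIdentityId = "x-amz-identity-id"
+	AmzIsAdmin = "x-amz-is-admin" // only set to http request header as a context
 )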

32
weed/s3api/s3api_bucket_handlers.go

@ -40,11 +40,9 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
var buckets []*s3.Bucket var buckets []*s3.Bucket
for _, entry := range entries { for _, entry := range entries {
if entry.IsDirectory { if entry.IsDirectory {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if identityId != string(id) {
if !s3a.hasAccess(r, entry) {
continue continue
} }
}
buckets = append(buckets, &s3.Bucket{ buckets = append(buckets, &s3.Bucket{
Name: aws.String(entry.Name), Name: aws.String(entry.Name),
CreationDate: aws.Time(time.Unix(entry.Attributes.Crtime, 0).UTC()), CreationDate: aws.Time(time.Unix(entry.Attributes.Crtime, 0).UTC()),
@ -126,14 +124,10 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
return return
} }
if entry.Extended != nil {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
if !s3a.hasAccess(r, entry) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL) writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return return
} }
}
}
err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error { err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
@ -170,14 +164,28 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
return return
} }
if entry.Extended != nil {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
if !s3a.hasAccess(r, entry) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL) writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return return
} }
writeSuccessResponseEmpty(w)
}
func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool {
isAdmin := r.Header.Get(xhttp.AmzIsAdmin) != ""
if isAdmin {
return true
} }
if entry.Extended == nil {
return true
} }
writeSuccessResponseEmpty(w)
identityId := r.Header.Get(xhttp.AmzIdentityId)
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if identityId != string(id) {
return false
}
}
return true
} }
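Review bot: `hasAccess` treats any non-empty `x-amz-is-admin` value as admin (`isAdmin := r.Header.Get(xhttp.AmzIsAdmin) != ""`), while Auth only ever sets the literal `"true"`; comparing against that value, `if r.Header.Get(xhttp.AmzIsAdmin) == "true" { return true }`, keeps producer and consumer in agreement and reads as a deliberate check rather than a presence test. The function also returns true when `entry.Extended` is nil or carries no owner id, which preserves the old handlers' behaviour but deserves a doc comment, e.g. `// hasAccess reports whether the request may act on entry: admins always may, entries with no recorded owner are open to any identity, otherwise the recorded owner must match the request's identity id.` In ListBucketsHandler the old comparison against `identityId` is gone; if that local is not used elsewhere in the function (its declaration is outside the hunk) the compiler will reject it as unused.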