
Merge branch 'master' of https://github.com/chrislusf/seaweedfs

pull/2590/head
chrislu 3 years ago
parent
commit
e82ad60122
  1. 4
      weed/s3api/auth_credentials.go
  2. 10
      weed/s3api/auth_credentials_test.go

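--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -320,6 +320,7 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 return false
 }
 target := string(action) + ":" + bucket + objectKey
+adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
 limitedByBucket := string(action) + ":" + bucket
 adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
 for _, a := range identity.Actions {
@@ -328,6 +329,9 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 if strings.HasPrefix(target, act[:len(act)-1]) {
 return true
 }
+if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
+return true
+}
 } else {
 if act == limitedByBucket {
 return true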
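Review bot: The new `strings.HasPrefix(adminTarget, act[:len(act)-1])` branch in the second hunk widens authorization without a comment stating the rule. As written, an `Admin:<prefix>*` entry authorizes every action on anything whose `bucket + objectKey` string starts with the prefix. Because the compared string has no separator between bucket and key, the prefix is not anchored to a bucket boundary, so a pattern written for one bucket also covers any longer bucket name sharing that prefix. I would document that above the branch, e.g. `// Admin wildcard: grants every action on any bucket/object whose "bucket+objectKey" begins with the prefix (not bucket-anchored).` The two prefix checks could also share one `prefix := act[:len(act)-1]` and a single `if strings.HasPrefix(target, prefix) || strings.HasPrefix(adminTarget, prefix)`. The condition guarding this branch and the rest of canDo lie outside the hunk, so the slice bounds on `act` could not be checked here.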

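--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -115,4 +115,14 @@ func TestCanDo(t *testing.T) {
 assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
 assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
+// admin buckets
+ident5 := &Identity{
+Name: "anything",
+Actions: []Action{
+"Admin:special_*",
+},
+}
+assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
+assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
 }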
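Review bot: The new `ident5` case asserts only that access is granted, so nothing pins the limit of the `Admin:special_*` wildcard. For an authorization change the deny side matters most. I would add a negative assertion next to the two positive ones, mirroring the existing ident4 check: `assert.Equal(t, false, ident5.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))`. A second case with a bucket name that only partly shares the prefix would record whether the non-anchored prefix match is intended.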