seaweedfs

History

Chris Lu f5c0bcafa3 s3: fix ListBuckets not showing buckets created by authenticated users (#7648 ) * s3: fix ListBuckets not showing buckets created by authenticated users Fixes #7647 ## Problem Users with proper Admin permissions could create buckets but couldn't list them. The issue occurred because ListBucketsHandler was not wrapped with the Auth middleware, so the authenticated identity was never set in the request context. ## Root Cause - PutBucketHandler uses iam.Auth() middleware which sets identity in context - ListBucketsHandler did NOT use iam.Auth() middleware - Without the middleware, GetIdentityNameFromContext() returned empty string - Bucket ownership checks failed because no identity was present ## Changes 1. Wrap ListBucketsHandler with iam.Auth() middleware (s3api_server.go) 2. Update ListBucketsHandler to get identity from context (s3api_bucket_handlers.go) 3. Add lookupByIdentityName() helper method (auth_credentials.go) 4. Add comprehensive test TestListBucketsIssue7647 (s3api_bucket_handlers_test.go) ## Testing - All existing tests pass (1348 tests in s3api package) - New test TestListBucketsIssue7647 validates the fix - Verified admin users can see their created buckets - Verified admin users can see all buckets - Verified backward compatibility maintained * s3: fix ListBuckets for JWT/Keycloak authentication The previous fix broke JWT/Keycloak authentication because JWT identities are created on-the-fly and not stored in the iam.identities list. The lookupByIdentityName() would return nil for JWT users. Solution: Store the full Identity object in the request context, not just the name. This allows ListBucketsHandler to retrieve the complete identity for all authentication types (SigV2, SigV4, JWT, Anonymous). Changes: - Add SetIdentityInContext/GetIdentityFromContext in s3_constants/header.go - Update Auth middleware to store full identity in context - Update ListBucketsHandler to retrieve identity from context first, with fallback to lookup for backward compatibility * s3: optimize lookupByIdentityName to O(1) using map Address code review feedback: Use a map for O(1) lookups instead of O(N) linear scan through identities list. Changes: - Add nameToIdentity map to IdentityAccessManagement struct - Populate map in loadS3ApiConfiguration (consistent with accessKeyIdent pattern) - Update lookupByIdentityName to use map lookup instead of loop This improves performance when many identities are configured and aligns with the existing pattern used for accessKeyIdent lookups. * s3: address code review feedback on nameToIdentity and logging Address two code review points: 1. Wire nameToIdentity into env-var fallback path - The AWS env-var fallback in NewIdentityAccessManagementWithStore now populates nameToIdentity map along with accessKeyIdent - Keeps all identity lookup maps in sync - Avoids potential issues if handlers rely on lookupByIdentityName 2. Improve access key lookup logging - Reduce log verbosity: V(1) -> V(2) for failed lookups - Truncate access keys in logs (show first 4 chars + **) - Include key length for debugging - Prevents credential exposure in production logs - Reduces log noise from misconfigured clients fmt * s3: refactor truncation logic and improve error handling Address additional code review feedback: 1. DRY principle: Extract key truncation logic into local function - Define truncate() helper at function start - Reuse throughout lookupByAccessKey - Eliminates code duplication 2. Enhanced security: Mask very short access keys - Keys <= 4 chars now show as '***' instead of full key - Prevents any credential exposure even for short keys - Consistent masking across all log statements 3. Improved robustness: Add warning log for type assertion failure - Log unexpected type when identity context object is wrong type - Helps debug potential middleware or context issues - Better production diagnostics 4. Documentation: Add comment about future optimization opportunity - Note potential for lightweight identity view in context - Suggests credential-free view for better data minimization - Documents design decision for future maintainers		12 hours ago
..
cors	S3: Add `Vary` header for non-wildcard AllowOrigin (#7547)	2 weeks ago
policy	fix	1 year ago
policy_engine	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_constants	s3: fix ListBuckets not showing buckets created by authenticated users (#7648)	12 hours ago
s3bucket	adjust fix	10 months ago
s3err	Filer, S3: Feature/add concurrent file upload limit (#7554)	2 weeks ago
AmazonS3.xsd	add s3test for sql (#5718)	1 year ago
README.txt	add s3test for sql (#5718)	1 year ago
auth_credentials.go	s3: fix ListBuckets not showing buckets created by authenticated users (#7648)	12 hours ago
auth_credentials_subscribe.go	S3: Directly read write volume servers (#7481)	3 weeks ago
auth_credentials_test.go	S3: Enforce bucket policy (#7471)	4 weeks ago
auth_signature_v2.go	fmt	2 weeks ago
auth_signature_v2_test.go	fix(s3api): fix AWS Signature V2 format and validation (#7488)	2 weeks ago
auth_signature_v4.go	s3: support STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER for signed chunked uploads with checksums (#7623)	4 days ago
auth_signature_v4_test.go	Fix IPv6 host header formatting to match AWS SDK behavior (#7414)	1 month ago
auto_signature_v4_test.go	S3: prevent deleting buckets with object locking (#7434)	1 month ago
bucket_metadata.go	added context to filer_client method calls (#6808)	7 months ago
bucket_metadata_test.go	[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859)	2 years ago
chunked_bug_reproduction_test.go	S3 API: unsigned streaming (no cred) but chunks contain signatures (#7118)	4 months ago
chunked_reader_v4.go	s3: support STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER for signed chunked uploads with checksums (#7623)	4 days ago
chunked_reader_v4_test.go	s3: support STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER for signed chunked uploads with checksums (#7623)	4 days ago
custom_types.go	S3: Directly read write volume servers (#7481)	3 weeks ago
filer_multipart.go	fix: CompleteMultipartUpload fails for uploads with more than 1000 parts (#7641)	2 days ago
filer_multipart_test.go	[s3] fix s3 test_multipart_resend_first_finishes_last (#5471)	2 years ago
filer_util.go	S3: Directly read write volume servers (#7481)	3 weeks ago
filer_util_tags.go	added context to filer_client method calls (#6808)	7 months ago
object_lock_utils.go	refactor (#6999)	5 months ago
policy_conversion.go	S3: Directly read write volume servers (#7481)	3 weeks ago
policy_conversion_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_action_resolver.go	S3: add context aware action resolution (#7479)	4 weeks ago
s3_bucket_encryption.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_end_to_end_test.go	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_error_utils.go	S3 API: Add SSE-S3 (#7151)	4 months ago
s3_granular_action_security_test.go	S3: add context aware action resolution (#7479)	4 weeks ago
s3_iam_middleware.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_iam_role_selection_test.go	S3 API: Advanced IAM System (#7160)	3 months ago
s3_iam_simple_test.go	S3: add context aware action resolution (#7479)	4 weeks ago
s3_jwt_auth_test.go	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_list_parts_action_test.go	S3: add context aware action resolution (#7479)	4 weeks ago
s3_metadata_util.go	S3: set identity to request context, and remove obsolete code (#7523)	2 weeks ago
s3_multipart_iam.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_multipart_iam_test.go	S3: add context aware action resolution (#7479)	4 weeks ago
s3_policy_templates.go	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_policy_templates_test.go	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_presigned_url_iam.go	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_presigned_url_iam_test.go	S3: Enforce bucket policy (#7471)	4 weeks ago
s3_sse_bucket_test.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3_sse_c.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_sse_c_range_test.go	S3 API: Fix SSE-S3 decryption on object download (#7366)	2 months ago
s3_sse_c_test.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3_sse_copy_test.go	S3 API: Fix SSE-S3 decryption on object download (#7366)	2 months ago
s3_sse_ctr_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_sse_error_test.go	S3 API: Add SSE-S3 (#7151)	4 months ago
s3_sse_http_test.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3_sse_kms.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_sse_kms_test.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3_sse_kms_utils.go	S3 API: Add SSE-S3 (#7151)	4 months ago
s3_sse_metadata.go	S3 API: Fix SSE-S3 decryption on object download (#7366)	2 months ago
s3_sse_metadata_test.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3_sse_multipart_test.go	Migrate from deprecated azure-storage-blob-go to modern Azure SDK (#7310)	2 months ago
s3_sse_s3.go	fix: copy to bucket with default SSE-S3 encryption fails (#7562) (#7568)	1 week ago
s3_sse_s3_integration_test.go	go fmt	1 month ago
s3_sse_s3_multipart_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_sse_s3_test.go	fix: copy to bucket with default SSE-S3 encryption fails (#7562) (#7568)	1 week ago
s3_sse_test_utils_test.go	S3 API: Fix SSE-S3 decryption on object download (#7366)	2 months ago
s3_sse_utils.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3_token_differentiation_test.go	S3 API: Advanced IAM System (#7160)	3 months ago
s3_validation_utils.go	go fmt	1 month ago
s3api_acl_helper.go	Add Kafka Gateway (#7231)	2 months ago
s3api_acl_helper_test.go	[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859)	2 years ago
s3api_acp.go	add ownership rest apis (#3765)	3 years ago
s3api_auth.go	s3: support STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER for signed chunked uploads with checksums (#7623)	4 days ago
s3api_bucket_config.go	s3: optimize DELETE by skipping lock check for buckets without Object Lock (#7642)	2 days ago
s3api_bucket_cors_handlers.go	S3: add fallback for CORS (#7404)	1 month ago
s3api_bucket_handlers.go	s3: fix ListBuckets not showing buckets created by authenticated users (#7648)	12 hours ago
s3api_bucket_handlers_object_lock_config.go	S3: S3 Object Retention API to include XML namespace support (#7517)	3 weeks ago
s3api_bucket_handlers_test.go	s3: fix ListBuckets not showing buckets created by authenticated users (#7648)	12 hours ago
s3api_bucket_metadata_test.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3api_bucket_policy_arn_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_bucket_policy_engine.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_bucket_policy_handlers.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_bucket_tagging_handlers.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3api_circuit_breaker.go	Metrics: Add Prometheus metrics for concurrent upload tracking (#7555)	2 weeks ago
s3api_circuit_breaker_test.go	move to https://github.com/seaweedfs/seaweedfs	3 years ago
s3api_conditional_headers_test.go	s3: fix if-match error (#7277)	1 month ago
s3api_copy_size_calculation.go	S3 API: Add SSE-S3 (#7151)	4 months ago
s3api_copy_validation.go	S3 API: Add SSE-KMS (#7144)	4 months ago
s3api_domain_test.go	fix: Use a mixed of virtual and path styles within a single subdomain (#7357)	2 months ago
s3api_encrypted_volume_copy_test.go	S3: Fix encrypted file copy with multiple chunks (#7530) (#7546)	2 weeks ago
s3api_governance_permissions_test.go	Add policy engine (#6970)	5 months ago
s3api_handlers.go	Support multiple filers for S3 and IAM servers with automatic failover (#7550)	2 weeks ago
s3api_implicit_directory_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_key_rotation.go	S3: Fix encrypted file copy with multiple chunks (#7530) (#7546)	2 weeks ago
s3api_object_handlers.go	fix: S3 GetObject/HeadObject with PartNumber should return object ETag, not part ETag (#7622)	4 days ago
s3api_object_handlers_acl.go	S3: Perf related (#7463)	4 weeks ago
s3api_object_handlers_copy.go	Fix SSE-S3 copy: preserve encryption metadata and set chunk SSE type (#7598)	6 days ago
s3api_object_handlers_copy_test.go	fix: copy to bucket with default SSE-S3 encryption fails (#7562) (#7568)	1 week ago
s3api_object_handlers_copy_unified.go	Fix SSE-S3 copy: preserve encryption metadata and set chunk SSE type (#7598)	6 days ago
s3api_object_handlers_delete.go	s3: optimize DELETE by skipping lock check for buckets without Object Lock (#7642)	2 days ago
s3api_object_handlers_legal_hold.go	refactor (#6999)	5 months ago
s3api_object_handlers_list.go	Remove deprecated allowEmptyFolder CLI option	2 days ago
s3api_object_handlers_list_test.go	address List permission	4 months ago
s3api_object_handlers_multipart.go	Support multiple filers for S3 and IAM servers with automatic failover (#7550)	2 weeks ago
s3api_object_handlers_postpolicy.go	Support multiple filers for S3 and IAM servers with automatic failover (#7550)	2 weeks ago
s3api_object_handlers_put.go	s3: optimize DELETE by skipping lock check for buckets without Object Lock (#7642)	2 days ago
s3api_object_handlers_put_test.go	check errors	2 weeks ago
s3api_object_handlers_retention.go	refactor (#6999)	5 months ago
s3api_object_handlers_tagging.go	rename files	2 years ago
s3api_object_handlers_test.go	Support multiple filers for S3 and IAM servers with automatic failover (#7550)	2 weeks ago
s3api_object_lock_fix_test.go	Fix get object lock configuration handler (#6996)	5 months ago
s3api_object_lock_headers_test.go	Test object lock and retention (#6997)	5 months ago
s3api_object_retention.go	s3: optimize DELETE by skipping lock check for buckets without Object Lock (#7642)	2 days ago
s3api_object_retention_test.go	S3: S3 Object Retention API to include XML namespace support (#7517)	3 weeks ago
s3api_object_versioning.go	Support multiple filers for S3 and IAM servers with automatic failover (#7550)	2 weeks ago
s3api_policy.go	[s3] Put bucket lifecycle configuration (#5510)	2 years ago
s3api_put_handlers.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_put_object_helper.go	Fix chunked data reading if iam not enabled (#6898)	6 months ago
s3api_put_object_helper_test.go	Add credential storage (#6938)	5 months ago
s3api_server.go	s3: fix ListBuckets not showing buckets created by authenticated users (#7648)	12 hours ago
s3api_server_grpc.go	move to https://github.com/seaweedfs/seaweedfs	3 years ago
s3api_sse_chunk_metadata_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_sse_decrypt_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_sse_s3_upload_test.go	S3: Directly read write volume servers (#7481)	3 weeks ago
s3api_status_handlers.go	move to https://github.com/seaweedfs/seaweedfs	3 years ago
s3api_streaming_copy.go	Fix SSE-S3 copy: preserve encryption metadata and set chunk SSE type (#7598)	6 days ago
s3api_test.go	move to https://github.com/seaweedfs/seaweedfs	3 years ago
s3api_xsd_generated.go	fix ListAllMyBucketsResult xmlns	4 months ago
s3api_xsd_generated_helper.go	add s3test for sql (#5718)	1 year ago
stats.go	Populate bucket_traffic_received_bytes_total metric (#7249)	3 months ago
tags.go	tag parsing decode url encoded	4 months ago
tags_test.go	tag parsing decode url encoded	4 months ago

README.txt

see https://blog.aqwari.net/xml-schema-go/

1. go get aqwari.net/xml/cmd/xsdgen
2. Add EncodingType element for ListBucketResult in AmazonS3.xsd
3. xsdgen -o s3api_xsd_generated.go -pkg s3api AmazonS3.xsd
4. Remove empty Grantee struct in s3api_xsd_generated.go
5. Remove xmlns: sed s'/http:\/\/s3.amazonaws.com\/doc\/2006-03-01\/\ //' s3api_xsd_generated.go