seaweedfs/weed/s3api/auth_credentials.go

248 lines
6.2 KiB
Go
Raw Normal View History

2020-02-09 22:30:02 +00:00
package s3api
import (
"bytes"
"fmt"
2020-11-25 20:30:11 +00:00
"github.com/chrislusf/seaweedfs/weed/pb"
"github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
"google.golang.org/grpc"
2020-02-09 22:30:02 +00:00
"io/ioutil"
"net/http"
2020-11-11 08:20:59 +00:00
xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
"github.com/chrislusf/seaweedfs/weed/s3api/s3err"
2020-11-25 20:30:11 +00:00
"github.com/chrislusf/seaweedfs/weed/s3iam"
2020-02-09 22:30:02 +00:00
"github.com/golang/protobuf/jsonpb"
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
)
type Action string
const (
ACTION_READ = "Read"
ACTION_WRITE = "Write"
ACTION_ADMIN = "Admin"
ACTION_TAGGING = "Tagging"
ACTION_LIST = "List"
2020-02-09 22:30:02 +00:00
)
type Iam interface {
Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
}
type IdentityAccessManagement struct {
identities []*Identity
2020-02-10 00:02:05 +00:00
domain string
2020-02-09 22:30:02 +00:00
}
type Identity struct {
Name string
Credentials []*Credential
Actions []Action
}
type Credential struct {
AccessKey string
SecretKey string
}
func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
2020-02-10 00:02:05 +00:00
iam := &IdentityAccessManagement{
domain: option.DomainName,
2020-02-10 00:02:05 +00:00
}
2020-11-25 20:30:11 +00:00
if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
glog.Warningf("fail to load config %v", err)
2020-02-09 22:30:02 +00:00
}
if len(iam.identities) == 0 && option.Config != "" {
2020-11-25 20:30:11 +00:00
if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
glog.Fatalf("fail to load config file %s: %v", option.Config, err)
}
2020-02-09 22:30:02 +00:00
}
return iam
}
2020-11-25 20:30:11 +00:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
return pb.WithCachedGrpcClient(func(grpcConnection *grpc.ClientConn) error {
client := filer_pb.NewSeaweedFilerClient(grpcConnection)
store := s3iam.NewIAMFilerStore(&client)
if err := store.LoadIAMConfig(s3ApiConfiguration); err != nil {
return nil
}
if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
return err
}
return nil
}, option.FilerGrpcAddress, option.GrpcDialOption)
}
2020-02-09 22:30:02 +00:00
2020-11-25 20:30:11 +00:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
2020-02-17 20:31:59 +00:00
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
2020-02-09 22:30:02 +00:00
rawData, readErr := ioutil.ReadFile(fileName)
if readErr != nil {
glog.Warningf("fail to read %s : %v", fileName, readErr)
return fmt.Errorf("fail to read %s : %v", fileName, readErr)
}
2020-09-20 22:38:59 +00:00
glog.V(1).Infof("load s3 config: %v", fileName)
2020-02-17 20:31:59 +00:00
if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
2020-02-09 22:30:02 +00:00
glog.Warningf("unmarshal error: %v", err)
return fmt.Errorf("unmarshal %s error: %v", fileName, err)
}
2020-11-25 20:30:11 +00:00
if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
return err
}
return nil
}
2020-02-09 22:30:02 +00:00
2020-11-25 20:30:11 +00:00
func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
for _, ident := range config.Identities {
2020-02-09 22:30:02 +00:00
t := &Identity{
Name: ident.Name,
Credentials: nil,
Actions: nil,
}
for _, action := range ident.Actions {
t.Actions = append(t.Actions, Action(action))
}
for _, cred := range ident.Credentials {
t.Credentials = append(t.Credentials, &Credential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
})
}
iam.identities = append(iam.identities, t)
}
return nil
}
2020-07-11 16:11:15 +00:00
func (iam *IdentityAccessManagement) isEnabled() bool {
return len(iam.identities) > 0
}
2020-02-09 22:30:02 +00:00
func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
2020-07-11 16:11:15 +00:00
2020-02-09 22:30:02 +00:00
for _, ident := range iam.identities {
for _, cred := range ident.Credentials {
if cred.AccessKey == accessKey {
return ident, cred, true
}
}
}
return nil, nil, false
}
func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
for _, ident := range iam.identities {
if ident.Name == "anonymous" {
return ident, true
}
}
return nil, false
}
2020-02-23 05:34:18 +00:00
func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
2020-02-09 22:30:02 +00:00
2020-07-25 09:14:49 +00:00
if !iam.isEnabled() {
2020-02-09 22:30:02 +00:00
return f
}
return func(w http.ResponseWriter, r *http.Request) {
2020-11-11 08:20:59 +00:00
identity, errCode := iam.authRequest(r, action)
2020-09-19 21:09:58 +00:00
if errCode == s3err.ErrNone {
2020-11-11 08:20:59 +00:00
if identity != nil && identity.Name != "" {
r.Header.Set(xhttp.AmzIdentityId, identity.Name)
2020-11-12 21:57:54 +00:00
if identity.isAdmin() {
r.Header.Set(xhttp.AmzIsAdmin, "true")
}
2020-11-11 08:20:59 +00:00
}
2020-02-09 22:30:02 +00:00
f(w, r)
return
}
writeErrorResponse(w, errCode, r.URL)
}
}
// check whether the request has valid access keys
2020-11-11 08:20:59 +00:00
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
2020-02-09 22:30:02 +00:00
var identity *Identity
2020-09-19 21:09:58 +00:00
var s3Err s3err.ErrorCode
var found bool
2020-02-09 22:30:02 +00:00
switch getRequestAuthType(r) {
2020-02-10 00:02:05 +00:00
case authTypeStreamingSigned:
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrNone
2020-02-10 00:02:05 +00:00
case authTypeUnknown:
glog.V(3).Infof("unknown auth type")
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrAccessDenied
2020-02-09 22:30:02 +00:00
case authTypePresignedV2, authTypeSignedV2:
2020-02-10 00:02:05 +00:00
glog.V(3).Infof("v2 auth type")
identity, s3Err = iam.isReqAuthenticatedV2(r)
2020-02-09 22:30:02 +00:00
case authTypeSigned, authTypePresigned:
2020-02-10 00:02:05 +00:00
glog.V(3).Infof("v4 auth type")
2020-02-09 22:30:02 +00:00
identity, s3Err = iam.reqSignatureV4Verify(r)
case authTypePostPolicy:
2020-02-22 22:01:04 +00:00
glog.V(3).Infof("post policy auth type")
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrNone
case authTypeJWT:
2020-02-22 22:01:04 +00:00
glog.V(3).Infof("jwt auth type")
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrNotImplemented
case authTypeAnonymous:
identity, found = iam.lookupAnonymous()
if !found {
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrAccessDenied
}
2020-02-22 22:01:04 +00:00
default:
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrNotImplemented
2020-02-09 22:30:02 +00:00
}
2020-02-10 00:02:05 +00:00
glog.V(3).Infof("auth error: %v", s3Err)
2020-09-19 21:09:58 +00:00
if s3Err != s3err.ErrNone {
2020-11-11 08:20:59 +00:00
return identity, s3Err
2020-02-10 00:02:05 +00:00
}
glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
2020-07-26 19:58:58 +00:00
bucket, _ := getBucketAndObject(r)
2020-02-23 05:34:18 +00:00
if !identity.canDo(action, bucket) {
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrAccessDenied
2020-02-09 22:30:02 +00:00
}
2020-11-11 08:20:59 +00:00
return identity, s3err.ErrNone
2020-02-09 22:30:02 +00:00
}
2020-02-23 05:34:18 +00:00
func (identity *Identity) canDo(action Action, bucket string) bool {
2020-11-12 21:57:54 +00:00
if identity.isAdmin() {
return true
2020-02-23 05:34:18 +00:00
}
for _, a := range identity.Actions {
if a == action {
return true
}
}
if bucket == "" {
return false
}
limitedByBucket := string(action) + ":" + bucket
for _, a := range identity.Actions {
if string(a) == limitedByBucket {
return true
2020-02-09 22:30:02 +00:00
}
}
return false
}
2020-11-12 21:57:54 +00:00
func (identity *Identity) isAdmin() bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
}
return false
}