[s3acl] Step 0: Put bucket ACL only responds success if the ACL is private. (#4856)

* Passing test:
test_bucket_acl_default
test_bucket_acl_canned_private_to_private

https://github.com/seaweedfs/seaweedfs/issues/4519

* Update weed/s3api/s3api_bucket_handlers.go

---------

Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
Konstantin Lebedev 2023-09-21 20:20:05 +05:00 committed by GitHub
parent d8b424d123
commit a46f873edd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 48 additions and 32 deletions


@ -18,10 +18,10 @@ bucket prefix = yournamehere-{random}-
[s3 main] [s3 main]
# main display_name set in vstart.sh # main display_name set in vstart.sh
display_name = M. Tester display_name = s3_tests
# main user_idname set in vstart.sh # main user_idname set in vstart.sh
user_id = testid user_id = s3_tests
# main email set in vstart.sh # main email set in vstart.sh
email = tester@ceph.com email = tester@ceph.com


@ -259,34 +259,56 @@ func (s3a *S3ApiServer) GetBucketAclHandler(w http.ResponseWriter, r *http.Reque
return return
} }
response := AccessControlPolicy{} identityId := r.Header.Get(s3_constants.AmzIdentityId)
for _, ident := range s3a.iam.identities { response := AccessControlPolicy{
if len(ident.Credentials) == 0 { Owner: CanonicalUser{
continue ID: identityId,
} DisplayName: identityId,
for _, action := range ident.Actions { },
if !action.overBucket(bucket) || action.getPermission() == "" {
continue
}
id := ident.Credentials[0].AccessKey
if response.Owner.DisplayName == "" && action.isOwner(bucket) && len(ident.Credentials) > 0 {
response.Owner.DisplayName = ident.Name
response.Owner.ID = id
} }
response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{ response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{
Grantee: Grantee{ Grantee: Grantee{
ID: id, ID: identityId,
DisplayName: ident.Name, DisplayName: identityId,
Type: "CanonicalUser", Type: "CanonicalUser",
XMLXSI: "CanonicalUser", XMLXSI: "CanonicalUser",
XMLNS: "http://www.w3.org/2001/XMLSchema-instance"}, XMLNS: "http://www.w3.org/2001/XMLSchema-instance"},
Permission: action.getPermission(), Permission: s3.PermissionFullControl,
}) })
}
}
writeSuccessResponseXML(w, r, response) writeSuccessResponseXML(w, r, response)
} }
// PutBucketAclHandler Put bucket ACL only responds success if the ACL is private.
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html //
func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
// collect parameters
bucket, _ := s3_constants.GetBucketAndObject(r)
glog.V(3).Infof("PutBucketAclHandler %s", bucket)
if err := s3a.checkBucket(r, bucket); err != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, err)
return
}
cannedAcl := r.Header.Get(s3_constants.AmzCannedAcl)
switch {
case cannedAcl == "":
acl := &s3.AccessControlPolicy{}
if err := xmlDecoder(r.Body, acl, r.ContentLength); err != nil {
glog.Errorf("PutBucketAclHandler: %s", err)
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
return
}
if len(acl.Grants) == 1 && acl.Grants[0].Permission != nil && *acl.Grants[0].Permission == s3_constants.PermissionFullControl {
writeSuccessResponseEmpty(w, r)
return
}
case cannedAcl == s3_constants.CannedAclPrivate:
writeSuccessResponseEmpty(w, r)
return
}
s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
}
// GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration // GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLifecycleConfiguration.html // https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLifecycleConfiguration.html
func (s3a *S3ApiServer) GetBucketLifecycleConfigurationHandler(w http.ResponseWriter, r *http.Request) { func (s3a *S3ApiServer) GetBucketLifecycleConfigurationHandler(w http.ResponseWriter, r *http.Request) {
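Review bot: In the new PutBucketAclHandler, the XML-body branch returns success for any single grant whose permission is FULL_CONTROL without inspecting the grantee. A policy that grants FULL_CONTROL to a group URI or to a different canonical user is therefore acknowledged as applied, although nothing is stored and the requested ACL is not private. The condition should also pin the grantee to the caller, e.g. bind `g := acl.Grants[0]` and additionally require `g.Grantee != nil && g.Grantee.URI == nil && g.Grantee.ID != nil && *g.Grantee.ID == r.Header.Get(s3_constants.AmzIdentityId)`, falling through to ErrNotImplemented otherwise. GetBucketAclHandler, whose body starts outside this hunk, now reports whatever is in the AmzIdentityId header as owner with FULL_CONTROL. Whether the auth layer always overwrites that header is not visible here, so a comment such as `// AmzIdentityId is set by the auth middleware; never trust a client-supplied value` and an explicit empty-identity check would make the assumption reviewable.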


@ -41,9 +41,3 @@ func (s3a *S3ApiServer) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Re
func (s3a *S3ApiServer) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) { func (s3a *S3ApiServer) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
s3err.WriteErrorResponse(w, r, http.StatusNoContent) s3err.WriteErrorResponse(w, r, http.StatusNoContent)
} }
// PutBucketAclHandler Put bucket ACL
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
}