check permission for bucket delete/head.

This commit is contained in:
ruitao.liu 2020-11-12 16:15:59 +08:00
parent d7cc0498e0
commit e06676f007
2 changed files with 23 additions and 19 deletions

View file

@ -7,6 +7,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/glog" "github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/filer_pb" "github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
"github.com/chrislusf/seaweedfs/weed/util"
) )
func (s3a *S3ApiServer) mkdir(parentDirectoryPath string, dirName string, fn func(entry *filer_pb.Entry)) error { func (s3a *S3ApiServer) mkdir(parentDirectoryPath string, dirName string, fn func(entry *filer_pb.Entry)) error {
@ -75,6 +76,11 @@ func (s3a *S3ApiServer) exists(parentDirectoryPath string, entryName string, isD
} }
func (s3a *S3ApiServer) get(parentDirectoryPath, entryName string) (entry *filer_pb.Entry, err error) {
fullPath := util.NewFullPath(parentDirectoryPath, entryName)
return filer_pb.GetEntry(s3a, fullPath)
}
func objectKey(key *string) *string { func objectKey(key *string) *string {
if strings.HasPrefix(*key, "/") { if strings.HasPrefix(*key, "/") {
t := (*key)[1:] t := (*key)[1:]

View file

@ -120,6 +120,15 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
bucket, _ := getBucketAndObject(r) bucket, _ := getBucketAndObject(r)
if entry, err := s3a.get(s3a.option.BucketsPath, bucket); entry != nil && err == nil {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
}
}
err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error { err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
// delete collection // delete collection
@ -149,28 +158,17 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
bucket, _ := getBucketAndObject(r) bucket, _ := getBucketAndObject(r)
err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error { entry, err := s3a.get(s3a.option.BucketsPath, bucket)
if entry == nil || err != nil {
request := &filer_pb.LookupDirectoryEntryRequest{
Directory: s3a.option.BucketsPath,
Name: bucket,
}
glog.V(1).Infof("lookup bucket: %v", request)
if _, err := filer_pb.LookupEntry(client, request); err != nil {
if err == filer_pb.ErrNotFound {
return filer_pb.ErrNotFound
}
return fmt.Errorf("lookup bucket %s/%s: %v", s3a.option.BucketsPath, bucket, err)
}
return nil
})
if err != nil {
writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL) writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
return return
} }
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
}
writeSuccessResponseEmpty(w) writeSuccessResponseEmpty(w)
} }