mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-01-19 02:48:24 +00:00
enable admin to access all buckets
This commit is contained in:
parent
7094492428
commit
e6333da65a
|
@ -132,6 +132,9 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
|
|||
if errCode == s3err.ErrNone {
|
||||
if identity != nil && identity.Name != "" {
|
||||
r.Header.Set(xhttp.AmzIdentityId, identity.Name)
|
||||
if identity.isAdmin() {
|
||||
r.Header.Set(xhttp.AmzIsAdmin, "true")
|
||||
}
|
||||
}
|
||||
f(w, r)
|
||||
return
|
||||
|
@ -190,10 +193,8 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
|
|||
}
|
||||
|
||||
func (identity *Identity) canDo(action Action, bucket string) bool {
|
||||
for _, a := range identity.Actions {
|
||||
if a == "Admin" {
|
||||
return true
|
||||
}
|
||||
if identity.isAdmin() {
|
||||
return true
|
||||
}
|
||||
for _, a := range identity.Actions {
|
||||
if a == action {
|
||||
|
@ -211,3 +212,12 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
|
|||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (identity *Identity) isAdmin() bool {
|
||||
for _, a := range identity.Actions {
|
||||
if a == "Admin" {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
|
|
@ -32,4 +32,5 @@ const (
|
|||
// Non-Standard S3 HTTP request constants
|
||||
const (
|
||||
AmzIdentityId = "x-amz-identity-id"
|
||||
AmzIsAdmin = "x-amz-is-admin" // only set to http request header as a context
|
||||
)
|
||||
|
|
|
@ -40,10 +40,8 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
|
|||
var buckets []*s3.Bucket
|
||||
for _, entry := range entries {
|
||||
if entry.IsDirectory {
|
||||
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
|
||||
if identityId != string(id) {
|
||||
continue
|
||||
}
|
||||
if !s3a.hasAccess(r, entry) {
|
||||
continue
|
||||
}
|
||||
buckets = append(buckets, &s3.Bucket{
|
||||
Name: aws.String(entry.Name),
|
||||
|
@ -126,13 +124,9 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
|
|||
return
|
||||
}
|
||||
|
||||
if entry.Extended != nil {
|
||||
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
|
||||
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
|
||||
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
|
||||
return
|
||||
}
|
||||
}
|
||||
if !s3a.hasAccess(r, entry) {
|
||||
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
|
||||
return
|
||||
}
|
||||
|
||||
err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
|
@ -170,14 +164,28 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
|
|||
return
|
||||
}
|
||||
|
||||
if entry.Extended != nil {
|
||||
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
|
||||
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
|
||||
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
|
||||
return
|
||||
}
|
||||
}
|
||||
if !s3a.hasAccess(r, entry) {
|
||||
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
|
||||
return
|
||||
}
|
||||
|
||||
writeSuccessResponseEmpty(w)
|
||||
}
|
||||
|
||||
func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool {
|
||||
isAdmin := r.Header.Get(xhttp.AmzIsAdmin) != ""
|
||||
if isAdmin {
|
||||
return true
|
||||
}
|
||||
if entry.Extended == nil {
|
||||
return true
|
||||
}
|
||||
|
||||
identityId := r.Header.Get(xhttp.AmzIdentityId)
|
||||
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
|
||||
if identityId != string(id) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
Loading…
Reference in a new issue