enable admin to access all buckets

This commit is contained in:
Chris Lu 2020-11-12 13:57:54 -08:00
parent 7094492428
commit e6333da65a
3 changed files with 41 additions and 22 deletions

View file

@ -132,6 +132,9 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
if errCode == s3err.ErrNone {
if identity != nil && identity.Name != "" {
r.Header.Set(xhttp.AmzIdentityId, identity.Name)
if identity.isAdmin() {
r.Header.Set(xhttp.AmzIsAdmin, "true")
}
}
f(w, r)
return
@ -190,10 +193,8 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
}
func (identity *Identity) canDo(action Action, bucket string) bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
if identity.isAdmin() {
return true
}
for _, a := range identity.Actions {
if a == action {
@ -211,3 +212,12 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
}
return false
}
func (identity *Identity) isAdmin() bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
}
return false
}

View file

@ -32,4 +32,5 @@ const (
// Non-Standard S3 HTTP request constants
const (
AmzIdentityId = "x-amz-identity-id"
AmzIsAdmin = "x-amz-is-admin" // only set to http request header as a context
)

View file

@ -40,10 +40,8 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
var buckets []*s3.Bucket
for _, entry := range entries {
if entry.IsDirectory {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if identityId != string(id) {
continue
}
if !s3a.hasAccess(r, entry) {
continue
}
buckets = append(buckets, &s3.Bucket{
Name: aws.String(entry.Name),
@ -126,13 +124,9 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
return
}
if entry.Extended != nil {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
}
if !s3a.hasAccess(r, entry) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
@ -170,14 +164,28 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
return
}
if entry.Extended != nil {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
}
if !s3a.hasAccess(r, entry) {
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
writeSuccessResponseEmpty(w)
}
func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool {
isAdmin := r.Header.Get(xhttp.AmzIsAdmin) != ""
if isAdmin {
return true
}
if entry.Extended == nil {
return true
}
identityId := r.Header.Get(xhttp.AmzIdentityId)
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if identityId != string(id) {
return false
}
}
return true
}