gitlab-com-seaweedfs/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2024-01-19 02:48:24 +00:00
Code Issues Projects Releases Wiki Activity

enable admin to access all buckets

Browse source
This commit is contained in:
Chris Lu 2020-11-12 13:57:54 -08:00
parent 7094492428
commit e6333da65a
3 changed files with 41 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
weed/s3api/auth_credentials.go
View file

@ -132,6 +132,9 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
if errCode == s3err.ErrNone { if errCode == s3err.ErrNone {
if identity != nil && identity.Name != "" { if identity != nil && identity.Name != "" {
r.Header.Set(xhttp.AmzIdentityId, identity.Name) r.Header.Set(xhttp.AmzIdentityId, identity.Name)
if identity.isAdmin() {
r.Header.Set(xhttp.AmzIsAdmin, "true")
}
} }
f(w, r) f(w, r)
return return
@ -190,10 +193,8 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
} }
func (identity *Identity) canDo(action Action, bucket string) bool { func (identity *Identity) canDo(action Action, bucket string) bool {
for _, a := range identity.Actions { if identity.isAdmin() {
if a == "Admin" { return true
return true
}
} }
for _, a := range identity.Actions { for _, a := range identity.Actions {
if a == action { if a == action {
@ -211,3 +212,12 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
} }
return false return false
} }
func (identity *Identity) isAdmin() bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
}
return false
}

1
weed/s3api/http/header.go
View file

@ -32,4 +32,5 @@ const (
// Non-Standard S3 HTTP request constants // Non-Standard S3 HTTP request constants
const ( const (
AmzIdentityId = "x-amz-identity-id" AmzIdentityId = "x-amz-identity-id"
AmzIsAdmin = "x-amz-is-admin" // only set to http request header as a context
) )

44
weed/s3api/s3api_bucket_handlers.go
View file

@ -40,10 +40,8 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
var buckets []*s3.Bucket var buckets []*s3.Bucket
for _, entry := range entries { for _, entry := range entries {
if entry.IsDirectory { if entry.IsDirectory {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok { if !s3a.hasAccess(r, entry) {
if identityId != string(id) { continue
continue
}
} }
buckets = append(buckets, &s3.Bucket{ buckets = append(buckets, &s3.Bucket{
Name: aws.String(entry.Name), Name: aws.String(entry.Name),
@ -126,13 +124,9 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
return return
} }
if entry.Extended != nil { if !s3a.hasAccess(r, entry) {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok { writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
if string(id) != r.Header.Get(xhttp.AmzIdentityId) { return
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
}
} }
err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error { err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
@ -170,14 +164,28 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
return return
} }
if entry.Extended != nil { if !s3a.hasAccess(r, entry) {
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok { writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
if string(id) != r.Header.Get(xhttp.AmzIdentityId) { return
writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
return
}
}
} }
writeSuccessResponseEmpty(w) writeSuccessResponseEmpty(w)
} }
func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool {
isAdmin := r.Header.Get(xhttp.AmzIsAdmin) != ""
if isAdmin {
return true
}
if entry.Extended == nil {
return true
}
identityId := r.Header.Get(xhttp.AmzIdentityId)
if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
if identityId != string(id) {
return false
}
}
return true
}