From edb753ab4d3c49287cfb1ec0f0650aad23977b1c Mon Sep 17 00:00:00 2001
From: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>
Date: Wed, 12 Jan 2022 16:04:59 +0500
Subject: [PATCH] https://github.com/chrislusf/seaweedfs/issues/2583
---
 weed/s3api/auth_credentials.go | 4 ++++
 weed/s3api/auth_credentials_test.go | 10 ++++++++++
 2 files changed, 14 insertions(+)
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 5b5075d78..6a7d83919 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -320,6 +320,7 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 return false
 }
 target := string(action) + ":" + bucket + objectKey
+ adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
 limitedByBucket := string(action) + ":" + bucket
 adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
 for _, a := range identity.Actions {
@@ -328,6 +329,9 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 if strings.HasPrefix(target, act[:len(act)-1]) {
 return true
 }
+ if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
+ return true
+ }
 } else {
 if act == limitedByBucket {
 return true
diff --git a/weed/s3api/auth_credentials_test.go b/weed/s3api/auth_credentials_test.go
index 94479b4f5..4545d13bc 100644
--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -115,4 +115,14 @@ func TestCanDo(t *testing.T) {
 assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
 assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
+ // admin buckets
+ ident5 := &Identity{
+ Name: "anything",
+ Actions: []Action{
+ "Admin:special_*",
+ },
+ }
+ assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
+ assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
+
 }
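Review bot: The added `strings.HasPrefix(adminTarget, act[:len(act)-1])` check in the second hunk of auth_credentials.go matches a raw string prefix over `bucket + objectKey`, so it does not stop at the bucket-name boundary. A grant written as `Admin:special*` would therefore also cover a bucket such as `special2`, and because the match is on the Admin target it returns true for every requested action. That widening is easy to miss when writing identities, so the branch should carry a comment such as `// Admin:<prefix>* grants every action on any bucket/object whose "bucket+key" starts with <prefix>; the match is a plain string prefix`. The two checks can also be folded into one, `if p := act[:len(act)-1]; strings.HasPrefix(target, p) || strings.HasPrefix(adminTarget, p) { return true }`. canDo begins and ends outside the hunk, and the condition selecting this branch is not visible here; presumably it tests for a trailing `*`.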
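Review bot: The new ident5 case in TestCanDo only asserts grants, so a regression that makes the Admin wildcard match every bucket would still pass. Add a deny assertion next to the two allows, for example `assert.Equal(t, false, ident5.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))`, mirroring the ident4 check just above. TestCanDo starts outside the hunk.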