authorruitao.liu <ruitao.liu@cloudminds.com>2020-11-12 16:15:59 +0800
committerruitao.liu <ruitao.liu@cloudminds.com>2020-11-12 16:15:59 +0800
commite06676f007934ef20ae1429a097137a9b0466425 (patch)
tree09397ee2a1e1ba536b25fcd5bc417d723430952d
parentd7cc0498e012dd5a1d641d80187b1f4241bf56e3 (diff)
check permission for bucket delete/head.
-rw-r--r--weed/s3api/filer_util.go6
-rw-r--r--weed/s3api/s3api_bucket_handlers.go36
2 files changed, 23 insertions, 19 deletions
diff --git a/weed/s3api/filer_util.go b/weed/s3api/filer_util.go
index ebdbe8245..72df337a5 100644
--- a/weed/s3api/filer_util.go
+++ b/weed/s3api/filer_util.go
@@ -7,6 +7,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
+ "github.com/chrislusf/seaweedfs/weed/util"
)
func (s3a *S3ApiServer) mkdir(parentDirectoryPath string, dirName string, fn func(entry *filer_pb.Entry)) error {
@@ -75,6 +76,11 @@ func (s3a *S3ApiServer) exists(parentDirectoryPath string, entryName string, isD
}
+func (s3a *S3ApiServer) get(parentDirectoryPath, entryName string) (entry *filer_pb.Entry, err error) {
+ fullPath := util.NewFullPath(parentDirectoryPath, entryName)
+ return filer_pb.GetEntry(s3a, fullPath)
+}
+
func objectKey(key *string) *string {
if strings.HasPrefix(*key, "/") {
t := (*key)[1:]
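Review bot: The new `get` helper has no doc comment, and its contract is not obvious from the signature. Both callers in this commit test `entry != nil` separately from `err`, which suggests `filer_pb.GetEntry` can return a nil entry together with a nil error when nothing is found; that should be confirmed and written down. Something like `// get returns the filer entry entryName under parentDirectoryPath; the entry may be nil even when err is nil, so callers must check both.` would do. The named results `entry` and `err` are never assigned, so plain `(*filer_pb.Entry, error)` reads more clearly.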
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index bd3d7fd58..744f22617 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -120,6 +120,15 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
bucket, _ := getBucketAndObject(r)
+ if entry, err := s3a.get(s3a.option.BucketsPath, bucket); entry != nil && err == nil {
+ if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+ if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+ writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+ return
+ }
+ }
+ }
+
err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
// delete collection
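Review bot: The ownership check added at the top of DeleteBucketHandler fails open, because the whole check is wrapped in `entry != nil && err == nil`. A filer lookup error or a nil entry therefore skips the comparison and falls through to the delete. HeadBucketHandler in the same commit stops in that case, and the delete path should do the same, for example `entry, err := s3a.get(s3a.option.BucketsPath, bucket)` followed by `if entry == nil || err != nil { writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL); return }` ahead of the owner comparison. The recorded owner is compared with `r.Header.Get(xhttp.AmzIdentityId)`, so the check is only as strong as whatever sets that header. It is worth confirming, outside this hunk, that the authentication layer always overwrites or strips a client-supplied value, including when no identities are configured. Buckets without the extended attribute stay deletable by any caller, which looks deliberate for older buckets but deserves a comment. The handler body continues past the end of the hunk.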
@@ -149,28 +158,17 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
bucket, _ := getBucketAndObject(r)
- err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
-
- request := &filer_pb.LookupDirectoryEntryRequest{
- Directory: s3a.option.BucketsPath,
- Name: bucket,
- }
-
- glog.V(1).Infof("lookup bucket: %v", request)
- if _, err := filer_pb.LookupEntry(client, request); err != nil {
- if err == filer_pb.ErrNotFound {
- return filer_pb.ErrNotFound
- }
- return fmt.Errorf("lookup bucket %s/%s: %v", s3a.option.BucketsPath, bucket, err)
- }
-
- return nil
- })
-
- if err != nil {
+ entry, err := s3a.get(s3a.option.BucketsPath, bucket)
+ if entry == nil || err != nil {
writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
return
}
+ if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+ if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+ writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+ return
+ }
+ }
writeSuccessResponseEmpty(w)
}
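Review bot: The owner comparison at the end of HeadBucketHandler is a verbatim copy of the one added to DeleteBucketHandler, and the two copies already disagree on a failed lookup: this handler stops, the delete path continues. Moving the rule into one helper keeps the authorization decision in a single place that both handlers call. Separately, every error from `s3a.get` is now answered with ErrNoSuchBucket and the earlier `glog.V(1)` lookup line is gone, so a filer outage is indistinguishable from a missing bucket and leaves no trace in the log; logging `err` before responding would help triage.

```go
// isBucketOwner reports whether the request identity may act on the bucket:
// true when the entry records no owner or the recorded owner matches.
func (s3a *S3ApiServer) isBucketOwner(r *http.Request, entry *filer_pb.Entry) bool {
	id, ok := entry.Extended[xhttp.AmzIdentityId]
	return !ok || string(id) == r.Header.Get(xhttp.AmzIdentityId)
}

// … unchanged: bucket lookup and ErrNoSuchBucket response in HeadBucketHandler …
	if !s3a.isBucketOwner(r, entry) {
		writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
		return
	}
	writeSuccessResponseEmpty(w)
```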