s3: support config action Admin:bucket

3 files changed, 36 insertions, 12 deletions

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 93544b75e..c305fee6f 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -3,6 +3,7 @@ package s3api
 import (
 	"fmt"
 	"github.com/chrislusf/seaweedfs/weed/filer"
+	"github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
 	"io/ioutil"
 	"net/http"
 
@@ -155,6 +156,24 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
 
 // check whether the request has valid access keys
 func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
+	identity, s3Err := iam.authUser(r)
+	if s3Err != s3err.ErrNone {
+		return identity, s3Err
+	}
+
+	glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
+
+	bucket, _ := getBucketAndObject(r)
+
+	if !identity.canDo(action, bucket) {
+		return identity, s3err.ErrAccessDenied
+	}
+
+	return identity, s3err.ErrNone
+
+}
+
+func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
 	var identity *Identity
 	var s3Err s3err.ErrorCode
 	var found bool
@@ -189,17 +208,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 	if s3Err != s3err.ErrNone {
 		return identity, s3Err
 	}
-
-	glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
-
-	bucket, _ := getBucketAndObject(r)
-
-	if !identity.canDo(action, bucket) {
-		return identity, s3err.ErrAccessDenied
-	}
-
 	return identity, s3err.ErrNone
-
 }
 
 func (identity *Identity) canDo(action Action, bucket string) bool {
@@ -215,10 +224,14 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
 		return false
 	}
 	limitedByBucket := string(action) + ":" + bucket
+	adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
 	for _, a := range identity.Actions {
 		if string(a) == limitedByBucket {
 			return true
 		}
+		if string(a) == adminLimitedByBucket {
+			return true
+		}
 	}
 	return false
 }
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 00b7382cc..f750f6e53 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/xml"
 	"fmt"
+	"github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
 	"math"
 	"net/http"
 	"time"
@@ -26,6 +27,16 @@ type ListAllMyBucketsResult struct {
 
 func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Request) {
 
+	var identity *Identity
+	var s3Err s3err.ErrorCode
+	if s3a.iam.isEnabled() {
+		identity, s3Err = s3a.iam.authUser(r)
+		if s3Err != s3err.ErrNone {
+			writeErrorResponse(w, s3Err, r.URL)
+			return
+		}
+	}
+
 	var response ListAllMyBucketsResult
 
 	entries, _, err := s3a.list(s3a.option.BucketsPath, "", "", false, math.MaxInt32)
@@ -40,7 +51,7 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
 	var buckets []*s3.Bucket
 	for _, entry := range entries {
 		if entry.IsDirectory {
-			if !s3a.hasAccess(r, entry) {
+			if identity!=nil && !identity.canDo(s3_constants.ACTION_ADMIN, entry.Name) {
 				continue
 			}
 			buckets = append(buckets, &s3.Bucket{
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 93e2bb575..e4a07a443 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -128,7 +128,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 	}
 
 	// ListBuckets
-	apiRouter.Methods("GET").Path("/").HandlerFunc(track(s3a.iam.Auth(s3a.ListBucketsHandler, ACTION_ADMIN), "LIST"))
+	apiRouter.Methods("GET").Path("/").HandlerFunc(track(s3a.ListBucketsHandler, "LIST"))
 
 	// NotFound
 	apiRouter.NotFoundHandler = http.HandlerFunc(notFoundHandler)