authorChris Lu <chris.lu@gmail.com>2020-02-22 21:34:18 -0800
committerChris Lu <chris.lu@gmail.com>2020-02-22 21:34:18 -0800
commit4ed6b584e22eb332bfdc61112a625d49c772bafb (patch)
tree9320fc5dbc1802cba4a129f49a71486cd3de609f
parente83bfd0a35a01ff873b7669c8b3b74062ff6b69e (diff)
downloadseaweedfs-4ed6b584e22eb332bfdc61112a625d49c772bafb.tar.xz
seaweedfs-4ed6b584e22eb332bfdc61112a625d49c772bafb.zip
s3: access control limited by bucket
-rw-r--r--weed/command/s3.go13
-rw-r--r--weed/s3api/auth_credentials.go34
2 files changed, 38 insertions, 9 deletions
diff --git a/weed/command/s3.go b/weed/command/s3.go
index 4dc4b82f6..5fb59fcca 100644
--- a/weed/command/s3.go
+++ b/weed/command/s3.go
@@ -87,6 +87,19 @@ var cmdS3 = &Command{
"Read",
"Write"
]
+ },
+ {
+ "name": "user_limited_to_bucket1",
+ "credentials": [
+ {
+ "accessKey": "some_access_key4",
+ "secretKey": "some_secret_key4"
+ }
+ ],
+ "actions": [
+ "Read:bucket1",
+ "Write:bucket1"
+ ]
}
]
}
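Review bot: The new example introduces the `Read:bucket1` / `Write:bucket1` form without anywhere stating what the suffix means, so a reader of the help text has to reverse-engineer the syntax from the other file in this commit. A single sentence in the surrounding help prose (outside this hunk) would do, e.g. `An action may be scoped to one bucket as "Action:bucket" (e.g. "Read:bucket1"); a bare action applies to every bucket, and "Admin" permits everything.` That matches what canDo in weed/s3api/auth_credentials.go implements in this same commit.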
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 6d3363232..c1e8dff1e 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -7,6 +7,7 @@ import (
"net/http"
"github.com/golang/protobuf/jsonpb"
+ "github.com/gorilla/mux"
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
@@ -101,14 +102,14 @@ func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identi
return nil, nil, false
}
-func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, actions ...Action) http.HandlerFunc {
+func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
if len(iam.identities) == 0 {
return f
}
return func(w http.ResponseWriter, r *http.Request) {
- errCode := iam.authRequest(r, actions)
+ errCode := iam.authRequest(r, action)
if errCode == ErrNone {
f(w, r)
return
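Review bot: Changing `Auth` from `actions ...Action` to a single `action Action` is a signature change, and the diffstat lists no other file, so every existing call site must already pass exactly one action; any caller that passed none or several would no longer compile. Worth confirming with a grep before merging. The function also deserves a doc comment now that its contract is narrower, e.g. `// Auth wraps f so that it runs only when the request's credentials permit action on the bucket named in the route; when no identities are configured, f is returned unchanged.`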
@@ -118,7 +119,7 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, actions ...Action)
}
// check whether the request has valid access keys
-func (iam *IdentityAccessManagement) authRequest(r *http.Request, actions []Action) ErrorCode {
+func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) ErrorCode {
var identity *Identity
var s3Err ErrorCode
switch getRequestAuthType(r) {
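Review bot: The comment `// check whether the request has valid access keys` above the signature no longer describes the function: after this commit authRequest also reads the bucket from the route variables and checks the identity's (possibly bucket-scoped) permission for `action`, not just the credentials. Suggest replacing it with `// authRequest validates the request's credentials and checks that the resolved identity may perform action on the bucket named in the route, if any.` The body of authRequest continues past this hunk.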
@@ -152,7 +153,10 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, actions []Acti
glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
- if !identity.canDo(actions) {
+ vars := mux.Vars(r)
+ bucket := vars["bucket"]
+
+ if !identity.canDo(action, bucket) {
return ErrAccessDenied
}
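Review bot: `bucket` comes from `mux.Vars(r)["bucket"]` and is the empty string on any route without that variable; canDo (in the following hunk) then returns false once the unscoped actions have been tried, so a user granted only `Read:bucket1` is denied on bucket-less requests. That reads as the intended deny-by-default, but it is easy to misread later, so a comment above `vars := mux.Vars(r)` would help: `// bucket is empty on routes without a {bucket} var; bucket-scoped actions never match there, so such users are denied.` authRequest starts before and ends after this hunk.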
@@ -160,12 +164,24 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, actions []Acti
}
-func (identity *Identity) canDo(actions []Action) bool {
+func (identity *Identity) canDo(action Action, bucket string) bool {
for _, a := range identity.Actions {
- for _, b := range actions {
- if a == b {
- return true
- }
+ if a == "Admin" {
+ return true
+ }
+ }
+ for _, a := range identity.Actions {
+ if a == action {
+ return true
+ }
+ }
+ if bucket == "" {
+ return false
+ }
+ limitedByBucket := string(action) + ":" + bucket
+ for _, a := range identity.Actions {
+ if string(a) == limitedByBucket {
+ return true
}
}
return false