authorLHHDZ <changlin.shi@ly.com>2022-09-29 03:45:18 +0800
committerGitHub <noreply@github.com>2022-09-28 12:45:18 -0700
commitaacdcc4cad3d3aea58144640545a630c8b62d11a (patch)
treec2c0aad79a61308b119be7cda9ebd8cdfe4ab285
parent301b678147c4cca7a3a7b70273ddf389cfcd133a (diff)
s3: add account (#3753)
associate `Account` and `Identity` by accountId
-rw-r--r--weed/s3api/s3api_account.go69
-rw-r--r--weed/s3api/s3api_server.go2
2 files changed, 71 insertions, 0 deletions
diff --git a/weed/s3api/s3api_account.go b/weed/s3api/s3api_account.go
new file mode 100644
index 000000000..ce17472d8
--- /dev/null
+++ b/weed/s3api/s3api_account.go
@@ -0,0 +1,69 @@
+package s3api
+
+import (
+ "sync"
+)
+
+//Predefined Accounts
+var (
+ // AccountAdmin is used as the default account for IAM-Credentials access without Account configured
+ AccountAdmin = Account{
+ Name: "admin",
+ EmailAddress: "admin@example.com",
+ Id: "admin",
+ }
+
+ // AccountAnonymous is used to represent the account for anonymous access
+ AccountAnonymous = Account{
+ Name: "anonymous",
+ EmailAddress: "anonymous@example.com",
+ Id: "anonymous",
+ }
+)
+
+//Account represents a system user, a system user can
+//configure multiple IAM-Users, IAM-Users can configure
+//permissions respectively, and each IAM-User can
+//configure multiple security credentials
+type Account struct {
+ //Name is also used to display the "DisplayName" as the owner of the bucket or object
+ Name string
+ EmailAddress string
+
+ //Id is used to identify an Account when granting cross-account access(ACLs) to buckets and objects
+ Id string
+}
+
+type AccountManager struct {
+ sync.Mutex
+ s3a *S3ApiServer
+
+ IdNameMapping map[string]string
+ EmailIdMapping map[string]string
+}
+
+func NewAccountManager(s3a *S3ApiServer) *AccountManager {
+ am := &AccountManager{
+ s3a: s3a,
+ IdNameMapping: make(map[string]string),
+ EmailIdMapping: make(map[string]string),
+ }
+ am.initialize()
+ return am
+}
+
+func (am *AccountManager) GetAccountNameById(canonicalId string) string {
+ return am.IdNameMapping[canonicalId]
+}
+
+func (am *AccountManager) GetAccountIdByEmail(email string) string {
+ return am.EmailIdMapping[email]
+}
+
+func (am *AccountManager) initialize() {
+ // load predefined Accounts
+ for _, account := range []Account{AccountAdmin, AccountAnonymous} {
+ am.IdNameMapping[account.Id] = account.Name
+ am.EmailIdMapping[account.EmailAddress] = account.Id
+ }
+}
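Review bot: GetAccountNameById and GetAccountIdByEmail read IdNameMapping and EmailIdMapping without taking the sync.Mutex that AccountManager embeds, and initialize writes them without it either, so the moment any later code adds or removes an account under the lock these lookups race with it, and a concurrent map read and write is a fatal runtime error, not a recoverable panic — an availability concern for the path that resolves bucket and object owners. If the maps are meant to change after construction, each getter should hold the lock, e.g. `am.Lock()` / `defer am.Unlock()` before the lookup; if they are fixed once NewAccountManager returns, say so in a doc comment on AccountManager and the mutex can go. The two maps are also exported fields, so callers can mutate them without the lock at all; unexporting them (or exposing an Add method that locks) keeps the invariant inside the type. Minor: the `//Predefined Accounts` and `//Account represents …` comments lack the space after `//` that gofmt/go vet conventions expect, and the exported AccountManager, NewAccountManager and the two getters have no doc comments.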
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 76163d724..7ed5d4e87 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -40,6 +40,7 @@ type S3ApiServer struct {
randomClientId int32
filerGuard *security.Guard
client *http.Client
+ accountManager *AccountManager
}
func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
@@ -59,6 +60,7 @@ func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer
filerGuard: security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
cb: NewCircuitBreaker(option),
}
+ s3ApiServer.accountManager = NewAccountManager(s3ApiServer)
if option.LocalFilerSocket == "" {
s3ApiServer.client = &http.Client{Transport: &http.Transport{
MaxIdleConns: 1024,
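Review bot: NewAccountManager(s3ApiServer) is called on the line after the struct literal, before s3ApiServer.client is assigned in the following lines, so the AccountManager receives a partially constructed server; this is harmless today because initialize in s3api_account.go only touches its own maps, but it is an implicit ordering contract. A comment at the call such as `// accountManager only stores s3a; it must not dereference it during construction, since client is set below` would stop a later change to initialize from turning into a nil dereference at startup, or the call could simply move after the client is assigned. NewS3ApiServer's body continues outside the hunk.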