authorChris Lu <chris.lu@gmail.com>2021-07-03 14:50:53 -0700
committerChris Lu <chris.lu@gmail.com>2021-07-03 14:50:53 -0700
commitd39b2689a5e6e651fadc18ae079bbaf4e74fc5c4 (patch)
tree17929b717a864dbcc28ec26c56bfd939e764560d
parent3986601ee82a7a7edef01970ad57e523693fdd3c (diff)
S3 authorization: StreamingSigned enforces access control
fix https://github.com/chrislusf/seaweedfs/issues/2180
-rw-r--r--weed/s3api/chunked_reader_v4.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/weed/s3api/chunked_reader_v4.go b/weed/s3api/chunked_reader_v4.go
index b163ec2f6..ec26f693a 100644
--- a/weed/s3api/chunked_reader_v4.go
+++ b/weed/s3api/chunked_reader_v4.go
@@ -85,11 +85,17 @@ func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cr
return nil, "", "", time.Time{}, errCode
}
// Verify if the access key id matches.
- _, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
+ identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
if !found {
return nil, "", "", time.Time{}, s3err.ErrInvalidAccessKeyID
}
+ bucket, _ := getBucketAndObject(r)
+ if !identity.canDo("Write", bucket) {
+ errCode = s3err.ErrAccessDenied
+ return
+ }
+
// Verify if region is valid.
region = signV4Values.Credential.scope.region
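Review bot: The denial branch added after `lookupByAccessKey` ends in a bare `return`, so it hands back whatever the named results hold at that point, which appears to include the `cred` just looked up, while every neighbouring failure path returns explicit zero values. Writing it as `return nil, "", "", time.Time{}, s3err.ErrAccessDenied` keeps the looked-up credential from leaving the function on a denial and matches the surrounding returns. The check also runs before any signature verification visible in this hunk, so a caller who presents only an access key id could tell from `ErrAccessDenied` whether that key may write to the bucket; if the signature is verified further down, consider moving the `canDo` check after it. The literal `"Write"` would be safer as the package's action constant, if one is defined. calculateSeedSignature starts and ends outside the hunk.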