aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/auth_credentials.go
diff options
context:
space:
mode:
authorChris Lu <chris.lu@gmail.com>2020-12-25 00:38:56 -0800
committerChris Lu <chris.lu@gmail.com>2020-12-25 00:38:56 -0800
commit090f85be4b4c02dfd57942e2816dd609b002995d (patch)
tree1f2395273ba28c4f379854b472d75212b40c4648 /weed/s3api/auth_credentials.go
parent75613b2cc7fda522e28ca1e3d9e5dd9957bb5a89 (diff)
downloadseaweedfs-090f85be4b4c02dfd57942e2816dd609b002995d.tar.xz
seaweedfs-090f85be4b4c02dfd57942e2816dd609b002995d.zip
s3: support config action Admin:bucket
Diffstat (limited to 'weed/s3api/auth_credentials.go')
-rw-r--r--weed/s3api/auth_credentials.go33
1 files changed, 23 insertions, 10 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 93544b75e..c305fee6f 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -3,6 +3,7 @@ package s3api
import (
"fmt"
"github.com/chrislusf/seaweedfs/weed/filer"
+ "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
"io/ioutil"
"net/http"
@@ -155,6 +156,24 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) htt
// check whether the request has valid access keys
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
+ identity, s3Err := iam.authUser(r)
+ if s3Err != s3err.ErrNone {
+ return identity, s3Err
+ }
+
+ glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
+
+ bucket, _ := getBucketAndObject(r)
+
+ if !identity.canDo(action, bucket) {
+ return identity, s3err.ErrAccessDenied
+ }
+
+ return identity, s3err.ErrNone
+
+}
+
+func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
var identity *Identity
var s3Err s3err.ErrorCode
var found bool
@@ -189,17 +208,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
if s3Err != s3err.ErrNone {
return identity, s3Err
}
-
- glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
-
- bucket, _ := getBucketAndObject(r)
-
- if !identity.canDo(action, bucket) {
- return identity, s3err.ErrAccessDenied
- }
-
return identity, s3err.ErrNone
-
}
func (identity *Identity) canDo(action Action, bucket string) bool {
@@ -215,10 +224,14 @@ func (identity *Identity) canDo(action Action, bucket string) bool {
return false
}
limitedByBucket := string(action) + ":" + bucket
+ adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
for _, a := range identity.Actions {
if string(a) == limitedByBucket {
return true
}
+ if string(a) == adminLimitedByBucket {
+ return true
+ }
}
return false
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-21 21:53:15 +0000