| author | chrislu <chris.lu@gmail.com> | 2023-09-21 11:08:30 -0700 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2023-09-21 11:08:30 -0700 |
| commit | b38895734036f70879b5a342bdd7dbc222ecf55d (patch) | |
| tree | 0c0d064ae0f568c006abc91428749060279a6c04 /weed/s3api/auth_credentials.go | |
| parent | 31fc1657151eb7bb0f45c0657deabe664526a0eb (diff) | |
| parent | a46f873edd8a5fb0c25aeb1c5c3c33e925ed63dd (diff) | |
| download | seaweedfs-b38895734036f70879b5a342bdd7dbc222ecf55d.tar.xz seaweedfs-b38895734036f70879b5a342bdd7dbc222ecf55d.zip | |
Merge branch 'master' of https://github.com/seaweedfs/seaweedfs
Diffstat (limited to 'weed/s3api/auth_credentials.go')
| -rw-r--r-- | weed/s3api/auth_credentials.go | 49 |
1 files changed, 21 insertions, 28 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 234dc100b..38ff2b5ca 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -18,8 +18,6 @@ import (
 "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 )
-var IdentityAnonymous *Identity
-
 type Action string
 type Iam interface {
@@ -29,12 +27,14 @@ type Iam interface {
 type IdentityAccessManagement struct {
 m sync.RWMutex
- identities []*Identity
- isAuthEnabled bool
- domain string
- hashes map[string]*sync.Pool
- hashCounters map[string]*int32
- hashMu sync.RWMutex
+ identities []*Identity
+ accessKeyIdent map[string]*Identity
+ hashes map[string]*sync.Pool
+ hashCounters map[string]*int32
+ identityAnonymous *Identity
+ hashMu sync.RWMutex
+ domain string
+ isAuthEnabled bool
 }
 type Identity struct {
@@ -136,6 +136,8 @@ func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []b
 func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
 var identities []*Identity
+ var identityAnonymous *Identity
+ accessKeyIdent := make(map[string]*Identity)
 for _, ident := range config.Identities {
 t := &Identity{
 Name: ident.Name,
@@ -149,7 +151,7 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api
 glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
 }
 t.AccountId = s3account.AccountAnonymous.Id
- IdentityAnonymous = t
+ identityAnonymous = t
 } else {
 if len(ident.AccountId) > 0 {
 t.AccountId = ident.AccountId
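Review bot: The two fields added to IdentityAccessManagement, `accessKeyIdent` and `identityAnonymous`, carry no comment saying what they hold or which lock covers them, although the hunks further down swap them under `iam.m.Lock()` and read them under `iam.m.RLock()`. Suggest `accessKeyIdent map[string]*Identity // access key -> identity owning that credential; guarded by m` and `identityAnonymous *Identity // identity bound to the anonymous account, nil when none is configured; guarded by m`. The nil case matters because this commit drops the synthesized default anonymous identity, so callers of lookupAnonymous now see not-found instead.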
@@ -164,19 +166,15 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api
 AccessKey: cred.AccessKey,
 SecretKey: cred.SecretKey,
 })
+ accessKeyIdent[cred.AccessKey] = t
 }
 identities = append(identities, t)
 }
-
- if IdentityAnonymous == nil {
- IdentityAnonymous = &Identity{
- Name: s3account.AccountAnonymous.Name,
- AccountId: s3account.AccountAnonymous.Id,
- }
- }
 iam.m.Lock() // atomically switch
 iam.identities = identities
+ iam.identityAnonymous = identityAnonymous
+ iam.accessKeyIdent = accessKeyIdent
 if !iam.isAuthEnabled { // one-directional, no toggling
 iam.isAuthEnabled = len(identities) > 0
 }
@@ -189,14 +187,12 @@ func (iam *IdentityAccessManagement) isEnabled() bool {
 }
 func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
- iam.m.RLock()
 defer iam.m.RUnlock()
- for _, ident := range iam.identities {
- for _, cred := range ident.Credentials {
- // println("checking", ident.Name, cred.AccessKey)
- if cred.AccessKey == accessKey {
- return ident, cred, true
+ if ident, ok := iam.accessKeyIdent[accessKey]; ok {
+ for _, credential := range ident.Credentials {
+ if credential.AccessKey == accessKey {
+ return ident, credential, true
 }
 }
 }
@@ -207,10 +203,8 @@ func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identi
 func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
 iam.m.RLock()
 defer iam.m.RUnlock()
- for _, ident := range iam.identities {
- if ident.isAnonymous() {
- return ident, true
- }
+ if iam.identityAnonymous != nil {
+ return iam.identityAnonymous, true
 }
 return nil, false
 }
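Review bot: `accessKeyIdent[cred.AccessKey] = t` lets a later identity silently overwrite an earlier one when two identities in the configuration share an access key, whereas the linear scan it replaces returned the first match, so which identity (and which policy) a key resolves to now depends on configuration order. Flagging the collision at load time keeps the map unambiguous, e.g. `if _, dup := accessKeyIdent[cred.AccessKey]; dup { glog.Warningf("access key reused on identity %s", ident.Name) }` before the assignment. The start of loadS3ApiConfiguration lies outside this hunk.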
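Review bot: The lookupByAccessKey hunk removes `iam.m.RLock()` but keeps `defer iam.m.RUnlock()`, so every call releases a read lock it never took; on sync.RWMutex that is a runtime fatal error ("RUnlock of unlocked RWMutex") that terminates the whole process rather than returning an error, presumably on the first request carrying an access key. Restore the line directly above the defer: `iam.m.RLock()`. Without it the read of `iam.accessKeyIdent` would also race with the swap done under `iam.m.Lock()` in loadS3ApiConfiguration. The function's final `return` lies outside the hunk.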
@@ -270,8 +264,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 return identity, s3err.ErrNotImplemented
 case authTypeAnonymous:
 authType = "Anonymous"
- identity, found = iam.lookupAnonymous()
- if !found {
+ if identity, found = iam.lookupAnonymous(); !found {
 r.Header.Set(s3_constants.AmzAuthType, authType)
 return identity, s3err.ErrAccessDenied
 }
|
