authorChris Lu <chrislusf@users.noreply.github.com>2025-08-01 12:13:11 -0700
committerGitHub <noreply@github.com>2025-08-01 12:13:11 -0700
commit52d87f1d29501004dddb69a0a6e42eae3a1075ef (patch)
tree096a25388dab139e53ae16d6fb2682b8f5b3c6a5 /weed/s3api/auth_credentials.go
parent0975968e71b05368d5f28f788cf863c2042c2696 (diff)
S3: fix list buckets handler (#7067)
* s3: fix list buckets handler * ListBuckets permission checking
Diffstat (limited to 'weed/s3api/auth_credentials.go')
-rw-r--r--weed/s3api/auth_credentials.go64
1 files changed, 8 insertions, 56 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 5115e21af..266a6144a 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -455,68 +455,20 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
object = prefix
}
- if !identity.canDo(action, bucket, object) {
- return identity, s3err.ErrAccessDenied
- }
-
- r.Header.Set(s3_constants.AmzAccountId, identity.Account.Id)
-
- return identity, s3err.ErrNone
-
-}
-
-func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
- var identity *Identity
- var s3Err s3err.ErrorCode
- var found bool
- var authType string
- switch getRequestAuthType(r) {
- case authTypeStreamingSigned:
- glog.V(3).Infof("signed streaming upload")
- return identity, s3err.ErrNone
- case authTypeStreamingUnsigned:
- glog.V(3).Infof("unsigned streaming upload")
- return identity, s3err.ErrNone
- case authTypeUnknown:
- glog.V(3).Infof("unknown auth type")
- r.Header.Set(s3_constants.AmzAuthType, "Unknown")
- return identity, s3err.ErrAccessDenied
- case authTypePresignedV2, authTypeSignedV2:
- glog.V(3).Infof("v2 auth type")
- identity, s3Err = iam.isReqAuthenticatedV2(r)
- authType = "SigV2"
- case authTypeSigned, authTypePresigned:
- glog.V(3).Infof("v4 auth type")
- identity, s3Err = iam.reqSignatureV4Verify(r)
- authType = "SigV4"
- case authTypePostPolicy:
- glog.V(3).Infof("post policy auth type")
- r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
- return identity, s3err.ErrNone
- case authTypeJWT:
- glog.V(3).Infof("jwt auth type")
- r.Header.Set(s3_constants.AmzAuthType, "Jwt")
- return identity, s3err.ErrNotImplemented
- case authTypeAnonymous:
- authType = "Anonymous"
- identity, found = iam.lookupAnonymous()
- if !found {
- r.Header.Set(s3_constants.AmzAuthType, authType)
+ // For ListBuckets, authorization is performed in the handler by iterating
+ // through buckets and checking permissions for each. Skip the global check here.
+ if action == s3_constants.ACTION_LIST && bucket == "" {
+ // ListBuckets operation - authorization handled per-bucket in the handler
+ } else {
+ if !identity.canDo(action, bucket, object) {
return identity, s3err.ErrAccessDenied
}
- default:
- return identity, s3err.ErrNotImplemented
}
- if len(authType) > 0 {
- r.Header.Set(s3_constants.AmzAuthType, authType)
- }
+ r.Header.Set(s3_constants.AmzAccountId, identity.Account.Id)
- glog.V(3).Infof("auth error: %v", s3Err)
- if s3Err != s3err.ErrNone {
- return identity, s3Err
- }
return identity, s3err.ErrNone
+
}
func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
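Review bot: The new `action == s3_constants.ACTION_LIST && bucket == ""` branch makes authRequest fail open for that combination: any authenticated identity, including one with no List permission at all, now passes this function, and correctness depends entirely on every handler reached this way doing its own per-bucket check. The bucket value is derived above the hunk (authRequest starts outside it), so it cannot be confirmed from here that an empty bucket can only mean ListBuckets; any other route wrapped with ACTION_LIST that resolves to an empty bucket would skip authorization as well. I would drop the empty `if` body and make the exemption explicit, e.g. `isListBuckets := action == s3_constants.ACTION_LIST && bucket == ""` followed by `if !isListBuckets && !identity.canDo(action, bucket, object) {`, with a comment naming the handler that owns the per-bucket check, and add a test that an identity without List rights gets an empty listing rather than bucket names it is not entitled to see. The diff shown is limited to this file and deletes authUser, so its former callers need to be checked separately.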