| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-12-12 14:45:23 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-12-12 14:45:23 -0800 |
| commit | 6fb3ec968d64e867ceb52c4f1db45c80309d91dd (patch) | |
| tree | 20caeebbd546b3a5a831445a39399c53f2051e24 /weed | |
| parent | b0e0c5aaabd393ca633c9c1e5d24d15d47e05bec (diff) | |
| download | seaweedfs-6fb3ec968d64e867ceb52c4f1db45c80309d91dd.tar.xz seaweedfs-6fb3ec968d64e867ceb52c4f1db45c80309d91dd.zip | |
s3: allow -s3.config and -s3.iam.config to work together (#7727)
When both -s3.config and -s3.iam.config are configured, traditional
credentials from -s3.config were failing with Access Denied because
the authorization code always used IAM authorization when IAM
integration was configured.
The fix checks whether the identity has legacy Actions (from -s3.config).
If so, the legacy canDo() authorization is used; IAM authorization is used
only for JWT/STS identities that have no legacy Actions.
This allows both configuration options to coexist:
- Traditional credentials use legacy authorization
- JWT/STS credentials use IAM authorization
Fixes #7720
Diffstat (limited to 'weed')
| -rw-r--r-- | weed/s3api/auth_credentials.go | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index eab237b0b..7b5d9a262 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -610,19 +610,19 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) } // Only check IAM if bucket policy didn't explicitly allow - // This ensures bucket policies can independently grant access (AWS semantics) if !policyAllows { - // Use enhanced IAM authorization if available, otherwise fall back to legacy authorization - if iam.iamIntegration != nil { - // Always use IAM when available for unified authorization + // Traditional identities (with Actions from -s3.config) use legacy auth, + // JWT/STS identities (no Actions) use IAM authorization + if len(identity.Actions) > 0 { + if !identity.canDo(action, bucket, object) { + return identity, s3err.ErrAccessDenied + } + } else if iam.iamIntegration != nil { if errCode := iam.authorizeWithIAM(r, identity, action, bucket, object); errCode != s3err.ErrNone { return identity, errCode } } else { - // Fall back to existing authorization when IAM is not configured - if !identity.canDo(action, bucket, object) { - return identity, s3err.ErrAccessDenied - } + return identity, s3err.ErrAccessDenied } } } |
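Review bot: The new branch selection keys on `len(identity.Actions) > 0` rather than on where the identity came from, so a -s3.config identity that was defined with an empty action list is now routed to `iam.authorizeWithIAM` whenever IAM integration is configured, where previously (with no IAM integration) it would have gone through `canDo` and, presumably, been denied; confirm that is intended, since an identity with no configured actions silently gaining IAM-evaluated access is a fail-open change. The invariant the code now relies on ("JWT/STS identities carry no Actions") is asserted only in the comment; if the STS/JWT path ever populates `Actions`, those identities would be authorized by the legacy table instead of IAM, so I would extend the comment with `// NOTE: routing keys on len(Actions); an empty-Actions -s3.config identity is evaluated by IAM, not denied — keep in sync with how STS/JWT identities are built` and add a test covering all three branches (static identity with Actions, static identity without Actions plus IAM, JWT identity). The removed line `// This ensures bucket policies can independently grant access (AWS semantics)` still explains why `policyAllows` short-circuits here and is worth keeping. The enclosing `authRequest` begins and ends outside the hunk.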
