diff options
Diffstat (limited to 'weed/s3api/auth_credentials.go')
| -rw-r--r-- | weed/s3api/auth_credentials.go | 112 |
1 files changed, 105 insertions, 7 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 545223841..1f147e884 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -50,6 +50,9 @@ type IdentityAccessManagement struct { credentialManager *credential.CredentialManager filerClient filer_pb.SeaweedFilerClient grpcDialOption grpc.DialOption + + // IAM Integration for advanced features + iamIntegration *S3IAMIntegration } type Identity struct { @@ -57,6 +60,7 @@ type Identity struct { Account *Account Credentials []*Credential Actions []Action + PrincipalArn string // ARN for IAM authorization (e.g., "arn:seaweed:iam::user/username") } // Account represents a system user, a system user can @@ -299,9 +303,10 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api for _, ident := range config.Identities { glog.V(3).Infof("loading identity %s", ident.Name) t := &Identity{ - Name: ident.Name, - Credentials: nil, - Actions: nil, + Name: ident.Name, + Credentials: nil, + Actions: nil, + PrincipalArn: generatePrincipalArn(ident.Name), } switch { case ident.Name == AccountAnonymous.Id: @@ -373,6 +378,19 @@ func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, foun return nil, false } +// generatePrincipalArn generates an ARN for a user identity +func generatePrincipalArn(identityName string) string { + // Handle special cases + switch identityName { + case AccountAnonymous.Id: + return "arn:seaweed:iam::user/anonymous" + case AccountAdmin.Id: + return "arn:seaweed:iam::user/admin" + default: + return fmt.Sprintf("arn:seaweed:iam::user/%s", identityName) + } +} + func (iam *IdentityAccessManagement) GetAccountNameById(canonicalId string) string { iam.m.RLock() defer iam.m.RUnlock() @@ -439,9 +457,15 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) glog.V(3).Infof("unsigned streaming upload") return identity, s3err.ErrNone case authTypeJWT: - glog.V(3).Infof("jwt auth type") + glog.V(3).Infof("jwt auth type detected, iamIntegration != nil? %t", iam.iamIntegration != nil) r.Header.Set(s3_constants.AmzAuthType, "Jwt") - return identity, s3err.ErrNotImplemented + if iam.iamIntegration != nil { + identity, s3Err = iam.authenticateJWTWithIAM(r) + authType = "Jwt" + } else { + glog.V(0).Infof("IAM integration is nil, returning ErrNotImplemented") + return identity, s3err.ErrNotImplemented + } case authTypeAnonymous: authType = "Anonymous" if identity, found = iam.lookupAnonymous(); !found { @@ -478,8 +502,17 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) if action == s3_constants.ACTION_LIST && bucket == "" { // ListBuckets operation - authorization handled per-bucket in the handler } else { - if !identity.canDo(action, bucket, object) { - return identity, s3err.ErrAccessDenied + // Use enhanced IAM authorization if available, otherwise fall back to legacy authorization + if iam.iamIntegration != nil { + // Always use IAM when available for unified authorization + if errCode := iam.authorizeWithIAM(r, identity, action, bucket, object); errCode != s3err.ErrNone { + return identity, errCode + } + } else { + // Fall back to existing authorization when IAM is not configured + if !identity.canDo(action, bucket, object) { + return identity, s3err.ErrAccessDenied + } } } @@ -581,3 +614,68 @@ func (iam *IdentityAccessManagement) initializeKMSFromJSON(configContent []byte) // Load KMS configuration directly from the parsed JSON data return kms.LoadKMSFromConfig(kmsVal) } + +// SetIAMIntegration sets the IAM integration for advanced authentication and authorization +func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegration) { + iam.m.Lock() + defer iam.m.Unlock() + iam.iamIntegration = integration +} + +// authenticateJWTWithIAM authenticates JWT tokens using the IAM integration +func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*Identity, s3err.ErrorCode) { + ctx := r.Context() + + // Use IAM integration to authenticate JWT + iamIdentity, errCode := iam.iamIntegration.AuthenticateJWT(ctx, r) + if errCode != s3err.ErrNone { + return nil, errCode + } + + // Convert IAMIdentity to existing Identity structure + identity := &Identity{ + Name: iamIdentity.Name, + Account: iamIdentity.Account, + Actions: []Action{}, // Empty - authorization handled by policy engine + } + + // Store session info in request headers for later authorization + r.Header.Set("X-SeaweedFS-Session-Token", iamIdentity.SessionToken) + r.Header.Set("X-SeaweedFS-Principal", iamIdentity.Principal) + + return identity, s3err.ErrNone +} + +// authorizeWithIAM authorizes requests using the IAM integration policy engine +func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity *Identity, action Action, bucket string, object string) s3err.ErrorCode { + ctx := r.Context() + + // Get session info from request headers (for JWT-based authentication) + sessionToken := r.Header.Get("X-SeaweedFS-Session-Token") + principal := r.Header.Get("X-SeaweedFS-Principal") + + // Create IAMIdentity for authorization + iamIdentity := &IAMIdentity{ + Name: identity.Name, + Account: identity.Account, + } + + // Handle both session-based (JWT) and static-key-based (V4 signature) principals + if sessionToken != "" && principal != "" { + // JWT-based authentication - use session token and principal from headers + iamIdentity.Principal = principal + iamIdentity.SessionToken = sessionToken + glog.V(3).Infof("Using JWT-based IAM authorization for principal: %s", principal) + } else if identity.PrincipalArn != "" { + // V4 signature authentication - use principal ARN from identity + iamIdentity.Principal = identity.PrincipalArn + iamIdentity.SessionToken = "" // No session token for static credentials + glog.V(3).Infof("Using V4 signature IAM authorization for principal: %s", identity.PrincipalArn) + } else { + glog.V(3).Info("No valid principal information for IAM authorization") + return s3err.ErrAccessDenied + } + + // Use IAM integration for authorization + return iam.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r) +} |