Diffstat (limited to 'weed/s3api/s3api_server.go')
-rw-r--r--weed/s3api/s3api_server.go18
1 files changed, 18 insertions, 0 deletions
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 4a8368409..bf1a44e54 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -50,6 +50,7 @@ type S3ApiServerOption struct {
IamConfig string // Advanced IAM configuration file path
ConcurrentUploadLimit int64
ConcurrentFileUploadLimit int64
+ EnableIam bool // Enable embedded IAM API on the same port
}
type S3ApiServer struct {
@@ -69,6 +70,7 @@ type S3ApiServer struct {
inFlightDataSize int64
inFlightUploads int64
inFlightDataLimitCond *sync.Cond
+ embeddedIam *EmbeddedIamApi // Embedded IAM API server (when enabled)
}
func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
@@ -186,6 +188,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
}
}
+ // Initialize embedded IAM API if enabled
+ if option.EnableIam {
+ s3ApiServer.embeddedIam = NewEmbeddedIamApi(s3ApiServer.credentialManager, iam)
+ glog.V(0).Infof("Embedded IAM API initialized (use -iam=false to disable)")
+ }
+
if option.Config != "" {
grace.OnReload(func() {
if err := s3ApiServer.iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
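Review bot: The log line `glog.V(0).Infof("Embedded IAM API initialized (use -iam=false to disable)")` bakes a command-line flag name into the s3api package, which only sees the `EnableIam` field on `S3ApiServerOption` and cannot know which command or flag set it; if that flag is ever renamed the hint goes stale silently. Prefer `glog.V(0).Info("Embedded IAM API initialized")`, using `Info` rather than `Infof` since there are no format arguments; the same `Infof`-without-arguments pattern appears in the message added in the registerRouter hunk below. The enclosing `NewS3ApiServerWithStore` body begins and ends outside this hunk.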
@@ -594,6 +602,16 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
}
})
+ // Embedded IAM API (POST to "/" with Action parameter)
+ // This must be before ListBuckets since IAM uses POST and ListBuckets uses GET
+ // Uses AuthIam for granular permission checking:
+ // - Self-service operations (own access keys) don't require admin
+ // - Operations on other users require admin privileges
+ if s3a.embeddedIam != nil {
+ apiRouter.Methods(http.MethodPost).Path("/").HandlerFunc(track(s3a.embeddedIam.AuthIam(s3a.cb.Limit(s3a.embeddedIam.DoActions, ACTION_WRITE)), "IAM"))
+ glog.V(0).Infof("Embedded IAM API enabled on S3 port")
+ }
+
// ListBuckets
apiRouter.Methods(http.MethodGet).Path("/").HandlerFunc(track(s3a.iam.Auth(s3a.ListBucketsHandler, ACTION_LIST), "LIST"))
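Review bot: The comment `// This must be before ListBuckets since IAM uses POST and ListBuckets uses GET` gives the wrong reason: a gorilla/mux route restricted by `Methods(http.MethodPost)` can never match the GET request ListBuckets handles, so registration order is not what keeps the two apart, and the ordering that would matter is relative to any other POST route on `/` (none is visible in this hunk). Suggest `// Registered on POST "/"; distinct from ListBuckets (GET "/") by method, not by registration order`. Because this one route exposes every IAM action on the S3 data port with authorization delegated entirely to `AuthIam`, which is not in this diff, the inline description of the permission model (self-service vs admin) will drift from the implementation; point readers to AuthIam's doc comment instead and cover the wiring with a handler test asserting that an unauthenticated POST `/` and a non-admin POST `/` carrying an admin-only Action are both rejected. registerRouter continues outside this hunk.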