From 1db7c2b8aad59177f9ccb32f156908faf0c13eca Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 2 Jul 2025 18:03:17 -0700
Subject: Add credential storage (#6938)

* add credential store interface
* load credential.toml
* lint
* create credentialManager with explicit store type
* add type name
* InitializeCredentialManager
* remove unused functions
* fix missing import
* fix import
* fix nil configuration
---
weed/s3api/s3api_server.go | 40 ++++++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 14 deletions(-)

(limited to 'weed/s3api/s3api_server.go')

diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 2f9e9e3fb..f0aaa3985 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -8,6 +8,7 @@ import (
 "strings"
 "time"
 
+ "github.com/seaweedfs/seaweedfs/weed/credential"
 "github.com/seaweedfs/seaweedfs/weed/filer"
 "github.com/seaweedfs/seaweedfs/weed/glog"
 "github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
@@ -41,16 +42,21 @@ type S3ApiServerOption struct {
 type S3ApiServer struct {
 s3_pb.UnimplementedSeaweedS3Server
- option *S3ApiServerOption
- iam *IdentityAccessManagement
- cb *CircuitBreaker
- randomClientId int32
- filerGuard *security.Guard
- client util_http_client.HTTPClientInterface
- bucketRegistry *BucketRegistry
+ option *S3ApiServerOption
+ iam *IdentityAccessManagement
+ cb *CircuitBreaker
+ randomClientId int32
+ filerGuard *security.Guard
+ client util_http_client.HTTPClientInterface
+ bucketRegistry *BucketRegistry
+ credentialManager *credential.CredentialManager
 }
 func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
+ return NewS3ApiServerWithStore(router, option, "")
+ }
+
+ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, explicitStore string) (s3ApiServer *S3ApiServer, err error) {
 startTsNs := time.Now().UnixNano()
 v := util.GetViper()
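Review bot: `NewS3ApiServerWithStore` is a new exported constructor with no doc comment, and nothing states what the `explicitStore` argument selects or what the empty string that `NewS3ApiServer` now passes means; a reader has to chase `NewIdentityAccessManagementWithStore` to find out. I would put `// NewS3ApiServerWithStore builds an S3 API server whose IAM uses the credential store named by explicitStore; an empty name presumably defers to the configured default (confirm against NewIdentityAccessManagementWithStore).` above it and `// NewS3ApiServer is NewS3ApiServerWithStore with the default credential store.` above the wrapper. The new `credentialManager` struct field holds what is visibly the same object as `iam.credentialManager`, so a short field comment saying it is the IAM's manager, not an independent one, would stop a maintainer wondering whether the two can diverge. The body of NewS3ApiServerWithStore continues past the end of this hunk.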
@@ -64,19 +70,25 @@ func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer
 v.SetDefault("cors.allowed_origins.values", "*")
- if (option.AllowedOrigins == nil) || (len(option.AllowedOrigins) == 0) {
+ if len(option.AllowedOrigins) == 0 {
 allowedOrigins := v.GetString("cors.allowed_origins.values")
 domains := strings.Split(allowedOrigins, ",")
 option.AllowedOrigins = domains
 }
+ var iam *IdentityAccessManagement
+
+ iam = NewIdentityAccessManagementWithStore(option, explicitStore)
+
 s3ApiServer = &S3ApiServer{
- option: option,
- iam: NewIdentityAccessManagement(option),
- randomClientId: util.RandomInt32(),
- filerGuard: security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
- cb: NewCircuitBreaker(option),
+ option: option,
+ iam: iam,
+ randomClientId: util.RandomInt32(),
+ filerGuard: security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
+ cb: NewCircuitBreaker(option),
+ credentialManager: iam.credentialManager,
 }
+
 if option.Config != "" {
 grace.OnReload(func() {
 if err := s3ApiServer.iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
@@ -119,7 +131,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 func(w http.ResponseWriter, r *http.Request) {
 origin := r.Header.Get("Origin")
 if origin != "" {
- if s3a.option.AllowedOrigins == nil || len(s3a.option.AllowedOrigins) == 0 || s3a.option.AllowedOrigins[0] == "*" {
+ if len(s3a.option.AllowedOrigins) == 0 || s3a.option.AllowedOrigins[0] == "*" {
 origin = "*"
 } else {
 originFound := false
-- cgit v1.2.3
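Review bot: `var iam *IdentityAccessManagement` followed by a separate assignment two lines later declares and initializes in two steps for no reason; the idiomatic form is the single line `iam := NewIdentityAccessManagementWithStore(option, explicitStore)`. The more substantive concern is `credentialManager: iam.credentialManager`, which dereferences `iam` unconditionally: the constructor call visibly returns one value and no error, so if it can yield nil when `explicitStore` names a store that cannot be opened (its body is outside this diff), server construction panics instead of reporting through the `err` result this function already declares — worth confirming it either never returns nil or guarding the literal with `if iam == nil { return nil, fmt.Errorf("initializing IAM with credential store %q", explicitStore) }`. The server now also keeps its own copy of the manager pointer; if anything later replaces `iam.credentialManager` (the `grace.OnReload` hook just below reloads the IAM configuration), `s3ApiServer.credentialManager` would silently keep the stale one, so either read it through `iam` where it is used or document that the manager is fixed for the server's lifetime. The enclosing function starts and ends outside this hunk.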