seaweedfs/weed/s3api/auth_credentials.go

package s3api
import (
"fmt"
"net/http"
"os"
"strings"
"sync"
"github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
// Action is a permission string granted to an identity, such as "Admin" or
// "<verb>:<bucket>". The verb before the first ':' is one of the
// s3_constants.ACTION_* values; the optional suffix scopes the grant to a
// bucket (and object prefix, with a trailing '*' wildcard) as matched by
// Identity.canDo.
type Action string

// Iam wraps an HTTP handler with an authentication/authorization check for
// the given actions. No implementation is visible in this file — presumably
// *IdentityAccessManagement satisfies it elsewhere in the package; verify.
type Iam interface {
	Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
}
// IdentityAccessManagement holds the loaded S3 identities, their credentials
// and the accounts they belong to, and answers lookups for request
// authentication. The lookup tables are rebuilt as a whole by
// loadS3ApiConfiguration and swapped in under m.
type IdentityAccessManagement struct {
	// m guards identities, accessKeyIdent, accounts, emailAccount and
	// identityAnonymous: written under Lock in loadS3ApiConfiguration, read
	// under RLock by the lookup* and GetAccount* methods.
	m              sync.RWMutex
	identities     []*Identity
	accessKeyIdent map[string]*Identity // access key -> owning identity
	accounts       map[string]*Account  // account id -> account
	emailAccount   map[string]*Account  // account email -> account (only for non-empty emails)
	// hashes and hashCounters are initialised in NewIdentityAccessManagement;
	// their use is not visible in this file — presumably per-key signing
	// state guarded by hashMu; verify against the signature code.
	hashes            map[string]*sync.Pool
	hashCounters      map[string]*int32
	identityAnonymous *Identity // identity named after the anonymous account id, nil if none configured
	hashMu            sync.RWMutex
	domain            string // taken from S3ApiServerOption.DomainName
	// isAuthEnabled becomes true once a configuration with at least one
	// identity has been loaded and is never reset ("one-directional").
	// It is written under m but read without it in isEnabled.
	isAuthEnabled bool
}
// Identity is an IAM user: a name, the account it belongs to, the
// credentials that authenticate it and the actions it is allowed to perform.
type Identity struct {
	Name string
	// Account is always set by loadS3ApiConfiguration (falling back to
	// AccountAdmin when the config gives none or an unknown account id).
	Account     *Account
	Credentials []*Credential
	Actions     []Action
}
// Account represents a system user, a system user can
// configure multiple IAM-Users, IAM-Users can configure
// permissions respectively, and each IAM-User can
// configure multiple security credentials
type Account struct {
	//Name is also used to display the "DisplayName" as the owner of the bucket or object
	DisplayName  string
	EmailAddress string
	//Id is used to identify an Account when granting cross-account access(ACLs) to buckets and objects
	// It is also the value exposed to handlers through the s3_constants.AmzAccountId header.
	Id string
}
// Predefined Accounts
//
// Both values are package-level state that loadS3ApiConfiguration reassigns
// in place when the configuration defines an account with the same Id, and
// whose addresses are stored in the IAM lookup tables.
var (
	// AccountAdmin is used as the default account for IAM-Credentials access without Account configured
	AccountAdmin = Account{
		DisplayName:  "admin",
		EmailAddress: "admin@example.com",
		Id:           s3_constants.AccountAdminId,
	}
	// AccountAnonymous is used to represent the account for anonymous access
	AccountAnonymous = Account{
		DisplayName:  "anonymous",
		EmailAddress: "anonymous@example.com",
		Id:           s3_constants.AccountAnonymousId,
	}
)
// Credential is one access key / secret key pair of an Identity.
type Credential struct {
	AccessKey string // public identifier; used as the key of accessKeyIdent
	SecretKey string // signing secret; must not be logged or exposed
}
// isAnonymous reports whether the identity belongs to the anonymous account.
// It dereferences i.Account, which loadS3ApiConfiguration always sets for
// loaded identities.
func (i *Identity) isAnonymous() bool {
	accountId := i.Account.Id
	return accountId == s3_constants.AccountAnonymousId
}
// isAdmin reports whether the action string starts with the admin verb
// (s3_constants.ACTION_ADMIN), so both the bare verb and its bucket-scoped
// forms count as admin.
func (action Action) isAdmin() bool {
	act, verb := string(action), s3_constants.ACTION_ADMIN
	return len(act) >= len(verb) && act[:len(verb)] == verb
}
// isOwner reports whether the action is exactly the admin grant scoped to
// bucket ("<ACTION_ADMIN>:<bucket>").
func (action Action) isOwner(bucket string) bool {
	ownerGrant := Action(s3_constants.ACTION_ADMIN + ":" + bucket)
	return action == ownerGrant
}
// overBucket reports whether the action's scope suffix names bucket or is
// the ":*" wildcard that covers every bucket.
func (action Action) overBucket(bucket string) bool {
	act := string(action)
	if strings.HasSuffix(act, ":*") {
		return true
	}
	return strings.HasSuffix(act, ":"+bucket)
}
// "Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
// getPermission maps the action's verb (the part before the first ':') to
// the S3 ACL permission name. Unknown verbs yield the empty Permission.
func (action Action) getPermission() Permission {
	verb := strings.SplitN(string(action), ":", 2)[0]
	var perm string
	switch verb {
	case s3_constants.ACTION_ADMIN:
		perm = "FULL_CONTROL"
	case s3_constants.ACTION_WRITE:
		perm = "WRITE"
	case s3_constants.ACTION_WRITE_ACP:
		perm = "WRITE_ACP"
	case s3_constants.ACTION_READ:
		perm = "READ"
	case s3_constants.ACTION_READ_ACP:
		perm = "READ_ACP"
	}
	return Permission(perm)
}
// NewIdentityAccessManagement creates the IAM store and loads its
// configuration: from option.Config when a file path is given (a failure is
// fatal), otherwise from the filer (a failure is only logged).
//
// NOTE(review): when the filer load fails, isAuthEnabled stays false and
// Auth passes every request straight to the handler unauthenticated.
// Confirm that a later reload path exists to turn authentication on.
func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
	iam := &IdentityAccessManagement{
		domain:       option.DomainName,
		hashes:       make(map[string]*sync.Pool),
		hashCounters: make(map[string]*int32),
	}
	if option.Config == "" {
		if loadErr := iam.loadS3ApiConfigurationFromFiler(option); loadErr != nil {
			glog.Warningf("fail to load config: %v", loadErr)
		}
		return iam
	}
	if loadErr := iam.loadS3ApiConfigurationFromFile(option.Config); loadErr != nil {
		glog.Fatalf("fail to load config file %s: %v", option.Config, loadErr)
	}
	return iam
}
// loadS3ApiConfigurationFromFiler reads the IAM identity file
// (filer.IamConfigDirectory/filer.IamIdentityFile) through a filer client
// and installs it via LoadS3ApiConfigurationFromBytes.
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
	var content []byte
	readIdentityFile := func(client filer_pb.SeaweedFilerClient) error {
		var readErr error
		content, readErr = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
		return readErr
	}
	if err = pb.WithFilerClient(false, 0, option.Filer, option.GrpcDialOption, readIdentityFile); err != nil {
		return fmt.Errorf("read S3 config: %v", err)
	}
	return iam.LoadS3ApiConfigurationFromBytes(content)
}
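// loadS3ApiConfigurationFromFile reads the IAM configuration at fileName and
// installs it via LoadS3ApiConfigurationFromBytes.
//
// A read failure is returned wrapped with %w so callers can inspect the
// underlying error (e.g. with errors.Is / errors.As); parse and load errors
// are returned as LoadS3ApiConfigurationFromBytes reports them.
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
	content, readErr := os.ReadFile(fileName)
	if readErr != nil {
		glog.Warningf("fail to read %s : %v", fileName, readErr)
		// %w (not %v) keeps the *fs.PathError reachable through the chain.
		return fmt.Errorf("fail to read %s : %w", fileName, readErr)
	}
	return iam.LoadS3ApiConfigurationFromBytes(content)
}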
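// LoadS3ApiConfigurationFromBytes parses content as an iam_pb.S3ApiConfiguration,
// refuses configurations that reuse an access key, and installs the result
// through loadS3ApiConfiguration.
//
// The parse error is returned wrapped with %w so the cause stays inspectable;
// duplicate-key and load errors are passed through unchanged.
func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
	s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
	if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
		glog.Warningf("unmarshal error: %v", err)
		return fmt.Errorf("unmarshal error: %w", err)
	}
	// A duplicated access key would make the access-key -> identity table
	// ambiguous (last writer wins), so the whole configuration is rejected.
	if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
		return err
	}
	return iam.loadS3ApiConfiguration(s3ApiConfiguration)
}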
// loadS3ApiConfiguration builds fresh account and identity lookup tables from
// config and swaps them into iam under iam.m. It currently never returns a
// non-nil error; the error result is kept for the callers' benefit.
//
// Account resolution per identity: an identity whose Name equals the
// anonymous account id becomes the anonymous identity; an identity with no
// Account is attached to AccountAdmin; an identity naming an unknown account
// id is also attached to AccountAdmin, with a warning. Only Account (used for
// ownership, see Account.Id) is affected by that fallback — the identity's
// Actions are taken from the config unchanged.
//
// NOTE(review): the package-level AccountAdmin and AccountAnonymous values are
// reassigned below before iam.m is taken, and pointers to them are handed out
// through iam.accounts and Identity.Account. Readers of those pointers during
// a reload therefore race with this assignment — confirm reloads are
// serialized with request handling or move the reassignment under the lock.
func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
	var identities []*Identity
	var identityAnonymous *Identity
	accessKeyIdent := make(map[string]*Identity)
	accounts := make(map[string]*Account)
	emailAccount := make(map[string]*Account)
	foundAccountAdmin := false
	foundAccountAnonymous := false
	for _, account := range config.Accounts {
		switch account.Id {
		case AccountAdmin.Id:
			// A configured admin account replaces the predefined one in place.
			AccountAdmin = Account{
				Id:           account.Id,
				DisplayName:  account.DisplayName,
				EmailAddress: account.EmailAddress,
			}
			accounts[account.Id] = &AccountAdmin
			foundAccountAdmin = true
		case AccountAnonymous.Id:
			// Likewise for the predefined anonymous account.
			AccountAnonymous = Account{
				Id:           account.Id,
				DisplayName:  account.DisplayName,
				EmailAddress: account.EmailAddress,
			}
			accounts[account.Id] = &AccountAnonymous
			foundAccountAnonymous = true
		default:
			t := Account{
				Id:           account.Id,
				DisplayName:  account.DisplayName,
				EmailAddress: account.EmailAddress,
			}
			accounts[account.Id] = &t
		}
		if account.EmailAddress != "" {
			emailAccount[account.EmailAddress] = accounts[account.Id]
		}
	}
	// The two predefined accounts are always present, even when the config
	// does not mention them.
	if !foundAccountAdmin {
		accounts[AccountAdmin.Id] = &AccountAdmin
		emailAccount[AccountAdmin.EmailAddress] = &AccountAdmin
	}
	if !foundAccountAnonymous {
		accounts[AccountAnonymous.Id] = &AccountAnonymous
		emailAccount[AccountAnonymous.EmailAddress] = &AccountAnonymous
	}
	for _, ident := range config.Identities {
		t := &Identity{
			Name:        ident.Name,
			Credentials: nil,
			Actions:     nil,
		}
		switch {
		case ident.Name == AccountAnonymous.Id:
			// The anonymous identity is recognised by its Name matching the
			// anonymous account id; it needs no credentials.
			t.Account = &AccountAnonymous
			identityAnonymous = t
		case ident.Account == nil:
			t.Account = &AccountAdmin
		default:
			if account, ok := accounts[ident.Account.Id]; ok {
				t.Account = account
			} else {
				// Unknown account id: fall back to the admin account rather
				// than dropping the identity.
				t.Account = &AccountAdmin
				glog.Warningf("identity %s is associated with a non exist account ID, the association is invalid", ident.Name)
			}
		}
		for _, action := range ident.Actions {
			t.Actions = append(t.Actions, Action(action))
		}
		for _, cred := range ident.Credentials {
			t.Credentials = append(t.Credentials, &Credential{
				AccessKey: cred.AccessKey,
				SecretKey: cred.SecretKey,
			})
			// Last writer wins on a repeated access key; the bytes loader
			// rejects duplicates beforehand via filer.CheckDuplicateAccessKey.
			accessKeyIdent[cred.AccessKey] = t
		}
		identities = append(identities, t)
	}
	iam.m.Lock()
	// atomically switch
	iam.identities = identities
	iam.identityAnonymous = identityAnonymous
	iam.accounts = accounts
	iam.emailAccount = emailAccount
	iam.accessKeyIdent = accessKeyIdent
	if !iam.isAuthEnabled { // one-directional, no toggling
		iam.isAuthEnabled = len(identities) > 0
	}
	iam.m.Unlock()
	return nil
}
// isEnabled reports whether authentication is enforced, i.e. whether a
// configuration with at least one identity has ever been loaded. Auth passes
// requests straight through to the handler while this is false.
//
// NOTE(review): isAuthEnabled is written under iam.m in loadS3ApiConfiguration
// but read here without it, so a concurrent reload races with this read.
// Taking iam.m.RLock here (or making the field atomic) would fix that; not
// changed here because callers elsewhere in the package may already hold
// iam.m when calling isEnabled — confirm before adding the lock.
func (iam *IdentityAccessManagement) isEnabled() bool {
	return iam.isAuthEnabled
}
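// lookupByAccessKey resolves the identity and the credential that own
// accessKey. It returns found == false (and nil identity/credential) when no
// identity is registered for the key.
//
// accessKey comes straight from the request, so it is logged with %q: a key
// containing control characters or newlines is then escaped instead of being
// able to forge extra log lines.
func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
	iam.m.RLock()
	defer iam.m.RUnlock()
	if ident, ok := iam.accessKeyIdent[accessKey]; ok {
		// The identity may hold several credentials; return the matching one.
		for _, credential := range ident.Credentials {
			if credential.AccessKey == accessKey {
				return ident, credential, true
			}
		}
	}
	glog.V(1).Infof("could not find accessKey %q", accessKey)
	return nil, nil, false
}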
// lookupAnonymous returns the configured anonymous identity, or found == false
// when the configuration defines none.
func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
	iam.m.RLock()
	anon := iam.identityAnonymous
	iam.m.RUnlock()
	if anon == nil {
		return nil, false
	}
	return anon, true
}
// GetAccountNameById returns the DisplayName of the account with the given
// canonical id, or "" when no such account is loaded.
func (iam *IdentityAccessManagement) GetAccountNameById(canonicalId string) string {
	iam.m.RLock()
	account, known := iam.accounts[canonicalId]
	iam.m.RUnlock()
	if !known {
		return ""
	}
	return account.DisplayName
}
// GetAccountIdByEmail returns the id of the account registered under email,
// or "" when no account has that address.
func (iam *IdentityAccessManagement) GetAccountIdByEmail(email string) string {
	iam.m.RLock()
	account, known := iam.emailAccount[email]
	iam.m.RUnlock()
	if !known {
		return ""
	}
	return account.Id
}
// Auth wraps f with authentication and authorization for action.
//
// While no identities are loaded (isEnabled is false) the request is passed
// through untouched. Otherwise authRequest must succeed; the resolved identity
// is then advertised to f via the s3_constants.AmzIdentityId header and the
// s3_constants.AmzIsAdmin header is set for admin identities or removed for
// everyone else. Failures are answered with the S3 error response.
//
// NOTE(review): the AmzIsAdmin header is only cleared inside the
// "identity != nil && identity.Name != ''" branch. For auth types where
// authRequest reports ErrNone with a nil identity, a client-supplied
// AmzIsAdmin header would reach f unchanged — confirm downstream does not
// trust that header on its own.
func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !iam.isEnabled() {
			f(w, r)
			return
		}
		identity, errCode := iam.authRequest(r, action)
		if errCode != s3err.ErrNone {
			s3err.WriteErrorResponse(w, r, errCode)
			return
		}
		if identity != nil && identity.Name != "" {
			r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
			switch {
			case identity.isAdmin():
				r.Header.Set(s3_constants.AmzIsAdmin, "true")
			default:
				// Never let a non-admin request carry the admin marker onward.
				if _, present := r.Header[s3_constants.AmzIsAdmin]; present {
					r.Header.Del(s3_constants.AmzIsAdmin)
				}
			}
		}
		f(w, r)
	}
}
// check whether the request has valid access keys
//
// authRequest classifies the request with getRequestAuthType, verifies the
// signature for the SigV2 and SigV4 families (or resolves the anonymous
// identity), records the scheme in the s3_constants.AmzAuthType header, and
// finally checks identity.canDo against the bucket and object the request
// addresses. On success the identity's account id is exposed to the handler
// through s3_constants.AmzAccountId.
//
// NOTE(review): the authTypeStreamingSigned and authTypePostPolicy branches
// return ErrNone with a nil identity and never reach the canDo check, so
// authorization for those request types must be enforced by whatever
// consumes the streaming signature / post policy later — confirm that it is.
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
	var identity *Identity
	var s3Err s3err.ErrorCode
	var found bool
	var authType string
	switch getRequestAuthType(r) {
	case authTypeStreamingSigned:
		// No identity is resolved here; see the note above.
		return identity, s3err.ErrNone
	case authTypeUnknown:
		glog.V(3).Infof("unknown auth type")
		r.Header.Set(s3_constants.AmzAuthType, "Unknown")
		return identity, s3err.ErrAccessDenied
	case authTypePresignedV2, authTypeSignedV2:
		glog.V(3).Infof("v2 auth type")
		identity, s3Err = iam.isReqAuthenticatedV2(r)
		authType = "SigV2"
	case authTypeSigned, authTypePresigned:
		glog.V(3).Infof("v4 auth type")
		identity, s3Err = iam.reqSignatureV4Verify(r)
		authType = "SigV4"
	case authTypePostPolicy:
		glog.V(3).Infof("post policy auth type")
		r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
		// No identity is resolved here; see the note above.
		return identity, s3err.ErrNone
	case authTypeJWT:
		glog.V(3).Infof("jwt auth type")
		r.Header.Set(s3_constants.AmzAuthType, "Jwt")
		return identity, s3err.ErrNotImplemented
	case authTypeAnonymous:
		authType = "Anonymous"
		// Anonymous access only works when the configuration defines an
		// identity named after the anonymous account id.
		if identity, found = iam.lookupAnonymous(); !found {
			r.Header.Set(s3_constants.AmzAuthType, authType)
			return identity, s3err.ErrAccessDenied
		}
	default:
		return identity, s3err.ErrNotImplemented
	}
	if len(authType) > 0 {
		r.Header.Set(s3_constants.AmzAuthType, authType)
	}
	if s3Err != s3err.ErrNone {
		return identity, s3Err
	}
	// From here on identity is dereferenced: the V2/V4 verifiers are assumed
	// to return a non-nil identity whenever they report ErrNone — TODO confirm.
	glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
	bucket, object := s3_constants.GetBucketAndObject(r)
	if !identity.canDo(action, bucket, object) {
		return identity, s3err.ErrAccessDenied
	}
	r.Header.Set(s3_constants.AmzAccountId, identity.Account.Id)
	return identity, s3err.ErrNone
}
// authUser authenticates the request the same way authRequest does but stops
// short of the per-action canDo check: it only establishes who the caller is.
// The resolved scheme is recorded in the s3_constants.AmzAuthType header.
// Streaming-signed and post-policy requests yield ErrNone with a nil identity.
func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
	var (
		identity *Identity
		s3Err    s3err.ErrorCode
		authType string
	)
	switch getRequestAuthType(r) {
	case authTypeStreamingSigned:
		return nil, s3err.ErrNone
	case authTypeUnknown:
		glog.V(3).Infof("unknown auth type")
		r.Header.Set(s3_constants.AmzAuthType, "Unknown")
		return nil, s3err.ErrAccessDenied
	case authTypePresignedV2, authTypeSignedV2:
		glog.V(3).Infof("v2 auth type")
		authType = "SigV2"
		identity, s3Err = iam.isReqAuthenticatedV2(r)
	case authTypeSigned, authTypePresigned:
		glog.V(3).Infof("v4 auth type")
		authType = "SigV4"
		identity, s3Err = iam.reqSignatureV4Verify(r)
	case authTypePostPolicy:
		glog.V(3).Infof("post policy auth type")
		r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
		return nil, s3err.ErrNone
	case authTypeJWT:
		glog.V(3).Infof("jwt auth type")
		r.Header.Set(s3_constants.AmzAuthType, "Jwt")
		return nil, s3err.ErrNotImplemented
	case authTypeAnonymous:
		authType = "Anonymous"
		anon, configured := iam.lookupAnonymous()
		if !configured {
			r.Header.Set(s3_constants.AmzAuthType, authType)
			return anon, s3err.ErrAccessDenied
		}
		identity = anon
	default:
		return nil, s3err.ErrNotImplemented
	}
	if authType != "" {
		r.Header.Set(s3_constants.AmzAuthType, authType)
	}
	// Logged unconditionally; s3Err is ErrNone on the success path.
	glog.V(3).Infof("auth error: %v", s3Err)
	return identity, s3Err
}
// canDo reports whether the identity may perform action on bucket/objectKey.
//
// Grants are checked in this order: an admin identity may do anything; an
// unscoped grant equal to action covers every bucket; with no bucket nothing
// narrower can match. Otherwise each scoped grant is compared against
// "<action>:<bucket><objectKey>" and its admin counterpart: a grant ending in
// '*' matches as a plain string prefix (so "<verb>:foo*" also covers a bucket
// named "foobar", and a bare "*" covers everything), a grant without '*'
// must equal "<action>:<bucket>" or "<ACTION_ADMIN>:<bucket>" exactly.
func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
	if identity.isAdmin() {
		return true
	}
	for _, granted := range identity.Actions {
		if granted == action {
			return true
		}
	}
	if bucket == "" {
		return false
	}
	var (
		objectTarget      = string(action) + ":" + bucket + objectKey
		adminObjectTarget = s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
		bucketTarget      = string(action) + ":" + bucket
		adminBucketTarget = s3_constants.ACTION_ADMIN + ":" + bucket
	)
	for _, granted := range identity.Actions {
		act := string(granted)
		if !strings.HasSuffix(act, "*") {
			if act == bucketTarget || act == adminBucketTarget {
				return true
			}
			continue
		}
		// Wildcard grant: everything before the '*' is a prefix of the target.
		prefix := strings.TrimSuffix(act, "*")
		if strings.HasPrefix(objectTarget, prefix) || strings.HasPrefix(adminObjectTarget, prefix) {
			return true
		}
	}
	return false
}
// isAdmin reports whether the identity holds the bare "Admin" action, which
// canDo treats as permission for everything. Note this compares against the
// literal "Admin" rather than s3_constants.ACTION_ADMIN used elsewhere in
// this file — presumably the same value; verify.
func (identity *Identity) isAdmin() bool {
	for idx := range identity.Actions {
		if identity.Actions[idx] == "Admin" {
			return true
		}
	}
	return false
}