seaweedfs/weed/s3api/auth_credentials.go

393 lines
10 KiB
Go
Raw Normal View History

2020-02-10 06:30:02 +08:00
package s3api
import (
"fmt"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
"net/http"
"os"
"strings"
"sync"
"github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
2020-02-10 06:30:02 +08:00
)
2022-10-02 10:18:00 +08:00
var IdentityAnonymous *Identity
2020-02-10 06:30:02 +08:00
type Action string
type Iam interface {
Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
}
type IdentityAccessManagement struct {
m sync.RWMutex
identities []*Identity
isAuthEnabled bool
domain string
2020-02-10 06:30:02 +08:00
}
type Identity struct {
Name string
2022-10-02 10:18:00 +08:00
AccountId string
2020-02-10 06:30:02 +08:00
Credentials []*Credential
Actions []Action
}
2022-10-02 10:18:00 +08:00
func (i *Identity) isAnonymous() bool {
return i.Name == s3account.AccountAnonymous.Name
2022-10-02 10:18:00 +08:00
}
2020-02-10 06:30:02 +08:00
type Credential struct {
AccessKey string
SecretKey string
}
2021-10-11 18:03:56 +08:00
func (action Action) isAdmin() bool {
return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
}
func (action Action) isOwner(bucket string) bool {
return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
}
func (action Action) overBucket(bucket string) bool {
return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
}
func (action Action) getPermission() Permission {
switch act := strings.Split(string(action), ":")[0]; act {
case s3_constants.ACTION_ADMIN:
return Permission("FULL_CONTROL")
case s3_constants.ACTION_WRITE:
return Permission("WRITE")
case s3_constants.ACTION_READ:
return Permission("READ")
default:
return Permission("")
}
}
func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
2020-02-10 08:02:05 +08:00
iam := &IdentityAccessManagement{
domain: option.DomainName,
2020-02-10 08:02:05 +08:00
}
if option.Config != "" {
2020-11-26 04:30:11 +08:00
if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
glog.Fatalf("fail to load config file %s: %v", option.Config, err)
}
} else {
if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
glog.Warningf("fail to load config: %v", err)
}
2020-02-10 06:30:02 +08:00
}
return iam
}
2021-07-09 17:48:03 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
var content []byte
err = pb.WithFilerClient(false, 0, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
content, err = filer.ReadInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile)
2021-07-09 17:48:03 +08:00
return err
})
2020-12-07 15:16:20 +08:00
if err != nil {
return fmt.Errorf("read S3 config: %v", err)
}
return iam.LoadS3ApiConfigurationFromBytes(content)
2020-11-26 04:30:11 +08:00
}
2020-02-10 06:30:02 +08:00
2020-11-26 04:30:11 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
content, readErr := os.ReadFile(fileName)
2020-02-10 06:30:02 +08:00
if readErr != nil {
glog.Warningf("fail to read %s : %v", fileName, readErr)
return fmt.Errorf("fail to read %s : %v", fileName, readErr)
}
return iam.LoadS3ApiConfigurationFromBytes(content)
}
2020-02-10 06:30:02 +08:00
func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
2020-02-10 06:30:02 +08:00
glog.Warningf("unmarshal error: %v", err)
return fmt.Errorf("unmarshal error: %v", err)
2020-02-10 06:30:02 +08:00
}
2022-07-13 17:28:20 +08:00
if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
return err
}
2020-11-26 04:30:11 +08:00
if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
return err
}
return nil
}
2020-02-10 06:30:02 +08:00
2020-11-26 04:30:11 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
2020-12-07 16:10:29 +08:00
var identities []*Identity
2020-11-26 04:30:11 +08:00
for _, ident := range config.Identities {
2020-02-10 06:30:02 +08:00
t := &Identity{
Name: ident.Name,
AccountId: s3account.AccountAdmin.Id,
2020-02-10 06:30:02 +08:00
Credentials: nil,
Actions: nil,
}
2022-10-02 10:18:00 +08:00
if ident.Name == s3account.AccountAnonymous.Name {
if ident.AccountId != "" && ident.AccountId != s3account.AccountAnonymous.Id {
2022-10-02 10:18:00 +08:00
glog.Warningf("anonymous identity is associated with a non-anonymous account ID, the association is invalid")
}
t.AccountId = s3account.AccountAnonymous.Id
2022-10-02 10:18:00 +08:00
IdentityAnonymous = t
} else {
if len(ident.AccountId) > 0 {
t.AccountId = ident.AccountId
}
}
2020-02-10 06:30:02 +08:00
for _, action := range ident.Actions {
t.Actions = append(t.Actions, Action(action))
}
for _, cred := range ident.Credentials {
t.Credentials = append(t.Credentials, &Credential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
})
}
2020-12-07 16:10:29 +08:00
identities = append(identities, t)
2020-02-10 06:30:02 +08:00
}
2022-10-02 10:18:00 +08:00
if IdentityAnonymous == nil {
IdentityAnonymous = &Identity{
Name: s3account.AccountAnonymous.Name,
AccountId: s3account.AccountAnonymous.Id,
2022-10-02 10:18:00 +08:00
}
}
iam.m.Lock()
2020-12-07 16:10:29 +08:00
// atomically switch
iam.identities = identities
if !iam.isAuthEnabled { // one-directional, no toggling
iam.isAuthEnabled = len(identities) > 0
}
iam.m.Unlock()
2020-02-10 06:30:02 +08:00
return nil
}
2020-07-12 00:11:15 +08:00
func (iam *IdentityAccessManagement) isEnabled() bool {
return iam.isAuthEnabled
2020-07-12 00:11:15 +08:00
}
2020-02-10 06:30:02 +08:00
func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
2020-07-12 00:11:15 +08:00
iam.m.RLock()
defer iam.m.RUnlock()
2020-02-10 06:30:02 +08:00
for _, ident := range iam.identities {
for _, cred := range ident.Credentials {
2021-11-08 05:27:57 +08:00
// println("checking", ident.Name, cred.AccessKey)
2020-02-10 06:30:02 +08:00
if cred.AccessKey == accessKey {
return ident, cred, true
}
}
}
2021-11-08 04:37:46 +08:00
glog.V(1).Infof("could not find accessKey %s", accessKey)
2020-02-10 06:30:02 +08:00
return nil, nil, false
}
func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
iam.m.RLock()
defer iam.m.RUnlock()
for _, ident := range iam.identities {
2022-10-02 10:18:00 +08:00
if ident.isAnonymous() {
return ident, true
}
}
return nil, false
}
2020-02-23 13:34:18 +08:00
func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
2020-02-10 06:30:02 +08:00
return func(w http.ResponseWriter, r *http.Request) {
if !iam.isEnabled() {
f(w, r)
return
}
2020-11-11 16:20:59 +08:00
identity, errCode := iam.authRequest(r, action)
2020-09-20 05:09:58 +08:00
if errCode == s3err.ErrNone {
2020-11-11 16:20:59 +08:00
if identity != nil && identity.Name != "" {
r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
2020-11-13 05:57:54 +08:00
if identity.isAdmin() {
r.Header.Set(s3_constants.AmzIsAdmin, "true")
} else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
r.Header.Del(s3_constants.AmzIsAdmin)
2020-11-13 05:57:54 +08:00
}
2020-11-11 16:20:59 +08:00
}
2020-02-10 06:30:02 +08:00
f(w, r)
return
}
2021-11-01 09:05:34 +08:00
s3err.WriteErrorResponse(w, r, errCode)
2020-02-10 06:30:02 +08:00
}
}
// check whether the request has valid access keys
2020-11-11 16:20:59 +08:00
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
var identity *Identity
var s3Err s3err.ErrorCode
var found bool
2021-12-10 22:40:32 +08:00
var authType string
switch getRequestAuthType(r) {
case authTypeStreamingSigned:
return identity, s3err.ErrNone
case authTypeUnknown:
glog.V(3).Infof("unknown auth type")
r.Header.Set(s3_constants.AmzAuthType, "Unknown")
return identity, s3err.ErrAccessDenied
case authTypePresignedV2, authTypeSignedV2:
glog.V(3).Infof("v2 auth type")
identity, s3Err = iam.isReqAuthenticatedV2(r)
2021-12-10 22:40:32 +08:00
authType = "SigV2"
case authTypeSigned, authTypePresigned:
glog.V(3).Infof("v4 auth type")
identity, s3Err = iam.reqSignatureV4Verify(r)
2021-12-10 22:40:32 +08:00
authType = "SigV4"
case authTypePostPolicy:
glog.V(3).Infof("post policy auth type")
r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
return identity, s3err.ErrNone
case authTypeJWT:
glog.V(3).Infof("jwt auth type")
r.Header.Set(s3_constants.AmzAuthType, "Jwt")
return identity, s3err.ErrNotImplemented
case authTypeAnonymous:
2021-12-10 22:40:32 +08:00
authType = "Anonymous"
identity, found = iam.lookupAnonymous()
if !found {
r.Header.Set(s3_constants.AmzAuthType, authType)
return identity, s3err.ErrAccessDenied
}
default:
return identity, s3err.ErrNotImplemented
}
2021-12-10 22:40:32 +08:00
if len(authType) > 0 {
r.Header.Set(s3_constants.AmzAuthType, authType)
2021-12-10 22:40:32 +08:00
}
2020-12-25 16:38:56 +08:00
if s3Err != s3err.ErrNone {
return identity, s3Err
}
2021-07-04 05:51:01 +08:00
glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
2020-12-25 16:38:56 +08:00
bucket, object := s3_constants.GetBucketAndObject(r)
2020-12-25 16:38:56 +08:00
if !identity.canDo(action, bucket, object) {
2020-12-25 16:38:56 +08:00
return identity, s3err.ErrAccessDenied
}
2022-10-02 10:18:00 +08:00
if !identity.isAnonymous() {
r.Header.Set(s3_constants.AmzAccountId, identity.AccountId)
}
2020-12-25 16:38:56 +08:00
return identity, s3err.ErrNone
}
func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
2020-02-10 06:30:02 +08:00
var identity *Identity
2020-09-20 05:09:58 +08:00
var s3Err s3err.ErrorCode
var found bool
2021-12-10 22:40:32 +08:00
var authType string
2020-02-10 06:30:02 +08:00
switch getRequestAuthType(r) {
2020-02-10 08:02:05 +08:00
case authTypeStreamingSigned:
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNone
2020-02-10 08:02:05 +08:00
case authTypeUnknown:
glog.V(3).Infof("unknown auth type")
r.Header.Set(s3_constants.AmzAuthType, "Unknown")
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrAccessDenied
2020-02-10 06:30:02 +08:00
case authTypePresignedV2, authTypeSignedV2:
2020-02-10 08:02:05 +08:00
glog.V(3).Infof("v2 auth type")
identity, s3Err = iam.isReqAuthenticatedV2(r)
2021-12-10 22:40:32 +08:00
authType = "SigV2"
2020-02-10 06:30:02 +08:00
case authTypeSigned, authTypePresigned:
2020-02-10 08:02:05 +08:00
glog.V(3).Infof("v4 auth type")
2020-02-10 06:30:02 +08:00
identity, s3Err = iam.reqSignatureV4Verify(r)
2021-12-10 22:40:32 +08:00
authType = "SigV4"
case authTypePostPolicy:
2020-02-23 06:01:04 +08:00
glog.V(3).Infof("post policy auth type")
r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNone
case authTypeJWT:
2020-02-23 06:01:04 +08:00
glog.V(3).Infof("jwt auth type")
r.Header.Set(s3_constants.AmzAuthType, "Jwt")
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNotImplemented
case authTypeAnonymous:
2021-12-10 22:40:32 +08:00
authType = "Anonymous"
identity, found = iam.lookupAnonymous()
if !found {
r.Header.Set(s3_constants.AmzAuthType, authType)
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrAccessDenied
}
2020-02-23 06:01:04 +08:00
default:
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNotImplemented
2020-02-10 06:30:02 +08:00
}
2021-12-10 22:40:32 +08:00
if len(authType) > 0 {
r.Header.Set(s3_constants.AmzAuthType, authType)
2021-12-10 22:40:32 +08:00
}
2020-02-10 06:30:02 +08:00
2020-02-10 08:02:05 +08:00
glog.V(3).Infof("auth error: %v", s3Err)
2020-09-20 05:09:58 +08:00
if s3Err != s3err.ErrNone {
2020-11-11 16:20:59 +08:00
return identity, s3Err
2020-02-10 08:02:05 +08:00
}
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNone
2020-02-10 06:30:02 +08:00
}
func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
2020-11-13 05:57:54 +08:00
if identity.isAdmin() {
return true
2020-02-23 13:34:18 +08:00
}
for _, a := range identity.Actions {
if a == action {
return true
}
}
if bucket == "" {
return false
}
2022-01-04 13:05:20 +08:00
target := string(action) + ":" + bucket + objectKey
adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
2020-02-23 13:34:18 +08:00
limitedByBucket := string(action) + ":" + bucket
2020-12-25 16:38:56 +08:00
adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
2020-02-23 13:34:18 +08:00
for _, a := range identity.Actions {
2021-04-28 00:45:40 +08:00
act := string(a)
if strings.HasSuffix(act, "*") {
if strings.HasPrefix(target, act[:len(act)-1]) {
2021-04-28 00:45:40 +08:00
return true
}
if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
return true
}
2021-04-28 00:45:40 +08:00
} else {
if act == limitedByBucket {
return true
}
if act == adminLimitedByBucket {
return true
}
2020-12-25 16:38:56 +08:00
}
2020-02-10 06:30:02 +08:00
}
return false
}
2020-11-13 05:57:54 +08:00
func (identity *Identity) isAdmin() bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
}
return false
}