gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

IAM: add support for advanced IAM config file to server command (#7317)

Browse Source 
* IAM: add support for advanced IAM config file to server command

* Add support for advanced IAM config file in S3 options

* Fix S3 IAM config handling to simplify checks for configuration presence

* simplify

* simplify again

* copy the value

* const

---------

Co-authored-by: chrislu <chris.lu@gmail.com>
Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
This commit is contained in:
Nial
2025-10-29 00:30:12 +00:00
committed by GitHub
parent b8bef0328b
commit 20e0d91037
2 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
weed/command/server.go
View File

@@ -63,6 +63,7 @@ var (
serverRack = cmdServer.Flag.String("rack", "", "current volume server's rack name")
serverWhiteListOption = cmdServer.Flag.String("whiteList", "", "comma separated Ip addresses having write permission. No limit if empty.")
serverDisableHttp = cmdServer.Flag.Bool("disableHttp", false, "disable http requests, only gRPC operations are allowed.")
serverIamConfig = cmdServer.Flag.String("iam.config", "", "path to the advanced IAM config file for S3. An alias for -s3.iam.config, but with lower priority.")
volumeDataFolders = cmdServer.Flag.String("dir", os.TempDir(), "directories to store data files. dir[,dir]...")
volumeMaxDataVolumeCounts = cmdServer.Flag.String("volume.max", "8", "maximum numbers of volumes, count[,count]... If set to zero, the limit will be auto configured as free disk space divided by volume size.")
volumeMinFreeSpacePercent = cmdServer.Flag.String("volume.minFreeSpacePercent", "1", "minimum free disk space (default to 1%). Low disk space will mark all volumes as ReadOnly (deprecated, use minFreeSpace instead).")
@@ -160,6 +161,7 @@ func init() {
s3Options.tlsCACertificate = cmdServer.Flag.String("s3.cacert.file", "", "path to the TLS CA certificate file")
s3Options.tlsVerifyClientCert = cmdServer.Flag.Bool("s3.tlsVerifyClientCert", false, "whether to verify the client's certificate")
s3Options.config = cmdServer.Flag.String("s3.config", "", "path to the config file")
s3Options.iamConfig = cmdServer.Flag.String("s3.iam.config", "", "path to the advanced IAM config file for S3. Overrides -iam.config if both are provided.")
s3Options.auditLogConfig = cmdServer.Flag.String("s3.auditLogConfig", "", "path to the audit log config file")
s3Options.allowEmptyFolder = cmdServer.Flag.Bool("s3.allowEmptyFolder", true, "allow empty folders")
s3Options.allowDeleteBucketNotEmpty = cmdServer.Flag.Bool("s3.allowDeleteBucketNotEmpty", true, "allow recursive deleting all entries along with bucket")
@@ -321,6 +323,12 @@ func runServer(cmd *Command, args []string) bool {
}
if *isStartingS3 {
// Handle IAM config: -s3.iam.config takes precedence over -iam.config
if *s3Options.iamConfig == "" {
*s3Options.iamConfig = *serverIamConfig
} else if *serverIamConfig != "" && *s3Options.iamConfig != *serverIamConfig {
glog.V(0).Infof("both -s3.iam.config(%s) and -iam.config(%s) provided; using -s3.iam.config", *s3Options.iamConfig, *serverIamConfig)
}
go func() {
time.Sleep(2 * time.Second)
s3Options.localFilerSocket = filerOptions.localSocket

13
weed/s3api/s3api_server.go
View File

@@ -473,12 +473,23 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
return nil, fmt.Errorf("failed to parse config: %w", err)
}
// Ensure a valid policy engine config exists
if configRoot.Policy == nil {
// Provide a secure default if not specified in the config file
// Default to Deny with in-memory store so that JSON-defined policies work without filer
glog.V(0).Infof("No policy engine config provided; using defaults (DefaultEffect=%s, StoreType=%s)", sts.EffectDeny, sts.StoreTypeMemory)
configRoot.Policy = &policy.PolicyEngineConfig{
DefaultEffect: sts.EffectDeny,
StoreType: sts.StoreTypeMemory,
}
}
// Create IAM configuration
iamConfig := &integration.IAMConfig{
STS: configRoot.STS,
Policy: configRoot.Policy,
Roles: &integration.RoleStoreConfig{
StoreType: "memory", // Use memory store for JSON config-based setup
StoreType: sts.StoreTypeMemory, // Use memory store for JSON config-based setup
},
}