gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

S3 Tables: secure API router with IAM authentication

Browse Source 
- Wrap S3 Tables handler with authenticateS3Tables.
- Use AuthSignatureOnly to enforce valid credentials while delegating granular authorization to handlers.
- Prevent anonymous access to all S3 Tables endpoints.
This commit is contained in:
Chris Lu
2026-01-28 12:09:15 -08:00
parent ae19621230
commit b7c1eba0a1
1 changed files with 33 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
weed/s3api/s3api_tables.go
View File

@@ -8,6 +8,8 @@ import (
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3tables"
)
@@ -97,11 +99,11 @@ func (s3a *S3ApiServer) registerS3TablesRoutes(router *mux.Router) {
return false
}
// Register the S3 Tables handler
// Register the S3 Tables handler wrapped with IAM authentication
router.Methods(http.MethodPost).Path("/").MatcherFunc(s3TablesMatcher).
HandlerFunc(track(func(w http.ResponseWriter, r *http.Request) {
HandlerFunc(track(s3a.authenticateS3Tables(func(w http.ResponseWriter, r *http.Request) {
s3TablesApi.S3TablesHandler(w, r)
}, "S3Tables"))
}), "S3Tables"))
glog.V(1).Infof("S3 Tables API enabled")
}
@@ -111,3 +113,31 @@ func isS3TablesAction(action string) bool {
_, ok := s3TablesActionsMap[action]
return ok
}
// authenticateS3Tables wraps the handler with IAM authentication using AuthSignatureOnly
// This authenticates the request but delegates authorization to the S3 Tables handler
// which performs granular permission checks based on the specific operation.
func (s3a *S3ApiServer) authenticateS3Tables(f http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if !s3a.iam.isEnabled() {
f(w, r)
return
}
// Use AuthSignatureOnly to authenticate the request without authorizing specific actions
identity, errCode := s3a.iam.AuthSignatureOnly(r)
if errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
// Store the authenticated identity in request context
if identity != nil && identity.Name != "" {
ctx := s3_constants.SetIdentityNameInContext(r.Context(), identity.Name)
ctx = s3_constants.SetIdentityInContext(ctx, identity)
r = r.WithContext(ctx)
}
f(w, r)
}
}