s3tables: enforce strict resource ownership and implement result filtering for tables
This commit is contained in:
Chris Lu
@@ -85,11 +85,10 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check permission
|
// Check ownership
|
||||||
principal := h.getPrincipalFromRequest(r)
|
if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID {
|
||||||
if !CanCreateTable(principal, namespaceMetadata.OwnerAccountID) {
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace")
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table")
|
return fmt.Errorf("access denied")
|
||||||
return NewAuthError("CreateTable", principal, "not authorized to create table")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tablePath := getTablePath(bucketName, namespaceName, tableName)
|
tablePath := getTablePath(bucketName, namespaceName, tableName)
|
||||||
@@ -239,11 +238,10 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check permission
|
// Check ownership
|
||||||
principal := h.getPrincipalFromRequest(r)
|
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
|
||||||
if !CanGetTable(principal, metadata.OwnerAccountID) {
|
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table")
|
return fmt.Errorf("access denied")
|
||||||
return NewAuthError("GetTable", principal, "not authorized to get table")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
|
tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
|
||||||
@@ -310,9 +308,9 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
|
|||||||
if err := json.Unmarshal(data, &nsMeta); err != nil {
|
if err := json.Unmarshal(data, &nsMeta); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
principal := h.getPrincipalFromRequest(r)
|
if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID {
|
||||||
if !CanListTables(principal, nsMeta.OwnerAccountID) {
|
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
|
||||||
return NewAuthError("ListTables", principal, "not authorized to list tables")
|
return fmt.Errorf("access denied")
|
||||||
}
|
}
|
||||||
|
|
||||||
tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables)
|
tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables)
|
||||||
@@ -327,9 +325,9 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
|
|||||||
if err := json.Unmarshal(data, &bucketMeta); err != nil {
|
if err := json.Unmarshal(data, &bucketMeta); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
principal := h.getPrincipalFromRequest(r)
|
if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID {
|
||||||
if !CanListTables(principal, bucketMeta.OwnerAccountID) {
|
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found")
|
||||||
return NewAuthError("ListTables", principal, "not authorized to list tables")
|
return fmt.Errorf("access denied")
|
||||||
}
|
}
|
||||||
|
|
||||||
tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables)
|
tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables)
|
||||||
@@ -428,6 +426,10 @@ func (h *S3TablesHandler) listTablesWithClient(r *http.Request, client filer_pb.
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if metadata.OwnerAccountID != h.getAccountID(r) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+entry.Entry.Name)
|
tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+entry.Entry.Name)
|
||||||
|
|
||||||
tables = append(tables, TableSummary{
|
tables = append(tables, TableSummary{
|
||||||
@@ -601,11 +603,10 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check permission
|
// Check ownership
|
||||||
principal := h.getPrincipalFromRequest(r)
|
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
|
||||||
if !CanDeleteTable(principal, metadata.OwnerAccountID) {
|
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table")
|
return fmt.Errorf("access denied")
|
||||||
return NewAuthError("DeleteTable", principal, "not authorized to delete table")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Delete the table
|
// Delete the table
|
||||||
|
|||||||
Reference in New Issue
Block a user