gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3api: Allow anonymous access to SOSAPI virtual objects

Browse Source 
Enable discovery of SOSAPI capabilities without requiring credentials.

- Modify AuthWithPublicRead to bypass auth for SOSAPI objects if bucket exists
- Supports Veeam's initial discovery phase before full IAM setup
- Validates bucket existence to prevent information disclosure
This commit is contained in:
Chris Lu
2025-12-28 12:57:01 -08:00
parent a757ef77b1
commit e8baeb3616
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
weed/s3api/s3api_bucket_handlers.go
View File

@@ -624,6 +624,17 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
glog.V(4).Infof("AuthWithPublicRead: bucket=%s, object=%s, authType=%v, isAnonymous=%v", bucket, object, authType, isAnonymous)
// Allow anonymous access for SOSAPI virtual objects (discovery)
if isSOSAPIObject(object) {
// Ensure the bucket exists anyway
_, errCode := s3a.getBucketConfig(bucket)
if errCode == s3err.ErrNone {
glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to SOSAPI object %s in bucket %s", object, bucket)
handler(w, r)
return
}
}
// For anonymous requests, check if bucket allows public read via ACLs or bucket policies
if isAnonymous {
// First check ACL-based public access