gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5a9c2744921b441910485706891b11cf53da914
seaweedFS/weed/s3api/auth_credentials.go
Chris Lu c5a9c27449 Migrate from deprecated azure-storage-blob-go to modern Azure SDK (#7310) 
* Migrate from deprecated azure-storage-blob-go to modern Azure SDK

Migrates Azure Blob Storage integration from the deprecated
github.com/Azure/azure-storage-blob-go to the modern
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob SDK.

## Changes

### Removed Files
- weed/remote_storage/azure/azure_highlevel.go
  - Custom upload helper no longer needed with new SDK

### Updated Files
- weed/remote_storage/azure/azure_storage_client.go
  - Migrated from ServiceURL/ContainerURL/BlobURL to Client-based API
  - Updated client creation using NewClientWithSharedKeyCredential
  - Replaced ListBlobsFlatSegment with NewListBlobsFlatPager
  - Updated Download to DownloadStream with proper HTTPRange
  - Replaced custom uploadReaderAtToBlockBlob with UploadStream
  - Updated GetProperties, SetMetadata, Delete to use new client methods
  - Fixed metadata conversion to return map[string]*string

- weed/replication/sink/azuresink/azure_sink.go
  - Migrated from ContainerURL to Client-based API
  - Updated client initialization
  - Replaced AppendBlobURL with AppendBlobClient
  - Updated error handling to use azcore.ResponseError
  - Added streaming.NopCloser for AppendBlock

### New Test Files
- weed/remote_storage/azure/azure_storage_client_test.go
  - Comprehensive unit tests for all client operations
  - Tests for Traverse, ReadFile, WriteFile, UpdateMetadata, Delete
  - Tests for metadata conversion function
  - Benchmark tests
  - Integration tests (skippable without credentials)

- weed/replication/sink/azuresink/azure_sink_test.go
  - Unit tests for Azure sink operations
  - Tests for CreateEntry, UpdateEntry, DeleteEntry
  - Tests for cleanKey function
  - Tests for configuration-based initialization
  - Integration tests (skippable without credentials)
  - Benchmark tests

### Dependency Updates
- go.mod: Removed github.com/Azure/azure-storage-blob-go v0.15.0
- go.mod: Made github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.2 direct dependency
- All deprecated dependencies automatically cleaned up

## API Migration Summary

Old SDK → New SDK mappings:
- ServiceURL → Client (service-level operations)
- ContainerURL → ContainerClient
- BlobURL → BlobClient
- BlockBlobURL → BlockBlobClient
- AppendBlobURL → AppendBlobClient
- ListBlobsFlatSegment() → NewListBlobsFlatPager()
- Download() → DownloadStream()
- Upload() → UploadStream()
- Marker-based pagination → Pager-based pagination
- azblob.ResponseError → azcore.ResponseError

## Testing

All tests pass:
-  Unit tests for metadata conversion
-  Unit tests for helper functions (cleanKey)
-  Interface implementation tests
-  Build successful
-  No compilation errors
-  Integration tests available (require Azure credentials)

## Benefits

-  Uses actively maintained SDK
-  Better performance with modern API design
-  Improved error handling
-  Removes ~200 lines of custom upload code
-  Reduces dependency count
-  Better async/streaming support
-  Future-proof against SDK deprecation

## Backward Compatibility

The changes are transparent to users:
- Same configuration parameters (account name, account key)
- Same functionality and behavior
- No changes to SeaweedFS API or user-facing features
- Existing Azure storage configurations continue to work

## Breaking Changes

None - this is an internal implementation change only.

* Address Gemini Code Assist review comments

Fixed three issues identified by Gemini Code Assist:

1. HIGH: ReadFile now uses blob.CountToEnd when size is 0
   - Old SDK: size=0 meant "read to end"
   - New SDK: size=0 means "read 0 bytes"
   - Fix: Use blob.CountToEnd (-1) to read entire blob from offset

2. MEDIUM: Use to.Ptr() instead of slice trick for DeleteSnapshots
   - Replaced &[]Type{value}[0] with to.Ptr(value)
   - Cleaner, more idiomatic Azure SDK pattern
   - Applied to both azure_storage_client.go and azure_sink.go

3. Added missing imports:
   - github.com/Azure/azure-sdk-for-go/sdk/azcore/to

These changes improve code clarity and correctness while following
Azure SDK best practices.

* Address second round of Gemini Code Assist review comments

Fixed all issues identified in the second review:

1. MEDIUM: Added constants for hardcoded values
   - Defined defaultBlockSize (4 MB) and defaultConcurrency (16)
   - Applied to WriteFile UploadStream options
   - Improves maintainability and readability

2. MEDIUM: Made DeleteFile idempotent
   - Now returns nil (no error) if blob doesn't exist
   - Uses bloberror.HasCode(err, bloberror.BlobNotFound)
   - Consistent with idempotent operation expectations

3. Fixed TestToMetadata test failures
   - Test was using lowercase 'x-amz-meta-' but constant is 'X-Amz-Meta-'
   - Updated test to use s3_constants.AmzUserMetaPrefix
   - All tests now pass

Changes:
- Added import: github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror
- Added constants: defaultBlockSize, defaultConcurrency
- Updated WriteFile to use constants
- Updated DeleteFile to be idempotent
- Fixed test to use correct S3 metadata prefix constant

All tests pass. Build succeeds. Code follows Azure SDK best practices.

* Address third round of Gemini Code Assist review comments

Fixed all issues identified in the third review:

1. MEDIUM: Use bloberror.HasCode for ContainerAlreadyExists
   - Replaced fragile string check with bloberror.HasCode()
   - More robust and aligned with Azure SDK best practices
   - Applied to CreateBucket test

2. MEDIUM: Use bloberror.HasCode for BlobNotFound in test
   - Replaced generic error check with specific BlobNotFound check
   - Makes test more precise and verifies correct error returned
   - Applied to VerifyDeleted test

3. MEDIUM: Made DeleteEntry idempotent in azure_sink.go
   - Now returns nil (no error) if blob doesn't exist
   - Uses bloberror.HasCode(err, bloberror.BlobNotFound)
   - Consistent with DeleteFile implementation
   - Makes replication sink more robust to retries

Changes:
- Added import to azure_storage_client_test.go: bloberror
- Added import to azure_sink.go: bloberror
- Updated CreateBucket test to use bloberror.HasCode
- Updated VerifyDeleted test to use bloberror.HasCode
- Updated DeleteEntry to be idempotent

All tests pass. Build succeeds. Code uses Azure SDK best practices.

* Address fourth round of Gemini Code Assist review comments

Fixed two critical issues identified in the fourth review:

1. HIGH: Handle BlobAlreadyExists in append blob creation
   - Problem: If append blob already exists, Create() fails causing replication failure
   - Fix: Added bloberror.HasCode(err, bloberror.BlobAlreadyExists) check
   - Behavior: Existing append blobs are now acceptable, appends can proceed
   - Impact: Makes replication sink more robust, prevents unnecessary failures
   - Location: azure_sink.go CreateEntry function

2. MEDIUM: Configure custom retry policy for download resiliency
   - Problem: Old SDK had MaxRetryRequests: 20, new SDK defaults to 3 retries
   - Fix: Configured policy.RetryOptions with MaxRetries: 10
   - Settings: TryTimeout=1min, RetryDelay=2s, MaxRetryDelay=1min
   - Impact: Maintains similar resiliency in unreliable network conditions
   - Location: azure_storage_client.go client initialization

Changes:
- Added import: github.com/Azure/azure-sdk-for-go/sdk/azcore/policy
- Updated NewClientWithSharedKeyCredential to include ClientOptions with retry policy
- Updated CreateEntry error handling to allow BlobAlreadyExists

Technical details:
- Retry policy uses exponential backoff (default SDK behavior)
- MaxRetries=10 provides good balance (was 20 in old SDK, default is 3)
- TryTimeout prevents individual requests from hanging indefinitely
- BlobAlreadyExists handling allows idempotent append operations

All tests pass. Build succeeds. Code is more resilient and robust.

* Update weed/replication/sink/azuresink/azure_sink.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Revert "Update weed/replication/sink/azuresink/azure_sink.go"

This reverts commit 605e41cadf4aaa3bb7b1796f71233ff73d90ed72.

* Address fifth round of Gemini Code Assist review comment

Added retry policy to azure_sink.go for consistency and resiliency:

1. MEDIUM: Configure retry policy in azure_sink.go client
   - Problem: azure_sink.go was using default retry policy (3 retries) while
     azure_storage_client.go had custom policy (10 retries)
   - Fix: Added same retry policy configuration for consistency
   - Settings: MaxRetries=10, TryTimeout=1min, RetryDelay=2s, MaxRetryDelay=1min
   - Impact: Replication sink now has same resiliency as storage client
   - Rationale: Replication sink needs to be robust against transient network errors

Changes:
- Added import: github.com/Azure/azure-sdk-for-go/sdk/azcore/policy
- Updated NewClientWithSharedKeyCredential call in initialize() function
- Both azure_storage_client.go and azure_sink.go now have identical retry policies

Benefits:
- Consistency: Both Azure clients now use same retry configuration
- Resiliency: Replication operations more robust to network issues
- Best practices: Follows Azure SDK recommended patterns for production use

All tests pass. Build succeeds. Code is consistent and production-ready.

* fmt

* Address sixth round of Gemini Code Assist review comment

Fixed HIGH priority metadata key validation for Azure compliance:

1. HIGH: Handle metadata keys starting with digits
   - Problem: Azure Blob Storage requires metadata keys to be valid C# identifiers
   - Constraint: C# identifiers cannot start with a digit (0-9)
   - Issue: S3 metadata like 'x-amz-meta-123key' would fail with InvalidInput error
   - Fix: Prefix keys starting with digits with underscore '_'
   - Example: '123key' becomes '_123key', '456-test' becomes '_456_test'

2. Code improvement: Use strings.ReplaceAll for better readability
   - Changed from: strings.Replace(str, "-", "_", -1)
   - Changed to: strings.ReplaceAll(str, "-", "_")
   - Both are functionally equivalent, ReplaceAll is more readable

Changes:
- Updated toMetadata() function in azure_storage_client.go
- Added digit prefix check: if key[0] >= '0' && key[0] <= '9'
- Added comprehensive test case 'keys starting with digits'
- Tests cover: '123key' -> '_123key', '456-test' -> '_456_test', '789' -> '_789'

Technical details:
- Azure SDK validates metadata keys as C# identifiers
- C# identifier rules: must start with letter or underscore
- Digits allowed in identifiers but not as first character
- This prevents SetMetadata() and UploadStream() failures

All tests pass including new test case. Build succeeds.
Code is now fully compliant with Azure metadata requirements.

* Address seventh round of Gemini Code Assist review comment

Normalize metadata keys to lowercase for S3 compatibility:

1. MEDIUM: Convert metadata keys to lowercase
   - Rationale: S3 specification stores user-defined metadata keys in lowercase
   - Consistency: Azure Blob Storage metadata is case-insensitive
   - Best practice: Normalizing to lowercase ensures consistent behavior
   - Example: 'x-amz-meta-My-Key' -> 'my_key' (not 'My_Key')

Changes:
- Updated toMetadata() to apply strings.ToLower() to keys
- Added comment explaining S3 lowercase normalization
- Order of operations: strip prefix -> lowercase -> replace dashes -> check digits

Test coverage:
- Added new test case 'uppercase and mixed case keys'
- Tests: 'My-Key' -> 'my_key', 'UPPERCASE' -> 'uppercase', 'MiXeD-CaSe' -> 'mixed_case'
- All 6 test cases pass

Benefits:
- S3 compatibility: Matches S3 metadata key behavior
- Azure consistency: Case-insensitive keys work predictably
- Cross-platform: Same metadata keys work identically on both S3 and Azure
- Prevents issues: No surprises from case-sensitive key handling

Implementation:
```go
key := strings.ReplaceAll(strings.ToLower(k[len(s3_constants.AmzUserMetaPrefix):]), "-", "_")
```

All tests pass. Build succeeds. Metadata handling is now fully S3-compatible.

* Address eighth round of Gemini Code Assist review comments

Use %w instead of %v for error wrapping across both files:

1. MEDIUM: Error wrapping in azure_storage_client.go
   - Problem: Using %v in fmt.Errorf loses error type information
   - Modern Go practice: Use %w to preserve error chains
   - Benefit: Enables errors.Is() and errors.As() for callers
   - Example: Can check for bloberror.BlobNotFound after wrapping

2. MEDIUM: Error wrapping in azure_sink.go
   - Applied same improvement for consistency
   - All error wrapping now preserves underlying errors
   - Improved debugging and error handling capabilities

Changes applied to all fmt.Errorf calls:
- azure_storage_client.go: 10 instances changed from %v to %w
  - Invalid credential error
  - Client creation error
  - Traverse errors
  - Download errors (2)
  - Upload error
  - Delete error
  - Create/Delete bucket errors (2)

- azure_sink.go: 3 instances changed from %v to %w
  - Credential creation error
  - Client creation error
  - Delete entry error
  - Create append blob error

Benefits:
- Error inspection: Callers can use errors.Is(err, target)
- Error unwrapping: Callers can use errors.As(err, &target)
- Type preservation: Original error types maintained through wraps
- Better debugging: Full error chain available for inspection
- Modern Go: Follows Go 1.13+ error wrapping best practices

Example usage after this change:
```go
err := client.ReadFile(...)
if errors.Is(err, bloberror.BlobNotFound) {
    // Can detect specific Azure errors even after wrapping
}
```

All tests pass. Build succeeds. Error handling is now modern and robust.

* Address ninth round of Gemini Code Assist review comment

Improve metadata key sanitization with comprehensive character validation:

1. MEDIUM: Complete Azure C# identifier validation
   - Problem: Previous implementation only handled dashes, not all invalid chars
   - Issue: Keys like 'my.key', 'key+plus', 'key@symbol' would cause InvalidMetadata
   - Azure requirement: Metadata keys must be valid C# identifiers
   - Valid characters: letters (a-z, A-Z), digits (0-9), underscore (_) only

2. Implemented robust regex-based sanitization
   - Added package-level regex: `[^a-zA-Z0-9_]`
   - Matches ANY character that's not alphanumeric or underscore
   - Replaces all invalid characters with underscore
   - Compiled once at package init for performance

Implementation details:
- Regex declared at package level: var invalidMetadataChars = regexp.MustCompile(`[^a-zA-Z0-9_]`)
- Avoids recompiling regex on every toMetadata() call
- Efficient single-pass replacement of all invalid characters
- Processing order: lowercase -> regex replace -> digit check

Examples of character transformations:
- Dots: 'my.key' -> 'my_key'
- Plus: 'key+plus' -> 'key_plus'
- At symbol: 'key@symbol' -> 'key_symbol'
- Mixed: 'key-with.' -> 'key_with_'
- Slash: 'key/slash' -> 'key_slash'
- Combined: '123-key.value+test' -> '_123_key_value_test'

Test coverage:
- Added comprehensive test case 'keys with invalid characters'
- Tests: dot, plus, at-symbol, dash+dot, slash
- All 7 test cases pass (was 6, now 7)

Benefits:
- Complete Azure compliance: Handles ALL invalid characters
- Robust: Works with any S3 metadata key format
- Performant: Regex compiled once, reused efficiently
- Maintainable: Single source of truth for valid characters
- Prevents errors: No more InvalidMetadata errors during upload

All tests pass. Build succeeds. Metadata sanitization is now bulletproof.

* Address tenth round review - HIGH: Fix metadata key collision issue

Prevent metadata loss by using hex encoding for invalid characters:

1. HIGH PRIORITY: Metadata key collision prevention
   - Critical Issue: Different S3 keys mapping to same Azure key causes data loss
   - Example collisions (BEFORE):
     * 'my-key' -> 'my_key'
     * 'my.key' -> 'my_key'   COLLISION! Second overwrites first
     * 'my_key' -> 'my_key'   All three map to same key!

   - Fixed with hex encoding (AFTER):
     * 'my-key' -> 'my_2d_key' (dash = 0x2d)
     * 'my.key' -> 'my_2e_key' (dot = 0x2e)
     * 'my_key' -> 'my_key'    (underscore is valid)
      All three are now unique!

2. Implemented collision-proof hex encoding
   - Pattern: Invalid chars -> _XX_ where XX is hex code
   - Dash (0x2d): 'content-type' -> 'content_2d_type'
   - Dot (0x2e): 'my.key' -> 'my_2e_key'
   - Plus (0x2b): 'key+plus' -> 'key_2b_plus'
   - At (0x40): 'key@symbol' -> 'key_40_symbol'
   - Slash (0x2f): 'key/slash' -> 'key_2f_slash'

3. Created sanitizeMetadataKey() function
   - Encapsulates hex encoding logic
   - Uses ReplaceAllStringFunc for efficient transformation
   - Maintains digit prefix check for Azure C# identifier rules
   - Clear documentation with examples

Implementation details:
```go
func sanitizeMetadataKey(key string) string {
    // Replace each invalid character with _XX_ where XX is the hex code
    result := invalidMetadataChars.ReplaceAllStringFunc(key, func(s string) string {
        return fmt.Sprintf("_%02x_", s[0])
    })

    // Azure metadata keys cannot start with a digit
    if len(result) > 0 && result[0] >= '0' && result[0] <= '9' {
        result = "_" + result
    }

    return result
}
```

Why hex encoding solves the collision problem:
- Each invalid character gets unique hex representation
- Two-digit hex ensures no confusion (always _XX_ format)
- Preserves all information from original key
- Reversible (though not needed for this use case)
- Azure-compliant (hex codes don't introduce new invalid chars)

Test coverage:
- Updated all test expectations to match hex encoding
- Added 'collision prevention' test case demonstrating uniqueness:
  * Tests my-key, my.key, my_key all produce different results
  * Proves metadata from different S3 keys won't collide
- Total test cases: 8 (was 7, added collision prevention)

Examples from tests:
- 'content-type' -> 'content_2d_type' (0x2d = dash)
- '456-test' -> '_456_2d_test' (digit prefix + dash)
- 'My-Key' -> 'my_2d_key' (lowercase + hex encode dash)
- 'key-with.' -> 'key_2d_with_2e_' (multiple chars: dash, dot, trailing dot)

Benefits:
-  Zero collision risk: Every unique S3 key -> unique Azure key
-  Data integrity: No metadata loss from overwrites
-  Complete info preservation: Original key distinguishable
-  Azure compliant: Hex-encoded keys are valid C# identifiers
-  Maintainable: Clean function with clear purpose
-  Testable: Collision prevention explicitly tested

All tests pass. Build succeeds. Metadata integrity is now guaranteed.

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-10-08 23:12:03 -07:00

682 lines
21 KiB
Go
Raw Blame History

package s3api
import (
"context"
"encoding/json"
"fmt"
"net/http"
"os"
"slices"
"strings"
"sync"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/kms"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
// Import KMS providers to register them
_ "github.com/seaweedfs/seaweedfs/weed/kms/aws"
// _ "github.com/seaweedfs/seaweedfs/weed/kms/azure" // TODO: Fix Azure SDK compatibility issues
_ "github.com/seaweedfs/seaweedfs/weed/kms/gcp"
_ "github.com/seaweedfs/seaweedfs/weed/kms/local"
_ "github.com/seaweedfs/seaweedfs/weed/kms/openbao"
"google.golang.org/grpc"
)
type Action string
type Iam interface {
Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
}
type IdentityAccessManagement struct {
m sync.RWMutex
identities []*Identity
accessKeyIdent map[string]*Identity
accounts map[string]*Account
emailAccount map[string]*Account
hashes map[string]*sync.Pool
hashCounters map[string]*int32
identityAnonymous *Identity
hashMu sync.RWMutex
domain string
isAuthEnabled bool
credentialManager *credential.CredentialManager
filerClient filer_pb.SeaweedFilerClient
grpcDialOption grpc.DialOption
// IAM Integration for advanced features
iamIntegration *S3IAMIntegration
}
type Identity struct {
Name string
Account *Account
Credentials []*Credential
Actions []Action
PrincipalArn string // ARN for IAM authorization (e.g., "arn:seaweed:iam::user/username")
}
// Account represents a system user, a system user can
// configure multiple IAM-Users, IAM-Users can configure
// permissions respectively, and each IAM-User can
// configure multiple security credentials
type Account struct {
//Name is also used to display the "DisplayName" as the owner of the bucket or object
DisplayName string
EmailAddress string
//Id is used to identify an Account when granting cross-account access(ACLs) to buckets and objects
Id string
}
// Predefined Accounts
var (
// AccountAdmin is used as the default account for IAM-Credentials access without Account configured
AccountAdmin = Account{
DisplayName: "admin",
EmailAddress: "admin@example.com",
Id: s3_constants.AccountAdminId,
}
// AccountAnonymous is used to represent the account for anonymous access
AccountAnonymous = Account{
DisplayName: "anonymous",
EmailAddress: "anonymous@example.com",
Id: s3_constants.AccountAnonymousId,
}
)
type Credential struct {
AccessKey string
SecretKey string
}
// "Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
func (action Action) getPermission() Permission {
switch act := strings.Split(string(action), ":")[0]; act {
case s3_constants.ACTION_ADMIN:
return Permission("FULL_CONTROL")
case s3_constants.ACTION_WRITE:
return Permission("WRITE")
case s3_constants.ACTION_WRITE_ACP:
return Permission("WRITE_ACP")
case s3_constants.ACTION_READ:
return Permission("READ")
case s3_constants.ACTION_READ_ACP:
return Permission("READ_ACP")
default:
return Permission("")
}
}
func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
return NewIdentityAccessManagementWithStore(option, "")
}
func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitStore string) *IdentityAccessManagement {
iam := &IdentityAccessManagement{
domain: option.DomainName,
hashes: make(map[string]*sync.Pool),
hashCounters: make(map[string]*int32),
}
// Always initialize credential manager with fallback to defaults
credentialManager, err := credential.NewCredentialManagerWithDefaults(credential.CredentialStoreTypeName(explicitStore))
if err != nil {
glog.Fatalf("failed to initialize credential manager: %v", err)
}
// For stores that need filer client details, set them
if store := credentialManager.GetStore(); store != nil {
if filerClientSetter, ok := store.(interface {
SetFilerClient(string, grpc.DialOption)
}); ok {
filerClientSetter.SetFilerClient(string(option.Filer), option.GrpcDialOption)
}
}
iam.credentialManager = credentialManager
// Track whether any configuration was successfully loaded
configLoaded := false
// First, try to load configurations from file or filer
if option.Config != "" {
glog.V(3).Infof("loading static config file %s", option.Config)
if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
glog.Fatalf("fail to load config file %s: %v", option.Config, err)
}
// Mark as loaded since an explicit config file was provided
// This prevents fallback to environment variables even if no identities were loaded
// (e.g., config file contains only KMS settings)
configLoaded = true
} else {
glog.V(3).Infof("no static config file specified... loading config from credential manager")
if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
glog.Warningf("fail to load config: %v", err)
} else {
// Check if any identities were actually loaded from filer
iam.m.RLock()
if len(iam.identities) > 0 {
configLoaded = true
}
iam.m.RUnlock()
}
}
// Only use environment variables as fallback if no configuration was loaded
if !configLoaded {
accessKeyId := os.Getenv("AWS_ACCESS_KEY_ID")
secretAccessKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
if accessKeyId != "" && secretAccessKey != "" {
glog.V(0).Infof("No S3 configuration found, using AWS environment variables as fallback")
// Create environment variable identity name
identityNameSuffix := accessKeyId
if len(accessKeyId) > 8 {
identityNameSuffix = accessKeyId[:8]
}
// Create admin identity with environment variable credentials
envIdentity := &Identity{
Name: "admin-" + identityNameSuffix,
Account: &AccountAdmin,
Credentials: []*Credential{
{
AccessKey: accessKeyId,
SecretKey: secretAccessKey,
},
},
Actions: []Action{
s3_constants.ACTION_ADMIN,
},
}
// Set as the only configuration
iam.m.Lock()
if len(iam.identities) == 0 {
iam.identities = []*Identity{envIdentity}
iam.accessKeyIdent = map[string]*Identity{accessKeyId: envIdentity}
iam.isAuthEnabled = true
}
iam.m.Unlock()
glog.V(0).Infof("Added admin identity from AWS environment variables: %s", envIdentity.Name)
}
}
return iam
}
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
return iam.LoadS3ApiConfigurationFromCredentialManager()
}
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
content, readErr := os.ReadFile(fileName)
if readErr != nil {
glog.Warningf("fail to read %s : %v", fileName, readErr)
return fmt.Errorf("fail to read %s : %v", fileName, readErr)
}
// Initialize KMS if configuration contains KMS settings
if err := iam.initializeKMSFromConfig(content); err != nil {
glog.Warningf("KMS initialization failed: %v", err)
}
return iam.LoadS3ApiConfigurationFromBytes(content)
}
func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
glog.Warningf("unmarshal error: %v", err)
return fmt.Errorf("unmarshal error: %w", err)
}
if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
return err
}
if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
return err
}
return nil
}
func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
var identities []*Identity
var identityAnonymous *Identity
accessKeyIdent := make(map[string]*Identity)
accounts := make(map[string]*Account)
emailAccount := make(map[string]*Account)
foundAccountAdmin := false
foundAccountAnonymous := false
for _, account := range config.Accounts {
glog.V(3).Infof("loading account name=%s, id=%s", account.DisplayName, account.Id)
switch account.Id {
case AccountAdmin.Id:
AccountAdmin = Account{
Id: account.Id,
DisplayName: account.DisplayName,
EmailAddress: account.EmailAddress,
}
accounts[account.Id] = &AccountAdmin
foundAccountAdmin = true
case AccountAnonymous.Id:
AccountAnonymous = Account{
Id: account.Id,
DisplayName: account.DisplayName,
EmailAddress: account.EmailAddress,
}
accounts[account.Id] = &AccountAnonymous
foundAccountAnonymous = true
default:
t := Account{
Id: account.Id,
DisplayName: account.DisplayName,
EmailAddress: account.EmailAddress,
}
accounts[account.Id] = &t
}
if account.EmailAddress != "" {
emailAccount[account.EmailAddress] = accounts[account.Id]
}
}
if !foundAccountAdmin {
accounts[AccountAdmin.Id] = &AccountAdmin
emailAccount[AccountAdmin.EmailAddress] = &AccountAdmin
}
if !foundAccountAnonymous {
accounts[AccountAnonymous.Id] = &AccountAnonymous
emailAccount[AccountAnonymous.EmailAddress] = &AccountAnonymous
}
for _, ident := range config.Identities {
glog.V(3).Infof("loading identity %s", ident.Name)
t := &Identity{
Name: ident.Name,
Credentials: nil,
Actions: nil,
PrincipalArn: generatePrincipalArn(ident.Name),
}
switch {
case ident.Name == AccountAnonymous.Id:
t.Account = &AccountAnonymous
identityAnonymous = t
case ident.Account == nil:
t.Account = &AccountAdmin
default:
if account, ok := accounts[ident.Account.Id]; ok {
t.Account = account
} else {
t.Account = &AccountAdmin
glog.Warningf("identity %s is associated with a non exist account ID, the association is invalid", ident.Name)
}
}
for _, action := range ident.Actions {
t.Actions = append(t.Actions, Action(action))
}
for _, cred := range ident.Credentials {
t.Credentials = append(t.Credentials, &Credential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
})
accessKeyIdent[cred.AccessKey] = t
}
identities = append(identities, t)
}
iam.m.Lock()
// atomically switch
iam.identities = identities
iam.identityAnonymous = identityAnonymous
iam.accounts = accounts
iam.emailAccount = emailAccount
iam.accessKeyIdent = accessKeyIdent
if !iam.isAuthEnabled { // one-directional, no toggling
iam.isAuthEnabled = len(identities) > 0
}
iam.m.Unlock()
return nil
}
func (iam *IdentityAccessManagement) isEnabled() bool {
return iam.isAuthEnabled
}
func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
iam.m.RLock()
defer iam.m.RUnlock()
if ident, ok := iam.accessKeyIdent[accessKey]; ok {
for _, credential := range ident.Credentials {
if credential.AccessKey == accessKey {
return ident, credential, true
}
}
}
glog.V(1).Infof("could not find accessKey %s", accessKey)
return nil, nil, false
}
func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
iam.m.RLock()
defer iam.m.RUnlock()
if iam.identityAnonymous != nil {
return iam.identityAnonymous, true
}
return nil, false
}
// generatePrincipalArn generates an ARN for a user identity
func generatePrincipalArn(identityName string) string {
// Handle special cases
switch identityName {
case AccountAnonymous.Id:
return "arn:seaweed:iam::user/anonymous"
case AccountAdmin.Id:
return "arn:seaweed:iam::user/admin"
default:
return fmt.Sprintf("arn:seaweed:iam::user/%s", identityName)
}
}
func (iam *IdentityAccessManagement) GetAccountNameById(canonicalId string) string {
iam.m.RLock()
defer iam.m.RUnlock()
if account, ok := iam.accounts[canonicalId]; ok {
return account.DisplayName
}
return ""
}
func (iam *IdentityAccessManagement) GetAccountIdByEmail(email string) string {
iam.m.RLock()
defer iam.m.RUnlock()
if account, ok := iam.emailAccount[email]; ok {
return account.Id
}
return ""
}
func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if !iam.isEnabled() {
f(w, r)
return
}
identity, errCode := iam.authRequest(r, action)
glog.V(3).Infof("auth error: %v", errCode)
if errCode == s3err.ErrNone {
if identity != nil && identity.Name != "" {
r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
}
f(w, r)
return
}
s3err.WriteErrorResponse(w, r, errCode)
}
}
// check whether the request has valid access keys
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
var identity *Identity
var s3Err s3err.ErrorCode
var found bool
var authType string
switch getRequestAuthType(r) {
case authTypeUnknown:
glog.V(3).Infof("unknown auth type")
r.Header.Set(s3_constants.AmzAuthType, "Unknown")
return identity, s3err.ErrAccessDenied
case authTypePresignedV2, authTypeSignedV2:
glog.V(3).Infof("v2 auth type")
identity, s3Err = iam.isReqAuthenticatedV2(r)
authType = "SigV2"
case authTypeStreamingSigned, authTypeSigned, authTypePresigned:
glog.V(3).Infof("v4 auth type")
identity, s3Err = iam.reqSignatureV4Verify(r)
authType = "SigV4"
case authTypePostPolicy:
glog.V(3).Infof("post policy auth type")
r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
return identity, s3err.ErrNone
case authTypeStreamingUnsigned:
glog.V(3).Infof("unsigned streaming upload")
return identity, s3err.ErrNone
case authTypeJWT:
glog.V(3).Infof("jwt auth type detected, iamIntegration != nil? %t", iam.iamIntegration != nil)
r.Header.Set(s3_constants.AmzAuthType, "Jwt")
if iam.iamIntegration != nil {
identity, s3Err = iam.authenticateJWTWithIAM(r)
authType = "Jwt"
} else {
glog.V(0).Infof("IAM integration is nil, returning ErrNotImplemented")
return identity, s3err.ErrNotImplemented
}
case authTypeAnonymous:
authType = "Anonymous"
if identity, found = iam.lookupAnonymous(); !found {
r.Header.Set(s3_constants.AmzAuthType, authType)
return identity, s3err.ErrAccessDenied
}
default:
return identity, s3err.ErrNotImplemented
}
if len(authType) > 0 {
r.Header.Set(s3_constants.AmzAuthType, authType)
}
if s3Err != s3err.ErrNone {
return identity, s3Err
}
glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
bucket, object := s3_constants.GetBucketAndObject(r)
prefix := s3_constants.GetPrefix(r)
// For List operations, use prefix for permission checking if available
if action == s3_constants.ACTION_LIST && object == "" && prefix != "" {
// List operation with prefix - check permission for the prefix path
object = prefix
} else if (object == "/" || object == "") && prefix != "" {
// Using the aws cli with s3, and s3api, and with boto3, the object is often set to "/" or empty
// but the prefix is set to the actual object key for permission checking
object = prefix
}
// For ListBuckets, authorization is performed in the handler by iterating
// through buckets and checking permissions for each. Skip the global check here.
if action == s3_constants.ACTION_LIST && bucket == "" {
// ListBuckets operation - authorization handled per-bucket in the handler
} else {
// Use enhanced IAM authorization if available, otherwise fall back to legacy authorization
if iam.iamIntegration != nil {
// Always use IAM when available for unified authorization
if errCode := iam.authorizeWithIAM(r, identity, action, bucket, object); errCode != s3err.ErrNone {
return identity, errCode
}
} else {
// Fall back to existing authorization when IAM is not configured
if !identity.canDo(action, bucket, object) {
return identity, s3err.ErrAccessDenied
}
}
}
r.Header.Set(s3_constants.AmzAccountId, identity.Account.Id)
return identity, s3err.ErrNone
}
func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
if identity.isAdmin() {
return true
}
for _, a := range identity.Actions {
// Case where the Resource provided is
// "Resource": [
// "arn:aws:s3:::*"
// ]
if a == action {
return true
}
}
if bucket == "" {
glog.V(3).Infof("identity %s is not allowed to perform action %s on %s -- bucket is empty", identity.Name, action, bucket+objectKey)
return false
}
glog.V(3).Infof("checking if %s can perform %s on bucket '%s'", identity.Name, action, bucket+objectKey)
target := string(action) + ":" + bucket + objectKey
adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
limitedByBucket := string(action) + ":" + bucket
adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
for _, a := range identity.Actions {
act := string(a)
if strings.HasSuffix(act, "*") {
if strings.HasPrefix(target, act[:len(act)-1]) {
return true
}
if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
return true
}
} else {
if act == limitedByBucket {
return true
}
if act == adminLimitedByBucket {
return true
}
}
}
//log error
glog.V(3).Infof("identity %s is not allowed to perform action %s on %s", identity.Name, action, bucket+objectKey)
return false
}
func (identity *Identity) isAdmin() bool {
return slices.Contains(identity.Actions, s3_constants.ACTION_ADMIN)
}
// GetCredentialManager returns the credential manager instance
func (iam *IdentityAccessManagement) GetCredentialManager() *credential.CredentialManager {
return iam.credentialManager
}
// LoadS3ApiConfigurationFromCredentialManager loads configuration using the credential manager
func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromCredentialManager() error {
s3ApiConfiguration, err := iam.credentialManager.LoadConfiguration(context.Background())
if err != nil {
return fmt.Errorf("failed to load configuration from credential manager: %w", err)
}
return iam.loadS3ApiConfiguration(s3ApiConfiguration)
}
// initializeKMSFromConfig loads KMS configuration from TOML format
func (iam *IdentityAccessManagement) initializeKMSFromConfig(configContent []byte) error {
// JSON-only KMS configuration
if err := iam.initializeKMSFromJSON(configContent); err == nil {
glog.V(1).Infof("Successfully loaded KMS configuration from JSON format")
return nil
}
glog.V(2).Infof("No KMS configuration found in S3 config - SSE-KMS will not be available")
return nil
}
// initializeKMSFromJSON loads KMS configuration from JSON format when provided in the same file
func (iam *IdentityAccessManagement) initializeKMSFromJSON(configContent []byte) error {
// Parse as generic JSON and extract optional "kms" block
var m map[string]any
if err := json.Unmarshal([]byte(strings.TrimSpace(string(configContent))), &m); err != nil {
return err
}
kmsVal, ok := m["kms"]
if !ok {
return fmt.Errorf("no KMS section found")
}
// Load KMS configuration directly from the parsed JSON data
return kms.LoadKMSFromConfig(kmsVal)
}
// SetIAMIntegration sets the IAM integration for advanced authentication and authorization
func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegration) {
iam.m.Lock()
defer iam.m.Unlock()
iam.iamIntegration = integration
}
// authenticateJWTWithIAM authenticates JWT tokens using the IAM integration
func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*Identity, s3err.ErrorCode) {
ctx := r.Context()
// Use IAM integration to authenticate JWT
iamIdentity, errCode := iam.iamIntegration.AuthenticateJWT(ctx, r)
if errCode != s3err.ErrNone {
return nil, errCode
}
// Convert IAMIdentity to existing Identity structure
identity := &Identity{
Name: iamIdentity.Name,
Account: iamIdentity.Account,
Actions: []Action{}, // Empty - authorization handled by policy engine
}
// Store session info in request headers for later authorization
r.Header.Set("X-SeaweedFS-Session-Token", iamIdentity.SessionToken)
r.Header.Set("X-SeaweedFS-Principal", iamIdentity.Principal)
return identity, s3err.ErrNone
}
// authorizeWithIAM authorizes requests using the IAM integration policy engine
func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity *Identity, action Action, bucket string, object string) s3err.ErrorCode {
ctx := r.Context()
// Get session info from request headers (for JWT-based authentication)
sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
principal := r.Header.Get("X-SeaweedFS-Principal")
// Create IAMIdentity for authorization
iamIdentity := &IAMIdentity{
Name: identity.Name,
Account: identity.Account,
}
// Handle both session-based (JWT) and static-key-based (V4 signature) principals
if sessionToken != "" && principal != "" {
// JWT-based authentication - use session token and principal from headers
iamIdentity.Principal = principal
iamIdentity.SessionToken = sessionToken
glog.V(3).Infof("Using JWT-based IAM authorization for principal: %s", principal)
} else if identity.PrincipalArn != "" {
// V4 signature authentication - use principal ARN from identity
iamIdentity.Principal = identity.PrincipalArn
iamIdentity.SessionToken = "" // No session token for static credentials
glog.V(3).Infof("Using V4 signature IAM authorization for principal: %s", identity.PrincipalArn)
} else {
glog.V(3).Info("No valid principal information for IAM authorization")
return s3err.ErrAccessDenied
}
// Use IAM integration for authorization
return iam.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r)
}
Reference in New Issue View Git Blame Copy Permalink