[#676] Fix object acl
Put object ACL always adds rules to a specific version of the object. Get object ACL considers READ rights as FULL_CONTROL because WRITE cannot be applied to an object. Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
parent
163038b37d
commit
e38bdae07a
1 changed files with 30 additions and 38 deletions
@ -327,30 +327,6 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
list := &AccessControlPolicy{}
|
|
||||||
if r.ContentLength == 0 {
|
|
||||||
list, err = parseACLHeaders(r.Header, key)
|
|
||||||
if err != nil {
|
|
||||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
|
|
||||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
resInfo := &resourceInfo{
|
|
||||||
Bucket: reqInfo.BucketName,
|
|
||||||
Object: reqInfo.ObjectName,
|
|
||||||
Version: versionID,
|
|
||||||
}
|
|
||||||
|
|
||||||
astObject, err := aclToAst(list, resInfo)
|
|
||||||
if err != nil {
|
|
||||||
h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
|
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "could not get bucket info", reqInfo, err)
|
h.logAndSendError(w, "could not get bucket info", reqInfo, err)
|
||||||
|
@ -369,6 +345,30 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
list := &AccessControlPolicy{}
|
||||||
|
if r.ContentLength == 0 {
|
||||||
|
list, err = parseACLHeaders(r.Header, key)
|
||||||
|
if err != nil {
|
||||||
|
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
|
||||||
|
h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
resInfo := &resourceInfo{
|
||||||
|
Bucket: reqInfo.BucketName,
|
||||||
|
Object: reqInfo.ObjectName,
|
||||||
|
Version: objInfo.VersionID(),
|
||||||
|
}
|
||||||
|
|
||||||
|
astObject, err := aclToAst(list, resInfo)
|
||||||
|
if err != nil {
|
||||||
|
h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
updated, err := h.updateBucketACL(r, astObject, bktInfo, token)
|
updated, err := h.updateBucketACL(r, astObject, bktInfo, token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "could not update bucket acl", reqInfo, err)
|
h.logAndSendError(w, "could not update bucket acl", reqInfo, err)
|
||||||
|
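Review bot: The body decode on the new side, `} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {`, reads the request body with no size bound, so an oversized body is parsed in full before the malformed-XML error is returned; an ACL document is small, so wrapping the body, e.g. `xml.NewDecoder(http.MaxBytesReader(w, r.Body, maxACLBodySize /* placeholder: limit not on page */))`, would cap the work per request. The two error strings in this moved block still say `"could not parse bucket acl"` although the handler is PutObjectACLHandler; `"could not parse object acl"` would make the log distinguishable from the bucket ACL path. `objInfo`, now used in `Version: objInfo.VersionID()`, is obtained between this hunk and the previous one and is not visible here, so I cannot confirm from the hunk that it is always non-nil at this point. PutObjectACLHandler starts and ends outside the hunk.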
@ -1361,25 +1361,17 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
|
||||||
|
|
||||||
for key, val := range m {
|
for key, val := range m {
|
||||||
permission := aclFullControl
|
permission := aclFullControl
|
||||||
read, write := true, true
|
read := true
|
||||||
for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
|
for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
|
||||||
if !contains(val, op) {
|
if !contains(val, op) && !isWriteOperation(op) {
|
||||||
if isWriteOperation(op) {
|
read = false
|
||||||
write = false
|
|
||||||
} else {
|
|
||||||
read = false
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if !read && !write {
|
if read {
|
||||||
|
permission = aclFullControl
|
||||||
|
} else {
|
||||||
h.log.Warn("some acl not fully mapped")
|
h.log.Warn("some acl not fully mapped")
|
||||||
continue
|
|
||||||
}
|
|
||||||
if !read {
|
|
||||||
permission = aclWrite
|
|
||||||
} else if !write {
|
|
||||||
permission = aclRead
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var grantee *Grantee
|
var grantee *Grantee
|
||||||
|
|
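Review bot: Dropping the `continue` after `h.log.Warn("some acl not fully mapped")` changes what happens for a grantee that lacks some read operation: the loop body now falls through with `permission` still equal to `aclFullControl` (set on the first line of the body and again in the `if read` branch), so unless the code after `var grantee *Grantee` handles it, such a grantee is reported with FULL_CONTROL instead of being skipped as before. If the intent is still to skip entries that do not map, the tail can shrink to `if !read { h.log.Warn("some acl not fully mapped"); continue }` and the now-redundant `permission = aclFullControl` assignment goes away. The op loop also still visits the write operations only to discard them via `!isWriteOperation(op)`; iterating just the read operations would state the intent directly. encodeObjectACL starts before this hunk and continues after it.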