r.loginov/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Pull requests Activity

[#676] Fix object acl

Browse source 
Put object acl always add rules to specific version of object.
Get object acl consider READ rights as FULL_CONTROL
because WRITE cannot be applied to object

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
Denis Kirillov 2022-08-24 18:22:18 +03:00 committed by Alex Vanin
parent 163038b37d
commit e38bdae07a
1 changed files with 30 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
api/handler/acl.go
View file

@ -327,30 +327,6 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
list := &AccessControlPolicy{}
if r.ContentLength == 0 {
list, err = parseACLHeaders(r.Header, key)
if err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
return
}
} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
return
}
resInfo := &resourceInfo{
Bucket: reqInfo.BucketName,
Object: reqInfo.ObjectName,
Version: versionID,
}
astObject, err := aclToAst(list, resInfo)
if err != nil {
h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
return
}
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName) bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
if err != nil { if err != nil {
h.logAndSendError(w, "could not get bucket info", reqInfo, err) h.logAndSendError(w, "could not get bucket info", reqInfo, err)
@ -369,6 +345,30 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
list := &AccessControlPolicy{}
if r.ContentLength == 0 {
list, err = parseACLHeaders(r.Header, key)
if err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
return
}
} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
return
}
resInfo := &resourceInfo{
Bucket: reqInfo.BucketName,
Object: reqInfo.ObjectName,
Version: objInfo.VersionID(),
}
astObject, err := aclToAst(list, resInfo)
if err != nil {
h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
return
}
updated, err := h.updateBucketACL(r, astObject, bktInfo, token) updated, err := h.updateBucketACL(r, astObject, bktInfo, token)
if err != nil { if err != nil {
h.logAndSendError(w, "could not update bucket acl", reqInfo, err) h.logAndSendError(w, "could not update bucket acl", reqInfo, err)
@ -1361,25 +1361,17 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
for key, val := range m { for key, val := range m {
permission := aclFullControl permission := aclFullControl
read, write := true, true read := true
for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ { for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
if !contains(val, op) { if !contains(val, op) && !isWriteOperation(op) {
if isWriteOperation(op) {
write = false
} else {
read = false read = false
} }
} }
}
if !read && !write { if read {
permission = aclFullControl
} else {
h.log.Warn("some acl not fully mapped") h.log.Warn("some acl not fully mapped")
continue
}
if !read {
permission = aclWrite
} else if !write {
permission = aclRead
} }
var grantee *Grantee var grantee *Grantee