api: Enable container ACL
Signed-off-by: Evgenii Baidakov <[email protected]>
smallhive committed Nov 1, 2024
1 parent 73e4f54 commit 729dee0
Showing 3 changed files with 47 additions and 0 deletions.
31 changes: 31 additions & 0 deletions api/handler/acl.go
Expand Up @@ -991,6 +991,11 @@ func formRecords(resource *astResource) ([]*eacl.Record, error) {
return res, nil
}

if resource.Version == aclEnabledObjectWriter && resource.Object == aclEnabledObjectWriter {
res = append(res, bucketACLObjectWriterRecord())
return res, nil
}

for i := len(resource.Operations) - 1; i >= 0; i-- {
astOp := resource.Operations[i]
record := eacl.NewRecord()
Expand Down Expand Up @@ -1113,6 +1118,20 @@ func policyToAst(bktPolicy *bucketPolicy) (*ast, error) {
return nil, fmt.Errorf("unsupported ownership: %v", state.Principal)
}

if state.Sid == "BucketEnableACL" &&
state.Action.Equal(stringOrSlice{values: []string{"s3:PutObject"}}) &&
state.Effect == "Allow" &&
state.Resource.Equal(stringOrSlice{values: []string{"*"}}) {
rr[aclEnabledObjectWriter] = &astResource{
resourceInfo: resourceInfo{
Version: aclEnabledObjectWriter,
Object: aclEnabledObjectWriter,
},
}

continue
}

if state.Principal.AWS != "" && state.Principal.AWS != allUsersWildcard ||
state.Principal.AWS == "" && state.Principal.CanonicalUser == "" {
return nil, fmt.Errorf("unsupported principal: %v", state.Principal)
Expand Down Expand Up @@ -1718,6 +1737,18 @@ func bucketOwnerPreferredRecord() *eacl.Record {
return markerRecord
}

func bucketACLObjectWriterRecord() *eacl.Record {
var markerRecord = eacl.CreateRecord(eacl.ActionAllow, eacl.OperationPut)
markerRecord.AddFilter(
eacl.HeaderFromRequest,
eacl.MatchStringEqual,
amzBucketOwnerField,
aclEnabledObjectWriter,
)

return markerRecord
}

func checkACLRestrictions(table *eacl.Table) error {
if table == nil {
return nil
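Review bot: The BucketEnableACL marker match in policyToAst (the `if state.Sid == "BucketEnableACL" && …` block) never inspects state.Principal, and it runs before the principal validation, so a statement that also names a Principal is consumed as the ACL toggle and the `continue` silently drops whatever grant the author intended. Requiring an empty principal pins the marker to the exact shape the docs give and lets anything else fall through to the existing checks: `state.Resource.Equal(stringOrSlice{values: []string{"*"}}) && state.Principal.AWS == "" && state.Principal.CanonicalUser == "" {`. The same marker value is reused in formRecords as a sentinel in both Version and Object and in bucketACLObjectWriterRecord as a header filter value; a short comment on bucketACLObjectWriterRecord saying it is a marker record — presumably matched on the BucketOwnerEnforcedField header rather than granting PUT to any requester carrying that header, which is worth confirming against how bucketOwnerPreferredRecord is consumed — would make that intent explicit. policyToAst starts and ends outside the hunk.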
2 changes: 2 additions & 0 deletions api/handler/put.go
Expand Up @@ -172,6 +172,8 @@ const (

amzBucketOwnerField = "BucketOwnerEnforcedField"
amzBucketOwnerEnforced = "BucketOwnerEnforced"

aclEnabledObjectWriter = "ObjectWriter"
)

type createBucketParams struct {
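Review bot: aclEnabledObjectWriter is added without a comment, yet the rest of this commit gives it two roles: a sentinel stored in astResource.Version and astResource.Object to flag the ACL-enable statement, and the header value matched by bucketACLObjectWriterRecord's request filter. A one-line comment above the constant, e.g. `// aclEnabledObjectWriter marks the bucket-policy statement that enables ACLs; it is also the filter value of the marker eACL record.`, would keep a future reader from treating it as a plain header value. The enclosing const block starts outside the hunk.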
14 changes: 14 additions & 0 deletions docs/aws_s3_compat.md
Expand Up @@ -329,6 +329,20 @@ If case you need to enable ACLs with `Bucket owner preferred` option you should
]
}
```
If case you need to enable ACLs (not recommended) option you should use `PutBucketPolicy` command with the next policy:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketEnableACL",
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "*"
}
]
}
```
## Request payment
