mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-13 21:31:32 +00:00
d123a2768b
* shell: add s3.accesskey.*, s3.anonymous.*, s3.serviceaccount.* commands Add credential, anonymous access, and service account management commands: Access key commands: - s3.accesskey.create: add credentials to an existing user - s3.accesskey.list: list access keys for a user (key ID + status) - s3.accesskey.delete: remove a specific access key - s3.accesskey.rotate: atomic create-new + delete-old key rotation Anonymous access commands: - s3.anonymous.set: set/remove public access on a bucket - s3.anonymous.get: show anonymous access for a bucket - s3.anonymous.list: list all buckets with anonymous access Service account commands: - s3.serviceaccount.create: create with optional action subset and expiry - s3.serviceaccount.list: tabular listing, optionally filtered by parent - s3.serviceaccount.show: detailed view of a service account - s3.serviceaccount.delete: remove a service account These replace the credential and anonymous portions of the monolithic s3.configure and s3.bucket.access commands. * shell: address review feedback for s3.accesskey.*, s3.anonymous.*, s3.serviceaccount.* - Return flag parse errors instead of swallowing them (all commands) - Add action validation in s3.anonymous.set (Read, Write, List, Tagging, Admin) - Fix s3.serviceaccount.create output: note to use list for server-assigned ID since CreateServiceAccountResponse does not return the ID * shell: fix bucket matching and action validation in s3.anonymous.* - Use SplitN instead of HasSuffix for bucket name matching to avoid false positives when one bucket name is a suffix of another - Make action validation case-insensitive with canonical normalization * shell: fix nil panics, dedup actions, validate service account actions - Fix nil-pointer panic in getOrCreateAnonymousUser when GetUser returns err==nil with nil Identity (status.FromError(nil) returns nil status) - Add nil Identity guards in s3.anonymous.get and s3.anonymous.list - Deduplicate action values in s3.anonymous.set (e.g. -access Read,Read) - Add action validation in s3.serviceaccount.create with case normalization * shell: dedup actions and reject negative expiry in s3.serviceaccount.create - Deduplicate -actions values (e.g. Read,read,Read produces one entry) - Reject negative -expiry values instead of silently treating as no expiration
76 lines
1.7 KiB
Go
76 lines
1.7 KiB
Go
package shell
|
|
|
|
import (
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
"text/tabwriter"
|
|
"time"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"google.golang.org/grpc"
|
|
)
|
|
|
|
func init() {
|
|
Commands = append(Commands, &commandS3AccessKeyList{})
|
|
}
|
|
|
|
type commandS3AccessKeyList struct {
|
|
}
|
|
|
|
func (c *commandS3AccessKeyList) Name() string {
|
|
return "s3.accesskey.list"
|
|
}
|
|
|
|
func (c *commandS3AccessKeyList) Help() string {
|
|
return `list access keys for an S3 IAM user
|
|
|
|
s3.accesskey.list -user <username>
|
|
`
|
|
}
|
|
|
|
func (c *commandS3AccessKeyList) HasTag(CommandTag) bool {
|
|
return false
|
|
}
|
|
|
|
func (c *commandS3AccessKeyList) Do(args []string, commandEnv *CommandEnv, writer io.Writer) error {
|
|
f := flag.NewFlagSet(c.Name(), flag.ContinueOnError)
|
|
user := f.String("user", "", "user name")
|
|
if err := f.Parse(args); err != nil {
|
|
return err
|
|
}
|
|
|
|
if *user == "" {
|
|
return fmt.Errorf("-user is required")
|
|
}
|
|
|
|
return pb.WithGrpcClient(false, 0, func(conn *grpc.ClientConn) error {
|
|
client := iam_pb.NewSeaweedIdentityAccessManagementClient(conn)
|
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
|
defer cancel()
|
|
|
|
resp, err := client.GetUser(ctx, &iam_pb.GetUserRequest{Username: *user})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(resp.Identity.Credentials) == 0 {
|
|
fmt.Fprintf(writer, "No access keys for user %q.\n", *user)
|
|
return nil
|
|
}
|
|
|
|
tw := tabwriter.NewWriter(writer, 0, 4, 2, ' ', 0)
|
|
fmt.Fprintln(tw, "ACCESS KEY\tSTATUS")
|
|
for _, cred := range resp.Identity.Credentials {
|
|
st := cred.Status
|
|
if st == "" {
|
|
st = "Active"
|
|
}
|
|
fmt.Fprintf(tw, "%s\t%s\n", cred.AccessKey, st)
|
|
}
|
|
return tw.Flush()
|
|
}, commandEnv.option.FilerAddress.ToGrpcAddress(), false, commandEnv.option.GrpcDialOption)
|
|
}
|