mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-14 05:41:29 +00:00
d50889002b
* shell: add s3.iam.*, s3.config.show, s3.user.provision; hide legacy commands Add import/export, configuration summary, and a convenience provisioning command: - s3.iam.export: dump full IAM state as JSON (stdout or file) - s3.iam.import: replace IAM state from a JSON file - s3.config.show: human-readable summary (users, policies, service accounts, groups with status and counts) - s3.user.provision: one-step user+policy+credentials creation for common readonly/readwrite/admin roles Hide legacy commands from help listing: - s3.configure: still works but hidden from help output - s3.bucket.access: still works but hidden from help output Both hidden commands remain fully functional for existing scripts. Also adds a Hidden command tag and filters it from printGenericHelp. * shell: address review feedback for s3.iam.*, s3.config.show, s3.user.provision - Simplify joinMax using strings.Join - Fix rolePolicies: remove s3:ListBucket from object-level actions (already covered by bucket-level statement) - Fix admin role: grant s3:* on bucket resource too - Return flag parse errors instead of swallowing them * shell: address missed review feedback for PR 3 - s3.iam.import: require -force flag for destructive IAM overwrite - s3.config.show: add nil guard for resp.Configuration - s3.user.provision: check if user exists before creating policy - s3.user.provision: reject wildcard bucket names (* ?) * shell: distinguish NotFound from transient errors in provision, use %w wrapping - s3.user.provision: check gRPC status code on GetUser error — only proceed on NotFound, abort on transient/network errors - s3.iam.import: use %w for error wrapping to preserve error chains, wrap PutConfiguration error with context * shell: remove duplicate joinMax after PR 8954 merge command_s3_helpers.go defined joinMax which is already in command_s3_user_list.go from the merged PR 8954. * shell: restrict export file permissions, rollback policy on user create failure - s3.iam.export: use os.OpenFile with mode 0600 instead of os.Create to protect exported credentials from other users - s3.user.provision: rollback the created policy if CreateUser fails, with a warning if the rollback itself fails
206 lines
5.9 KiB
Go
206 lines
5.9 KiB
Go
package shell
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
"sort"
|
|
"strings"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/filer"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
// canonicalActions maps lowercased action names to their canonical form.
|
|
var canonicalActions = map[string]string{
|
|
"read": "Read",
|
|
"write": "Write",
|
|
"list": "List",
|
|
"tagging": "Tagging",
|
|
"admin": "Admin",
|
|
}
|
|
|
|
func init() {
|
|
Commands = append(Commands, &commandS3BucketAccess{})
|
|
}
|
|
|
|
type commandS3BucketAccess struct {
|
|
}
|
|
|
|
func (c *commandS3BucketAccess) Name() string {
|
|
return "s3.bucket.access"
|
|
}
|
|
|
|
func (c *commandS3BucketAccess) Help() string {
|
|
return `view or set per-bucket access for a user
|
|
|
|
Example:
|
|
# View current access for a user on a bucket
|
|
s3.bucket.access -name <bucket_name> -user <username>
|
|
|
|
# Grant anonymous read and list access
|
|
s3.bucket.access -name <bucket_name> -user anonymous -access Read,List
|
|
|
|
# Grant full anonymous access
|
|
s3.bucket.access -name <bucket_name> -user anonymous -access Read,Write,List
|
|
|
|
# Remove all access for a user on a bucket
|
|
s3.bucket.access -name <bucket_name> -user <username> -access none
|
|
|
|
Supported action names (comma-separated):
|
|
Read, Write, List, Tagging, Admin
|
|
|
|
The user is auto-created if it does not exist. Actions are scoped to
|
|
the specified bucket (stored as "Action:bucket" in the identity).
|
|
`
|
|
}
|
|
|
|
func (c *commandS3BucketAccess) HasTag(tag CommandTag) bool {
|
|
return tag == Hidden
|
|
}
|
|
|
|
func (c *commandS3BucketAccess) Do(args []string, commandEnv *CommandEnv, writer io.Writer) (err error) {
|
|
|
|
bucketCommand := flag.NewFlagSet(c.Name(), flag.ContinueOnError)
|
|
bucketName := bucketCommand.String("name", "", "bucket name")
|
|
userName := bucketCommand.String("user", "", "user name")
|
|
access := bucketCommand.String("access", "", "comma-separated actions: Read,Write,List,Tagging,Admin or none")
|
|
if err = bucketCommand.Parse(args); err != nil {
|
|
return err
|
|
}
|
|
|
|
if *bucketName == "" {
|
|
return fmt.Errorf("empty bucket name")
|
|
}
|
|
if *userName == "" {
|
|
return fmt.Errorf("empty user name")
|
|
}
|
|
|
|
accessStr := strings.TrimSpace(*access)
|
|
|
|
// Validate and normalize actions to canonical casing
|
|
if accessStr != "" && strings.ToLower(accessStr) != "none" {
|
|
var normalized []string
|
|
for _, a := range strings.Split(accessStr, ",") {
|
|
a = strings.TrimSpace(a)
|
|
canonical, ok := canonicalActions[strings.ToLower(a)]
|
|
if !ok {
|
|
return fmt.Errorf("invalid action %q: must be Read, Write, List, Tagging, Admin, or none", a)
|
|
}
|
|
normalized = append(normalized, canonical)
|
|
}
|
|
accessStr = strings.Join(normalized, ",")
|
|
}
|
|
|
|
err = pb.WithGrpcClient(false, 0, func(conn *grpc.ClientConn) error {
|
|
client := iam_pb.NewSeaweedIdentityAccessManagementClient(conn)
|
|
|
|
// Get or create user
|
|
identity, isNewUser, getErr := getOrCreateIdentity(client, *userName)
|
|
if getErr != nil {
|
|
return getErr
|
|
}
|
|
|
|
// View mode: show current bucket-scoped actions
|
|
if accessStr == "" {
|
|
return displayBucketAccess(writer, *bucketName, *userName, identity)
|
|
}
|
|
|
|
// Set mode: update actions
|
|
updateBucketActions(identity, *bucketName, accessStr)
|
|
|
|
// Show the resulting identity
|
|
var buf bytes.Buffer
|
|
filer.ProtoToText(&buf, identity)
|
|
fmt.Fprint(writer, buf.String())
|
|
fmt.Fprintln(writer)
|
|
|
|
// Save
|
|
if isNewUser {
|
|
if _, err := client.CreateUser(context.Background(), &iam_pb.CreateUserRequest{Identity: identity}); err != nil {
|
|
return fmt.Errorf("failed to create user %s: %w", *userName, err)
|
|
}
|
|
fmt.Fprintf(writer, "Created user %q and set access on bucket %s.\n", *userName, *bucketName)
|
|
} else {
|
|
if _, err := client.UpdateUser(context.Background(), &iam_pb.UpdateUserRequest{Username: *userName, Identity: identity}); err != nil {
|
|
return fmt.Errorf("failed to update user %s: %w", *userName, err)
|
|
}
|
|
fmt.Fprintf(writer, "Updated access for user %q on bucket %s.\n", *userName, *bucketName)
|
|
}
|
|
return nil
|
|
}, commandEnv.option.FilerAddress.ToGrpcAddress(), false, commandEnv.option.GrpcDialOption)
|
|
|
|
return err
|
|
}
|
|
|
|
func getOrCreateIdentity(client iam_pb.SeaweedIdentityAccessManagementClient, userName string) (*iam_pb.Identity, bool, error) {
|
|
resp, getErr := client.GetUser(context.Background(), &iam_pb.GetUserRequest{
|
|
Username: userName,
|
|
})
|
|
if getErr == nil && resp.Identity != nil {
|
|
return resp.Identity, false, nil
|
|
}
|
|
|
|
st, ok := status.FromError(getErr)
|
|
if ok && st.Code() == codes.NotFound {
|
|
return &iam_pb.Identity{
|
|
Name: userName,
|
|
Credentials: []*iam_pb.Credential{},
|
|
Actions: []string{},
|
|
PolicyNames: []string{},
|
|
}, true, nil
|
|
}
|
|
|
|
return nil, false, fmt.Errorf("failed to get user %s: %v", userName, getErr)
|
|
}
|
|
|
|
func displayBucketAccess(writer io.Writer, bucketName, userName string, identity *iam_pb.Identity) error {
|
|
suffix := ":" + bucketName
|
|
var actions []string
|
|
for _, a := range identity.Actions {
|
|
if strings.HasSuffix(a, suffix) {
|
|
actions = append(actions, strings.TrimSuffix(a, suffix))
|
|
}
|
|
}
|
|
fmt.Fprintf(writer, "Bucket: %s\n", bucketName)
|
|
fmt.Fprintf(writer, "User: %s\n", userName)
|
|
if len(actions) == 0 {
|
|
fmt.Fprintln(writer, "Access: none")
|
|
} else {
|
|
sort.Strings(actions)
|
|
fmt.Fprintf(writer, "Access: %s\n", strings.Join(actions, ","))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// updateBucketActions removes existing actions for the bucket and adds the new ones.
|
|
func updateBucketActions(identity *iam_pb.Identity, bucketName, accessStr string) {
|
|
suffix := ":" + bucketName
|
|
|
|
// Remove existing actions for this bucket
|
|
var kept []string
|
|
for _, a := range identity.Actions {
|
|
if !strings.HasSuffix(a, suffix) {
|
|
kept = append(kept, a)
|
|
}
|
|
}
|
|
|
|
// Add new actions (unless "none")
|
|
if strings.ToLower(accessStr) != "none" {
|
|
for _, action := range strings.Split(accessStr, ",") {
|
|
action = strings.TrimSpace(action)
|
|
if action != "" {
|
|
kept = append(kept, action+suffix)
|
|
}
|
|
}
|
|
}
|
|
|
|
identity.Actions = kept
|
|
}
|