fix: Avoid force delete in compliance/worm mode (#9276)

Also bring in an additional policy to ensure that
force delete bucket is only allowed with the right
policy for the user; the DeleteBucketAction
policy action alone is not enough.
master
Harshavardhana 5 years ago committed by GitHub
parent 928f5b0564
commit 2c20716f37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 24
      cmd/bucket-handlers.go
  2. 3
      cmd/http/headers.go
  3. 5
      pkg/bucket/policy/action.go
  4. 5
      pkg/iam/policy/action.go

@ -891,9 +891,15 @@ func (api objectAPIHandlers) DeleteBucketHandler(w http.ResponseWriter, r *http.
vars := mux.Vars(r) vars := mux.Vars(r)
bucket := vars["bucket"] bucket := vars["bucket"]
objectAPI := api.ObjectAPI()
if objectAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
forceDelete := false forceDelete := false
if vs, found := r.Header[http.CanonicalHeaderKey("x-minio-force-delete")]; found { if value := r.Header.Get(xhttp.MinIOForceDelete); value != "" {
switch strings.ToLower(strings.Join(vs, "")) { switch value {
case "true": case "true":
forceDelete = true forceDelete = true
case "false": case "false":
@ -903,16 +909,22 @@ func (api objectAPIHandlers) DeleteBucketHandler(w http.ResponseWriter, r *http.
} }
} }
objectAPI := api.ObjectAPI() if forceDelete {
if objectAPI == nil { if s3Error := checkRequestAuthType(ctx, r, policy.ForceDeleteBucketAction, bucket, ""); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r)) writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return return
} }
} else {
if s3Error := checkRequestAuthType(ctx, r, policy.DeleteBucketAction, bucket, ""); s3Error != ErrNone { if s3Error := checkRequestAuthType(ctx, r, policy.DeleteBucketAction, bucket, ""); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r)) writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return return
} }
}
if _, ok := globalBucketObjectLockConfig.Get(bucket); (ok || globalWORMEnabled) && forceDelete {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
deleteBucket := objectAPI.DeleteBucket deleteBucket := objectAPI.DeleteBucket
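Review bot: In the second hunk the force path authorizes only `policy.ForceDeleteBucketAction`, so a statement that explicitly denies `s3:DeleteBucket` is never evaluated when the request carries `x-minio-force-delete: true`; a principal that also holds a broad allow could then, presumably, remove a bucket the deny was meant to protect. The commit message says DeleteBucketAction alone is not enough, which reads as requiring both, so consider dropping the `} else {` so that the `policy.DeleteBucketAction` check runs for every request after the force check, provided checkRequestAuthType is safe to call twice on one request, which is not visible here. Separately, the first hunk now matches the header value case-sensitively (`switch value`) where the old code lowercased it, so `True` falls to whatever the default branch between the hunks does; a comment such as `// value must be exactly "true" or "false"` would record that. DeleteBucketHandler starts and ends outside these hunks.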

@ -106,4 +106,7 @@ const (
// Server-Status // Server-Status
MinIOServerStatus = "x-minio-server-status" MinIOServerStatus = "x-minio-server-status"
// Delete special flag
MinIOForceDelete = "x-minio-force-delete"
) )
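Review bot: The comment `// Delete special flag` on MinIOForceDelete does not say which request reads the header or what it authorizes. Going by the handler change in this commit, something like `// MinIOForceDelete - DeleteBucket request header; the value "true" requests a forced delete and is authorized as s3:ForceDeleteBucket.` would tell a reader of this file that the header is security-relevant. The const block starts outside the hunk.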

@ -37,6 +37,10 @@ const (
// DeleteBucketAction - DeleteBucket Rest API action. // DeleteBucketAction - DeleteBucket Rest API action.
DeleteBucketAction = "s3:DeleteBucket" DeleteBucketAction = "s3:DeleteBucket"
// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
// is specified.
ForceDeleteBucketAction = "s3:ForceDeleteBucket"
// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action. // DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
DeleteBucketPolicyAction = "s3:DeleteBucketPolicy" DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"
@ -146,6 +150,7 @@ var supportedActions = map[Action]struct{}{
AbortMultipartUploadAction: {}, AbortMultipartUploadAction: {},
CreateBucketAction: {}, CreateBucketAction: {},
DeleteBucketAction: {}, DeleteBucketAction: {},
ForceDeleteBucketAction: {},
DeleteBucketPolicyAction: {}, DeleteBucketPolicyAction: {},
DeleteObjectAction: {}, DeleteObjectAction: {},
GetBucketLocationAction: {}, GetBucketLocationAction: {},
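Review bot: ForceDeleteBucketAction is registered only in `supportedActions` in these hunks; if this file keeps any other per-action table outside them (for instance one listing the condition keys each action accepts), the new action needs an entry there too, otherwise a statement that names `s3:ForceDeleteBucket` together with a condition may be rejected or evaluated differently from `s3:DeleteBucket`. The same applies to the identical addition in pkg/iam/policy/action.go. The doc comment could also state the authorization consequence for policy authors, e.g. `// Not implied by DeleteBucketAction.`, since users granted only `s3:DeleteBucket` lose forced deletion with this commit. Both the const block and the map start and end outside the hunks.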

@ -38,6 +38,10 @@ const (
// DeleteBucketAction - DeleteBucket Rest API action. // DeleteBucketAction - DeleteBucket Rest API action.
DeleteBucketAction = "s3:DeleteBucket" DeleteBucketAction = "s3:DeleteBucket"
// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
// is specified.
ForceDeleteBucketAction = "s3:ForceDeleteBucket"
// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action. // DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
DeleteBucketPolicyAction = "s3:DeleteBucketPolicy" DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"
@ -136,6 +140,7 @@ var supportedActions = map[Action]struct{}{
AbortMultipartUploadAction: {}, AbortMultipartUploadAction: {},
CreateBucketAction: {}, CreateBucketAction: {},
DeleteBucketAction: {}, DeleteBucketAction: {},
ForceDeleteBucketAction: {},
DeleteBucketPolicyAction: {}, DeleteBucketPolicyAction: {},
DeleteObjectAction: {}, DeleteObjectAction: {},
GetBucketLocationAction: {}, GetBucketLocationAction: {},
