diff --git a/cmd/api-datatypes.go b/cmd/api-datatypes.go
index d24d8c70b..59f2fd41e 100644
--- a/cmd/api-datatypes.go
+++ b/cmd/api-datatypes.go
@@ -26,7 +26,7 @@ type ObjectIdentifier struct {
}
// createBucketConfiguration container for bucket configuration request from client.
-// Used for parsing the location from the request body for MakeBucketbucket.
+// Used for parsing the location from the request body for Makebucket.
type createBucketLocationConfiguration struct {
XMLName xml.Name `xml:"CreateBucketConfiguration" json:"-"`
Location string `xml:"LocationConstraint"`
diff --git a/cmd/api-errors.go b/cmd/api-errors.go
index 652ec359a..df9ef33ff 100644
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -141,6 +141,12 @@ const (
ErrInvalidPrefixMarker
ErrBadRequest
ErrKeyTooLongError
+ ErrInvalidBucketObjectLockConfiguration
+ ErrObjectLocked
+ ErrInvalidRetentionDate
+ ErrPastObjectLockRetainDate
+ ErrUnknownWORMModeDirective
+ ErrObjectLockInvalidHeaders
// Add new error codes here.
// SSE-S3 related API errors
@@ -720,7 +726,36 @@ var errorCodes = errorCodeMap{
Description: "Duration provided in the request is invalid.",
HTTPStatusCode: http.StatusBadRequest,
},
-
+ ErrInvalidBucketObjectLockConfiguration: {
+ Code: "InvalidRequest",
+ Description: "Bucket is missing ObjectLockConfiguration",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ ErrObjectLocked: {
+ Code: "InvalidRequest",
+ Description: "Object is WORM protected and cannot be overwritten",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ ErrInvalidRetentionDate: {
+ Code: "InvalidRequest",
+ Description: "Date must be provided in ISO 8601 format",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ ErrPastObjectLockRetainDate: {
+ Code: "InvalidRequest",
+ Description: "the retain until date must be in the future",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ ErrUnknownWORMModeDirective: {
+ Code: "InvalidRequest",
+ Description: "unknown wormMode directive",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ ErrObjectLockInvalidHeaders: {
+ Code: "InvalidRequest",
+ Description: "x-amz-object-lock-retain-until-date and x-amz-object-lock-mode must both be supplied",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
/// Bucket notification related errors.
ErrEventNotification: {
Code: "InvalidArgument",
@@ -1569,6 +1604,14 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
apiErr = ErrOperationTimedOut
case errDiskNotFound:
apiErr = ErrSlowDown
+ case errInvalidRetentionDate:
+ apiErr = ErrInvalidRetentionDate
+ case errPastObjectLockRetainDate:
+ apiErr = ErrPastObjectLockRetainDate
+ case errUnknownWORMModeDirective:
+ apiErr = ErrUnknownWORMModeDirective
+ case errObjectLockInvalidHeaders:
+ apiErr = ErrObjectLockInvalidHeaders
}
// Compression errors
diff --git a/cmd/api-router.go b/cmd/api-router.go
index 28e749b65..5ce073bf9 100644
--- a/cmd/api-router.go
+++ b/cmd/api-router.go
@@ -103,22 +103,22 @@ func registerAPIRouter(router *mux.Router, encryptionEnabled, allowSSEKMS bool)
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(collectAPIStats("getobjecttagging", httpTraceHdrs(api.GetObjectTaggingHandler))).Queries("tagging", "")
// SelectObjectContent
bucket.Methods(http.MethodPost).Path("/{object:.+}").HandlerFunc(collectAPIStats("selectobjectcontent", httpTraceHdrs(api.SelectObjectContentHandler))).Queries("select", "").Queries("select-type", "2")
+ // GetObjectRetention
+ bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(collectAPIStats("getobjectretention", httpTraceHdrs(api.GetObjectRetentionHandler))).Queries("retention", "")
// GetObject
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(collectAPIStats("getobject", httpTraceHdrs(api.GetObjectHandler)))
// CopyObject
bucket.Methods(http.MethodPut).Path("/{object:.+}").HeadersRegexp(xhttp.AmzCopySource, ".*?(\\/|%2F).*?").HandlerFunc(collectAPIStats("copyobject", httpTraceAll(api.CopyObjectHandler)))
+ // PutObjectRetention
+ bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(collectAPIStats("putobjectretention", httpTraceHdrs(api.PutObjectRetentionHandler))).Queries("retention", "")
// PutObject
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(collectAPIStats("putobject", httpTraceHdrs(api.PutObjectHandler)))
// DeleteObject
bucket.Methods(http.MethodDelete).Path("/{object:.+}").HandlerFunc(collectAPIStats("deleteobject", httpTraceAll(api.DeleteObjectHandler)))
// PutObjectLegalHold
- bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(collectAPIStats("putobjectlegalhold", httpTraceHdrs(api.PutObjectLegalHoldHandler))).Queries("legal-hold", "").Queries("versionId", "")
+ bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(collectAPIStats("putobjectlegalhold", httpTraceHdrs(api.PutObjectLegalHoldHandler))).Queries("legal-hold", "")
// GetObjectLegalHold
- bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(collectAPIStats("getobjectlegalhold", httpTraceHdrs(api.GetObjectLegalHoldHandler))).Queries("legal-hold", "").Queries("versionId", "")
- // PutObjectRetention
- bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(collectAPIStats("putobjectretention", httpTraceHdrs(api.PutObjectRetentionHandler))).Queries("retention", "").Queries("versionId", "")
- // GetObjectRetention
- bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(collectAPIStats("getobjectretention", httpTraceHdrs(api.GetObjectRetentionHandler))).Queries("retention", "").Queries("versionId", "")
+ bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(collectAPIStats("getobjectlegalhold", httpTraceHdrs(api.GetObjectLegalHoldHandler))).Queries("legal-hold", "")
/// Bucket operations
// GetBucketLocation
diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index 765b061e2..3ae1b746b 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -357,7 +357,6 @@ func checkRequestAuthTypeToAccessKey(ctx context.Context, r *http.Request, actio
}
return accessKey, owner, ErrAccessDenied
}
-
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
Action: iampolicy.Action(action),
@@ -487,10 +486,10 @@ func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r))
}
-// isPutAllowed - check if PUT operation is allowed on the resource, this
+// isPutActionAllowed - check if PUT operation is allowed on the resource, this
// call verifies bucket policies and IAM policies, supports multi user
// checks etc.
-func isPutAllowed(atype authType, bucketName, objectName string, r *http.Request) (s3Err APIErrorCode) {
+func isPutActionAllowed(atype authType, bucketName, objectName string, r *http.Request, action iampolicy.Action) (s3Err APIErrorCode) {
var cred auth.Credentials
var owner bool
switch atype {
@@ -527,7 +526,7 @@ func isPutAllowed(atype authType, bucketName, objectName string, r *http.Request
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
- Action: policy.PutObjectAction,
+ Action: action,
BucketName: bucketName,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
ObjectName: objectName,
diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go
index c566e97a8..b7b06bc60 100644
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -45,10 +45,10 @@ import (
)
const (
- getBucketVersioningResponse = ``
- objectLockConfig = "object-lock.xml"
- objectLockEnabledConfigFile = "object-lock-enabled.json"
- objectLockEnabledConfig = `{"x-amz-bucket-object-lock-enabled":true}`
+ getBucketVersioningResponse = ``
+ objectLockConfig = "object-lock.xml"
+ bucketObjectLockEnabledConfigFile = "object-lock-enabled.json"
+ bucketObjectLockEnabledConfig = `{"x-amz-bucket-object-lock-enabled":true}`
)
// Check if there are buckets on server without corresponding entry in etcd backend and
@@ -370,20 +370,17 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
return
}
- // Deny if WORM is enabled
- if _, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- // Not required to check whether given objects exist or not, because
- // DeleteMultipleObject is always successful irrespective of object existence.
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
- }
-
deleteObjectsFn := objectAPI.DeleteObjects
if api.CacheAPI() != nil {
deleteObjectsFn = api.CacheAPI().DeleteObjects
}
var objectsToDelete = map[string]int{}
+ getObjectInfoFn := objectAPI.GetObjectInfo
+ if api.CacheAPI() != nil {
+ getObjectInfoFn = api.CacheAPI().GetObjectInfo
+ }
+
var dErrs = make([]APIErrorCode, len(deleteObjects.Objects))
for index, object := range deleteObjects.Objects {
@@ -394,7 +391,11 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
}
continue
}
-
+ govBypassPerms := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName)
+ if _, err := checkGovernanceBypassAllowed(ctx, r, bucket, object.ObjectName, getObjectInfoFn, govBypassPerms); err != ErrNone {
+ dErrs[index] = err
+ continue
+ }
// Avoid duplicate objects, we use map to filter them out.
if _, ok := objectsToDelete[object.ObjectName]; !ok {
objectsToDelete[object.ObjectName] = index
@@ -517,8 +518,8 @@ func (api objectAPIHandlers) PutBucketHandler(w http.ResponseWriter, r *http.Req
}
if objectLockEnabled {
- configFile := path.Join(bucketConfigPrefix, bucket, objectLockEnabledConfigFile)
- if err = saveConfig(ctx, objectAPI, configFile, []byte(objectLockEnabledConfig)); err != nil {
+ configFile := path.Join(bucketConfigPrefix, bucket, bucketObjectLockEnabledConfigFile)
+ if err = saveConfig(ctx, objectAPI, configFile, []byte(bucketObjectLockEnabledConfig)); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
@@ -553,11 +554,12 @@ func (api objectAPIHandlers) PutBucketHandler(w http.ResponseWriter, r *http.Req
}
if objectLockEnabled {
- configFile := path.Join(bucketConfigPrefix, bucket, objectLockEnabledConfigFile)
- if err = saveConfig(ctx, objectAPI, configFile, []byte(objectLockEnabledConfig)); err != nil {
+ configFile := path.Join(bucketConfigPrefix, bucket, bucketObjectLockEnabledConfigFile)
+ if err = saveConfig(ctx, objectAPI, configFile, []byte(bucketObjectLockEnabledConfig)); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
+ globalBucketObjectLockConfig.Set(bucket, Retention{})
}
// Make sure to add Location information here only for bucket
@@ -890,7 +892,7 @@ func (api objectAPIHandlers) DeleteBucketHandler(w http.ResponseWriter, r *http.
}
}
- globalBucketRetentionConfig.Delete(bucket)
+ globalBucketObjectLockConfig.Delete(bucket)
globalNotificationSys.RemoveNotification(bucket)
globalPolicySys.Remove(bucket)
globalNotificationSys.DeleteBucket(ctx, bucket)
@@ -979,7 +981,10 @@ func (api objectAPIHandlers) PutBucketObjectLockConfigHandler(w http.ResponseWri
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
-
+ if s3Error := checkRequestAuthType(ctx, r, policy.PutBucketObjectLockConfigurationAction, bucket, ""); s3Error != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
+ return
+ }
config, err := parseObjectLockConfig(r.Body)
if err != nil {
apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
@@ -987,8 +992,7 @@ func (api objectAPIHandlers) PutBucketObjectLockConfigHandler(w http.ResponseWri
writeErrorResponse(ctx, w, apiErr, r.URL, guessIsBrowserReq(r))
return
}
-
- configFile := path.Join(bucketConfigPrefix, bucket, objectLockEnabledConfigFile)
+ configFile := path.Join(bucketConfigPrefix, bucket, bucketObjectLockEnabledConfigFile)
configData, err := readConfig(ctx, objectAPI, configFile)
if err != nil {
aerr := toAPIError(ctx, err)
@@ -999,29 +1003,27 @@ func (api objectAPIHandlers) PutBucketObjectLockConfigHandler(w http.ResponseWri
return
}
- if string(configData) != objectLockEnabledConfig {
+ if string(configData) != bucketObjectLockEnabledConfig {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInternalError), r.URL, guessIsBrowserReq(r))
return
}
-
+ data, err := xml.Marshal(config)
+ if err != nil {
+ writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ configFile = path.Join(bucketConfigPrefix, bucket, objectLockConfig)
+ if err = saveConfig(ctx, objectAPI, configFile, data); err != nil {
+ writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
+ return
+ }
if config.Rule != nil {
- data, err := xml.Marshal(config)
- if err != nil {
- writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
- return
- }
-
- configFile := path.Join(bucketConfigPrefix, bucket, objectLockConfig)
- if err = saveConfig(ctx, objectAPI, configFile, data); err != nil {
- writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
- return
- }
-
retention := config.ToRetention()
- globalBucketRetentionConfig.Set(bucket, retention)
+ globalBucketObjectLockConfig.Set(bucket, retention)
globalNotificationSys.PutBucketObjectLockConfig(ctx, bucket, retention)
} else {
- globalBucketRetentionConfig.Delete(bucket)
+ globalBucketObjectLockConfig.Set(bucket, Retention{})
+ globalBucketObjectLockConfig.Delete(bucket)
}
// Write success response.
@@ -1046,8 +1048,12 @@ func (api objectAPIHandlers) GetBucketObjectLockConfigHandler(w http.ResponseWri
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
-
- configFile := path.Join(bucketConfigPrefix, bucket, objectLockEnabledConfigFile)
+ // check if user has permissions to perform this operation
+ if s3Error := checkRequestAuthType(ctx, r, policy.GetBucketObjectLockConfigurationAction, bucket, ""); s3Error != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ configFile := path.Join(bucketConfigPrefix, bucket, bucketObjectLockEnabledConfigFile)
configData, err := readConfig(ctx, objectAPI, configFile)
if err != nil {
aerr := toAPIError(ctx, err)
@@ -1058,7 +1064,7 @@ func (api objectAPIHandlers) GetBucketObjectLockConfigHandler(w http.ResponseWri
return
}
- if string(configData) != objectLockEnabledConfig {
+ if string(configData) != bucketObjectLockEnabledConfig {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInternalError), r.URL, guessIsBrowserReq(r))
return
}
diff --git a/cmd/disk-cache.go b/cmd/disk-cache.go
index 50d0e7b5e..6d470c161 100644
--- a/cmd/disk-cache.go
+++ b/cmd/disk-cache.go
@@ -527,6 +527,13 @@ func (c *cacheObjects) PutObject(ctx context.Context, bucket, object string, r *
if opts.ServerSideEncryption != nil {
return putObjectFn(ctx, bucket, object, r, opts)
}
+
+ // skip cache for objects with locks
+ objRetention := getObjectRetentionMeta(opts.UserDefined)
+ if objRetention.Mode == Governance || objRetention.Mode == Compliance {
+ return putObjectFn(ctx, bucket, object, r, opts)
+ }
+
// fetch from backend if cache exclude pattern or cache-control
// directive set to exclude
if c.isCacheExclude(bucket, object) {
diff --git a/cmd/fs-v1-multipart.go b/cmd/fs-v1-multipart.go
index efb43900d..e83370f94 100644
--- a/cmd/fs-v1-multipart.go
+++ b/cmd/fs-v1-multipart.go
@@ -683,8 +683,8 @@ func (fs *FSObjects) CompleteMultipartUpload(ctx context.Context, bucket string,
}
// Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if fi, err := fsStatFile(ctx, pathJoin(fs.fsPath, bucket, object)); err == nil && retention.Retain(fi.ModTime()) {
+ if globalWORMEnabled {
+ if _, err := fsStatFile(ctx, pathJoin(fs.fsPath, bucket, object)); err == nil {
return ObjectInfo{}, ObjectAlreadyExists{Bucket: bucket, Object: object}
}
}
diff --git a/cmd/fs-v1.go b/cmd/fs-v1.go
index 88d0924a5..280fa72db 100644
--- a/cmd/fs-v1.go
+++ b/cmd/fs-v1.go
@@ -931,8 +931,8 @@ func (fs *FSObjects) putObject(ctx context.Context, bucket string, object string
// Entire object was written to the temp location, now it's safe to rename it to the actual location.
fsNSObjPath := pathJoin(fs.fsPath, bucket, object)
// Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if fi, err := fsStatFile(ctx, fsNSObjPath); err == nil && retention.Retain(fi.ModTime()) {
+ if globalWORMEnabled {
+ if _, err := fsStatFile(ctx, fsNSObjPath); err == nil {
return ObjectInfo{}, ObjectAlreadyExists{Bucket: bucket, Object: object}
}
}
diff --git a/cmd/globals.go b/cmd/globals.go
index ea7d57700..211599935 100644
--- a/cmd/globals.go
+++ b/cmd/globals.go
@@ -196,7 +196,7 @@ var (
// Is worm enabled
globalWORMEnabled bool
- globalBucketRetentionConfig = newBucketRetentionConfig()
+ globalBucketObjectLockConfig = newBucketObjectLockConfig()
// Disk cache drives
globalCacheConfig cache.Config
diff --git a/cmd/handler-utils.go b/cmd/handler-utils.go
index 1a12dfbe5..09ea0950b 100644
--- a/cmd/handler-utils.go
+++ b/cmd/handler-utils.go
@@ -141,7 +141,6 @@ func extractMetadata(ctx context.Context, r *http.Request) (metadata map[string]
if _, ok := metadata["content-type"]; !ok {
metadata["content-type"] = "application/octet-stream"
}
-
// Success.
return metadata, nil
}
diff --git a/cmd/http/headers.go b/cmd/http/headers.go
index 793f580ff..14c26e794 100644
--- a/cmd/http/headers.go
+++ b/cmd/http/headers.go
@@ -57,10 +57,14 @@ const (
AmzCopySourceIfNoneMatch = "x-amz-copy-source-if-none-match"
AmzCopySourceIfMatch = "x-amz-copy-source-if-match"
- AmzCopySource = "X-Amz-Copy-Source"
- AmzCopySourceVersionID = "X-Amz-Copy-Source-Version-Id"
- AmzCopySourceRange = "X-Amz-Copy-Source-Range"
- AmzMetadataDirective = "X-Amz-Metadata-Directive"
+ AmzCopySource = "X-Amz-Copy-Source"
+ AmzCopySourceVersionID = "X-Amz-Copy-Source-Version-Id"
+ AmzCopySourceRange = "X-Amz-Copy-Source-Range"
+ AmzMetadataDirective = "X-Amz-Metadata-Directive"
+ AmzObjectLockMode = "X-Amz-Object-Lock-Mode"
+ AmzObjectLockRetainUntilDate = "X-Amz-Object-Lock-Retain-Until-Date"
+ AmzObjectLockLegalHold = "X-Amz-Object-Lock-Legal-Hold"
+ AmzObjectLockBypassGovernance = "X-Amz-Bypass-Governance-Retention"
// Signature V4 related contants.
AmzContentSha256 = "X-Amz-Content-Sha256"
diff --git a/cmd/notification.go b/cmd/notification.go
index 2e404a3be..994cc9f2f 100644
--- a/cmd/notification.go
+++ b/cmd/notification.go
@@ -777,20 +777,37 @@ func (sys *NotificationSys) load(buckets []BucketInfo, objAPI ObjectLayer) error
return nil
}
-func (sys *NotificationSys) initBucketRetentionConfig(objAPI ObjectLayer) error {
+func (sys *NotificationSys) initBucketObjectLockConfig(objAPI ObjectLayer) error {
buckets, err := objAPI.ListBuckets(context.Background())
if err != nil {
return err
}
for _, bucket := range buckets {
ctx := logger.SetReqInfo(context.Background(), &logger.ReqInfo{BucketName: bucket.Name})
- configFile := path.Join(bucketConfigPrefix, bucket.Name, objectLockConfig)
- configData, err := readConfig(ctx, objAPI, configFile)
+ configFile := path.Join(bucketConfigPrefix, bucket.Name, bucketObjectLockEnabledConfigFile)
+ bucketObjLockData, err := readConfig(ctx, objAPI, configFile)
+
if err != nil {
if err == errConfigNotFound {
continue
}
+ return err
+ }
+ if string(bucketObjLockData) != bucketObjectLockEnabledConfig {
+ // this should never happen
+ logger.LogIf(ctx, errMalformedBucketObjectConfig)
+ continue
+ }
+
+ configFile = path.Join(bucketConfigPrefix, bucket.Name, objectLockConfig)
+ configData, err := readConfig(ctx, objAPI, configFile)
+
+ if err != nil {
+ if err == errConfigNotFound {
+ globalBucketObjectLockConfig.Set(bucket.Name, Retention{})
+ continue
+ }
return err
}
@@ -798,10 +815,11 @@ func (sys *NotificationSys) initBucketRetentionConfig(objAPI ObjectLayer) error
if err != nil {
return err
}
-
+ retention := Retention{}
if config.Rule != nil {
- globalBucketRetentionConfig.Set(bucket.Name, config.ToRetention())
+ retention = config.ToRetention()
}
+ globalBucketObjectLockConfig.Set(bucket.Name, retention)
}
return nil
}
@@ -849,7 +867,7 @@ func (sys *NotificationSys) Init(buckets []BucketInfo, objAPI ObjectLayer) error
for {
select {
case <-retryTimerCh:
- if err := sys.initBucketRetentionConfig(objAPI); err != nil {
+ if err := sys.initBucketObjectLockConfig(objAPI); err != nil {
if err == errDiskNotFound ||
strings.Contains(err.Error(), InsufficientReadQuorum{}.Error()) ||
strings.Contains(err.Error(), InsufficientWriteQuorum{}.Error()) {
diff --git a/cmd/object-api-interface.go b/cmd/object-api-interface.go
index 4bcd7fa22..122eebc4a 100644
--- a/cmd/object-api-interface.go
+++ b/cmd/object-api-interface.go
@@ -30,6 +30,9 @@ import (
// CheckCopyPreconditionFn returns true if copy precondition check failed.
type CheckCopyPreconditionFn func(o ObjectInfo, encETag string) bool
+// GetObjectInfoFn is the signature of GetObjectInfo function.
+type GetObjectInfoFn func(ctx context.Context, bucket, object string, opts ObjectOptions) (objInfo ObjectInfo, err error)
+
// ObjectOptions represents object options for ObjectLayer operations
type ObjectOptions struct {
ServerSideEncryption encrypt.ServerSide
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 1b5fc553b..947db98fd 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -43,6 +43,7 @@ import (
"github.com/minio/minio/pkg/event"
"github.com/minio/minio/pkg/handlers"
"github.com/minio/minio/pkg/hash"
+ iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/ioutil"
"github.com/minio/minio/pkg/policy"
"github.com/minio/minio/pkg/s3select"
@@ -201,6 +202,9 @@ func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
+ getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
+ // filter object lock metadata if permission does not permit
+ objInfo.UserDefined = filterObjectLockMetadata(ctx, r, bucket, object, objInfo.UserDefined, false, getRetPerms)
if err = s3Select.Open(getObject); err != nil {
if serr, ok := err.(s3select.SelectError); ok {
@@ -341,6 +345,10 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req
defer gr.Close()
objInfo := gr.ObjInfo
+ // filter object lock metadata if permission does not permit
+ getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
+ objInfo.UserDefined = filterObjectLockMetadata(ctx, r, bucket, object, objInfo.UserDefined, false, getRetPerms)
+
if objectAPI.IsEncryptionSupported() {
objInfo.UserDefined = CleanMinioInternalMetadataKeys(objInfo.UserDefined)
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
@@ -501,6 +509,11 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
return
}
+
+ // filter object lock metadata if permission does not permit
+ getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
+ objInfo.UserDefined = filterObjectLockMetadata(ctx, r, bucket, object, objInfo.UserDefined, false, getRetPerms)
+
if objectAPI.IsEncryptionSupported() {
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
@@ -737,14 +750,6 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
cpSrcDstSame := isStringEqual(pathJoin(srcBucket, srcObject), pathJoin(dstBucket, dstObject))
- // Deny if WORM is enabled.
- if retention, isWORMBucket := isWORMEnabled(dstBucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil && retention.Retain(oi.ModTime) {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
- }
- }
-
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
@@ -944,7 +949,24 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
-
+ getObjectInfo := objectAPI.GetObjectInfo
+ if api.CacheAPI() != nil {
+ getObjectInfo = api.CacheAPI().GetObjectInfo
+ }
+ isCpy := true
+ getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, srcBucket, srcObject)
+ srcInfo.UserDefined = filterObjectLockMetadata(ctx, r, srcBucket, srcObject, srcInfo.UserDefined, isCpy, getRetPerms)
+ retPerms := isPutActionAllowed(getRequestAuthType(r), dstBucket, dstObject, r, iampolicy.PutObjectRetentionAction)
+ // apply default bucket configuration/governance headers for dest side.
+ retentionMode, retentionDate, s3Err := checkPutObjectRetentionAllowed(ctx, r, dstBucket, dstObject, getObjectInfo, retPerms)
+ if s3Err == ErrNone && retentionMode != "" {
+ srcInfo.UserDefined[xhttp.AmzObjectLockMode] = string(retentionMode)
+ srcInfo.UserDefined[xhttp.AmzObjectLockRetainUntilDate] = retentionDate.UTC().Format(time.RFC3339)
+ }
+ if s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
+ }
// Store the preserved compression metadata.
for k, v := range compressMetadata {
srcInfo.UserDefined[k] = v
@@ -1036,7 +1058,6 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObject")
-
defer logger.AuditLog(w, r, "PutObject", mustGetClaimsFromToken(r))
objectAPI := api.ObjectAPI()
@@ -1142,7 +1163,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
reader = r.Body
// Check if put is allowed
- if s3Err = isPutAllowed(rAuthType, bucket, object, r); s3Err != ErrNone {
+ if s3Err = isPutActionAllowed(rAuthType, bucket, object, r, iampolicy.PutObjectAction); s3Err != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
@@ -1220,12 +1241,15 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
getObjectInfo = api.CacheAPI().GetObjectInfo
putObject = api.CacheAPI().PutObject
}
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := getObjectInfo(ctx, bucket, object, opts); err == nil && retention.Retain(oi.ModTime) {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
- }
+ retPerms := isPutActionAllowed(rAuthType, bucket, object, r, iampolicy.PutObjectRetentionAction)
+ retentionMode, retentionDate, s3Err := checkPutObjectRetentionAllowed(ctx, r, bucket, object, getObjectInfo, retPerms)
+ if s3Err == ErrNone && retentionMode != "" {
+ metadata[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
+ metadata[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(time.RFC3339)
+ }
+ if s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
}
var objectEncryptionKey []byte
@@ -1347,14 +1371,6 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
return
}
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil && retention.Retain(oi.ModTime) {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
- }
- }
-
// Validate storage class metadata if present
if sc := r.Header.Get(xhttp.AmzStorageClass); sc != "" {
if !storageclass.IsValid(sc) {
@@ -1383,7 +1399,16 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
-
+ retPerms := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
+ retentionMode, retentionDate, s3Err := checkPutObjectRetentionAllowed(ctx, r, bucket, object, objectAPI.GetObjectInfo, retPerms)
+ if s3Err == ErrNone && retentionMode != "" {
+ metadata[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
+ metadata[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(time.RFC3339)
+ }
+ if s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
+ }
// We need to preserve the encryption headers set in EncryptRequest,
// so we do not want to override them, copy them instead.
for k, v := range encMetadata {
@@ -1520,9 +1545,9 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
return
}
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(dstBucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil && retention.Retain(oi.ModTime) {
+ // Deny if global WORM is enabled
+ if globalWORMEnabled {
+ if _, err := objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
@@ -1822,7 +1847,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
s3Error APIErrorCode
)
reader = r.Body
- if s3Error = isPutAllowed(rAuthType, bucket, object, r); s3Error != ErrNone {
+ if s3Error = isPutActionAllowed(rAuthType, bucket, object, r, iampolicy.PutObjectAction); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return
}
@@ -1898,8 +1923,8 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
pReader := NewPutObjReader(rawReader, nil, nil)
// Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil && retention.Retain(oi.ModTime) {
+ if globalWORMEnabled {
+ if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
@@ -2006,14 +2031,6 @@ func (api objectAPIHandlers) AbortMultipartUploadHandler(w http.ResponseWriter,
return
}
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, bucket, object, ObjectOptions{}); err == nil && retention.Retain(oi.ModTime) {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
- }
- }
-
uploadID, _, _, _, s3Error := getObjectResources(r.URL.Query())
if s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
@@ -2182,12 +2199,17 @@ func (api objectAPIHandlers) CompleteMultipartUploadHandler(w http.ResponseWrite
return
}
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, bucket, object, ObjectOptions{}); err == nil && retention.Retain(oi.ModTime) {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
- }
+ // Reject retention or governance headers if set, CompleteMultipartUpload spec
+ // does not use these headers, and should not be passed down to checkPutObjectRetentionAllowed
+ if isObjectLockRequested(r.Header) || isObjectLockGovernanceBypassSet(r.Header) {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ // Enforce object lock governance in case a competing upload finalized first.
+ retPerms := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
+ if _, _, s3Err := checkPutObjectRetentionAllowed(ctx, r, bucket, object, objectAPI.GetObjectInfo, retPerms); s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
}
// Get upload id.
@@ -2377,14 +2399,16 @@ func (api objectAPIHandlers) DeleteObjectHandler(w http.ResponseWriter, r *http.
return
}
- // Deny if WORM is enabled
- if _, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- // Not required to check whether given object exists or not, because
- // DeleteObject is always successful irrespective of object existence.
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
- return
+ getObjectInfo := objectAPI.GetObjectInfo
+ if api.CacheAPI() != nil {
+ getObjectInfo = api.CacheAPI().GetObjectInfo
}
+ govBypassPerms := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object)
+ if _, err := checkGovernanceBypassAllowed(ctx, r, bucket, object, getObjectInfo, govBypassPerms); err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(err), r.URL, guessIsBrowserReq(r))
+ return
+ }
if globalDNSConfig != nil {
_, err := globalDNSConfig.Get(bucket)
if err != nil {
@@ -2486,7 +2510,7 @@ func (api objectAPIHandlers) GetObjectLegalHoldHandler(w http.ResponseWriter, r
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
}
-// PutObjectRetentionHandler - set legal hold configuration to object,
+// PutObjectRetentionHandler - set object hold configuration to object,
func (api objectAPIHandlers) PutObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectRetention")
@@ -2506,30 +2530,78 @@ func (api objectAPIHandlers) PutObjectRetentionHandler(w http.ResponseWriter, r
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
+ // Check permissions to perform this governance operation
+ if s3Err := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, policy.PutObjectRetentionAction); s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
+ }
+
+ // Get Content-Md5 sent by client and verify if valid
+ md5Bytes, err := checkValidMD5(r.Header)
+ if err != nil {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidDigest), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ if _, isWORMBucket := isWORMEnabled(bucket); !isWORMBucket {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL, guessIsBrowserReq(r))
+ return
+ }
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
- opts, err := getOpts(ctx, r, bucket, object)
+ govBypassPerms := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object)
+ objInfo, s3Err := checkGovernanceBypassAllowed(ctx, r, bucket, object, getObjectInfo, govBypassPerms)
+ if s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
+ }
+
+ objRetention, err := parseObjectRetention(r.Body)
if err != nil {
+ apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
+ apiErr.Description = err.Error()
+ writeErrorResponse(ctx, w, apiErr, r.URL, guessIsBrowserReq(r))
+ return
+ }
+ // verify Content-MD5 sum of request body if this header set
+ if len(md5Bytes) > 0 {
+ data, err := xml.Marshal(objRetention)
+ if err != nil {
+ writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ if hex.EncodeToString(md5Bytes) != getMD5Hash(data) {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidDigest), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ }
+ objInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = string(objRetention.Mode)
+ objInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = objRetention.RetainUntilDate.UTC().Format(time.RFC3339)
+ objInfo.metadataOnly = true
+ if _, err = objectAPI.CopyObject(ctx, bucket, object, bucket, object, objInfo, ObjectOptions{}, ObjectOptions{}); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
- if _, err = getObjectInfo(ctx, bucket, object, opts); err != nil {
- writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
- return
- }
-
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
+ writeSuccessNoContent(w)
+ // Notify object event.
+ sendEvent(eventArgs{
+ EventName: event.ObjectCreatedPutRetention,
+ BucketName: bucket,
+ Object: objInfo,
+ ReqParams: extractReqParams(r),
+ RespElements: extractRespElements(w),
+ UserAgent: r.UserAgent(),
+ Host: handlers.GetSourceIP(r),
+ })
}
-// GetObjectRetentionHandler - get legal hold configuration to object,
+// GetObjectRetentionHandler - get object retention configuration of object,
func (api objectAPIHandlers) GetObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectRetention")
-
defer logger.AuditLog(w, r, "GetObjectRetention", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
@@ -2546,6 +2618,10 @@ func (api objectAPIHandlers) GetObjectRetentionHandler(w http.ResponseWriter, r
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
+ if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object); s3Error != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
+ return
+ }
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
@@ -2558,10 +2634,23 @@ func (api objectAPIHandlers) GetObjectRetentionHandler(w http.ResponseWriter, r
return
}
- if _, err = getObjectInfo(ctx, bucket, object, opts); err != nil {
+ objInfo, err := getObjectInfo(ctx, bucket, object, opts)
+ if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
+ retention := getObjectRetentionMeta(objInfo.UserDefined)
+
+ writeSuccessResponseXML(w, encodeResponse(retention))
+ // Notify object retention accessed via a GET request.
+ sendEvent(eventArgs{
+ EventName: event.ObjectAccessedGetRetention,
+ BucketName: bucket,
+ Object: objInfo,
+ ReqParams: extractReqParams(r),
+ RespElements: extractRespElements(w),
+ UserAgent: r.UserAgent(),
+ Host: handlers.GetSourceIP(r),
+ })
}
diff --git a/cmd/object-lock.go b/cmd/object-lock.go
index 9dbc4e687..7d689b375 100644
--- a/cmd/object-lock.go
+++ b/cmd/object-lock.go
@@ -17,11 +17,17 @@
package cmd
import (
+ "context"
"encoding/xml"
+ "errors"
"fmt"
"io"
+ "net/http"
+ "strings"
"sync"
"time"
+
+ xhttp "github.com/minio/minio/cmd/http"
)
// RetentionMode - object retention mode.
@@ -33,6 +39,30 @@ const (
// Compliance - compliance mode.
Compliance RetentionMode = "COMPLIANCE"
+
+ // Invalid - invalid retention mode.
+ Invalid RetentionMode = "Invalid"
+)
+
+func parseRetentionMode(modeStr string) (mode RetentionMode) {
+ switch strings.ToUpper(modeStr) {
+ case "GOVERNANCE":
+ mode = Governance
+ case "COMPLIANCE":
+ mode = Compliance
+ default:
+ mode = Invalid
+ }
+ return mode
+}
+
+var (
+ errMalformedBucketObjectConfig = errors.New("Invalid bucket object lock config")
+ errInvalidRetentionDate = errors.New("Date must be provided in ISO 8601 format")
+ errPastObjectLockRetainDate = errors.New("the retain until date must be in the future")
+ errUnknownWORMModeDirective = errors.New("unknown WORM mode directive")
+ errObjectLockMissingContentMD5 = errors.New("Content-MD5 HTTP header is required for Put Object requests with Object Lock parameters")
+ errObjectLockInvalidHeaders = errors.New("x-amz-object-lock-retain-until-date and x-amz-object-lock-mode must both be supplied")
)
// Retention - bucket level retention configuration.
@@ -51,37 +81,36 @@ func (r Retention) Retain(created time.Time) bool {
return globalWORMEnabled || created.Add(r.Validity).After(time.Now())
}
-// BucketRetentionConfig - map of bucket and retention configuration.
-type BucketRetentionConfig struct {
+// BucketObjectLockConfig - map of bucket and retention configuration.
+type BucketObjectLockConfig struct {
sync.RWMutex
retentionMap map[string]Retention
}
// Set - set retention configuration.
-func (config *BucketRetentionConfig) Set(bucketName string, retention Retention) {
+func (config *BucketObjectLockConfig) Set(bucketName string, retention Retention) {
config.Lock()
config.retentionMap[bucketName] = retention
config.Unlock()
}
// Get - Get retention configuration.
-func (config *BucketRetentionConfig) Get(bucketName string) (r Retention, ok bool) {
+func (config *BucketObjectLockConfig) Get(bucketName string) (r Retention, ok bool) {
config.RLock()
defer config.RUnlock()
-
r, ok = config.retentionMap[bucketName]
return r, ok
}
// Delete - delete retention configuration.
-func (config *BucketRetentionConfig) Delete(bucketName string) {
+func (config *BucketObjectLockConfig) Delete(bucketName string) {
config.Lock()
delete(config.retentionMap, bucketName)
config.Unlock()
}
-func newBucketRetentionConfig() *BucketRetentionConfig {
- return &BucketRetentionConfig{
+func newBucketObjectLockConfig() *BucketObjectLockConfig {
+ return &BucketObjectLockConfig{
retentionMap: map[string]Retention{},
}
}
@@ -130,12 +159,12 @@ func (dr *DefaultRetention) UnmarshalXML(d *xml.Decoder, start xml.StartElement)
return fmt.Errorf("Default retention period must be a positive integer value for 'Days'")
}
if *retention.Days > maximumRetentionDays {
- return fmt.Errorf("Default retention period too large for 'Days' %w", *retention.Days)
+ return fmt.Errorf("Default retention period too large for 'Days' %d", *retention.Days)
}
} else if *retention.Years == 0 {
return fmt.Errorf("Default retention period must be a positive integer value for 'Years'")
} else if *retention.Years > maximumRetentionYears {
- return fmt.Errorf("Default retention period too large for 'Years' %w", *retention.Years)
+ return fmt.Errorf("Default retention period too large for 'Years' %d", *retention.Years)
}
*dr = DefaultRetention(retention)
@@ -201,3 +230,253 @@ func newObjectLockConfig() *ObjectLockConfig {
ObjectLockEnabled: "Enabled",
}
}
+
+// RetentionDate is a embedded type containing time.Time to unmarshal
+// Date in Retention
+type RetentionDate struct {
+ time.Time
+}
+
+// UnmarshalXML parses date from Expiration and validates date format
+func (rDate *RetentionDate) UnmarshalXML(d *xml.Decoder, startElement xml.StartElement) error {
+ var dateStr string
+ err := d.DecodeElement(&dateStr, &startElement)
+ if err != nil {
+ return err
+ }
+ // While AWS documentation mentions that the date specified
+ // must be present in ISO 8601 format, in reality they allow
+ // users to provide RFC 3339 compliant dates.
+ retDate, err := time.Parse(time.RFC3339, dateStr)
+ if err != nil {
+ return errInvalidRetentionDate
+ }
+
+ *rDate = RetentionDate{retDate}
+ return nil
+}
+
+// MarshalXML encodes expiration date if it is non-zero and encodes
+// empty string otherwise
+func (rDate *RetentionDate) MarshalXML(e *xml.Encoder, startElement xml.StartElement) error {
+ if *rDate == (RetentionDate{time.Time{}}) {
+ return nil
+ }
+ return e.EncodeElement(rDate.Format(time.RFC3339), startElement)
+}
+
+// ObjectRetention specified in
+// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectRetention.html
+type ObjectRetention struct {
+ XMLNS string `xml:"xmlns,attr,omitempty"`
+ XMLName xml.Name `xml:"Retention"`
+ Mode RetentionMode `xml:"Mode,omitempty"`
+ RetainUntilDate RetentionDate `xml:"RetainUntilDate,omitempty"`
+}
+
+func parseObjectRetention(reader io.Reader) (*ObjectRetention, error) {
+ ret := ObjectRetention{}
+ if err := xml.NewDecoder(reader).Decode(&ret); err != nil {
+ return nil, err
+ }
+ if ret.Mode != Compliance && ret.Mode != Governance {
+ return &ret, errUnknownWORMModeDirective
+ }
+ if ret.RetainUntilDate.Before(time.Now()) {
+ return &ret, errPastObjectLockRetainDate
+ }
+ return &ret, nil
+}
+
+func isObjectLockRetentionRequested(h http.Header) bool {
+ if _, ok := h[xhttp.AmzObjectLockMode]; ok {
+ return true
+ }
+ if _, ok := h[xhttp.AmzObjectLockRetainUntilDate]; ok {
+ return true
+ }
+ return false
+}
+
+func isObjectLockLegalHoldRequested(h http.Header) bool {
+ _, ok := h[xhttp.AmzObjectLockLegalHold]
+ return ok
+}
+
+func isObjectLockGovernanceBypassSet(h http.Header) bool {
+ v, ok := h[xhttp.AmzObjectLockBypassGovernance]
+ if !ok {
+ return false
+ }
+ val := strings.Join(v, "")
+ return strings.ToLower(val) == "true"
+}
+
+func isObjectLockRequested(h http.Header) bool {
+ return isObjectLockLegalHoldRequested(h) || isObjectLockRetentionRequested(h)
+}
+
+func parseObjectLockRetentionHeaders(h http.Header) (rmode RetentionMode, r RetentionDate, err error) {
+ retMode, ok := h[xhttp.AmzObjectLockMode]
+ if ok {
+ rmode = parseRetentionMode(strings.Join(retMode, ""))
+ if rmode == Invalid {
+ return rmode, r, errUnknownWORMModeDirective
+ }
+ }
+ var retDate time.Time
+ dateStr, ok := h[xhttp.AmzObjectLockRetainUntilDate]
+ if ok {
+ // While AWS documentation mentions that the date specified
+ // must be present in ISO 8601 format, in reality they allow
+ // users to provide RFC 3339 compliant dates.
+ retDate, err = time.Parse(time.RFC3339, strings.Join(dateStr, ""))
+ if err != nil {
+ return rmode, r, errInvalidRetentionDate
+ }
+ if retDate.Before(time.Now()) {
+ return rmode, r, errPastObjectLockRetainDate
+ }
+ }
+ if len(retMode) == 0 || len(dateStr) == 0 {
+ return rmode, r, errObjectLockInvalidHeaders
+ }
+ return rmode, RetentionDate{retDate}, nil
+
+}
+
+func getObjectRetentionMeta(meta map[string]string) ObjectRetention {
+ var mode RetentionMode
+ var retainTill RetentionDate
+ if modeStr, ok := meta[strings.ToLower(xhttp.AmzObjectLockMode)]; ok {
+ mode = parseRetentionMode(modeStr)
+ }
+ if tillStr, ok := meta[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)]; ok {
+ if t, e := time.Parse(time.RFC3339, tillStr); e == nil {
+ retainTill = RetentionDate{t.UTC()}
+ }
+ }
+ return ObjectRetention{Mode: mode, RetainUntilDate: retainTill}
+}
+
+// checkGovernanceBypassAllowed enforces whether an existing object under governance can be overwritten
+// with governance bypass headers set in the request.
+// Objects under site wide WORM or those in "Compliance" mode can never be overwritten.
+// For objects in "Governance" mode, overwrite is allowed if a) object retention date is past OR
+// governance bypass headers are set and user has governance bypass permissions.
+func checkGovernanceBypassAllowed(ctx context.Context, r *http.Request, bucket, object string, getObjectInfoFn GetObjectInfoFn, govBypassPerm APIErrorCode) (oi ObjectInfo, s3Err APIErrorCode) {
+ var err error
+ var opts ObjectOptions
+ opts, err = getOpts(ctx, r, bucket, object)
+ if err != nil {
+ return oi, toAPIErrorCode(ctx, err)
+ }
+ oi, err = getObjectInfoFn(ctx, bucket, object, opts)
+ if err != nil {
+ // ignore case where object no longer exists
+ if toAPIError(ctx, err).Code == "NoSuchKey" {
+ return oi, ErrNone
+ }
+ return oi, toAPIErrorCode(ctx, err)
+ }
+ ret := getObjectRetentionMeta(oi.UserDefined)
+ if globalWORMEnabled || ret.Mode == Compliance {
+ return oi, ErrObjectLocked
+ }
+ // Here bucket does not support object lock
+ if ret.Mode == Invalid && isObjectLockGovernanceBypassSet(r.Header) {
+ return oi, ErrInvalidBucketObjectLockConfiguration
+ }
+ if ret.Mode == Compliance {
+ return oi, ErrObjectLocked
+ }
+ if ret.Mode == Governance {
+ if !isObjectLockGovernanceBypassSet(r.Header) {
+ if ret.RetainUntilDate.After(UTCNow()) {
+ return oi, ErrObjectLocked
+ }
+ return oi, ErrNone
+ }
+ if govBypassPerm != ErrNone {
+ return oi, ErrAccessDenied
+ }
+ }
+ return oi, ErrNone
+}
+
+// checkPutObjectRetentionAllowed enforces object retention policy for requests with WORM headers
+// See https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-managing.html for the spec.
+// For non-existing objects with object retention headers set, this method returns ErrNone if bucket has
+// locking enabled and user has requisite permissions (s3:PutObjectRetention)
+// If object exists on object store, if retention mode is "Compliance" or site wide WORM enabled -this method
+// returns an error. For objects in "Governance" mode, overwrite is allowed if the retention date has expired.
+func checkPutObjectRetentionAllowed(ctx context.Context, r *http.Request, bucket, object string, getObjectInfoFn GetObjectInfoFn, retentionPermErr APIErrorCode) (RetentionMode, RetentionDate, APIErrorCode) {
+ var mode RetentionMode
+ var retainDate RetentionDate
+ retention, isWORMBucket := isWORMEnabled(bucket)
+
+ retentionRequested := isObjectLockRequested(r.Header)
+
+ var objExists bool
+ opts, err := getOpts(ctx, r, bucket, object)
+ if err != nil {
+ return mode, retainDate, toAPIErrorCode(ctx, err)
+ }
+ if objInfo, err := getObjectInfoFn(ctx, bucket, object, opts); err == nil {
+ objExists = true
+ r := getObjectRetentionMeta(objInfo.UserDefined)
+ if globalWORMEnabled || r.Mode == Compliance {
+ return mode, retainDate, ErrObjectLocked
+ }
+ mode = r.Mode
+ retainDate = r.RetainUntilDate
+ }
+ if retentionRequested {
+ if !isWORMBucket {
+ return mode, retainDate, ErrInvalidBucketObjectLockConfiguration
+ }
+ rMode, rDate, err := parseObjectLockRetentionHeaders(r.Header)
+ if err != nil {
+ return mode, retainDate, toAPIErrorCode(ctx, err)
+ }
+ // AWS S3 just creates a new version of object when an object is being overwritten.
+ if objExists && retainDate.After(UTCNow()) {
+ return mode, retainDate, ErrObjectLocked
+ }
+ if rMode == Invalid {
+ return mode, retainDate, toAPIErrorCode(ctx, errObjectLockInvalidHeaders)
+ }
+ if retentionPermErr != ErrNone {
+ return mode, retainDate, retentionPermErr
+ }
+ return rMode, rDate, ErrNone
+ }
+ if !retentionRequested && isWORMBucket && !retention.IsEmpty() {
+ if retentionPermErr != ErrNone {
+ return mode, retainDate, retentionPermErr
+ }
+ // AWS S3 just creates a new version of object when an object is being overwritten.
+ if objExists && retainDate.After(UTCNow()) {
+ return mode, retainDate, ErrObjectLocked
+ }
+ // inherit retention from bucket configuration
+ return retention.Mode, RetentionDate{UTCNow().Add(retention.Validity)}, ErrNone
+ }
+ return mode, retainDate, ErrNone
+}
+
+// filter object lock metadata if s3:GetObjectRetention permission is denied or if isCopy flag set.
+func filterObjectLockMetadata(ctx context.Context, r *http.Request, bucket, object string, metadata map[string]string, isCopy bool, getRetPerms APIErrorCode) map[string]string {
+ ret := getObjectRetentionMeta(metadata)
+ if ret.Mode == Invalid || isCopy {
+ delete(metadata, xhttp.AmzObjectLockMode)
+ delete(metadata, xhttp.AmzObjectLockRetainUntilDate)
+ return metadata
+ }
+ if getRetPerms == ErrNone {
+ return metadata
+ }
+ delete(metadata, xhttp.AmzObjectLockMode)
+ delete(metadata, xhttp.AmzObjectLockRetainUntilDate)
+ return metadata
+}
diff --git a/cmd/peer-rest-server.go b/cmd/peer-rest-server.go
index 4d13167e7..b74a69e79 100644
--- a/cmd/peer-rest-server.go
+++ b/cmd/peer-rest-server.go
@@ -510,7 +510,7 @@ func (s *peerRESTServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Requ
globalNotificationSys.RemoveNotification(bucketName)
globalPolicySys.Remove(bucketName)
- globalBucketRetentionConfig.Delete(bucketName)
+ globalBucketObjectLockConfig.Delete(bucketName)
w.(http.Flusher).Flush()
}
@@ -787,7 +787,7 @@ func (s *peerRESTServer) PutBucketObjectLockConfigHandler(w http.ResponseWriter,
return
}
- globalBucketRetentionConfig.Set(bucketName, retention)
+ globalBucketObjectLockConfig.Set(bucketName, retention)
w.(http.Flusher).Flush()
}
diff --git a/cmd/utils.go b/cmd/utils.go
index 84af93a77..c854e0995 100644
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -521,6 +521,5 @@ func isWORMEnabled(bucket string) (Retention, bool) {
if globalWORMEnabled {
return Retention{}, true
}
-
- return globalBucketRetentionConfig.Get(bucket)
+ return globalBucketObjectLockConfig.Get(bucket)
}
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index 604607930..90b6c2674 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -598,7 +598,10 @@ func (web *webAPIHandlers) RemoveObject(r *http.Request, args *RemoveObjectArgs,
return toJSONError(ctx, errServerNotInitialized)
}
listObjects := objectAPI.ListObjects
-
+ getObjectInfo := objectAPI.GetObjectInfo
+ if web.CacheAPI() != nil {
+ getObjectInfo = web.CacheAPI().GetObjectInfo
+ }
claims, owner, authErr := webRequestAuthenticate(r)
if authErr != nil {
if authErr == errNoAuthToken {
@@ -667,15 +670,10 @@ next:
for _, objectName := range args.Objects {
// If not a directory, remove the object.
if !hasSuffix(objectName, SlashSeparator) && objectName != "" {
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(args.BucketName); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, args.BucketName, objectName, ObjectOptions{}); err == nil && retention.Retain(oi.ModTime) {
- return toJSONError(ctx, errMethodNotAllowed)
- }
- }
// Check for permissions only in the case of
// non-anonymous login. For anonymous login, policy has already
// been checked.
+ govBypassPerms := ErrAccessDenied
if authErr != errNoAuthToken {
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: claims.AccessKey(),
@@ -688,8 +686,33 @@ next:
}) {
return toJSONError(ctx, errAccessDenied)
}
+ if globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: claims.AccessKey(),
+ Action: iampolicy.BypassGovernanceRetentionAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", claims.AccessKey(), claims.Map()),
+ IsOwner: owner,
+ ObjectName: objectName,
+ Claims: claims.Map(),
+ }) {
+ govBypassPerms = ErrNone
+ }
+ }
+ if authErr == errNoAuthToken {
+ // Check if object is allowed to be deleted anonymously
+ if globalPolicySys.IsAllowed(policy.Args{
+ Action: policy.BypassGovernanceRetentionAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", "", nil),
+ IsOwner: false,
+ ObjectName: objectName,
+ }) {
+ govBypassPerms = ErrNone
+ }
+ }
+ if _, err := checkGovernanceBypassAllowed(ctx, r, args.BucketName, objectName, getObjectInfo, govBypassPerms); err != ErrNone {
+ return toJSONError(ctx, errAccessDenied)
}
-
if err = deleteObject(ctx, objectAPI, web.CacheAPI(), args.BucketName, objectName, r); err != nil {
break next
}
@@ -906,6 +929,8 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
bucket := vars["bucket"]
object := vars["object"]
+ retPerms := ErrAccessDenied
+
claims, owner, authErr := webRequestAuthenticate(r)
if authErr != nil {
if authErr == errNoAuthToken {
@@ -940,6 +965,18 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, errAuthentication)
return
}
+ if globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: claims.AccessKey(),
+ Action: iampolicy.PutObjectRetentionAction,
+ BucketName: bucket,
+ ConditionValues: getConditionValues(r, "", claims.AccessKey(), claims.Map()),
+ IsOwner: owner,
+ ObjectName: object,
+ Claims: claims.Map(),
+ }) {
+ retPerms = ErrNone
+ }
+
}
// Check if bucket is a reserved bucket name or invalid.
@@ -1028,12 +1065,19 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
- // Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil && retention.Retain(oi.ModTime) {
- writeWebErrorResponse(w, errMethodNotAllowed)
- return
- }
+ getObjectInfo := objectAPI.GetObjectInfo
+ if web.CacheAPI() != nil {
+ getObjectInfo = web.CacheAPI().GetObjectInfo
+ }
+ // enforce object retention rules
+ retentionMode, retentionDate, s3Err := checkPutObjectRetentionAllowed(ctx, r, bucket, object, getObjectInfo, retPerms)
+ if s3Err == ErrNone && retentionMode != "" {
+ opts.UserDefined[xhttp.AmzObjectLockMode] = string(retentionMode)
+ opts.UserDefined[xhttp.AmzObjectLockRetainUntilDate] = retentionDate.UTC().Format(time.RFC3339)
+ }
+ if s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
+ return
}
putObject := objectAPI.PutObject
@@ -1087,6 +1131,8 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
object := vars["object"]
token := r.URL.Query().Get("token")
+ getRetPerms := ErrAccessDenied
+
claims, owner, authErr := webTokenAuthenticate(token)
if authErr != nil {
if authErr == errNoAuthToken {
@@ -1101,6 +1147,15 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, errAuthentication)
return
}
+ if globalPolicySys.IsAllowed(policy.Args{
+ Action: policy.GetObjectRetentionAction,
+ BucketName: bucket,
+ ConditionValues: getConditionValues(r, "", "", nil),
+ IsOwner: false,
+ ObjectName: object,
+ }) {
+ getRetPerms = ErrNone
+ }
} else {
writeWebErrorResponse(w, authErr)
return
@@ -1121,6 +1176,17 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, errAuthentication)
return
}
+ if globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: claims.AccessKey(),
+ Action: iampolicy.GetObjectRetentionAction,
+ BucketName: bucket,
+ ConditionValues: getConditionValues(r, "", claims.AccessKey(), claims.Map()),
+ IsOwner: owner,
+ ObjectName: object,
+ Claims: claims.Map(),
+ }) {
+ getRetPerms = ErrNone
+ }
}
// Check if bucket is a reserved bucket name or invalid.
@@ -1144,6 +1210,9 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
objInfo := gr.ObjInfo
+ // filter object lock metadata if permission does not permit
+ objInfo.UserDefined = filterObjectLockMetadata(ctx, r, bucket, object, objInfo.UserDefined, false, getRetPerms)
+
if objectAPI.IsEncryptionSupported() {
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeWebErrorResponse(w, err)
@@ -1234,9 +1303,9 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, decodeErr)
return
}
-
token := r.URL.Query().Get("token")
claims, owner, authErr := webTokenAuthenticate(token)
+ var getRetPerms []APIErrorCode
if authErr != nil {
if authErr == errNoAuthToken {
for _, object := range args.Objects {
@@ -1251,6 +1320,17 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, errAuthentication)
return
}
+ retentionPerm := ErrAccessDenied
+ if globalPolicySys.IsAllowed(policy.Args{
+ Action: policy.GetObjectRetentionAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", "", nil),
+ IsOwner: false,
+ ObjectName: pathJoin(args.Prefix, object),
+ }) {
+ retentionPerm = ErrNone
+ }
+ getRetPerms = append(getRetPerms, retentionPerm)
}
} else {
writeWebErrorResponse(w, authErr)
@@ -1273,6 +1353,19 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, errAuthentication)
return
}
+ retentionPerm := ErrAccessDenied
+ if globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: claims.AccessKey(),
+ Action: iampolicy.GetObjectAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", claims.AccessKey(), claims.Map()),
+ IsOwner: owner,
+ ObjectName: pathJoin(args.Prefix, object),
+ Claims: claims.Map(),
+ }) {
+ retentionPerm = ErrNone
+ }
+ getRetPerms = append(getRetPerms, retentionPerm)
}
}
@@ -1291,7 +1384,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
archive := zip.NewWriter(w)
defer archive.Close()
- for _, object := range args.Objects {
+ for i, object := range args.Objects {
// Writes compressed object file to the response.
zipit := func(objectName string) error {
var opts ObjectOptions
@@ -1302,6 +1395,9 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
defer gr.Close()
info := gr.ObjInfo
+ // filter object lock metadata if permission does not permit
+ info.UserDefined = filterObjectLockMetadata(ctx, r, args.BucketName, objectName, info.UserDefined, false, getRetPerms[i])
+
if info.IsCompressed() {
// For reporting, set the file size to the uncompressed size.
info.Size = info.GetActualSize()
diff --git a/cmd/xl-v1-multipart.go b/cmd/xl-v1-multipart.go
index 1dbd4ddca..4f9e30aed 100644
--- a/cmd/xl-v1-multipart.go
+++ b/cmd/xl-v1-multipart.go
@@ -708,8 +708,8 @@ func (xl xlObjects) CompleteMultipartUpload(ctx context.Context, bucket string,
if xl.isObject(bucket, object) {
// Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := xl.getObjectInfo(ctx, bucket, object); err == nil && retention.Retain(oi.ModTime) {
+ if globalWORMEnabled {
+ if _, err := xl.getObjectInfo(ctx, bucket, object); err == nil {
return ObjectInfo{}, ObjectAlreadyExists{Bucket: bucket, Object: object}
}
}
diff --git a/cmd/xl-v1-object.go b/cmd/xl-v1-object.go
index fb9f5764f..eddde4a65 100644
--- a/cmd/xl-v1-object.go
+++ b/cmd/xl-v1-object.go
@@ -611,8 +611,8 @@ func (xl xlObjects) putObject(ctx context.Context, bucket string, object string,
if xl.isObject(bucket, object) {
// Deny if WORM is enabled
- if retention, isWORMBucket := isWORMEnabled(bucket); isWORMBucket {
- if oi, err := xl.getObjectInfo(ctx, bucket, object); err == nil && retention.Retain(oi.ModTime) {
+ if globalWORMEnabled {
+ if _, err := xl.getObjectInfo(ctx, bucket, object); err == nil {
return ObjectInfo{}, ObjectAlreadyExists{Bucket: bucket, Object: object}
}
}
diff --git a/docs/retention/README.md b/docs/retention/README.md
index 7c187c2d4..607d4564a 100644
--- a/docs/retention/README.md
+++ b/docs/retention/README.md
@@ -1,6 +1,9 @@
# Object Lock and Immutablity [](https://slack.min.io)
-MinIO server allows to set bucket level WORM which makes objects in the bucket immutable i.e. delete and overwrite are not allowed till stipulated time specified in the bucket's object lock configuration.
+MinIO server allows selectively specify WORM for specific objects or configuring a bucket with default object lock configuration that applies default retention mode and retention duration to all incoming objects. Essentially, this makes objects in the bucket immutable i.e. delete and overwrite are not allowed till stipulated time specified in the bucket's object lock configuration or object retention.
+
+Object locking requires locking to be enabled on a bucket at the time of bucket creation. In addition, a default retention period and retention mode can be configured on a bucket to be
+applied to objects created in that bucket.
## Get Started
@@ -8,19 +11,33 @@ MinIO server allows to set bucket level WORM which makes objects in the bucket i
Install MinIO - [MinIO Quickstart Guide](https://docs.min.io/docs/minio-quickstart-guide).
-### 2. Set per bucket WORM
+### 2. Set bucket WORM configuration
WORM on a bucket is enabled by setting object lock configuration. This configuration is applied to existing and new objects in the bucket. Below is an example sets `Governance` mode and one day retention time from object creation time of all objects in `mybucket`.
```sh
$ awscli s3api put-object-lock-configuration --bucket mybucket --object-lock-configuration 'ObjectLockEnabled=\"Enabled\",Rule={DefaultRetention={Mode=\"GOVERNANCE\",Days=1}}'
```
+### Set object lock
+
+PutObject API allows setting per object retention mode and retention duration using `x-amz-object-lock-mode` and `x-amz-object-lock-retain-until-date` headers. This takes precedence over any bucket object lock configuration w.r.t retention.
+
+```sh
+aws s3api put-object --bucket testbucket --key lockme --object-lock-mode GOVERNANCE --object-lock-retain-until-date "2019-11-20" --body /etc/issue
+```
+
+See https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html for AWS S3 spec on
+object locking and permissions required for object retention and governance bypass overrides.
### 3. Note
- When global WORM is enabled by `MINIO_WORM` environment variable or `worm` field in configuration file supersedes bucket level WORM and `PUT object lock configuration` REST API is disabled.
-- Currently Governance mode is treated as Compliance mode.
-- Once object lock configuration is set to a bucket, existing and new objects are put in WORM mode.
+- global WORM and objects in `Compliance` mode can never be overwritten
+- Currently `Governance` mode does not allow overwriting an existing object as versioning is not
+available in MinIO. To that extent `Governance` mode is similar to `Compliance`. However,
+if user has requisite `Governance` bypass permissions, an object in `Governance` mode can be overwritten.
+- Once object lock configuration is set to a bucket, new objects inherit the retention settings of the bucket object lock configuration (if set) or the retention headers set in the PUT request
+or set with PutObjectRetention API call
## Explore Further
diff --git a/pkg/event/name.go b/pkg/event/name.go
index 81a076608..4fdb06586 100644
--- a/pkg/event/name.go
+++ b/pkg/event/name.go
@@ -29,12 +29,14 @@ type Name int
const (
ObjectAccessedAll Name = 1 + iota
ObjectAccessedGet
+ ObjectAccessedGetRetention
ObjectAccessedHead
ObjectCreatedAll
ObjectCreatedCompleteMultipartUpload
ObjectCreatedCopy
ObjectCreatedPost
ObjectCreatedPut
+ ObjectCreatedPutRetention
ObjectRemovedAll
ObjectRemovedDelete
)
@@ -43,9 +45,9 @@ const (
func (name Name) Expand() []Name {
switch name {
case ObjectAccessedAll:
- return []Name{ObjectAccessedGet, ObjectAccessedHead}
+ return []Name{ObjectAccessedGet, ObjectAccessedHead, ObjectAccessedGetRetention}
case ObjectCreatedAll:
- return []Name{ObjectCreatedCompleteMultipartUpload, ObjectCreatedCopy, ObjectCreatedPost, ObjectCreatedPut}
+ return []Name{ObjectCreatedCompleteMultipartUpload, ObjectCreatedCopy, ObjectCreatedPost, ObjectCreatedPut, ObjectCreatedPutRetention}
case ObjectRemovedAll:
return []Name{ObjectRemovedDelete}
default:
@@ -60,6 +62,8 @@ func (name Name) String() string {
return "s3:ObjectAccessed:*"
case ObjectAccessedGet:
return "s3:ObjectAccessed:Get"
+ case ObjectAccessedGetRetention:
+ return "s3:ObjectAccessed:GetRetention"
case ObjectAccessedHead:
return "s3:ObjectAccessed:Head"
case ObjectCreatedAll:
@@ -72,6 +76,8 @@ func (name Name) String() string {
return "s3:ObjectCreated:Post"
case ObjectCreatedPut:
return "s3:ObjectCreated:Put"
+ case ObjectCreatedPutRetention:
+ return "s3:ObjectAccessed:PutRetention"
case ObjectRemovedAll:
return "s3:ObjectRemoved:*"
case ObjectRemovedDelete:
@@ -130,6 +136,8 @@ func ParseName(s string) (Name, error) {
return ObjectAccessedAll, nil
case "s3:ObjectAccessed:Get":
return ObjectAccessedGet, nil
+ case "s3:ObjectAccessed:GetRetention":
+ return ObjectAccessedGetRetention, nil
case "s3:ObjectAccessed:Head":
return ObjectAccessedHead, nil
case "s3:ObjectCreated:*":
@@ -142,6 +150,8 @@ func ParseName(s string) (Name, error) {
return ObjectCreatedPost, nil
case "s3:ObjectCreated:Put":
return ObjectCreatedPut, nil
+ case "s3:ObjectCreated:PutRetention":
+ return ObjectCreatedPutRetention, nil
case "s3:ObjectRemoved:*":
return ObjectRemovedAll, nil
case "s3:ObjectRemoved:Delete":
diff --git a/pkg/event/target/elasticsearch.go b/pkg/event/target/elasticsearch.go
index c7e55c01d..792154b32 100644
--- a/pkg/event/target/elasticsearch.go
+++ b/pkg/event/target/elasticsearch.go
@@ -146,7 +146,6 @@ func (target *ElasticsearchTarget) send(eventData event.Event) error {
} else {
err = update()
}
-
return err
}
diff --git a/pkg/iam/policy/action.go b/pkg/iam/policy/action.go
index ad35f0b4a..d2ab1a682 100644
--- a/pkg/iam/policy/action.go
+++ b/pkg/iam/policy/action.go
@@ -91,33 +91,57 @@ const (
// PutObjectAction - PutObject Rest API action.
PutObjectAction = "s3:PutObject"
+ // BypassGovernanceModeAction - bypass governance mode for DeleteObject Rest API action.
+ BypassGovernanceModeAction = "s3:BypassGovernanceMode"
+
+ // BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
+ BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"
+
+ // PutObjectRetentionAction - PutObjectRetention Rest API action.
+ PutObjectRetentionAction = "s3:PutObjectRetention"
+
+ // GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
+ GetObjectRetentionAction = "s3:GetObjectRetention"
+
+ // GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action
+ GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"
+
+ // PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action
+ PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"
+
// AllActions - all API actions
AllActions = "s3:*"
)
// List of all supported actions.
var supportedActions = map[Action]struct{}{
- AllActions: {},
- AbortMultipartUploadAction: {},
- CreateBucketAction: {},
- DeleteBucketAction: {},
- DeleteBucketPolicyAction: {},
- DeleteObjectAction: {},
- GetBucketLocationAction: {},
- GetBucketNotificationAction: {},
- GetBucketPolicyAction: {},
- GetObjectAction: {},
- HeadBucketAction: {},
- ListAllMyBucketsAction: {},
- ListBucketAction: {},
- ListBucketMultipartUploadsAction: {},
- ListenBucketNotificationAction: {},
- ListMultipartUploadPartsAction: {},
- PutBucketNotificationAction: {},
- PutBucketPolicyAction: {},
- PutObjectAction: {},
- GetBucketLifecycleAction: {},
- PutBucketLifecycleAction: {},
+ AllActions: {},
+ AbortMultipartUploadAction: {},
+ CreateBucketAction: {},
+ DeleteBucketAction: {},
+ DeleteBucketPolicyAction: {},
+ DeleteObjectAction: {},
+ GetBucketLocationAction: {},
+ GetBucketNotificationAction: {},
+ GetBucketPolicyAction: {},
+ GetObjectAction: {},
+ HeadBucketAction: {},
+ ListAllMyBucketsAction: {},
+ ListBucketAction: {},
+ ListBucketMultipartUploadsAction: {},
+ ListenBucketNotificationAction: {},
+ ListMultipartUploadPartsAction: {},
+ PutBucketNotificationAction: {},
+ PutBucketPolicyAction: {},
+ PutObjectAction: {},
+ GetBucketLifecycleAction: {},
+ PutBucketLifecycleAction: {},
+ PutObjectRetentionAction: {},
+ GetObjectRetentionAction: {},
+ PutBucketObjectLockConfigurationAction: {},
+ GetBucketObjectLockConfigurationAction: {},
+ BypassGovernanceModeAction: {},
+ BypassGovernanceRetentionAction: {},
}
// isObjectAction - returns whether action is object type or not.
@@ -127,6 +151,10 @@ func (action Action) isObjectAction() bool {
fallthrough
case ListMultipartUploadPartsAction, PutObjectAction, AllActions:
return true
+ case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
+ return true
+ case PutObjectRetentionAction, GetObjectRetentionAction:
+ return true
}
return false
@@ -238,4 +266,10 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
condition.S3XAmzMetadataDirective,
condition.S3XAmzStorageClass,
}, condition.CommonKeys...)...),
+ PutObjectRetentionAction: condition.NewKeySet(condition.CommonKeys...),
+ GetObjectRetentionAction: condition.NewKeySet(condition.CommonKeys...),
+ BypassGovernanceModeAction: condition.NewKeySet(condition.CommonKeys...),
+ BypassGovernanceRetentionAction: condition.NewKeySet(condition.CommonKeys...),
+ GetBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
+ PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
}
diff --git a/pkg/policy/action.go b/pkg/policy/action.go
index fb16160b1..b3466ec85 100644
--- a/pkg/policy/action.go
+++ b/pkg/policy/action.go
@@ -89,6 +89,20 @@ const (
// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
GetBucketLifecycleAction = "s3:GetBucketLifecycle"
+
+ // BypassGovernanceModeAction - bypass governance mode for DeleteObject Rest API action.
+ BypassGovernanceModeAction = "s3:BypassGovernanceMode"
+ // BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
+ BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"
+ // PutObjectRetentionAction - PutObjectRetention Rest API action.
+ PutObjectRetentionAction = "s3:PutObjectRetention"
+
+ // GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
+ GetObjectRetentionAction = "s3:GetObjectRetention"
+ // GetBucketObjectLockConfigurationAction - GetObjectLockConfiguration Rest API action
+ GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"
+ // PutBucketObjectLockConfigurationAction - PutObjectLockConfiguration Rest API action
+ PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"
)
// isObjectAction - returns whether action is object type or not.
@@ -98,6 +112,10 @@ func (action Action) isObjectAction() bool {
fallthrough
case ListMultipartUploadPartsAction, PutObjectAction:
return true
+ case PutObjectRetentionAction, GetObjectRetentionAction:
+ return true
+ case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
+ return true
}
return false
@@ -122,6 +140,12 @@ func (action Action) IsValid() bool {
fallthrough
case PutBucketLifecycleAction, GetBucketLifecycleAction:
return true
+ case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
+ return true
+ case PutObjectRetentionAction, GetObjectRetentionAction:
+ return true
+ case PutBucketObjectLockConfigurationAction, GetBucketObjectLockConfigurationAction:
+ return true
}
return false
@@ -204,4 +228,10 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
condition.S3XAmzMetadataDirective,
condition.S3XAmzStorageClass,
}, condition.CommonKeys...)...),
+ PutObjectRetentionAction: condition.NewKeySet(condition.CommonKeys...),
+ GetObjectRetentionAction: condition.NewKeySet(condition.CommonKeys...),
+ BypassGovernanceModeAction: condition.NewKeySet(condition.CommonKeys...),
+ BypassGovernanceRetentionAction: condition.NewKeySet(condition.CommonKeys...),
+ GetBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
+ PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
}