Disable Dockerfile.source

fix: Refactor session policy handling and fix owner permission check (#226 )
Modify docker source file
2026-01-17 09:40:32 +00:00 · 2025-07-16 18:03:09 +08:00 · 2025-07-16 16:40:51 +08:00 · 2025-07-15 23:17:39 +08:00 · 2025-07-15 22:10:00 +08:00
7 changed files with 31 additions and 28 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -223,12 +223,12 @@ jobs:
          - name: production
            dockerfile: Dockerfile
            platforms: linux/amd64,linux/arm64
-          - name: source
-            dockerfile: Dockerfile.source
-            platforms: linux/amd64,linux/arm64
-          - name: dev
-            dockerfile: Dockerfile.source
-            platforms: linux/amd64,linux/arm64
+          #- name: source
+          #  dockerfile: Dockerfile.source
+          #  platforms: linux/amd64,linux/arm64
+          #- name: dev
+          #  dockerfile: Dockerfile.source
+          #  platforms: linux/amd64,linux/arm64
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/3
+++ b/3
@@ -121,9 +121,6 @@ WORKDIR /data
 # Expose port
 EXPOSE 9000

-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=40s \
-    CMD curl -f http://localhost:9000/health || exit 1

 # Volume for data
 VOLUME ["/data"]
--- a/Dockerfile.source
+++ b/Dockerfile.source
@@ -19,11 +19,11 @@ RUN apt-get update && apt-get install -y \
    && rm -rf /var/lib/apt/lists/*

 # Install sccache for Rust compilation caching
-RUN wget https://github.com/mozilla/sccache/releases/download/v0.8.1/sccache-v0.8.1-x86_64-unknown-linux-gnu.tar.gz \
-    && tar -xzf sccache-v0.8.1-x86_64-unknown-linux-gnu.tar.gz \
-    && mv sccache-v0.8.1-x86_64-unknown-linux-gnu/sccache /usr/local/bin/ \
+RUN wget https://github.com/mozilla/sccache/releases/download/v0.10.0/sccache-dist-v0.10.0-x86_64-unknown-linux-musl.tar.gz \
+    && tar -xzf sccache-dist-v0.10.0-x86_64-unknown-linux-musl.tar.gz \
+    && mv sccache-dist-v0.10.0-x86_64-unknown-linux-musl/sccache-dist /usr/local/bin/sccache \
    && chmod +x /usr/local/bin/sccache \
-    && rm -rf sccache-v0.8.1-x86_64-unknown-linux-gnu.tar.gz sccache-v0.8.1-x86_64-unknown-linux-gnu
+    && rm -rf sccache-dist-v0.10.0-x86_64-unknown-linux-musl.tar.gz sccache-dist-v0.10.0-x86_64-unknown-linux-musl

 # Set up sccache environment
 ENV RUSTC_WRAPPER=sccache \
@@ -63,7 +63,7 @@ ENV CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
 WORKDIR /usr/src/rustfs

 # Copy cargo configuration for optimized builds
-COPY cargo.config.toml ./.cargo/config.toml
+COPY Cargo.toml ./.cargo/config.toml

 # Copy Cargo files for dependency caching
 COPY Cargo.toml Cargo.lock ./
@@ -147,9 +147,6 @@ ENV RUSTFS_ACCESS_KEY=rustfsadmin \
    RUSTFS_VOLUMES=/data \
    RUST_LOG=warn

-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD wget --no-verbose --tries=1 --spider http://localhost:9000/health || exit 1

 # Volume for data
 VOLUME ["/data"]
--- a/crates/iam/src/manager.rs
+++ b/crates/iam/src/manager.rs
@@ -13,6 +13,7 @@
 // limitations under the License.

 use crate::error::{Error, Result, is_err_config_not_found};
+use crate::sys::get_claims_from_token_with_secret;
 use crate::{
    cache::{Cache, CacheEntity},
    error::{Error as IamError, is_err_no_such_group, is_err_no_such_policy, is_err_no_such_user},
@@ -26,7 +27,7 @@ use rustfs_ecstore::global::get_global_action_cred;
 use rustfs_madmin::{AccountStatus, AddOrUpdateUserReq, GroupDesc};
 use rustfs_policy::{
    arn::ARN,
-    auth::{self, Credentials, UserIdentity, get_claims_from_token_with_secret, is_secret_key_valid, jwt_sign},
+    auth::{self, Credentials, UserIdentity, is_secret_key_valid, jwt_sign},
    format::Format,
    policy::{
        EMBEDDED_POLICY_TYPE, INHERITED_POLICY_TYPE, Policy, PolicyDoc, default::DEFAULT_POLICIES, iam_policy_claim_name_sa,
--- a/crates/iam/src/sys.rs
+++ b/crates/iam/src/sys.rs
@@ -23,6 +23,7 @@ use crate::store::GroupInfo;
 use crate::store::MappedPolicy;
 use crate::store::Store;
 use crate::store::UserType;
+use crate::utils::extract_claims;
 use rustfs_ecstore::global::get_global_action_cred;
 use rustfs_madmin::AddOrUpdateUserReq;
 use rustfs_madmin::GroupDesc;
@@ -542,7 +543,7 @@ impl<T: Store> IamSys<T> {
            }
        };

-        if policies.is_empty() {
+        if !is_owner && policies.is_empty() {
            return false;
        }

@@ -732,3 +733,18 @@ pub struct UpdateServiceAccountOpts {
    pub expiration: Option<OffsetDateTime>,
    pub status: Option<String>,
 }
+
+pub fn get_claims_from_token_with_secret(token: &str, secret: &str) -> Result<HashMap<String, Value>> {
+    let mut ms =
+        extract_claims::<HashMap<String, Value>>(token, secret).map_err(|e| Error::other(format!("extract claims err {e}")))?;
+
+    if let Some(session_policy) = ms.claims.get(SESSION_POLICY_NAME) {
+        let policy_str = session_policy.as_str().unwrap_or_default();
+        let policy = base64_decode(policy_str.as_bytes()).map_err(|e| Error::other(format!("base64 decode err {e}")))?;
+        ms.claims.insert(
+            SESSION_POLICY_NAME_EXTRACTED.to_string(),
+            Value::String(String::from_utf8(policy).map_err(|e| Error::other(format!("utf8 decode err {e}")))?),
+        );
+    }
+    Ok(ms.claims)
+}
--- a/crates/policy/src/auth/credentials.rs
+++ b/crates/policy/src/auth/credentials.rs
@@ -16,8 +16,6 @@ use crate::error::Error as IamError;
 use crate::error::{Error, Result};
 use crate::policy::{INHERITED_POLICY_TYPE, Policy, Validator, iam_policy_claim_name_sa};
 use crate::utils;
-use crate::utils::extract_claims;
-use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use serde_json::{Value, json};
 use std::collections::HashMap;
@@ -253,12 +251,6 @@ pub fn create_new_credentials_with_metadata(
    })
 }

-pub fn get_claims_from_token_with_secret<T: DeserializeOwned>(token: &str, secret: &str) -> Result<T> {
-    let ms = extract_claims::<T>(token, secret)?;
-    // TODO SessionPolicyName
-    Ok(ms.claims)
-}
-
 pub fn jwt_sign<T: Serialize>(claims: &T, token_secret: &str) -> Result<String> {
    let token = utils::generate_jwt(claims, token_secret)?;
    Ok(token)
--- a/rustfs/src/auth.rs
+++ b/rustfs/src/auth.rs
@@ -17,8 +17,8 @@ use http::Uri;
 use rustfs_ecstore::global::get_global_action_cred;
 use rustfs_iam::error::Error as IamError;
 use rustfs_iam::sys::SESSION_POLICY_NAME;
+use rustfs_iam::sys::get_claims_from_token_with_secret;
 use rustfs_policy::auth;
-use rustfs_policy::auth::get_claims_from_token_with_secret;
 use s3s::S3Error;
 use s3s::S3ErrorCode;
 use s3s::S3Result;
Author	SHA1	Message	Date
loverustfs	e5d17f5382	Disable Dockerfile.source	2025-07-16 18:03:09 +08:00
weisd	982cc66c74	fix: Refactor session policy handling and fix owner permission check (#226 )	2025-07-16 16:40:51 +08:00
loverustfs	74bf4909c8	Modify docker source file	2025-07-15 23:17:39 +08:00
loverustfs	9c956b4445	Disable other docker mode	2025-07-15 22:10:00 +08:00