Converge PolicyDBGet functions in IAM (#11891)
This commit is contained in:
Aditya Manthramurthy
GitHub
parent
d7f32ad649
commit
b4d8bcf644
|
|
@ -748,7 +748,11 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
|
|||
case MinIOUsersSysType:
|
||||
policies, err = globalIAMSys.PolicyDBGet(accountName, false)
|
||||
case LDAPUsersSysType:
|
||||
policies, err = globalIAMSys.PolicyDBGetLDAP(cred.ParentUser, cred.Groups...)
|
||||
parentUser := accountName
|
||||
if cred.ParentUser != "" {
|
||||
parentUser = cred.ParentUser
|
||||
}
|
||||
policies, err = globalIAMSys.PolicyDBGet(parentUser, false, cred.Groups...)
|
||||
default:
|
||||
err = errors.New("should not happen!")
|
||||
}
|
||||
|
|
|
|||
62
cmd/iam.go
62
cmd/iam.go
|
|
@ -1661,8 +1661,9 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
|
|||
return nil
|
||||
}
|
||||
|
||||
// PolicyDBGetLDAP is only used by LDAP code, it is similar to PolicyDBGet
|
||||
func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, error) {
|
||||
// PolicyDBGet - gets policy set on a user or group. If a list of groups is
|
||||
// given, policies associated with them are included as well.
|
||||
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]string, error) {
|
||||
if !sys.Initialized() {
|
||||
return nil, errServerNotInitialized
|
||||
}
|
||||
|
|
@ -1674,40 +1675,35 @@ func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, err
|
|||
sys.store.rlock()
|
||||
defer sys.store.runlock()
|
||||
|
||||
var policies []string
|
||||
mp, ok := sys.iamUserPolicyMap[name]
|
||||
if ok {
|
||||
// returned policy could be empty
|
||||
policies = append(policies, mp.toSlice()...)
|
||||
policies, err := sys.policyDBGet(name, isGroup)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, group := range groups {
|
||||
p := sys.iamGroupPolicyMap[group]
|
||||
policies = append(policies, p.toSlice()...)
|
||||
if !isGroup {
|
||||
for _, group := range groups {
|
||||
ps, err := sys.policyDBGet(group, true)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
policies = append(policies, ps...)
|
||||
}
|
||||
}
|
||||
|
||||
return policies, nil
|
||||
}
|
||||
|
||||
// PolicyDBGet - gets policy set on a user or group. Since a user may
|
||||
// be a member of multiple groups, this function returns an array of
|
||||
// applicable policies
|
||||
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
|
||||
if !sys.Initialized() {
|
||||
return nil, errServerNotInitialized
|
||||
}
|
||||
|
||||
if name == "" {
|
||||
return nil, errInvalidArgument
|
||||
}
|
||||
|
||||
sys.store.rlock()
|
||||
defer sys.store.runlock()
|
||||
|
||||
return sys.policyDBGet(name, isGroup)
|
||||
}
|
||||
|
||||
// This call assumes that caller has the sys.RLock()
|
||||
// This call assumes that caller has the sys.RLock().
|
||||
//
|
||||
// If a group is passed, it returns policies associated with the group.
|
||||
//
|
||||
// If a user is passed, it returns policies of the user along with any groups
|
||||
// that the server knows the user is a member of.
|
||||
//
|
||||
// In LDAP users mode, the server does not store any group membership
|
||||
// information in IAM (i.e sys.iam*Map) - this info is stored only in the STS
|
||||
// generated credentials. Thus we skip looking up group memberships, user map,
|
||||
// and group map and check the appropriate policy maps directly.
|
||||
func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
|
||||
if isGroup {
|
||||
if sys.usersSysType == MinIOUsersSysType {
|
||||
|
|
@ -1727,12 +1723,12 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
|
|||
return mp.toSlice(), nil
|
||||
}
|
||||
|
||||
// When looking for a user's policies, we also check if the
|
||||
// user and the groups they are member of are enabled.
|
||||
|
||||
var u auth.Credentials
|
||||
var ok bool
|
||||
if sys.usersSysType == MinIOUsersSysType {
|
||||
// When looking for a user's policies, we also check if the user
|
||||
// and the groups they are member of are enabled.
|
||||
|
||||
u, ok = sys.iamUsersMap[name]
|
||||
if !ok {
|
||||
return nil, errNoSuchUser
|
||||
|
|
@ -1891,7 +1887,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args, parentUser string) bool
|
|||
}
|
||||
|
||||
// Check policy for this LDAP user.
|
||||
ldapPolicies, err := sys.PolicyDBGetLDAP(parentUser, args.Groups...)
|
||||
ldapPolicies, err := sys.PolicyDBGet(parentUser, false, args.Groups...)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
|
|
|||
|
|
@ -498,7 +498,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
|||
}
|
||||
|
||||
// Check if this user or their groups have a policy applied.
|
||||
ldapPolicies, _ := globalIAMSys.PolicyDBGetLDAP(ldapUserDN, groupDistNames...)
|
||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
|
||||
if len(ldapPolicies) == 0 {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
|
||||
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
|
||||
|
|
|
|||
Loading…
Reference in a new issue