37d066b563
This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
70 lines
2 KiB
Go
70 lines
2 KiB
Go
// +build ignore
|
|
|
|
/*
|
|
* MinIO Cloud Storage, (C) 2017 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"log"
|
|
|
|
"github.com/minio/minio/pkg/bucket/policy"
|
|
"github.com/minio/minio/pkg/bucket/policy/condition"
|
|
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
|
"github.com/minio/minio/pkg/madmin"
|
|
)
|
|
|
|
func main() {
|
|
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
|
|
// dummy values, please replace them with original values.
|
|
|
|
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
|
|
// dummy values, please replace them with original values.
|
|
|
|
// API requests are secure (HTTPS) if secure=true and insecure (HTTP) otherwise.
|
|
// New returns an MinIO Admin client object.
|
|
madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
|
|
if err != nil {
|
|
log.Fatalln(err)
|
|
}
|
|
|
|
if err = madmClnt.AddUser(context.Background(), "newuser", "newstrongpassword"); err != nil {
|
|
log.Fatalln(err)
|
|
}
|
|
|
|
// Create policy
|
|
p := iampolicy.Policy{
|
|
Version: iampolicy.DefaultVersion,
|
|
Statements: []iampolicy.Statement{
|
|
iampolicy.NewStatement(
|
|
policy.Allow,
|
|
iampolicy.NewActionSet(iampolicy.GetObjectAction),
|
|
iampolicy.NewResourceSet(iampolicy.NewResource("testbucket/*", "")),
|
|
condition.NewFunctions(),
|
|
)},
|
|
}
|
|
|
|
if err = madmClnt.AddCannedPolicy(context.Background(), "get-only", &p); err != nil {
|
|
log.Fatalln(err)
|
|
}
|
|
|
|
if err = madmClnt.SetUserPolicy(context.Background(), "newuser", "get-only"); err != nil {
|
|
log.Fatalln(err)
|
|
}
|
|
}
|