MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/cmd/admin-handlers-users.go

1524 lines
44 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
package cmd
import (
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
"bytes"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
"encoding/json"
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-23 20:39:20 -04:00
"errors"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
"io"
"io/ioutil"
"net/http"
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-09 12:53:07 -05:00
"sort"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
"github.com/gorilla/mux"
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
"github.com/minio/madmin-go"
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
"github.com/minio/minio/internal/auth"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/config/dns"
"github.com/minio/minio/internal/logger"
move to iam, bucket policy from minio/pkg (#12400)
2021-05-30 00:16:42 -04:00
iampolicy "github.com/minio/pkg/iam/policy"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// RemoveUser - DELETE /minio/admin/v3/remove-user?accessKey=<access_key>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "RemoveUser")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DeleteUserAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
accessKey := vars["accessKey"]
fix: service account permissions generated from LDAP user (#11637) service accounts generated from LDAP parent user did not inherit correct permissions, this PR fixes this fully.
2021-02-25 16:49:59 -05:00
ok, _, err := globalIAMSys.IsTempUser(accessKey)
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-19 17:21:21 -05:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err := globalIAMSys.DeleteUser(ctx, accessKey); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to delete user.
for _, nerr := range globalNotificationSys.DeleteUser(accessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
// ListUsers - GET /minio/admin/v3/list-users?bucket={bucket}
func (a adminAPIHandlers) ListBucketUsers(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "ListBucketUsers")
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ListUsersAdminAction)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
if objectAPI == nil {
return
}
bucket := mux.Vars(r)["bucket"]
password := cred.SecretKey
allCredentials, err := globalIAMSys.ListBucketUsers(bucket)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(allCredentials)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// ListUsers - GET /minio/admin/v3/list-users
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "ListUsers")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ListUsersAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
honor the credentials of user admin for encrypt/decrypt (#9194) Fixes #9193
2020-03-23 17:06:00 -04:00
password := cred.SecretKey
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
allCredentials, err := globalIAMSys.ListUsers()
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(allCredentials)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// GetUserInfo - GET /minio/admin/v3/user-info
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetUserInfo")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
vars := mux.Vars(r)
name := vars["accessKey"]
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
return
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
fix: root credentials should be able to create users (#12511)
2021-06-15 21:52:01 -04:00
accessKey := cred.ParentUser
if accessKey == "" {
accessKey = cred.AccessKey
}
// For temporary credentials always
// the temporary credentials to check
// policy without implicit permissions.
if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
accessKey = cred.AccessKey
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
}
implicitPerm := name == accessKey
if !implicitPerm {
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: accessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-23 18:15:51 -04:00
Groups: cred.Groups,
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
Action: iampolicy.GetUserAdminAction,
ConditionValues: getConditionValues(r, "", accessKey, claims),
IsOwner: owner,
Claims: claims,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(userInfo)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, data)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// UpdateGroupMembers - PUT /minio/admin/v3/update-group-members
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "UpdateGroupMembers")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AddUserToGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
data, err := ioutil.ReadAll(r.Body)
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
var updReq madmin.GroupAddRemove
err = json.Unmarshal(data, &updReq)
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
if updReq.IsRemove {
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
} else {
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to load group.
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
}
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// GetGroup - /minio/admin/v3/group?group=mygroup1
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetGroup")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
group := vars["group"]
gdesc, err := globalIAMSys.GetGroupDescription(group)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
body, err := json.Marshal(gdesc)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, body)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// ListGroups - GET /minio/admin/v3/groups
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "ListGroups")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListGroupsAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
groups, err := globalIAMSys.ListGroups(ctx)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
body, err := json.Marshal(groups)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, body)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// SetGroupStatus - PUT /minio/admin/v3/set-group-status?group=mygroup1&status=enabled
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "SetGroupStatus")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.EnableGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
group := vars["group"]
status := vars["status"]
var err error
if status == statusEnabled {
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
err = globalIAMSys.SetGroupStatus(ctx, group, true)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
} else if status == statusDisabled {
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
err = globalIAMSys.SetGroupStatus(ctx, group, false)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
} else {
err = errInvalidArgument
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to reload user.
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadGroup(group) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
}
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled]
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "SetUserStatus")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.EnableUserAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
accessKey := vars["accessKey"]
status := vars["status"]
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
// This API is not allowed to lookup accessKey user status
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if accessKey == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err := globalIAMSys.SetUserStatus(ctx, accessKey, madmin.AccountStatus(status)); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to reload user.
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
}
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AddUser")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
vars := mux.Vars(r)
fix: add helper for expected path.Clean behavior (#12068) current usage of path.Clean returns "." for empty strings instead we need `""` string as-is, make relevant changes as needed.
2021-04-15 19:32:13 -04:00
accessKey := vars["accessKey"]
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
return
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-19 16:24:21 -05:00
// Not allowed to add a user with same access key as root credential
if owner && accessKey == cred.AccessKey {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
return
}
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-19 16:24:21 -05:00
if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
// Incoming access key matches parent user then we should
// reject password change requests.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
implicitPerm := accessKey == cred.AccessKey
if !implicitPerm {
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-19 16:24:21 -05:00
parentUser := cred.ParentUser
if parentUser == "" {
parentUser = cred.AccessKey
}
fix: root credentials should be able to create users (#12511)
2021-06-15 21:52:01 -04:00
// For temporary credentials always
// the temporary credentials to check
// policy without implicit permissions.
if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
parentUser = cred.AccessKey
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
if !globalIAMSys.IsAllowed(iampolicy.Args{
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-19 16:24:21 -05:00
AccountName: parentUser,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-23 18:15:51 -04:00
Groups: cred.Groups,
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
Action: iampolicy.CreateUserAdminAction,
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-19 16:24:21 -05:00
ConditionValues: getConditionValues(r, "", parentUser, claims),
fix: do not deny admins to change other passwords fixes a regression from #11680
2021-03-02 20:02:29 -05:00
IsOwner: owner,
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
Claims: claims,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
fix: enforce deny if present for implicit permissions (#11680) Implicit permissions for any user is to be allowed to change their own password, we need to restrict this further even if there is an implicit allow for this scenario - we have to honor Deny statements if they are specified.
2021-03-02 18:35:50 -05:00
if implicitPerm && !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: accessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-23 18:15:51 -04:00
Groups: cred.Groups,
fix: enforce deny if present for implicit permissions (#11680) Implicit permissions for any user is to be allowed to change their own password, we need to restrict this further even if there is an implicit allow for this scenario - we have to honor Deny statements if they are specified.
2021-03-02 18:35:50 -05:00
Action: iampolicy.CreateUserAdminAction,
ConditionValues: getConditionValues(r, "", accessKey, claims),
fix: do not deny admins to change other passwords fixes a regression from #11680
2021-03-02 20:02:29 -05:00
IsOwner: owner,
fix: enforce deny if present for implicit permissions (#11680) Implicit permissions for any user is to be allowed to change their own password, we need to restrict this further even if there is an implicit allow for this scenario - we have to honor Deny statements if they are specified.
2021-03-02 18:35:50 -05:00
Claims: claims,
DenyOnly: true, // check if changing password is explicitly denied.
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
// More than maxConfigSize bytes were available
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
return
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 05:03:18 -05:00
password := cred.SecretKey
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
configBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
logger.LogIf(ctx, err)
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
return
}
var uinfo madmin.UserInfo
if err = json.Unmarshal(configBytes, &uinfo); err != nil {
logger.LogIf(ctx, err)
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err = globalIAMSys.CreateUser(ctx, accessKey, uinfo); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other Minio peers to reload user
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
}
}
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
// AddServiceAccount - PUT /minio/admin/v3/add-service-account
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AddServiceAccount")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-09 12:59:52 -04:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-19 12:54:40 -04:00
if objectAPI == nil || globalNotificationSys == nil {
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
return
}
password := cred.SecretKey
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
if err != nil {
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
return
}
var createReq madmin.AddServiceAccountReq
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
if err = json.Unmarshal(reqBytes, &createReq); err != nil {
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
var (
targetUser string
targetGroups []string
)
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
// If the request did not set a TargetUser, the service account is
// created for the request sender.
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
targetUser = createReq.TargetUser
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
if targetUser == "" {
targetUser = cred.AccessKey
}
opts := newServiceAccountOpts{
accessKey: createReq.AccessKey,
secretKey: createReq.SecretKey,
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-05 14:49:33 -04:00
claims: make(map[string]interface{}),
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
}
// Find the user for the request sender (as it may be sent via a service
// account or STS account):
requestorUser := cred.AccessKey
requestorParentUser := cred.AccessKey
requestorGroups := cred.Groups
requestorIsDerivedCredential := false
if cred.IsServiceAccount() || cred.IsTemp() {
requestorParentUser = cred.ParentUser
requestorIsDerivedCredential = true
}
// Check if we are creating svc account for request sender.
isSvcAccForRequestor := false
if targetUser == requestorUser || targetUser == requestorParentUser {
isSvcAccForRequestor = true
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
// If we are creating svc account for request sender, ensure
// that targetUser is a real user (i.e. not derived
// credentials).
if isSvcAccForRequestor {
add explicit deny support for service accounts (#13657) creating service accounts is implicitly enabled for all users, this PR however adds support to reject creating service accounts, with an explicit "Deny" policy.
2021-11-15 09:57:52 -05:00
// Check if adding service account is explicitly denied.
//
// This allows turning off service accounts for request sender,
// if there is no deny statement this call is implicitly enabled.
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: requestorUser,
Action: iampolicy.CreateServiceAccountAdminAction,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
DenyOnly: true,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
if requestorIsDerivedCredential {
if requestorParentUser == "" {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx,
errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
return
}
targetUser = requestorParentUser
}
targetGroups = requestorGroups
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-05 14:49:33 -04:00
// In case of LDAP/OIDC we need to set `opts.claims` to ensure
// it is associated with the LDAP/OIDC user properly.
for k, v := range cred.Claims {
if k == expClaim {
continue
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
}
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-05 14:49:33 -04:00
opts.claims[k] = v
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
}
} else {
// Need permission if we are creating a service acccount for a
// user <> to the request sender
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
if !globalIAMSys.IsAllowed(iampolicy.Args{
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
AccountName: requestorUser,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
Action: iampolicy.CreateServiceAccountAdminAction,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-28 15:49:56 -04:00
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
// In case of LDAP we need to resolve the targetUser to a DN and
// query their groups:
if globalLDAPConfig.Enabled {
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-05 14:49:33 -04:00
opts.claims[ldapUserN] = targetUser // simple username
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
targetUser, targetGroups, err = globalLDAPConfig.LookupUserDN(targetUser)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-29 16:01:42 -04:00
return
}
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-05 14:49:33 -04:00
opts.claims[ldapUser] = targetUser // username DN
fix: LDAP authentication with groups only (#12283) fixes #12282
2021-05-13 00:25:07 -04:00
}
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
// NOTE: if not using LDAP, then internal IDP or open ID is
// being used - in the former, group info is enforced when
// generated credentials are used to make requests, and in the
// latter, a group notion is not supported.
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
}
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
var sp *iampolicy.Policy
if len(createReq.Policy) > 0 {
sp, err = iampolicy.ParseConfig(bytes.NewReader(createReq.Policy))
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-20 17:28:19 -04:00
opts.sessionPolicy = sp
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
newCred, err := globalIAMSys.NewServiceAccount(ctx, targetUser, targetGroups, opts)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
// Notify all other Minio peers to reload user the service account
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
// Call hook for cluster-replication.
//
// FIXME: This wont work in an OpenID situation as the parent credential
// may not be present on peer clusters to provide inherited policies.
// Also, we should not be replicating root user's service account - as
// they are not authenticated by a common external IDP, so we skip when
// opts.ldapUser == "".
if _, isLDAPAccount := opts.claims[ldapUserN]; isLDAPAccount {
err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Create: &madmin.SRSvcAccCreate{
Parent: newCred.ParentUser,
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Groups: newCred.Groups,
Claims: opts.claims,
SessionPolicy: createReq.Policy,
Status: auth.AccountOn,
},
},
})
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
var createResp = madmin.AddServiceAccountResp{
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
Credentials: madmin.Credentials{
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-14 14:28:56 -04:00
},
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
}
data, err := json.Marshal(createResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
encryptedData, err := madmin.EncryptData(password, data)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
writeSuccessResponseJSON(w, encryptedData)
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
// UpdateServiceAccount - POST /minio/admin/v3/update-service-account
func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "UpdateServiceAccount")
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
svcAccount, _, err := globalIAMSys.GetServiceAccount(ctx, accessKey)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
Action: iampolicy.UpdateServiceAccountAdminAction,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
}) {
requestUser := cred.AccessKey
if cred.ParentUser != "" {
requestUser = cred.ParentUser
}
if requestUser != svcAccount.ParentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
return
}
var updateReq madmin.UpdateServiceAccountReq
if err = json.Unmarshal(reqBytes, &updateReq); err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
return
}
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
var sp *iampolicy.Policy
if len(updateReq.NewPolicy) > 0 {
sp, err = iampolicy.ParseConfig(bytes.NewReader(updateReq.NewPolicy))
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
opts := updateServiceAccountOpts{
secretKey: updateReq.NewSecretKey,
status: updateReq.NewStatus,
sessionPolicy: sp,
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
err = globalIAMSys.UpdateServiceAccount(ctx, accessKey, opts)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other Minio peers to reload user the service account
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
// Call site replication hook. Only LDAP accounts are supported for
// replication operations.
svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, accessKey)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if _, isLDAPAccount := svcAccClaims[ldapUserN]; isLDAPAccount {
err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Update: &madmin.SRSvcAccUpdate{
AccessKey: accessKey,
SecretKey: opts.secretKey,
Status: opts.status,
SessionPolicy: updateReq.NewPolicy,
},
},
})
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
writeSuccessNoContent(w)
}
// InfoServiceAccount - GET /minio/admin/v3/info-service-account
func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "InfoServiceAccount")
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
svcAccount, policy, err := globalIAMSys.GetServiceAccount(ctx, accessKey)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
Action: iampolicy.ListServiceAccountsAdminAction,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
}) {
requestUser := cred.AccessKey
if cred.ParentUser != "" {
requestUser = cred.ParentUser
}
if requestUser != svcAccount.ParentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
var svcAccountPolicy iampolicy.Policy
impliedPolicy := policy == nil
// If policy is empty, check for policy of the parent user
if !impliedPolicy {
svc: Display the correct policy of a particular service account (#12064) For InfoServiceAccount API, calculating the policy before showing it to the user was not correctly done (only UX issue, not a security issue) This commit fixes it.
2021-04-15 17:47:58 -04:00
svcAccountPolicy = svcAccountPolicy.Merge(*policy)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
} else {
svcacct: Always search for parent user policy svcacct implied policy (#12117) InfoServiceAccount admin API does not correctly calculate the policy for a given service account in case if the policy is implied. Fix it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-04-21 21:12:02 -04:00
policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, false)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
svc: Display the correct policy of a particular service account (#12064) For InfoServiceAccount API, calculating the policy before showing it to the user was not correctly done (only UX issue, not a security issue) This commit fixes it.
2021-04-15 17:47:58 -04:00
svcAccountPolicy = svcAccountPolicy.Merge(globalIAMSys.GetCombinedPolicy(policiesNames...))
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
}
always indent and reply policy JSON (#12399)
2021-05-29 12:22:22 -04:00
policyJSON, err := json.MarshalIndent(svcAccountPolicy, "", " ")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
var infoResp = madmin.InfoServiceAccountResp{
ParentUser: svcAccount.ParentUser,
AccountStatus: svcAccount.Status,
ImpliedPolicy: impliedPolicy,
Policy: string(policyJSON),
}
data, err := json.Marshal(infoResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
// ListServiceAccounts - GET /minio/admin/v3/list-service-accounts
func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "ListServiceAccounts")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-09 12:59:52 -04:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-19 12:54:40 -04:00
if objectAPI == nil || globalNotificationSys == nil {
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
var targetAccount string
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
user := r.Form.Get("user")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
if user != "" {
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
Action: iampolicy.ListServiceAccountsAdminAction,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
targetAccount = user
} else {
targetAccount = cred.AccessKey
if cred.ParentUser != "" {
targetAccount = cred.ParentUser
}
fix: assume parentUser correctly for serviceAccounts (#9504) ListServiceAccounts/DeleteServiceAccount didn't work properly with STS credentials yet due to incorrect Parent user.
2020-05-01 11:05:14 -04:00
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, targetAccount)
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
var serviceAccountsNames []string
for _, svc := range serviceAccounts {
serviceAccountsNames = append(serviceAccountsNames, svc.AccessKey)
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
var listResp = madmin.ListServiceAccountsResp{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
Accounts: serviceAccountsNames,
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
}
data, err := json.Marshal(listResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
// DeleteServiceAccount - DELETE /minio/admin/v3/delete-service-account
func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "DeleteServiceAccount")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-09 12:59:52 -04:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-19 12:54:40 -04:00
if objectAPI == nil || globalNotificationSys == nil {
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
serviceAccount := mux.Vars(r)["accessKey"]
if serviceAccount == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminInvalidArgument), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
svcAccount, _, err := globalIAMSys.GetServiceAccount(ctx, serviceAccount)
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
adminPrivilege := globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
Action: iampolicy.RemoveServiceAccountAdminAction,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
})
fix: assume parentUser correctly for serviceAccounts (#9504) ListServiceAccounts/DeleteServiceAccount didn't work properly with STS credentials yet due to incorrect Parent user.
2020-05-01 11:05:14 -04:00
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
if !adminPrivilege {
parentUser := cred.AccessKey
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
if parentUser != svcAccount.ParentUser {
// The service account belongs to another user but return not
// found error to mitigate brute force attacks. or the
// serviceAccount doesn't exist.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminServiceAccountNotFound), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
}
err = globalIAMSys.DeleteServiceAccount(ctx, serviceAccount)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: propagate service account deletes properly (#12717) service account deletes were not propagating to remote peers, fix this.
2021-07-15 00:28:53 -04:00
for _, nerr := range globalNotificationSys.DeleteServiceAccount(serviceAccount) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
// Call site replication hook. Only LDAP accounts are supported for
// replication operations.
svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, serviceAccount)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if _, isLDAPAccount := svcAccClaims[ldapUserN]; isLDAPAccount {
err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Delete: &madmin.SRSvcAccDelete{
AccessKey: serviceAccount,
},
},
})
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
add list/delete API service accounts admin API (#9402)
2020-04-24 15:10:09 -04:00
writeSuccessNoContent(w)
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
// AccountInfoHandler returns usage
func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AccountInfo")
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-09 12:59:52 -04:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-19 12:54:40 -04:00
if objectAPI == nil || globalNotificationSys == nil {
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
// Set prefix value for "s3:prefix" policy conditionals.
r.Header.Set("prefix", "")
// Set delimiter value for "s3:delimiter" policy conditionals.
r.Header.Set("delimiter", SlashSeparator)
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 11:51:10 -04:00
// Check if we are asked to return prefix usage
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
enablePrefixUsage := r.Form.Get("prefix-usage") == "true"
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 11:51:10 -04:00
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
isAllowedAccess := func(bucketName string) (rd, wr bool) {
if globalIAMSys.IsAllowed(iampolicy.Args{
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-11 20:39:52 -04:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-23 18:15:51 -04:00
Groups: cred.Groups,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
Action: iampolicy.ListBucketAction,
BucketName: bucketName,
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-11 20:39:52 -04:00
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
IsOwner: owner,
ObjectName: "",
Claims: claims,
}) {
rd = true
}
if globalIAMSys.IsAllowed(iampolicy.Args{
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-11 20:39:52 -04:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-23 18:15:51 -04:00
Groups: cred.Groups,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
Action: iampolicy.PutObjectAction,
BucketName: bucketName,
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-11 20:39:52 -04:00
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
IsOwner: owner,
ObjectName: "",
Claims: claims,
}) {
wr = true
}
return rd, wr
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
var dataUsageInfo DataUsageInfo
fix: allow gateway to work with root credentials (#12655)
2021-07-09 13:35:09 -04:00
var err error
if !globalIsGateway {
// Load the latest calculated data usage
dataUsageInfo, err = loadDataUsageFromBackend(ctx, objectAPI)
if err != nil {
// log the error, continue with the accounting response
logger.LogIf(ctx, err)
}
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
}
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-09 12:53:07 -05:00
// If etcd, dns federation configured list buckets from etcd.
var buckets []BucketInfo
if globalDNSConfig != nil && globalBucketFederation {
dnsBuckets, err := globalDNSConfig.List()
if err != nil && !IsErrIgnored(err,
dns.ErrNoEntriesFound,
dns.ErrDomainMissing) {
fix: root credentials should be able to create users (#12511)
2021-06-15 21:52:01 -04:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-09 12:53:07 -05:00
return
}
for _, dnsRecords := range dnsBuckets {
buckets = append(buckets, BucketInfo{
Name: dnsRecords[0].Key,
Created: dnsRecords[0].CreationDate,
})
}
sort.Slice(buckets, func(i, j int) bool {
return buckets[i].Name < buckets[j].Name
})
} else {
buckets, err = objectAPI.ListBuckets(ctx)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
accountName := cred.AccessKey
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-23 20:39:20 -04:00
var policies []string
switch globalIAMSys.usersSysType {
case MinIOUsersSysType:
policies, err = globalIAMSys.PolicyDBGet(accountName, false)
case LDAPUsersSysType:
Converge PolicyDBGet functions in IAM (#11891)
2021-03-25 03:38:15 -04:00
parentUser := accountName
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
policies, err = globalIAMSys.PolicyDBGet(parentUser, false, cred.Groups...)
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-23 20:39:20 -04:00
default:
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-29 16:01:42 -04:00
err = errors.New("should never happen")
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-23 20:39:20 -04:00
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
if err != nil {
logger.LogIf(ctx, err)
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
always indent and reply policy JSON (#12399)
2021-05-29 12:22:22 -04:00
buf, err := json.MarshalIndent(globalIAMSys.GetCombinedPolicy(policies...), "", " ")
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-27 20:23:57 -05:00
acctInfo := madmin.AccountInfo{
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
AccountName: accountName,
send backendInfo as part AccountInfo (#12733) This is needed for console UI to change the UI behavior for different modes of operation.
2021-07-16 17:37:06 -04:00
Server: objectAPI.BackendInfo(),
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 11:52:02 -04:00
Policy: buf,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
}
for _, bucket := range buckets {
rd, wr := isAllowedAccess(bucket.Name)
if rd || wr {
// Fetch the data usage of the current bucket
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 11:51:10 -04:00
var size uint64
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-17 18:02:21 -04:00
var objectsCount uint64
var objectsHist map[string]uint64
Export bucket usage counts as part of bucket metrics (#9710) Bonus fixes in quota enforcement to use the new datastructure and use timedValue to cache a value/reload automatically avoids one less global variable.
2020-05-27 09:45:43 -04:00
if !dataUsageInfo.LastUpdate.IsZero() {
size = dataUsageInfo.BucketsUsage[bucket.Name].Size
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-17 18:02:21 -04:00
objectsCount = dataUsageInfo.BucketsUsage[bucket.Name].ObjectsCount
objectsHist = dataUsageInfo.BucketsUsage[bucket.Name].ObjectSizesHistogram
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
}
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 11:51:10 -04:00
// Fetch the prefix usage of the current bucket
var prefixUsage map[string]uint64
if enablePrefixUsage {
if pu, err := loadPrefixUsageFromBackend(ctx, objectAPI, bucket.Name); err == nil {
prefixUsage = pu
} else {
logger.LogIf(ctx, err)
}
}
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-17 18:02:21 -04:00
lcfg, _ := globalBucketObjectLockSys.Get(bucket.Name)
quota, _ := globalBucketQuotaSys.Get(bucket.Name)
rcfg, _ := globalBucketMetadataSys.GetReplicationConfig(ctx, bucket.Name)
tcfg, _ := globalBucketMetadataSys.GetTaggingConfig(bucket.Name)
Various improvements in replication (#11949) - collect real time replication metrics for prometheus. - add pending_count, failed_count metric for total pending/failed replication operations. - add API to get replication metrics - add MRF worker to handle spill-over replication operations - multiple issues found with replication - fixes an issue when client sends a bucket name with `/` at the end from SetRemoteTarget API call make sure to trim the bucket name to avoid any extra `/`. - hold write locks in GetObjectNInfo during replication to ensure that object version stack is not overwritten while reading the content. - add additional protection during WriteMetadata() to ensure that we always write a valid FileInfo{} and avoid ever writing empty FileInfo{} to the lowest layers. Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Harshavardhana <harsha@minio.io>
2021-04-03 12:03:42 -04:00
acctInfo.Buckets = append(acctInfo.Buckets, madmin.BucketAccessInfo{
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-17 18:02:21 -04:00
Name: bucket.Name,
Created: bucket.Created,
Size: size,
Objects: objectsCount,
ObjectSizesHistogram: objectsHist,
PrefixUsage: prefixUsage,
Details: &madmin.BucketDetails{
Versioning: globalBucketVersioningSys.Enabled(bucket.Name),
VersioningSuspended: globalBucketVersioningSys.Suspended(bucket.Name),
Replication: rcfg != nil,
Locking: lcfg.LockEnabled,
Quota: quota,
Tagging: tcfg,
},
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-15 21:16:45 -04:00
Access: madmin.AccountAccess{
Read: rd,
Write: wr,
},
})
}
}
usageInfoJSON, err := json.Marshal(acctInfo)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, usageInfoJSON)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// InfoCannedPolicy - GET /minio/admin/v3/info-canned-policy?name={policyName}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "InfoCannedPolicy")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetPolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
policy, err := globalIAMSys.InfoPolicy(mux.Vars(r)["name"])
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
always indent and reply policy JSON (#12399)
2021-05-29 12:22:22 -04:00
buf, err := json.MarshalIndent(policy, "", " ")
if err != nil {
Handling unhandled errors in the InfoCannedPolicy method. (#10575)
2020-09-27 13:24:04 -04:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
always indent and reply policy JSON (#12399)
2021-05-29 12:22:22 -04:00
w.Write(buf)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
// ListBucketPolicies - GET /minio/admin/v3/list-canned-policies?bucket={bucket}
func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "ListBucketPolicies")
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
if objectAPI == nil {
return
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
bucket := mux.Vars(r)["bucket"]
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
policies, err := globalIAMSys.ListPolicies(ctx, bucket)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
var newPolicies = make(map[string]iampolicy.Policy)
for name, p := range policies {
_, err = json.Marshal(p)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
if err != nil {
logger.LogIf(ctx, err)
continue
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
newPolicies[name] = p
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-27 13:15:02 -04:00
if err = json.NewEncoder(w).Encode(newPolicies); err != nil {
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// ListCannedPolicies - GET /minio/admin/v3/list-canned-policies
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "ListCannedPolicies")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
policies, err := globalIAMSys.ListPolicies(ctx, "")
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix support OBDAdminAction is valid action (#9354)
2020-04-15 15:16:40 -04:00
var newPolicies = make(map[string]iampolicy.Policy)
for name, p := range policies {
_, err = json.Marshal(p)
if err != nil {
logger.LogIf(ctx, err)
continue
}
newPolicies[name] = p
}
if err = json.NewEncoder(w).Encode(newPolicies); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// RemoveCannedPolicy - DELETE /minio/admin/v3/remove-canned-policy?name=<policy_name>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "RemoveCannedPolicy")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DeletePolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["name"]
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err := globalIAMSys.DeletePolicy(ctx, policyName); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to delete policy
for _, nerr := range globalNotificationSys.DeletePolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
// Call cluster-replication policy creation hook to replicate policy deletion to
// other minio clusters.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemPolicy,
Name: policyName,
}); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// AddCannedPolicy - PUT /minio/admin/v3/add-canned-policy?name=<policy_name>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AddCannedPolicy")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.CreatePolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["name"]
// Error out if Content-Length is missing.
if r.ContentLength <= 0 {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
return
}
// Error out if Content-Length is beyond allowed size.
if r.ContentLength > maxBucketPolicySize {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
return
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
iamPolicyBytes, err := ioutil.ReadAll(io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
iamPolicy, err := iampolicy.ParseConfig(bytes.NewReader(iamPolicyBytes))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if err != nil {
Add more context aware error for policy parsing errors (#8726) In existing functionality we simply return a generic error such as "MalformedPolicy" which indicates just a generic string "invalid resource" which is not very meaningful when there might be multiple types of errors during policy parsing. This PR ensures that we send these errors back to client to indicate the actual error, brings in two concrete types such as - iampolicy.Error - policy.Error Refer #8202
2020-01-03 14:28:52 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
return
}
// Version in policy must not be empty
if iamPolicy.Version == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMalformedPolicy), r.URL)
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err = globalIAMSys.SetPolicy(ctx, policyName, *iamPolicy); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to reload policy
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
// Call cluster-replication policy creation hook to replicate policy to
// other minio clusters.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemPolicy,
Name: policyName,
Policy: iamPolicyBytes,
}); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-07 22:30:59 -04:00
// SetPolicyForUserOrGroup - PUT /minio/admin/v3/set-policy?policy=xxx&user-or-group=?[&is-group]
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "SetPolicyForUserOrGroup")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-11 13:34:08 -04:00
Use common function for authenticating admin requests (#12915)
2021-08-09 21:14:38 -04:00
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AttachPolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["policyName"]
entityName := vars["userOrGroup"]
isGroup := vars["isGroup"] == "true"
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-19 17:21:21 -05:00
if !isGroup {
fix: service account permissions generated from LDAP user (#11637) service accounts generated from LDAP parent user did not inherit correct permissions, this PR fixes this fully.
2021-02-25 16:49:59 -05:00
ok, _, err := globalIAMSys.IsTempUser(entityName)
Fix policy setting error in LDAP setups (#9303) Fixes #8667 In addition to the above, if the user is mapped to a policy or belongs in a group, the user-info API returns this information, but otherwise, the API will now return a non-existent user error.
2020-04-09 04:04:08 -04:00
if err != nil && err != errNoSuchUser {
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-19 17:21:21 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err := globalIAMSys.PolicyDBSet(ctx, entityName, policyName, isGroup); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Notify all other MinIO peers to reload policy
For IAM with etcd backend, avoid sending notifications (#13472) As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
2021-10-20 06:22:35 -04:00
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemPolicyMapping,
PolicyMapping: &madmin.SRPolicyMapping{
UserOrGroup: entityName,
IsGroup: isGroup,
Policy: policyName,
},
}); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 12:27:23 -05:00
}