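# GitHub Actions workflow: IAM integration tests for MinIO.
#
# Runs the IAM test targets against combinations of external services
# (OpenLDAP, etcd, Dex OpenID) started as job-level service containers.
# The matrix drives which services a given job enables; an empty matrix
# value means "that server is off for this run" (see the strategy comment).
name: IAM integration

# yamllint disable-line rule:truthy — `on` is the GitHub Actions trigger key.
on:
  pull_request:
    branches:
      - master

# This ensures that previous jobs for the PR are canceled when the PR is
# updated.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: the jobs only need to read the repository.
permissions:
  contents: read

jobs:
  iam-matrix-test:
    name: "[Go=${{ matrix.go-version }}|ldap=${{ matrix.ldap }}|etcd=${{ matrix.etcd }}|openid=${{ matrix.openid }}]"
    runs-on: ubuntu-latest

    # Service containers are ephemeral and only reachable from this job; the
    # credentials below are throwaway test values for those containers.
    services:
      openldap:
        image: quay.io/minio/openldap
        ports:
          - "389:389"
          - "636:636"
        env:
          LDAP_ORGANIZATION: "MinIO Inc"
          LDAP_DOMAIN: "min.io"
          LDAP_ADMIN_PASSWORD: "admin"
      etcd:
        image: "quay.io/coreos/etcd:v3.5.1"
        env:
          ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
          ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
        ports:
          - "2379:2379"
        # Gate the job on etcd actually answering, not just the container
        # having started.
        options: >-
          --health-cmd "etcdctl endpoint health"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      openid:
        image: quay.io/minio/dex
        ports:
          - "5556:5556"
        env:
          DEX_LDAP_SERVER: "openldap:389"
      # Second Dex instance for the multiple-OpenID-provider test; it must
      # announce a distinct issuer and listen on a distinct port.
      openid2:
        image: quay.io/minio/dex
        ports:
          - "5557:5557"
        env:
          DEX_LDAP_SERVER: "openldap:389"
          DEX_ISSUER: "http://127.0.0.1:5557/dex"
          DEX_WEB_HTTP: "0.0.0.0:5557"

    strategy:
      # When ldap, etcd or openid vars are empty below, those external servers
      # are turned off - i.e. if ldap="", then ldap server is not enabled for
      # the tests.
      matrix:
        # Quoted so YAML never re-types the version string.
        go-version: ["1.22.x"]
        ldap: ["", "localhost:389"]
        etcd: ["", "http://localhost:2379"]
        openid: ["", "http://127.0.0.1:5556/dex"]
        exclude:
          # exclude combos where all are empty.
          - ldap: ""
            etcd: ""
            openid: ""
          # exclude combos where both ldap and openid IDPs are specified.
          - ldap: "localhost:389"
            openid: "http://127.0.0.1:5556/dex"

    steps:
      # NOTE(review): actions are pinned to major tags; pinning to a full
      # commit SHA would make the supply chain of this workflow immutable.
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
          check-latest: true
      # sysctl changes persist on the runner VM for the rest of the job, so
      # enable IPv6 once instead of repeating it in every test step.
      - name: Enable IPv6 on the runner
        run: |
          sudo sysctl net.ipv6.conf.all.disable_ipv6=0
          sudo sysctl net.ipv6.conf.default.disable_ipv6=0
      - name: Test LDAP/OpenID/Etcd combo
        env:
          _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
          _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
          _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
        run: |
          make test-iam
      - name: Test with multiple OpenID providers
        if: matrix.openid == 'http://127.0.0.1:5556/dex'
        env:
          _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
          _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
          _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
          _MINIO_OPENID_TEST_SERVER_2: "http://127.0.0.1:5557/dex"
        run: |
          make test-iam
      - name: Test with Access Management Plugin enabled
        env:
          _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
          _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
          _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
          _MINIO_POLICY_PLUGIN_TEST_ENDPOINT: "http://127.0.0.1:8080"
        run: |
          # NOTE(review): the plugin is started in the background with no
          # readiness wait; presumably `make test-iam` tolerates the startup
          # delay or the tests retry — confirm.
          go run docs/iam/access-manager-plugin.go &
          make test-iam
      # The matrix only ever sets ldap to "" or "localhost:389"; the previous
      # condition compared against 'ldaphost:389' and so this step never ran.
      - name: Test MinIO Old Version data to IAM import current version
        if: matrix.ldap == 'localhost:389'
        env:
          _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
        run: |
          make test-iam-ldap-upgrade-import
      - name: Test LDAP for automatic site replication
        if: matrix.ldap == 'localhost:389'
        run: |
          make test-site-replication-ldap
      - name: Test OIDC for automatic site replication
        if: matrix.openid == 'http://127.0.0.1:5556/dex'
        run: |
          make test-site-replication-oidc

  iam-import-with-missing-entities:
    name: Test IAM import in new cluster with missing entities
    runs-on: ubuntu-latest
    # This job referenced ${{ matrix.go-version }} without declaring a matrix,
    # so setup-go received an empty version. Declare the same Go version as
    # iam-matrix-test so both jobs build with the same toolchain.
    strategy:
      matrix:
        go-version: ["1.22.x"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
          check-latest: true
      # NOTE(review): this checks out the default branch of a second
      # repository; pinning `ref:` to a tag or commit would make the test
      # fixtures change only deliberately.
      - name: Checkout minio-iam-testing
        uses: actions/checkout@v4
        with:
          repository: minio/minio-iam-testing
          path: minio-iam-testing
      - name: Test import of IAM artifacts when in fresh cluster there are missing groups etc
        run: |
          make test-iam-import-with-missing-entities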