MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-20 10:37:31 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix OPA result response handling (#7763)

Browse Source 
Also update the document with updated rego policy
and updated OPA agent REST API.

This PR is to fix a regression caused by PR #7637
This commit is contained in:
Harshavardhana 2019-06-10 17:06:32 -07:00 committed by kannappanr
parent 91ceae23d0
commit 002a205c9c
4 changed files with 43 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/sts/docker-compose.yml
View File

@ -1,7 +1,7 @@
version: '2' version: '2'
services: services:
opa: opa:
image: openpolicyagent/opa:0.9.1 image: openpolicyagent/opa:0.11.0
ports: ports:
- 8181:8181 - 8181:8181
command: command:

13
docs/sts/opa.md
View File

@ -15,7 +15,7 @@ cat >docker-compose.yml <<EOF
version: '2' version: '2'
services: services:
opa: opa:
image: openpolicyagent/opa:0.9.1 image: openpolicyagent/opa:0.11.0
ports: ports:
- 8181:8181 - 8181:8181
command: command:
@ -45,11 +45,12 @@ package httpapi.authz
import input as http_api import input as http_api
allow { default allow = false
input.action = "s3:PutObject"
input.owner = false
}
allow = true {
http_api.action = "s3:PutObject"
http_api.owner = false
}
EOF EOF
``` ```
@ -62,7 +63,7 @@ curl -X PUT --data-binary @putobject.rego \
### 4. Setup MinIO with OPA ### 4. Setup MinIO with OPA
MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry. MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry.
``` ```
export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
minio server /mnt/data minio server /mnt/data
``` ```

8
docs/sts/putobject.rego
View File

@ -2,7 +2,9 @@ package httpapi.authz
import input as http_api import input as http_api
allow { default allow = false
input.action = "s3:PutObject"
input.owner = false allow = true {
http_api.action = "s3:PutObject"
http_api.owner = false
} }

37
pkg/iam/policy/opa.go
View File

@ -20,6 +20,7 @@ import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"os" "os"
@ -121,14 +122,36 @@ func (o *Opa) IsAllowed(args Args) bool {
} }
defer o.args.CloseRespFn(resp.Body) defer o.args.CloseRespFn(resp.Body)
// Handle OPA response // Read the body to be saved later.
type opaResponse struct { opaRespBytes, err := ioutil.ReadAll(resp.Body)
Allow bool `json:"allow"` if err != nil {
}
var result opaResponse
if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
return false return false
} }
return result.Allow // Handle large OPA responses when OPA URL is of
// form http://localhost:8181/v1/data/httpapi/authz
type opaResultAllow struct {
Result struct {
Allow bool `json:"allow"`
} `json:"result"`
}
// Handle simpler OPA responses when OPA URL is of
// form http://localhost:8181/v1/data/httpapi/authz/allow
type opaResult struct {
Result bool `json:"result"`
}
respBody := bytes.NewReader(opaRespBytes)
var result opaResult
if err = json.NewDecoder(respBody).Decode(&result); err != nil {
respBody.Seek(0, 0)
var resultAllow opaResultAllow
if err = json.NewDecoder(respBody).Decode(&resultAllow); err != nil {
return false
}
return resultAllow.Result.Allow
}
return result.Result
} }