ldap: Create services accounts for LDAP and STS temp accounts (#11808)

2025-11-25 12:06:10 -05:00 · 2021-04-15 06:51:14 +01:00
parent b70c298c27
commit 291d2793ca
12 changed files with 731 additions and 178 deletions
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@@ -77,6 +77,17 @@ const (
 	// GetUserAdminAction - allows GET permission on user info
 	GetUserAdminAction = "admin:GetUser"

+	// Service account Actions
+
+	// CreateServiceAccountAdminAction - allow create a service account for a user
+	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"
+	// UpdateServiceAccountAdminAction - allow updating a service account
+	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"
+	// RemoveServiceAccountAdminAction - allow removing a service account
+	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"
+	// ListServiceAccountsAdminAction - allow listing service accounts
+	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"
+
 	// Group Actions

 	// AddUserToGroupAdminAction - allow adding user to group permission
@@ -125,43 +136,47 @@ const (

 // List of all supported admin actions.
 var supportedAdminActions = map[AdminAction]struct{}{
-	HealAdminAction:                {},
-	StorageInfoAdminAction:         {},
-	DataUsageInfoAdminAction:       {},
-	TopLocksAdminAction:            {},
-	ProfilingAdminAction:           {},
-	TraceAdminAction:               {},
-	ConsoleLogAdminAction:          {},
-	KMSKeyStatusAdminAction:        {},
-	ServerInfoAdminAction:          {},
-	HealthInfoAdminAction:          {},
-	BandwidthMonitorAction:         {},
-	ServerUpdateAdminAction:        {},
-	ServiceRestartAdminAction:      {},
-	ServiceStopAdminAction:         {},
-	ConfigUpdateAdminAction:        {},
-	CreateUserAdminAction:          {},
-	DeleteUserAdminAction:          {},
-	ListUsersAdminAction:           {},
-	EnableUserAdminAction:          {},
-	DisableUserAdminAction:         {},
-	GetUserAdminAction:             {},
-	AddUserToGroupAdminAction:      {},
-	RemoveUserFromGroupAdminAction: {},
-	GetGroupAdminAction:            {},
-	ListGroupsAdminAction:          {},
-	EnableGroupAdminAction:         {},
-	DisableGroupAdminAction:        {},
-	CreatePolicyAdminAction:        {},
-	DeletePolicyAdminAction:        {},
-	GetPolicyAdminAction:           {},
-	AttachPolicyAdminAction:        {},
-	ListUserPoliciesAdminAction:    {},
-	SetBucketQuotaAdminAction:      {},
-	GetBucketQuotaAdminAction:      {},
-	SetBucketTargetAction:          {},
-	GetBucketTargetAction:          {},
-	AllAdminActions:                {},
+	HealAdminAction:                 {},
+	StorageInfoAdminAction:          {},
+	DataUsageInfoAdminAction:        {},
+	TopLocksAdminAction:             {},
+	ProfilingAdminAction:            {},
+	TraceAdminAction:                {},
+	ConsoleLogAdminAction:           {},
+	KMSKeyStatusAdminAction:         {},
+	ServerInfoAdminAction:           {},
+	HealthInfoAdminAction:           {},
+	BandwidthMonitorAction:          {},
+	ServerUpdateAdminAction:         {},
+	ServiceRestartAdminAction:       {},
+	ServiceStopAdminAction:          {},
+	ConfigUpdateAdminAction:         {},
+	CreateUserAdminAction:           {},
+	DeleteUserAdminAction:           {},
+	ListUsersAdminAction:            {},
+	EnableUserAdminAction:           {},
+	DisableUserAdminAction:          {},
+	GetUserAdminAction:              {},
+	AddUserToGroupAdminAction:       {},
+	RemoveUserFromGroupAdminAction:  {},
+	GetGroupAdminAction:             {},
+	ListGroupsAdminAction:           {},
+	EnableGroupAdminAction:          {},
+	DisableGroupAdminAction:         {},
+	CreateServiceAccountAdminAction: {},
+	UpdateServiceAccountAdminAction: {},
+	RemoveServiceAccountAdminAction: {},
+	ListServiceAccountsAdminAction:  {},
+	CreatePolicyAdminAction:         {},
+	DeletePolicyAdminAction:         {},
+	GetPolicyAdminAction:            {},
+	AttachPolicyAdminAction:         {},
+	ListUserPoliciesAdminAction:     {},
+	SetBucketQuotaAdminAction:       {},
+	GetBucketQuotaAdminAction:       {},
+	SetBucketTargetAction:           {},
+	GetBucketTargetAction:           {},
+	AllAdminActions:                 {},
 }

 // IsValid - checks if action is valid or not.
@@ -172,40 +187,45 @@ func (action AdminAction) IsValid() bool {

 // adminActionConditionKeyMap - holds mapping of supported condition key for an action.
 var adminActionConditionKeyMap = map[Action]condition.KeySet{
-	AllAdminActions:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	HealAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	StorageInfoAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServerInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DataUsageInfoAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	HealthInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	BandwidthMonitorAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	TopLocksAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ProfilingAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	TraceAdminAction:               condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ConsoleLogAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	KMSKeyStatusAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServerUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServiceRestartAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServiceStopAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ConfigUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	CreateUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DeleteUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListUsersAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	EnableUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DisableUserAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetUserAdminAction:             condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	AddUserToGroupAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListGroupsAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	EnableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DisableGroupAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	CreatePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DeletePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetPolicyAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	AttachPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListUserPoliciesAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	SetBucketQuotaAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetBucketQuotaAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	SetBucketTargetAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetBucketTargetAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	AllAdminActions:                 condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	HealAdminAction:                 condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	StorageInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServerInfoAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DataUsageInfoAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	HealthInfoAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	BandwidthMonitorAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	TopLocksAdminAction:             condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ProfilingAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	TraceAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ConsoleLogAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	KMSKeyStatusAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServerUpdateAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServiceRestartAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServiceStopAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ConfigUpdateAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	CreateUserAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DeleteUserAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListUsersAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	EnableUserAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DisableUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetUserAdminAction:              condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	AddUserToGroupAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	RemoveUserFromGroupAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListGroupsAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	EnableGroupAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DisableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	CreateServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	UpdateServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	RemoveServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListServiceAccountsAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
+
+	CreatePolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DeletePolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	AttachPolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	SetBucketQuotaAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetBucketQuotaAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	SetBucketTargetAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetBucketTargetAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
 }