mirror of https://github.com/minio/minio.git
support ldap:username for policy substitution (#12390)
LDAPusername is the simpler form of LDAPUser (userDN), using a simpler version is convenient from policy conditions point of view, since these are unique id's used for LDAP login.
This commit is contained in:
parent
fa8e3151bc
commit
4444ba13a4
|
@ -174,6 +174,8 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
|
|||
// Special case for AD/LDAP STS users
|
||||
if k == ldapUser {
|
||||
args["user"] = []string{vStr}
|
||||
} else if k == ldapUsername {
|
||||
args["username"] = []string{vStr}
|
||||
} else {
|
||||
args[k] = []string{vStr}
|
||||
}
|
||||
|
|
|
@ -64,7 +64,8 @@ const (
|
|||
parentClaim = "parent"
|
||||
|
||||
// LDAP claim keys
|
||||
ldapUser = "ldapUser"
|
||||
ldapUser = "ldapUser"
|
||||
ldapUsername = "ldapUsername"
|
||||
)
|
||||
|
||||
// stsAPIHandlers implements and provides http handlers for AWS STS API.
|
||||
|
@ -525,8 +526,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
|||
|
||||
expiryDur := globalLDAPConfig.GetExpiryDuration()
|
||||
m := map[string]interface{}{
|
||||
expClaim: UTCNow().Add(expiryDur).Unix(),
|
||||
ldapUser: ldapUserDN,
|
||||
expClaim: UTCNow().Add(expiryDur).Unix(),
|
||||
ldapUsername: ldapUsername,
|
||||
ldapUser: ldapUserDN,
|
||||
}
|
||||
|
||||
if len(sessionPolicyStr) > 0 {
|
||||
|
|
|
@ -191,7 +191,7 @@ Following example shows OpenID users with full programmatic access to a OpenID u
|
|||
}
|
||||
```
|
||||
|
||||
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
|
||||
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:username`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
|
||||
```
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
|
@ -200,7 +200,7 @@ If the user is authenticating using an STS credential which was authorized from
|
|||
"Action": ["s3:ListBucket"],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket"],
|
||||
"Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
|
||||
"Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
|
||||
},
|
||||
{
|
||||
"Action": [
|
||||
|
@ -208,7 +208,7 @@ If the user is authenticating using an STS credential which was authorized from
|
|||
"s3:PutObject"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
|
||||
"Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -235,7 +235,7 @@ If the user is authenticating using an STS credential which was authorized from
|
|||
```
|
||||
|
||||
- *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
|
||||
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
|
||||
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:username` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
|
||||
|
||||
|
||||
## Explore Further
|
||||
|
|
|
@ -4,10 +4,10 @@
|
|||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:ListBucket"
|
||||
"s3:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::${ldap:user}"
|
||||
"arn:aws:s3:::${ldap:username}/*"
|
||||
]
|
||||
}
|
||||
]
|
|
@ -148,6 +148,7 @@ var AllSupportedKeys = append([]Key{
|
|||
AWSUserID,
|
||||
AWSUsername,
|
||||
LDAPUser,
|
||||
LDAPUsername,
|
||||
// Add new supported condition keys.
|
||||
}, JWTKeys...)
|
||||
|
||||
|
@ -167,6 +168,7 @@ var CommonKeys = append([]Key{
|
|||
AWSUserID,
|
||||
AWSUsername,
|
||||
LDAPUser,
|
||||
LDAPUsername,
|
||||
}, JWTKeys...)
|
||||
|
||||
func substFuncFromValues(values map[string][]string) func(string) string {
|
||||
|
|
|
@ -18,6 +18,9 @@
|
|||
package condition
|
||||
|
||||
const (
|
||||
// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user.
|
||||
// LDAPUser - LDAP user DN, in MinIO this value is equal to user DN of the authenticated user.
|
||||
LDAPUser Key = "ldap:user"
|
||||
|
||||
// LDAPUsername - LDAP username, in MinIO is the authenticated simply user.
|
||||
LDAPUsername Key = "ldap:username"
|
||||
)
|
||||
|
|
Loading…
Reference in New Issue