support ldap:username for policy substitution (#12390)

LDAPusername is the simpler form of LDAPUser (userDN),
using a simpler version is convenient from policy
conditions point of view, since these are unique id's
used for LDAP login.
This commit is contained in:
Harshavardhana 2021-05-28 10:33:07 -07:00 committed by GitHub
parent fa8e3151bc
commit 4444ba13a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 19 additions and 10 deletions

View File

@ -174,6 +174,8 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
// Special case for AD/LDAP STS users
if k == ldapUser {
args["user"] = []string{vStr}
} else if k == ldapUsername {
args["username"] = []string{vStr}
} else {
args[k] = []string{vStr}
}

View File

@ -64,7 +64,8 @@ const (
parentClaim = "parent"
// LDAP claim keys
ldapUser = "ldapUser"
ldapUser = "ldapUser"
ldapUsername = "ldapUsername"
)
// stsAPIHandlers implements and provides http handlers for AWS STS API.
@ -525,8 +526,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
expiryDur := globalLDAPConfig.GetExpiryDuration()
m := map[string]interface{}{
expClaim: UTCNow().Add(expiryDur).Unix(),
ldapUser: ldapUserDN,
expClaim: UTCNow().Add(expiryDur).Unix(),
ldapUsername: ldapUsername,
ldapUser: ldapUserDN,
}
if len(sessionPolicyStr) > 0 {

View File

@ -191,7 +191,7 @@ Following example shows OpenID users with full programmatic access to a OpenID u
}
```
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:username`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
```
{
"Version": "2012-10-17",
@ -200,7 +200,7 @@ If the user is authenticating using an STS credential which was authorized from
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
"Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
},
{
"Action": [
@ -208,7 +208,7 @@ If the user is authenticating using an STS credential which was authorized from
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
"Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
}
]
}
@ -235,7 +235,7 @@ If the user is authenticating using an STS credential which was authorized from
```
- *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:username` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
## Explore Further

View File

@ -4,10 +4,10 @@
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
"s3:*"
],
"Resource": [
"arn:aws:s3:::${ldap:user}"
"arn:aws:s3:::${ldap:username}/*"
]
}
]

View File

@ -148,6 +148,7 @@ var AllSupportedKeys = append([]Key{
AWSUserID,
AWSUsername,
LDAPUser,
LDAPUsername,
// Add new supported condition keys.
}, JWTKeys...)
@ -167,6 +168,7 @@ var CommonKeys = append([]Key{
AWSUserID,
AWSUsername,
LDAPUser,
LDAPUsername,
}, JWTKeys...)
func substFuncFromValues(values map[string][]string) func(string) string {

View File

@ -18,6 +18,9 @@
package condition
const (
// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user.
// LDAPUser - LDAP user DN, in MinIO this value is equal to user DN of the authenticated user.
LDAPUser Key = "ldap:user"
// LDAPUsername - LDAP username, in MinIO is the authenticated simply user.
LDAPUsername Key = "ldap:username"
)