MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

support ldap:username for policy substitution (#12390)

Browse Source 
LDAPusername is the simpler form of LDAPUser (userDN),
using a simpler version is convenient from policy
conditions point of view, since these are unique id's
used for LDAP login.
This commit is contained in:
Harshavardhana
2021-05-28 10:33:07 -07:00
committed by GitHub
parent fa8e3151bc
commit 4444ba13a4
6 changed files with 19 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/multi-user/README.md
View File

@@ -191,7 +191,7 @@ Following example shows OpenID users with full programmatic access to a OpenID u
}
```
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:username`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
```
{
"Version": "2012-10-17",
@@ -200,7 +200,7 @@ If the user is authenticating using an STS credential which was authorized from
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
"Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
},
{
"Action": [
@@ -208,7 +208,7 @@ If the user is authenticating using an STS credential which was authorized from
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
"Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
}
]
}
@@ -235,7 +235,7 @@ If the user is authenticating using an STS credential which was authorized from
```
- *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:username` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
## Explore Further