MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-18 09:50:02 -04:00
Code Issues Packages Projects Releases Wiki Activity

support ldap:username for policy substitution (#12390)

Browse Source 
LDAPusername is the simpler form of LDAPUser (userDN),
using a simpler version is convenient from policy
conditions point of view, since these are unique id's
used for LDAP login.
This commit is contained in:
Harshavardhana 2021-05-28 10:33:07 -07:00 committed by GitHub
parent fa8e3151bc
commit 4444ba13a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/bucket-policy.go
View File

@ -174,6 +174,8 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
// Special case for AD/LDAP STS users // Special case for AD/LDAP STS users
if k == ldapUser { if k == ldapUser {
args["user"] = []string{vStr} args["user"] = []string{vStr}
} else if k == ldapUsername {
args["username"] = []string{vStr}
} else { } else {
args[k] = []string{vStr} args[k] = []string{vStr}
} }

2
cmd/sts-handlers.go
View File

@ -65,6 +65,7 @@ const (
// LDAP claim keys // LDAP claim keys
ldapUser = "ldapUser" ldapUser = "ldapUser"
ldapUsername = "ldapUsername"
) )
// stsAPIHandlers implements and provides http handlers for AWS STS API. // stsAPIHandlers implements and provides http handlers for AWS STS API.
@ -526,6 +527,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
expiryDur := globalLDAPConfig.GetExpiryDuration() expiryDur := globalLDAPConfig.GetExpiryDuration()
m := map[string]interface{}{ m := map[string]interface{}{
expClaim: UTCNow().Add(expiryDur).Unix(), expClaim: UTCNow().Add(expiryDur).Unix(),
ldapUsername: ldapUsername,
ldapUser: ldapUserDN, ldapUser: ldapUserDN,
} }

8
docs/multi-user/README.md
View File

@ -191,7 +191,7 @@ Following example shows OpenID users with full programmatic access to a OpenID u
} }
``` ```
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO. If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:username`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
``` ```
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
@ -200,7 +200,7 @@ If the user is authenticating using an STS credential which was authorized from
"Action": ["s3:ListBucket"], "Action": ["s3:ListBucket"],
"Effect": "Allow", "Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"], "Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}} "Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
}, },
{ {
"Action": [ "Action": [
@ -208,7 +208,7 @@ If the user is authenticating using an STS credential which was authorized from
"s3:PutObject" "s3:PutObject"
], ],
"Effect": "Allow", "Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"] "Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
} }
] ]
} }
@ -235,7 +235,7 @@ If the user is authenticating using an STS credential which was authorized from
``` ```
- *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string. - *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO. - *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:username` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
## Explore Further ## Explore Further

4
docs/sts/list-objects-with-ldap-user.json → docs/sts/rw-ldap-username.json
View File

@ -4,10 +4,10 @@
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"s3:ListBucket" "s3:*"
], ],
"Resource": [ "Resource": [
"arn:aws:s3:::${ldap:user}" "arn:aws:s3:::${ldap:username}/*"
] ]
} }
] ]

2
pkg/bucket/policy/condition/key.go
View File

@ -148,6 +148,7 @@ var AllSupportedKeys = append([]Key{
AWSUserID, AWSUserID,
AWSUsername, AWSUsername,
LDAPUser, LDAPUser,
LDAPUsername,
// Add new supported condition keys. // Add new supported condition keys.
}, JWTKeys...) }, JWTKeys...)
@ -167,6 +168,7 @@ var CommonKeys = append([]Key{
AWSUserID, AWSUserID,
AWSUsername, AWSUsername,
LDAPUser, LDAPUser,
LDAPUsername,
}, JWTKeys...) }, JWTKeys...)
func substFuncFromValues(values map[string][]string) func(string) string { func substFuncFromValues(values map[string][]string) func(string) string {

5
pkg/bucket/policy/condition/ldap.go
View File

@ -18,6 +18,9 @@
package condition package condition
const ( const (
// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user. // LDAPUser - LDAP user DN, in MinIO this value is equal to user DN of the authenticated user.
LDAPUser Key = "ldap:user" LDAPUser Key = "ldap:user"
// LDAPUsername - LDAP username, in MinIO is the authenticated simply user.
LDAPUsername Key = "ldap:username"
) )