Add service account type in IAM (#9029)

pkg/auth/credentials.go

@@ -90,6 +90,7 @@ type Credentials struct {
 	Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
 	SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
 	Status       string    `xml:"-" json:"status,omitempty"`
+	ParentUser   string    `xml:"-" json:"parentUser,omitempty"`
 }
 
 func (cred Credentials) String() string {
@@ -119,7 +120,12 @@ func (cred Credentials) IsExpired() bool {
 
 // IsTemp - returns whether credential is temporary or not.
 func (cred Credentials) IsTemp() bool {
-	return cred.SessionToken != ""
+	return cred.SessionToken != "" && cred.ParentUser == ""
+}
+
+// IsServiceAccount - returns whether credential is a service account or not
+func (cred Credentials) IsServiceAccount() bool {
+	return cred.ParentUser != ""
 }
 
 // IsValid - returns whether credential is valid or not.
@@ -207,14 +213,15 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 		"/", "+", -1)
 	cred.Status = "on"
 
+	if tokenSecret == "" {
+		cred.Expiration = timeSentinel
+		return cred, nil
+	}
+
 	expiry, err := ExpToInt64(m["exp"])
 	if err != nil {
 		return cred, err
 	}
-	if expiry == 0 {
-		cred.Expiration = timeSentinel
-		return cred, nil
-	}
 
 	m["accessKey"] = cred.AccessKey
 	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))

pkg/madmin/examples/add-service-account-and-policy.go

@@ -0,0 +1,52 @@
+// +build ignore
+
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/minio/minio/pkg/madmin"
+)
+
+func main() {
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
+	// dummy values, please replace them with original values.
+
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
+	// dummy values, please replace them with original values.
+
+	// API requests are secure (HTTPS) if secure=true and insecure (HTTP) otherwise.
+	// New returns an MinIO Admin client object.
+	madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	// Create policy
+	policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::testbucket/*"],"Sid": ""}]}`
+
+	creds, err := madmClnt.AddServiceAccount("parentuser", policy)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	fmt.Println(creds)
+}

pkg/madmin/examples/get-service-account.go

@@ -0,0 +1,49 @@
+// +build ignore
+
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/minio/minio/pkg/madmin"
+)
+
+func main() {
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
+	// dummy values, please replace them with original values.
+
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
+	// dummy values, please replace them with original values.
+
+	// API requests are secure (HTTPS) if secure=true and insecure (HTTP) otherwise.
+	// New returns an MinIO Admin client object.
+	madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	creds, err := madmClnt.GetServiceAccount("service-account-access-key")
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	fmt.Println(creds)
+}

pkg/madmin/user-commands.go

@@ -210,3 +210,101 @@ func (adm *AdminClient) SetUserStatus(accessKey string, status AccountStatus) er
 
 	return nil
 }
+
+// AddServiceAccountReq is the request body of the add service account admin call
+type AddServiceAccountReq struct {
+	Parent string `json:"parent"`
+	Policy string `json:"policy"`
+}
+
+// AddServiceAccountResp is the response body of the add service account admin call
+type AddServiceAccountResp struct {
+	Credentials auth.Credentials `json:"credentials"`
+}
+
+// AddServiceAccount - creates a new service account belonging to the given parent user
+// while restricting the service account permission by the given policy document.
+func (adm *AdminClient) AddServiceAccount(parentUser string, policy string) (auth.Credentials, error) {
+
+	if !auth.IsAccessKeyValid(parentUser) {
+		return auth.Credentials{}, auth.ErrInvalidAccessKeyLength
+	}
+
+	data, err := json.Marshal(AddServiceAccountReq{
+		Parent: parentUser,
+		Policy: policy,
+	})
+	if err != nil {
+		return auth.Credentials{}, err
+	}
+
+	econfigBytes, err := EncryptData(adm.secretAccessKey, data)
+	if err != nil {
+		return auth.Credentials{}, err
+	}
+
+	reqData := requestData{
+		relPath: adminAPIPrefix + "/add-service-account",
+		content: econfigBytes,
+	}
+
+	// Execute PUT on /minio/admin/v2/add-service-account to set a user.
+	resp, err := adm.executeMethod("PUT", reqData)
+	defer closeResponse(resp)
+	if err != nil {
+		return auth.Credentials{}, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return auth.Credentials{}, httpRespToErrorResponse(resp)
+	}
+
+	data, err = DecryptData(adm.secretAccessKey, resp.Body)
+	if err != nil {
+		return auth.Credentials{}, err
+	}
+
+	var serviceAccountResp AddServiceAccountResp
+	if err = json.Unmarshal(data, &serviceAccountResp); err != nil {
+		return auth.Credentials{}, err
+	}
+	return serviceAccountResp.Credentials, nil
+}
+
+// GetServiceAccount returns the credential of the service account
+func (adm *AdminClient) GetServiceAccount(serviceAccountAccessKey string) (auth.Credentials, error) {
+
+	if !auth.IsAccessKeyValid(serviceAccountAccessKey) {
+		return auth.Credentials{}, auth.ErrInvalidAccessKeyLength
+	}
+
+	queryValues := url.Values{}
+	queryValues.Set("accessKey", serviceAccountAccessKey)
+
+	reqData := requestData{
+		relPath:     adminAPIPrefix + "/get-service-account",
+		queryValues: queryValues,
+	}
+
+	// Execute GET on /minio/admin/v2/get-service-account to set a user.
+	resp, err := adm.executeMethod("GET", reqData)
+	defer closeResponse(resp)
+	if err != nil {
+		return auth.Credentials{}, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return auth.Credentials{}, httpRespToErrorResponse(resp)
+	}
+
+	data, err := DecryptData(adm.secretAccessKey, resp.Body)
+	if err != nil {
+		return auth.Credentials{}, err
+	}
+
+	var creds auth.Credentials
+	if err = json.Unmarshal(data, &creds); err != nil {
+		return auth.Credentials{}, err
+	}
+	return creds, nil
+}