support 'ldap:user' variable replacement properly (#10391)

also update `ldap.go` examples with latest
minio-go changes

Fixes #10367
This commit is contained in:
Harshavardhana 2020-08-31 23:56:22 -07:00 committed by GitHub
parent 9ffad7fceb
commit 4b6585d249
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 36 additions and 26 deletions

View File

@ -151,9 +151,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
if ok {
// Special case for AD/LDAP STS users
if k == ldapUser {
args[ldapUserPolicyVariable] = []string{vStr}
args["user"] = []string{vStr}
} else {
args[k] = []string{vStr}
}
args[k] = []string{vStr}
}
}

View File

@ -61,8 +61,7 @@ const (
parentClaim = "parent"
// LDAP claim keys
ldapUser = "ldapUser"
ldapUserPolicyVariable = "ldap:user"
ldapUser = "ldapUser"
)
// stsAPIHandlers implements and provides http handlers for AWS STS API.

View File

@ -18,12 +18,13 @@
package main
import (
"context"
"flag"
"fmt"
"log"
"net/url"
miniogo "github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7"
cr "github.com/minio/minio-go/v7/pkg/credentials"
)
@ -53,39 +54,34 @@ func main() {
// LDAP STS API.
// Initialize LDAP credentials
li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
if err != nil {
log.Fatalf("INIT Err: %v", err)
}
li, _ := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
// Generate temporary STS credentials
v, err := li.Get()
if err != nil {
log.Fatalf("GET Err: %v", err)
}
fmt.Printf("%#v\n", v)
stsEndpointUrl, err := url.Parse(stsEndpoint)
stsEndpointURL, err := url.Parse(stsEndpoint)
if err != nil {
log.Fatalf("Err: %v", err)
}
secure := false
if stsEndpointUrl.Scheme == "https" {
secure = true
opts := &minio.Options{
Creds: li,
Secure: stsEndpointURL.Scheme == "https",
}
fmt.Println(li.Get())
// Use generated credentials to authenticate with MinIO server
minioClient, err := miniogo.NewWithCredentials(stsEndpointUrl.Host, li, secure, "")
minioClient, err := minio.New(stsEndpointURL.Host, opts)
if err != nil {
log.Fatalln(err)
}
// Use minIO Client object normally like the regular client.
fmt.Println("Calling list buckets with temp creds:")
b, err := minioClient.ListBuckets()
if err != nil {
log.Fatalln(err)
fmt.Println("Calling list objects with temp creds: ")
objCh := minioClient.ListObjects(context.Background(), ldapUsername, minio.ListObjectsOptions{})
for obj := range objCh {
if obj.Err != nil {
if err != nil {
log.Fatalln(err)
}
}
fmt.Println(obj)
}
fmt.Println(b)
}

View File

@ -0,0 +1,14 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${ldap:user}"
]
}
]
}