fix: support LDAP settings properly in ftp/sftp (#17536)
As a bonus, this PR also adds support for creating buckets via ftp `mkdir`; fixes #17526
This commit is contained in:
parent
73de721a63
commit
5317a0b755
@ -253,11 +253,7 @@ func (driver *ftpDriver) CheckPasswd(c *ftp.Context, username, password string)
|
|||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
|
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
|
||||||
if len(ldapPolicies) == 0 {
|
return len(ldapPolicies) > 0, nil
|
||||||
// no policy associated reject it.
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
return true, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ui, ok := globalIAMSys.GetUser(context.Background(), username)
|
ui, ok := globalIAMSys.GetUser(context.Background(), username)
|
||||||
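Review bot: Collapsing the check into `return len(ldapPolicies) > 0, nil` drops the old `// no policy associated reject it.` comment, so the reason a user whose LDAP bind succeeded is still refused is no longer stated where it happens. Keep a one-line comment above the return, e.g. `// an LDAP user with no policy mapped to it or its groups is not allowed to log in.` The error from `PolicyDBGet` on the context line above is still discarded; with the new expression a failed lookup and an empty mapping both deny, which fails closed, but that is worth saying in the same comment. CheckPasswd's body begins and ends outside this hunk.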
@ -362,12 +358,20 @@ func (driver *ftpDriver) DeleteDir(ctx *ftp.Context, path string) (err error) {
|
|||||||
cctx, cancel := context.WithCancel(context.Background())
|
cctx, cancel := context.WithCancel(context.Background())
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
|
if prefix == "" {
|
||||||
|
// if all objects are not deleted yet this call may fail.
|
||||||
|
return clnt.RemoveBucket(cctx, bucket)
|
||||||
|
}
|
||||||
|
|
||||||
objectsCh := make(chan minio.ObjectInfo)
|
objectsCh := make(chan minio.ObjectInfo)
|
||||||
|
|
||||||
// Send object names that are needed to be removed to objectsCh
|
// Send object names that are needed to be removed to objectsCh
|
||||||
go func() {
|
go func() {
|
||||||
defer close(objectsCh)
|
defer close(objectsCh)
|
||||||
opts := minio.ListObjectsOptions{Prefix: prefix, Recursive: true}
|
opts := minio.ListObjectsOptions{
|
||||||
|
Prefix: prefix,
|
||||||
|
Recursive: true,
|
||||||
|
}
|
||||||
for object := range clnt.ListObjects(cctx, bucket, opts) {
|
for object := range clnt.ListObjects(cctx, bucket, opts) {
|
||||||
if object.Err != nil {
|
if object.Err != nil {
|
||||||
return
|
return
|
||||||
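Review bot: The bucket-level branch added here (`if prefix == "" { return clnt.RemoveBucket(cctx, bucket) }`) appears line for line again in sftpDriver.Filecmd further down, and the matching `MakeBucket` branch is likewise added to both ftpDriver.MakeDir and sftpDriver.Filecmd; the two drivers would be easier to keep in sync with one shared helper per operation taking the client, bucket and prefix. The comment `// if all objects are not deleted yet this call may fail.` could be sharper, e.g. `// RemoveBucket succeeds only on an empty bucket; objects under a prefix are removed by the listing below.` The enclosing DeleteDir starts and ends outside this hunk.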
@ -427,6 +431,10 @@ func (driver *ftpDriver) MakeDir(ctx *ftp.Context, path string) (err error) {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if prefix == "" {
|
||||||
|
return clnt.MakeBucket(context.Background(), bucket, minio.MakeBucketOptions{Region: globalSite.Region})
|
||||||
|
}
|
||||||
|
|
||||||
dirPath := buildMinioDir(prefix)
|
dirPath := buildMinioDir(prefix)
|
||||||
|
|
||||||
_, err = clnt.PutObject(context.Background(), bucket, dirPath, bytes.NewReader([]byte("")), 0,
|
_, err = clnt.PutObject(context.Background(), bucket, dirPath, bytes.NewReader([]byte("")), 0,
|
||||||
|
@ -129,10 +129,29 @@ func startSFTPServer(c *cli.Context) {
|
|||||||
// certificate details and handles authentication of ServerConns.
|
// certificate details and handles authentication of ServerConns.
|
||||||
config := &ssh.ServerConfig{
|
config := &ssh.ServerConfig{
|
||||||
PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
|
PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
|
||||||
|
if globalIAMSys.LDAPConfig.Enabled() {
|
||||||
|
targetUser, targetGroups, err := globalIAMSys.LDAPConfig.Bind(c.User(), string(pass))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, false, targetGroups...)
|
||||||
|
if len(ldapPolicies) == 0 {
|
||||||
|
return nil, errAuthentication
|
||||||
|
}
|
||||||
|
return &ssh.Permissions{
|
||||||
|
CriticalOptions: map[string]string{
|
||||||
|
ldapUser: targetUser,
|
||||||
|
ldapUserN: c.User(),
|
||||||
|
},
|
||||||
|
Extensions: make(map[string]string),
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
ui, ok := globalIAMSys.GetUser(context.Background(), c.User())
|
ui, ok := globalIAMSys.GetUser(context.Background(), c.User())
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, errNoSuchUser
|
return nil, errNoSuchUser
|
||||||
}
|
}
|
||||||
|
|
||||||
if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) == 1 {
|
if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) == 1 {
|
||||||
return &ssh.Permissions{
|
return &ssh.Permissions{
|
||||||
CriticalOptions: map[string]string{
|
CriticalOptions: map[string]string{
|
||||||
|
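Review bot: In the new LDAP branch of PasswordCallback the error from `globalIAMSys.PolicyDBGet(targetUser, false, targetGroups...)` is discarded, so a failed policy lookup and a user with no mapped policy both end in `errAuthentication`; that fails closed, but an operator would see a transient lookup failure reported as a bad password. If PolicyDBGet's error means failure rather than "not found" (not visible here), prefer `ldapPolicies, err := globalIAMSys.PolicyDBGet(...)` followed by `if err != nil { return nil, err }` before the length check. The `err` from `Bind` is returned unchanged, whereas the unknown-user path below returns the generic `errNoSuchUser`; returning a generic error here too would keep what reaches the SSH layer uniform, though how the server surfaces callback errors is outside this hunk. The ServerConfig literal and the callback continue past the hunk.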
@ -97,18 +97,15 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, false, targetGroups...)
|
|
||||||
if len(ldapPolicies) == 0 {
|
|
||||||
return nil, errAuthentication
|
|
||||||
}
|
|
||||||
expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration("")
|
expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration("")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
claims := make(map[string]interface{})
|
claims := make(map[string]interface{})
|
||||||
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
|
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
|
||||||
claims[ldapUser] = targetUser
|
for k, v := range f.permissions.CriticalOptions {
|
||||||
claims[ldapUserN] = f.AccessKey()
|
claims[k] = v
|
||||||
|
}
|
||||||
|
|
||||||
cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
|
cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -165,6 +162,9 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (f *sftpDriver) AccessKey() string {
|
func (f *sftpDriver) AccessKey() string {
|
||||||
|
if _, ok := f.permissions.CriticalOptions["accessKey"]; !ok {
|
||||||
|
return f.permissions.CriticalOptions[ldapUserN]
|
||||||
|
}
|
||||||
return f.permissions.CriticalOptions["accessKey"]
|
return f.permissions.CriticalOptions["accessKey"]
|
||||||
}
|
}
|
||||||
|
|
||||||
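Review bot: AccessKey now looks up `"accessKey"` twice and, as an exported method, has no doc comment. `if ak, ok := f.permissions.CriticalOptions["accessKey"]; ok { return ak }` followed by `return f.permissions.CriticalOptions[ldapUserN]` reads the map once and keeps the fallback; when neither key is present the result is still "", which callers should expect. Add `// AccessKey returns the "accessKey" critical option for built-in users, or the LDAP login name stored under ldapUserN for LDAP users.` above the method.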
@ -270,12 +270,20 @@ func (f *sftpDriver) Filecmd(r *sftp.Request) (err error) {
|
|||||||
cctx, cancel := context.WithCancel(context.Background())
|
cctx, cancel := context.WithCancel(context.Background())
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
|
if prefix == "" {
|
||||||
|
// if all objects are not deleted yet this call may fail.
|
||||||
|
return clnt.RemoveBucket(cctx, bucket)
|
||||||
|
}
|
||||||
|
|
||||||
objectsCh := make(chan minio.ObjectInfo)
|
objectsCh := make(chan minio.ObjectInfo)
|
||||||
|
|
||||||
// Send object names that are needed to be removed to objectsCh
|
// Send object names that are needed to be removed to objectsCh
|
||||||
go func() {
|
go func() {
|
||||||
defer close(objectsCh)
|
defer close(objectsCh)
|
||||||
opts := minio.ListObjectsOptions{Prefix: prefix, Recursive: true}
|
opts := minio.ListObjectsOptions{
|
||||||
|
Prefix: prefix,
|
||||||
|
Recursive: true,
|
||||||
|
}
|
||||||
for object := range clnt.ListObjects(cctx, bucket, opts) {
|
for object := range clnt.ListObjects(cctx, bucket, opts) {
|
||||||
if object.Err != nil {
|
if object.Err != nil {
|
||||||
return
|
return
|
||||||
@ -305,6 +313,10 @@ func (f *sftpDriver) Filecmd(r *sftp.Request) (err error) {
|
|||||||
return errors.New("bucket name cannot be empty")
|
return errors.New("bucket name cannot be empty")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if prefix == "" {
|
||||||
|
return clnt.MakeBucket(context.Background(), bucket, minio.MakeBucketOptions{Region: globalSite.Region})
|
||||||
|
}
|
||||||
|
|
||||||
dirPath := buildMinioDir(prefix)
|
dirPath := buildMinioDir(prefix)
|
||||||
|
|
||||||
_, err = clnt.PutObject(context.Background(), bucket, dirPath, bytes.NewReader([]byte("")), 0,
|
_, err = clnt.PutObject(context.Background(), bucket, dirPath, bytes.NewReader([]byte("")), 0,
|
||||||
|