MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-10 06:30:07 -04:00
Code Issues Packages Projects Releases Wiki Activity

Remove older policy attach behavior for LDAP (#17240)

Browse Source
This commit is contained in:
Aditya Manthramurthy 2023-05-26 06:31:24 -07:00 committed by GitHub
parent 7a69c9c75a
commit 65cba212e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 174 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
cmd/admin-handlers-users.go
View File

@ -1767,7 +1767,7 @@ func (a adminAPIHandlers) ListPolicyMappingEntities(w http.ResponseWriter, r *ht
writeSuccessResponseJSON(w, econfigData) writeSuccessResponseJSON(w, econfigData)
} }
// AttachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/attach // AttachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/policy/attach
func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AttachPolicyBuiltin") ctx := newContext(r, w, "AttachPolicyBuiltin")
@ -1835,20 +1835,19 @@ func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Req
} }
// Validate that user exists. // Validate that user exists.
if globalIAMSys.GetUsersSysType() == MinIOUsersSysType { _, ok = globalIAMSys.GetUser(ctx, userOrGroup)
_, ok := globalIAMSys.GetUser(ctx, userOrGroup) if !ok {
if !ok { if globalIAMSys.LDAPConfig.Enabled() {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL) // When LDAP is enabled, warn user that they are using the wrong
// API.
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUserLDAPWarn), r.URL)
return return
} }
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
return
} }
} }
userType := regUser
if globalIAMSys.GetUsersSysType() == LDAPUsersSysType {
userType = stsUser
}
var existingPolicies []string var existingPolicies []string
if isGroup { if isGroup {
existingPolicies, err = globalIAMSys.PolicyDBGet(userOrGroup, true) existingPolicies, err = globalIAMSys.PolicyDBGet(userOrGroup, true)
@ -1878,6 +1877,7 @@ func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Req
existingPolicies = append(existingPolicies, policiesToAttach...) existingPolicies = append(existingPolicies, policiesToAttach...)
newPolicies := strings.Join(existingPolicies, ",") newPolicies := strings.Join(existingPolicies, ",")
userType := regUser
updatedAt, err := globalIAMSys.PolicyDBSet(ctx, userOrGroup, newPolicies, userType, isGroup) updatedAt, err := globalIAMSys.PolicyDBSet(ctx, userOrGroup, newPolicies, userType, isGroup)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
@ -1898,7 +1898,7 @@ func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Req
writeResponse(w, http.StatusCreated, nil, mimeNone) writeResponse(w, http.StatusCreated, nil, mimeNone)
} }
// DetachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/detach // DetachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/policy/detach
func (a adminAPIHandlers) DetachPolicyBuiltin(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) DetachPolicyBuiltin(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "DetachPolicyBuiltin") ctx := newContext(r, w, "DetachPolicyBuiltin")
@ -1959,12 +1959,16 @@ func (a adminAPIHandlers) DetachPolicyBuiltin(w http.ResponseWriter, r *http.Req
} }
// Validate that user exists. // Validate that user exists.
if globalIAMSys.GetUsersSysType() == MinIOUsersSysType { _, ok = globalIAMSys.GetUser(ctx, userOrGroup)
_, ok := globalIAMSys.GetUser(ctx, userOrGroup) if !ok {
if !ok { if globalIAMSys.LDAPConfig.Enabled() {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL) // When LDAP is enabled, warn user that they are using the wrong
// API.
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUserLDAPWarn), r.URL)
return return
} }
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
return
} }
} }

8
cmd/api-errors.go
View File

@ -269,6 +269,7 @@ const (
ErrMalformedJSON ErrMalformedJSON
ErrAdminNoSuchUser ErrAdminNoSuchUser
ErrAdminNoSuchUserLDAPWarn
ErrAdminNoSuchGroup ErrAdminNoSuchGroup
ErrAdminGroupNotEmpty ErrAdminGroupNotEmpty
ErrAdminGroupDisabled ErrAdminGroupDisabled
@ -1266,6 +1267,11 @@ var errorCodes = errorCodeMap{
Description: "The specified user does not exist.", Description: "The specified user does not exist.",
HTTPStatusCode: http.StatusNotFound, HTTPStatusCode: http.StatusNotFound,
}, },
ErrAdminNoSuchUserLDAPWarn: {
Code: "XMinioAdminNoSuchUser",
Description: "The specified user does not exist. If you meant a user in LDAP, use `mc idp ldap`",
HTTPStatusCode: http.StatusNotFound,
},
ErrAdminNoSuchGroup: { ErrAdminNoSuchGroup: {
Code: "XMinioAdminNoSuchGroup", Code: "XMinioAdminNoSuchGroup",
Description: "The specified group does not exist.", Description: "The specified group does not exist.",
@ -2036,6 +2042,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
apiErr = ErrAdminNoSuchPolicy apiErr = ErrAdminNoSuchPolicy
case errNoSuchUser: case errNoSuchUser:
apiErr = ErrAdminNoSuchUser apiErr = ErrAdminNoSuchUser
case errNoSuchUserLDAPWarn:
apiErr = ErrAdminNoSuchUserLDAPWarn
case errNoSuchServiceAccount: case errNoSuchServiceAccount:
apiErr = ErrAdminServiceAccountNotFound apiErr = ErrAdminServiceAccountNotFound
case errNoSuchGroup: case errNoSuchGroup:

283
cmd/apierrorcode_string.go
View File

File diff suppressed because one or more lines are too long

4
cmd/typed-errors.go
View File

@ -65,6 +65,10 @@ var errInvalidDecompressedSize = errors.New("Invalid Decompressed Size")
// error returned in IAM subsystem when user doesn't exist. // error returned in IAM subsystem when user doesn't exist.
var errNoSuchUser = errors.New("Specified user does not exist") var errNoSuchUser = errors.New("Specified user does not exist")
// error returned by IAM when a use a builtin IDP command when they could mean
// to use a LDAP command.
var errNoSuchUserLDAPWarn = errors.New("Specified user does not exist. If you meant a user in LDAP please use command under `mc idp ldap`")
// error returned when service account is not found // error returned when service account is not found
var errNoSuchServiceAccount = errors.New("Specified service account does not exist") var errNoSuchServiceAccount = errors.New("Specified service account does not exist")

2
docs/site-replication/run-multi-site-ldap.sh
View File

@ -64,7 +64,7 @@ export MC_HOST_minio3=http://minio:minio123@localhost:9003
./mc admin replicate add minio1 minio2 minio3 ./mc admin replicate add minio1 minio2 minio3
./mc admin policy attach minio1 consoleAdmin --user="uid=dillon,ou=people,ou=swengg,dc=min,dc=io" ./mc admin idp ldap policy attach minio1 consoleAdmin --user="uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
sleep 5 sleep 5
./mc admin user info minio2 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" ./mc admin user info minio2 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"