fix: avoid some IAM import errors if LDAP enabled (#19591)

When LDAP is enabled, previously we were:

- rejecting creation of users and groups via the IAM import functionality

- throwing a `not a valid DN` error when non-LDAP group mappings are present

This change allows these cases, because we need to support servers that
contain users, groups and policy mappings created before LDAP was
enabled (for example, when restoring an earlier IAM export).
This commit is contained in:
Aditya Manthramurthy
2024-04-23 18:23:08 -07:00
committed by GitHub
parent f7b665347e
commit 7640cd24c9
4 changed files with 143 additions and 45 deletions


@@ -1269,10 +1269,6 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, ureq madmin
return updatedAt, errServerNotInitialized
}
if sys.usersSysType != MinIOUsersSysType {
return updatedAt, errIAMActionNotAllowed
}
if !auth.IsAccessKeyValid(accessKey) {
return updatedAt, auth.ErrInvalidAccessKeyLength
}
@@ -1702,10 +1698,6 @@ func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []
return updatedAt, errServerNotInitialized
}
if sys.usersSysType != MinIOUsersSysType {
return updatedAt, errIAMActionNotAllowed
}
updatedAt, err = sys.store.AddUsersToGroup(ctx, group, members)
if err != nil {
return updatedAt, err
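Review bot: With the `usersSysType` guard removed, AddUsersToGroup accepts any group name and member list while LDAP is enabled and, as the hunk shows, hands them straight to `sys.store.AddUsersToGroup` with no validation at this layer; whether the store rejects unknown members, or a local group name that collides with an LDAP group DN, cannot be seen here. That is the same concern as for CreateUser: the relaxation applies to all callers, not just the import path, so the admin group-update handler (not visible) should be checked for its own LDAP-mode handling. The function's doc comment should record the new expectation, e.g. `// AddUsersToGroup no longer requires the MinIO users system type; when LDAP is enabled it is intended for restoring pre-LDAP groups, and callers must validate the group name and members.` The start of AddUsersToGroup, including its signature and doc comment, is outside the hunk.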
@@ -1777,36 +1769,14 @@ func (sys *IAMSys) ListGroups(ctx context.Context) (r []string, err error) {
}
}
// PolicyDBSet - sets a policy for a user or group in the PolicyDB - the user doesn't have to exist since sometimes they are virtuals
// PolicyDBSet - sets a policy for a user or group in the PolicyDB. This does
// not validate if the user/group exists - that is the responsibility of the
// caller.
func (sys *IAMSys) PolicyDBSet(ctx context.Context, name, policy string, userType IAMUserType, isGroup bool) (updatedAt time.Time, err error) {
if !sys.Initialized() {
return updatedAt, errServerNotInitialized
}
if sys.LDAPConfig.Enabled() {
if isGroup {
var foundGroupDN string
if foundGroupDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, name); err != nil {
iamLogIf(ctx, err)
return
} else if foundGroupDN == "" {
err = errNoSuchGroup
return
}
name = foundGroupDN
} else {
var foundUserDN string
if foundUserDN, err = sys.LDAPConfig.GetValidatedDNForUsername(name); err != nil {
iamLogIf(ctx, err)
return
} else if foundUserDN == "" {
err = errNoSuchUser
return
}
name = foundUserDN
}
}
updatedAt, err = sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup)
if err != nil {
return