MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-23 12:43:16 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update builtin policy entities command (#17241)

Browse Source
This commit is contained in:
Aditya Manthramurthy 2023-05-25 22:31:05 -07:00 committed by GitHub
parent 4a425cbac1
commit 7a69c9c75a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 44 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

203
cmd/iam-store.go
View File

@ -1387,169 +1387,6 @@ func (store *IAMStoreSys) GetUsers() map[string]madmin.UserInfo {
return result return result
} }
// Assumes store is locked by caller. If users is empty, returns all user mappings.
func (store *IAMStoreSys) listLDAPUserPolicyMappings(cache *iamCache, users []string,
isLDAPUserDN func(string) bool,
) []madmin.UserPolicyEntities {
var r []madmin.UserPolicyEntities
usersSet := set.CreateStringSet(users...)
for user, mappedPolicy := range cache.iamUserPolicyMap {
if !isLDAPUserDN(user) {
continue
}
if !usersSet.IsEmpty() && !usersSet.Contains(user) {
continue
}
ps := mappedPolicy.toSlice()
sort.Strings(ps)
r = append(r, madmin.UserPolicyEntities{
User: user,
Policies: ps,
})
}
sort.Slice(r, func(i, j int) bool {
return r[i].User < r[j].User
})
return r
}
// Assumes store is locked by caller. If groups is empty, returns all group mappings.
func (store *IAMStoreSys) listLDAPGroupPolicyMappings(cache *iamCache, groups []string,
isLDAPGroupDN func(string) bool,
) []madmin.GroupPolicyEntities {
var r []madmin.GroupPolicyEntities
groupsSet := set.CreateStringSet(groups...)
for group, mappedPolicy := range cache.iamGroupPolicyMap {
if !isLDAPGroupDN(group) {
continue
}
if !groupsSet.IsEmpty() && !groupsSet.Contains(group) {
continue
}
ps := mappedPolicy.toSlice()
sort.Strings(ps)
r = append(r, madmin.GroupPolicyEntities{
Group: group,
Policies: ps,
})
}
sort.Slice(r, func(i, j int) bool {
return r[i].Group < r[j].Group
})
return r
}
// Assumes store is locked by caller. If policies is empty, returns all policy mappings.
func (store *IAMStoreSys) listLDAPPolicyMappings(cache *iamCache, policy []string,
isLDAPUserDN, isLDAPGroupDN func(string) bool,
) []madmin.PolicyEntities {
queryPolSet := set.CreateStringSet(policy...)
policyToUsersMap := make(map[string]set.StringSet)
for user, mappedPolicy := range cache.iamUserPolicyMap {
if !isLDAPUserDN(user) {
continue
}
commonPolicySet := mappedPolicy.policySet()
if !queryPolSet.IsEmpty() {
commonPolicySet = commonPolicySet.Intersection(queryPolSet)
}
for _, policy := range commonPolicySet.ToSlice() {
s, ok := policyToUsersMap[policy]
if !ok {
policyToUsersMap[policy] = set.CreateStringSet(user)
} else {
s.Add(user)
policyToUsersMap[policy] = s
}
}
}
policyToGroupsMap := make(map[string]set.StringSet)
for group, mappedPolicy := range cache.iamGroupPolicyMap {
if !isLDAPGroupDN(group) {
continue
}
commonPolicySet := mappedPolicy.policySet()
if !queryPolSet.IsEmpty() {
commonPolicySet = commonPolicySet.Intersection(queryPolSet)
}
for _, policy := range commonPolicySet.ToSlice() {
s, ok := policyToUsersMap[policy]
if !ok {
policyToGroupsMap[policy] = set.CreateStringSet(group)
} else {
s.Add(group)
policyToGroupsMap[policy] = s
}
}
}
m := make(map[string]madmin.PolicyEntities, len(policyToGroupsMap))
for policy, groups := range policyToGroupsMap {
s := groups.ToSlice()
sort.Strings(s)
m[policy] = madmin.PolicyEntities{
Policy: policy,
Groups: s,
}
}
for policy, users := range policyToUsersMap {
s := users.ToSlice()
sort.Strings(s)
// Update existing value in map
pe := m[policy]
pe.Policy = policy
pe.Users = s
m[policy] = pe
}
policyEntities := make([]madmin.PolicyEntities, 0, len(m))
for _, v := range m {
policyEntities = append(policyEntities, v)
}
sort.Slice(policyEntities, func(i, j int) bool {
return policyEntities[i].Policy < policyEntities[j].Policy
})
return policyEntities
}
// ListLDAPPolicyMappings - return LDAP users/groups mapped to policies.
func (store *IAMStoreSys) ListLDAPPolicyMappings(q madmin.PolicyEntitiesQuery,
isLDAPUserDN, isLDAPGroupDN func(string) bool,
) madmin.PolicyEntitiesResult {
cache := store.rlock()
defer store.runlock()
var result madmin.PolicyEntitiesResult
isAllPoliciesQuery := len(q.Users) == 0 && len(q.Groups) == 0 && len(q.Policy) == 0
if len(q.Users) > 0 {
result.UserMappings = store.listLDAPUserPolicyMappings(cache, q.Users, isLDAPUserDN)
}
if len(q.Groups) > 0 {
result.GroupMappings = store.listLDAPGroupPolicyMappings(cache, q.Groups, isLDAPGroupDN)
}
if len(q.Policy) > 0 || isAllPoliciesQuery {
result.PolicyMappings = store.listLDAPPolicyMappings(cache, q.Policy, isLDAPUserDN, isLDAPGroupDN)
}
return result
}
// GetUsersWithMappedPolicies - safely returns the name of access keys with associated policies // GetUsersWithMappedPolicies - safely returns the name of access keys with associated policies
func (store *IAMStoreSys) GetUsersWithMappedPolicies() map[string]string { func (store *IAMStoreSys) GetUsersWithMappedPolicies() map[string]string {
cache := store.rlock() cache := store.rlock()
@ -1951,10 +1788,16 @@ func (store *IAMStoreSys) GetAllParentUsers() map[string]ParentUserInfo {
} }
// Assumes store is locked by caller. If users is empty, returns all user mappings. // Assumes store is locked by caller. If users is empty, returns all user mappings.
func (store *IAMStoreSys) listUserPolicyMappings(cache *iamCache, users []string) []madmin.UserPolicyEntities { func (store *IAMStoreSys) listUserPolicyMappings(cache *iamCache, users []string,
userPredicate func(string) bool,
) []madmin.UserPolicyEntities {
var r []madmin.UserPolicyEntities var r []madmin.UserPolicyEntities
usersSet := set.CreateStringSet(users...) usersSet := set.CreateStringSet(users...)
for user, mappedPolicy := range cache.iamUserPolicyMap { for user, mappedPolicy := range cache.iamUserPolicyMap {
if userPredicate != nil && !userPredicate(user) {
continue
}
if !usersSet.IsEmpty() && !usersSet.Contains(user) { if !usersSet.IsEmpty() && !usersSet.Contains(user) {
continue continue
} }
@ -1975,10 +1818,16 @@ func (store *IAMStoreSys) listUserPolicyMappings(cache *iamCache, users []string
} }
// Assumes store is locked by caller. If groups is empty, returns all group mappings. // Assumes store is locked by caller. If groups is empty, returns all group mappings.
func (store *IAMStoreSys) listGroupPolicyMappings(cache *iamCache, groups []string) []madmin.GroupPolicyEntities { func (store *IAMStoreSys) listGroupPolicyMappings(cache *iamCache, groups []string,
groupPredicate func(string) bool,
) []madmin.GroupPolicyEntities {
var r []madmin.GroupPolicyEntities var r []madmin.GroupPolicyEntities
groupsSet := set.CreateStringSet(groups...) groupsSet := set.CreateStringSet(groups...)
for group, mappedPolicy := range cache.iamGroupPolicyMap { for group, mappedPolicy := range cache.iamGroupPolicyMap {
if groupPredicate != nil && !groupPredicate(group) {
continue
}
if !groupsSet.IsEmpty() && !groupsSet.Contains(group) { if !groupsSet.IsEmpty() && !groupsSet.Contains(group) {
continue continue
} }
@ -1999,11 +1848,17 @@ func (store *IAMStoreSys) listGroupPolicyMappings(cache *iamCache, groups []stri
} }
// Assumes store is locked by caller. If policies is empty, returns all policy mappings. // Assumes store is locked by caller. If policies is empty, returns all policy mappings.
func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string) []madmin.PolicyEntities { func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string,
userPredicate, groupPredicate func(string) bool,
) []madmin.PolicyEntities {
queryPolSet := set.CreateStringSet(policies...) queryPolSet := set.CreateStringSet(policies...)
policyToUsersMap := make(map[string]set.StringSet) policyToUsersMap := make(map[string]set.StringSet)
for user, mappedPolicy := range cache.iamUserPolicyMap { for user, mappedPolicy := range cache.iamUserPolicyMap {
if userPredicate != nil && !userPredicate(user) {
continue
}
commonPolicySet := mappedPolicy.policySet() commonPolicySet := mappedPolicy.policySet()
if !queryPolSet.IsEmpty() { if !queryPolSet.IsEmpty() {
commonPolicySet = commonPolicySet.Intersection(queryPolSet) commonPolicySet = commonPolicySet.Intersection(queryPolSet)
@ -2021,6 +1876,10 @@ func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string)
policyToGroupsMap := make(map[string]set.StringSet) policyToGroupsMap := make(map[string]set.StringSet)
for group, mappedPolicy := range cache.iamGroupPolicyMap { for group, mappedPolicy := range cache.iamGroupPolicyMap {
if groupPredicate != nil && !groupPredicate(group) {
continue
}
commonPolicySet := mappedPolicy.policySet() commonPolicySet := mappedPolicy.policySet()
if !queryPolSet.IsEmpty() { if !queryPolSet.IsEmpty() {
commonPolicySet = commonPolicySet.Intersection(queryPolSet) commonPolicySet = commonPolicySet.Intersection(queryPolSet)
@ -2068,8 +1927,10 @@ func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string)
return policyEntities return policyEntities
} }
// ListPolicyMappings - return builtin users/groups mapped to policies. // ListPolicyMappings - return users/groups mapped to policies.
func (store *IAMStoreSys) ListPolicyMappings(q madmin.PolicyEntitiesQuery) madmin.PolicyEntitiesResult { func (store *IAMStoreSys) ListPolicyMappings(q madmin.PolicyEntitiesQuery,
userPredicate, groupPredicate func(string) bool,
) madmin.PolicyEntitiesResult {
cache := store.rlock() cache := store.rlock()
defer store.runlock() defer store.runlock()
@ -2078,13 +1939,13 @@ func (store *IAMStoreSys) ListPolicyMappings(q madmin.PolicyEntitiesQuery) madmi
isAllPoliciesQuery := len(q.Users) == 0 && len(q.Groups) == 0 && len(q.Policy) == 0 isAllPoliciesQuery := len(q.Users) == 0 && len(q.Groups) == 0 && len(q.Policy) == 0
if len(q.Users) > 0 { if len(q.Users) > 0 {
result.UserMappings = store.listUserPolicyMappings(cache, q.Users) result.UserMappings = store.listUserPolicyMappings(cache, q.Users, userPredicate)
} }
if len(q.Groups) > 0 { if len(q.Groups) > 0 {
result.GroupMappings = store.listGroupPolicyMappings(cache, q.Groups) result.GroupMappings = store.listGroupPolicyMappings(cache, q.Groups, groupPredicate)
} }
if len(q.Policy) > 0 || isAllPoliciesQuery { if len(q.Policy) > 0 || isAllPoliciesQuery {
result.PolicyMappings = store.listPolicyMappings(cache, q.Policy) result.PolicyMappings = store.listPolicyMappings(cache, q.Policy, userPredicate, groupPredicate)
} }
return result return result
} }

15
cmd/iam.go
View File

@ -791,13 +791,13 @@ func (sys *IAMSys) QueryLDAPPolicyEntities(ctx context.Context, q madmin.PolicyE
return nil, errServerNotInitialized return nil, errServerNotInitialized
} }
if sys.usersSysType != LDAPUsersSysType { if !sys.LDAPConfig.Enabled() {
return nil, errIAMActionNotAllowed return nil, errIAMActionNotAllowed
} }
select { select {
case <-sys.configLoaded: case <-sys.configLoaded:
pe := sys.store.ListLDAPPolicyMappings(q, sys.LDAPConfig.IsLDAPUserDN, sys.LDAPConfig.IsLDAPGroupDN) pe := sys.store.ListPolicyMappings(q, sys.LDAPConfig.IsLDAPUserDN, sys.LDAPConfig.IsLDAPGroupDN)
pe.Timestamp = UTCNow() pe.Timestamp = UTCNow()
return &pe, nil return &pe, nil
case <-ctx.Done(): case <-ctx.Done():
@ -864,7 +864,16 @@ func (sys *IAMSys) QueryPolicyEntities(ctx context.Context, q madmin.PolicyEntit
select { select {
case <-sys.configLoaded: case <-sys.configLoaded:
pe := sys.store.ListPolicyMappings(q) var userPredicate, groupPredicate func(string) bool
if sys.LDAPConfig.Enabled() {
userPredicate = func(s string) bool {
return !sys.LDAPConfig.IsLDAPUserDN(s)
}
groupPredicate = func(s string) bool {
return !sys.LDAPConfig.IsLDAPGroupDN(s)
}
}
pe := sys.store.ListPolicyMappings(q, userPredicate, groupPredicate)
pe.Timestamp = UTCNow() pe.Timestamp = UTCNow()
return &pe, nil return &pe, nil
case <-ctx.Done(): case <-ctx.Done():