Add support for Access Management Plugin (#14875)
- This change renames the OPA integration as Access Management Plugin - there is nothing specific to OPA in the integration, it is just a webhook. - OPA configuration is automatically migrated to Access Management Plugin and OPA specific configuration is marked as deprecated. - OPA doc is updated and moved.
committed by
GitHub
parent
edf364bf21
commit
83071a3459
83
docs/iam/access-manager-plugin.go
Normal file
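--- a/docs/iam/access-manager-plugin.go
+++ b/docs/iam/access-manager-plugin.go
@@ -0,0 +1,83 @@
+//go:build ignore
+// +build ignore
+
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package main
+
+import (
+"encoding/json"
+"fmt"
+"io/ioutil"
+"log"
+"net/http"
+"strings"
+)
+
+func writeErrorResponse(w http.ResponseWriter, err error) {
+w.WriteHeader(http.StatusBadRequest)
+json.NewEncoder(w).Encode(map[string]string{
+"error": fmt.Sprintf("%v", err),
+})
+}
+
+type Result struct {
+Result bool `json:"result"`
+}
+
+func mainHandler(w http.ResponseWriter, r *http.Request) {
+body, err := ioutil.ReadAll(r.Body)
+if err != nil {
+writeErrorResponse(w, err)
+return
+}
+
+reqMap := make(map[string]interface{})
+err = json.Unmarshal(body, &reqMap)
+if err != nil {
+writeErrorResponse(w, err)
+return
+}
+
+// fmt.Printf("request: %#v\n", reqMap)
+
+m := reqMap["input"].(map[string]interface{})
+accountValue := m["account"].(string)
+actionValue := m["action"].(string)
+
+// Allow user `minio` to perform any action.
+var res Result
+if accountValue == "minio" {
+res.Result = true
+} else {
+// All other users may not perform any `s3:Put*` operations.
+res.Result = true
+if strings.HasPrefix(actionValue, "s3:Put") {
+res.Result = false
+}
+}
+fmt.Printf("account: %v | action: %v | allowed: %v\n", accountValue, actionValue, res.Result)
+json.NewEncoder(w).Encode(res)
+return
+}
+
+func main() {
+http.HandleFunc("/", mainHandler)
+
+log.Fatal(http.ListenAndServe(":8080", nil))
+}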
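Review bot: The three unchecked type assertions in mainHandler (`reqMap["input"]`, `m["account"]`, `m["action"]`) panic on any JSON body that lacks those fields or carries a different type, so a malformed request gets a dropped connection from net/http's panic recovery rather than an explicit decision. How MinIO treats a failed plugin call is not visible on this page, so the sample should use the comma-ok form and answer through the existing writeErrorResponse, as sketched below. The policy is also allow-by-default for every account other than `minio` (only the `s3:Put` prefix is denied), which deserves a comment such as `// NOTE: sample policy is allow-by-default; production plugins should deny unless explicitly allowed.` because this file is likely to be copied as a starting point. Separately, the request body is read with an unbounded `ioutil.ReadAll` and the log line prints request-supplied values with `%v`; wrapping the body in `http.MaxBytesReader` and logging with `%q` would bound memory use and keep the log unambiguous.

```go
// … unchanged: body read and json.Unmarshal into reqMap …

m, ok := reqMap["input"].(map[string]interface{})
if !ok {
	writeErrorResponse(w, fmt.Errorf("request is missing the input object"))
	return
}
accountValue, okAccount := m["account"].(string)
actionValue, okAction := m["action"].(string)
if !okAccount || !okAction {
	writeErrorResponse(w, fmt.Errorf("input.account and input.action must be strings"))
	return
}

// … unchanged: policy decision, log line and JSON response …
```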