DEPRECATION Warning: Avoid configuring default LDAP STS Expiry (#12781)

- Show notice when `MINIO_IDENTITY_LDAP_STS_EXPIRY` or the
  corresponding configuration option is used at server startup.
- Once support is removed, the default will be fixed at 1 hour.
- Users may specify expiry directly in the STS API.
- Update docs and help message
- Adds example in ldap.go to configure expiry in STS API.
This commit is contained in:
Aditya Manthramurthy 2021-07-22 16:43:57 -07:00 committed by GitHub
parent df2871de53
commit 9a31030e74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 11 deletions


@ -27,6 +27,7 @@ import (
"log" "log"
"net/url" "net/url"
"os" "os"
"time"
"github.com/minio/minio-go/v7" "github.com/minio/minio-go/v7"
cr "github.com/minio/minio-go/v7/pkg/credentials" cr "github.com/minio/minio-go/v7/pkg/credentials"
@ -43,6 +44,9 @@ var (
// Display credentials flag // Display credentials flag
displayCreds bool displayCreds bool
// Credential expiry duration
expiryDuration time.Duration
// Bucket to list // Bucket to list
bucketToList string bucketToList string
@ -55,6 +59,7 @@ func init() {
flag.StringVar(&ldapUsername, "u", "", "AD/LDAP Username") flag.StringVar(&ldapUsername, "u", "", "AD/LDAP Username")
flag.StringVar(&ldapPassword, "p", "", "AD/LDAP Password") flag.StringVar(&ldapPassword, "p", "", "AD/LDAP Password")
flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials") flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials")
flag.DurationVar(&expiryDuration, "e", 0, "Request a duration of validity for the generated credential")
flag.StringVar(&bucketToList, "b", "", "Bucket to list (defaults to ldap username)") flag.StringVar(&bucketToList, "b", "", "Bucket to list (defaults to ldap username)")
flag.StringVar(&sessionPolicyFile, "s", "", "File containing session policy to apply to the STS request") flag.StringVar(&sessionPolicyFile, "s", "", "File containing session policy to apply to the STS request")
} }
@ -70,11 +75,8 @@ func main() {
// LDAP STS API. // LDAP STS API.
// Initialize LDAP credentials // Initialize LDAP credentials
var li *cr.Credentials var ldapOpts []cr.LDAPIdentityOpt
var err error if sessionPolicyFile != "" {
if sessionPolicyFile == "" {
li, err = cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
} else {
var policy string var policy string
if f, err := os.Open(sessionPolicyFile); err != nil { if f, err := os.Open(sessionPolicyFile); err != nil {
log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err) log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)
@ -85,8 +87,12 @@ func main() {
} }
policy = string(bs) policy = string(bs)
} }
li, err = cr.NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy) ldapOpts = append(ldapOpts, cr.LDAPIdentityPolicyOpt(policy))
} }
if expiryDuration != 0 {
ldapOpts = append(ldapOpts, cr.LDAPIdentityExpiryOpt(expiryDuration))
}
li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword, ldapOpts...)
if err != nil { if err != nil {
log.Fatalf("Error initializing LDAP Identity: %v", err) log.Fatalf("Error initializing LDAP Identity: %v", err)
} }
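Review bot: The new `-e` flag forwards any non-zero duration to `cr.LDAPIdentityExpiryOpt` without a range check, so a negative value such as `-e -1h` is accepted by `flag.DurationVar` and presumably ends up in the STS request; add `if expiryDuration < 0 { log.Fatalf("Expiry duration must not be negative: %v", expiryDuration) }` ahead of the `if expiryDuration != 0` block, and state in the flag help that 0 means the server default applies. The option-slice restructuring itself reads cleanly, but main() begins and ends outside this hunk, so later uses of `li` are not visible here. Separately, the unchanged context line `log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)` passes two arguments for one verb and is flagged by `go vet`; `"Unable to open session policy file %s: %v"` would print both.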


@ -54,7 +54,6 @@ identity_ldap enable LDAP SSO support
ARGS: ARGS:
MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldapserver.com:636" MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldapserver.com:636"
MINIO_IDENTITY_LDAP_STS_EXPIRY (duration) temporary credentials validity duration in s,m,h,d. Default is "1h"
MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN (string) DN for LDAP read-only service account used to perform DN and group lookups MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN (string) DN for LDAP read-only service account used to perform DN and group lookups
MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD (string) Password for LDAP read-only service account used to perform DN and group lookups MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD (string) Password for LDAP read-only service account used to perform DN and group lookups
MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN (string) Base LDAP DN to search for user DN MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN (string) Base LDAP DN to search for user DN
@ -123,12 +122,9 @@ export MINIO_IDENTITY_LDAP_SERVER_ADDR=myldapserver.com:636
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT="uid=%s,cn=accounts,dc=myldapserver,dc=com" export MINIO_IDENTITY_LDAP_USERNAME_FORMAT="uid=%s,cn=accounts,dc=myldapserver,dc=com"
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="dc=myldapserver,dc=com" export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="dc=myldapserver,dc=com"
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectclass=groupOfNames)(memberUid=%s)$)" export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectclass=groupOfNames)(memberUid=%s)$)"
export MINIO_IDENTITY_LDAP_STS_EXPIRY=720h
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
``` ```
> NOTE: In this example STS_EXPIRY is set to 1month, maximum expiry that can be set is 365 days.
### Variable substitution in AD/LDAP configuration strings ### ### Variable substitution in AD/LDAP configuration strings ###
In the configuration variables, `%s` is substituted with the *username* from the STS request and `%d` is substituted with the *distinguished username (user DN)* of the LDAP user. Please see the following table for which configuration variables support these substitution variables: In the configuration variables, `%s` is substituted with the *username* from the STS request and `%d` is substituted with the *distinguished username (user DN)* of the LDAP user. Please see the following table for which configuration variables support these substitution variables:


@ -31,6 +31,7 @@ import (
ldap "github.com/go-ldap/ldap/v3" ldap "github.com/go-ldap/ldap/v3"
"github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/logger"
"github.com/minio/pkg/env" "github.com/minio/pkg/env"
) )
@ -553,6 +554,7 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
l.ServerAddr = ldapServer l.ServerAddr = ldapServer
l.stsExpiryDuration = defaultLDAPExpiry l.stsExpiryDuration = defaultLDAPExpiry
if v := env.Get(EnvSTSExpiry, kvs.Get(STSExpiry)); v != "" { if v := env.Get(EnvSTSExpiry, kvs.Get(STSExpiry)); v != "" {
logger.Info("DEPRECATION WARNING: Support for configuring the default LDAP credentials expiry duration will be removed in a future release. Please use the `DurationSeconds` parameter in the LDAP STS API instead.")
expDur, err := time.ParseDuration(v) expDur, err := time.ParseDuration(v)
if err != nil { if err != nil {
return l, errors.New("LDAP expiry time err:" + err.Error()) return l, errors.New("LDAP expiry time err:" + err.Error())
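Review bot: The deprecation notice added inside Lookup does not name the setting that triggered it, so an operator who set the value through the config KV rather than the environment has to work out which knob is meant; prefixing the message with the keys already in scope, e.g. `logger.Info("DEPRECATION WARNING: " + EnvSTSExpiry + " / " + STSExpiry + " ...")`, makes it actionable. It is also emitted before `time.ParseDuration(v)` validates the value, so an unparsable setting logs the notice and then fails with the existing error; logging after the parse succeeds avoids that misleading pair. If Lookup runs more than once per process (not visible here), the notice would repeat each time. Lookup's signature appears in the hunk header but its body starts and ends outside this hunk.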


@ -30,7 +30,7 @@ var (
}, },
config.HelpKV{ config.HelpKV{
Key: STSExpiry, Key: STSExpiry,
Description: `temporary credentials validity duration in s,m,h,d. Default is "1h"`, Description: `[DEPRECATED] temporary credentials validity duration in s,m,h,d. Default is "1h"`,
Optional: true, Optional: true,
Type: "duration", Type: "duration",
}, },
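Review bot: The `[DEPRECATED]` prefix on the `STSExpiry` help entry tells users the option is going away but not what replaces it, whereas the server-side log message points them to the `DurationSeconds` STS parameter; keep the two consistent by appending `Use the DurationSeconds parameter of the LDAP STS API instead.` to the Description text. The enclosing `var (` block starts and ends outside this hunk.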