gateway/manta: Add support for RBAC (#5332)

Manta has the ability to allow users to authenticate with a username other than the main account. We want to expose this functionality to minio manta gateway.
2025-11-09 05:34:56 -05:00 · 2018-01-05 10:00:29 +02:00
parent b85c75996d
commit a1a98617ca
10 changed files with 180 additions and 68 deletions
--- a/vendor/github.com/joyent/triton-go/client/client.go
+++ b/vendor/github.com/joyent/triton-go/client/client.go
@@ -21,7 +21,7 @@ import (
 const nilContext = "nil context"

 var (
-	ErrDefaultAuth = errors.New("default SSH agent authentication requires SDC_KEY_ID and SSH_AUTH_SOCK")
+	ErrDefaultAuth = errors.New("default SSH agent authentication requires SDC_KEY_ID / TRITON_KEY_ID and SSH_AUTH_SOCK")
 	ErrAccountName = errors.New("missing account name for Triton/Manta")
 	ErrMissingURL  = errors.New("missing Triton and/or Manta URL")

@@ -36,6 +36,7 @@ type Client struct {
 	TritonURL   url.URL
 	MantaURL    url.URL
 	AccountName string
+	Username    string
 }

 // New is used to construct a Client in order to make API
@@ -81,7 +82,7 @@ func New(tritonURL string, mantaURL string, accountName string, signers ...authe
 	}

 	// Default to constructing an SSHAgentSigner if there are no other signers
-	// passed into NewClient and there's an SDC_KEY_ID and SSH_AUTH_SOCK
+	// passed into NewClient and there's an TRITON_KEY_ID and SSH_AUTH_SOCK
 	// available in the user's environ(7).
 	if len(newClient.Authorizers) == 0 {
 		if err := newClient.DefaultAuth(); err != nil {
@@ -92,21 +93,43 @@ func New(tritonURL string, mantaURL string, accountName string, signers ...authe
 	return newClient, nil
 }

+var envPrefixes = []string{"TRITON", "SDC"}
+
+// GetTritonEnv looks up environment variables using the preferred "TRITON"
+// prefix, but falls back to the SDC prefix.  For example, looking up "USER"
+// will search for "TRITON_USER" followed by "SDC_USER".  If the environment
+// variable is not set, an empty string is returned.  GetTritonEnv() is used to
+// aid in the transition and deprecation of the SDC_* environment variables.
+func GetTritonEnv(name string) string {
+	for _, prefix := range envPrefixes {
+		if val, found := os.LookupEnv(prefix + "_" + name); found {
+			return val
+		}
+	}
+
+	return ""
+}
+
 // initDefaultAuth provides a default key signer for a client. This should only
 // be used internally if the client has no other key signer for authenticating
 // with Triton. We first look for both `SDC_KEY_ID` and `SSH_AUTH_SOCK` in the
 // user's environ(7). If so we default to the SSH agent key signer.
 func (c *Client) DefaultAuth() error {
-	if keyID, keyOk := os.LookupEnv("SDC_KEY_ID"); keyOk {
-		defaultSigner, err := authentication.NewSSHAgentSigner(keyID, c.AccountName)
+	tritonKeyId := GetTritonEnv("KEY_ID")
+	if tritonKeyId != "" {
+		input := authentication.SSHAgentSignerInput{
+			KeyID:       tritonKeyId,
+			AccountName: c.AccountName,
+			Username:    c.Username,
+		}
+		defaultSigner, err := authentication.NewSSHAgentSigner(input)
 		if err != nil {
 			return errwrap.Wrapf("problem initializing NewSSHAgentSigner: {{err}}", err)
 		}
 		c.Authorizers = append(c.Authorizers, defaultSigner)
-	} else {
-		return ErrDefaultAuth
 	}
-	return nil
+
+	return ErrDefaultAuth
 }

 // InsecureSkipTLSVerify turns off TLS verification for the client connection. This