Converge PolicyDBGet functions in IAM (#11891)

Aditya Manthramurthy 2021-03-25 00:38:15 -07:00 committed by GitHub
parent d7f32ad649
commit b4d8bcf644
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 35 additions and 35 deletions


@ -748,7 +748,11 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
case MinIOUsersSysType: case MinIOUsersSysType:
policies, err = globalIAMSys.PolicyDBGet(accountName, false) policies, err = globalIAMSys.PolicyDBGet(accountName, false)
case LDAPUsersSysType: case LDAPUsersSysType:
policies, err = globalIAMSys.PolicyDBGetLDAP(cred.ParentUser, cred.Groups...) parentUser := accountName
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
policies, err = globalIAMSys.PolicyDBGet(parentUser, false, cred.Groups...)
default: default:
err = errors.New("should not happen!") err = errors.New("should not happen!")
} }
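Review bot: The fallback `parentUser := accountName` in the LDAPUsersSysType case is not explained, and a reader cannot tell from the hunk which credentials arrive here with an empty `cred.ParentUser`; presumably those not issued through STS, but that is inferred. A one-line comment above the assignment would pin the intent, e.g. `// Credentials not issued via STS carry no ParentUser; fall back to the account itself.` Note also that `cred.Groups` is taken from the credential rather than a directory lookup, which is what the new PolicyDBGet doc comment in iam.go describes for LDAP mode, so a stale group list in a long-lived credential is reflected unchanged in the account's reported policies. AccountInfoHandler starts and ends outside the hunk.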


@ -1661,8 +1661,9 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
return nil return nil
} }
// PolicyDBGetLDAP is only used by LDAP code, it is similar to PolicyDBGet // PolicyDBGet - gets policy set on a user or group. If a list of groups is
func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, error) { // given, policies associated with them are included as well.
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]string, error) {
if !sys.Initialized() { if !sys.Initialized() {
return nil, errServerNotInitialized return nil, errServerNotInitialized
} }
@ -1674,40 +1675,35 @@ func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, err
sys.store.rlock() sys.store.rlock()
defer sys.store.runlock() defer sys.store.runlock()
var policies []string policies, err := sys.policyDBGet(name, isGroup)
mp, ok := sys.iamUserPolicyMap[name] if err != nil {
if ok { return nil, err
// returned policy could be empty
policies = append(policies, mp.toSlice()...)
} }
if !isGroup {
for _, group := range groups { for _, group := range groups {
p := sys.iamGroupPolicyMap[group] ps, err := sys.policyDBGet(group, true)
policies = append(policies, p.toSlice()...) if err != nil {
return nil, err
}
policies = append(policies, ps...)
}
} }
return policies, nil return policies, nil
} }
// PolicyDBGet - gets policy set on a user or group. Since a user may // This call assumes that caller has the sys.RLock().
// be a member of multiple groups, this function returns an array of //
// applicable policies // If a group is passed, it returns policies associated with the group.
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) { //
if !sys.Initialized() { // If a user is passed, it returns policies of the user along with any groups
return nil, errServerNotInitialized // that the server knows the user is a member of.
} //
// In LDAP users mode, the server does not store any group membership
if name == "" { // information in IAM (i.e sys.iam*Map) - this info is stored only in the STS
return nil, errInvalidArgument // generated credentials. Thus we skip looking up group memberships, user map,
} // and group map and check the appropriate policy maps directly.
sys.store.rlock()
defer sys.store.runlock()
return sys.policyDBGet(name, isGroup)
}
// This call assumes that caller has the sys.RLock()
func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) { func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
if isGroup { if isGroup {
if sys.usersSysType == MinIOUsersSysType { if sys.usersSysType == MinIOUsersSysType {
@ -1727,12 +1723,12 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
return mp.toSlice(), nil return mp.toSlice(), nil
} }
// When looking for a user's policies, we also check if the
// user and the groups they are member of are enabled.
var u auth.Credentials var u auth.Credentials
var ok bool var ok bool
if sys.usersSysType == MinIOUsersSysType { if sys.usersSysType == MinIOUsersSysType {
// When looking for a user's policies, we also check if the user
// and the groups they are member of are enabled.
u, ok = sys.iamUsersMap[name] u, ok = sys.iamUsersMap[name]
if !ok { if !ok {
return nil, errNoSuchUser return nil, errNoSuchUser
@ -1891,7 +1887,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args, parentUser string) bool
} }
// Check policy for this LDAP user. // Check policy for this LDAP user.
ldapPolicies, err := sys.PolicyDBGetLDAP(parentUser, args.Groups...) ldapPolicies, err := sys.PolicyDBGet(parentUser, false, args.Groups...)
if err != nil { if err != nil {
return false return false
} }
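Review bot: PolicyDBGet silently ignores the variadic `groups` when `isGroup` is true (the loop sits under `if !isGroup {`), but the new doc comment only says that group policies are included when a list is given; suggest adding `// The groups argument is consulted only when isGroup is false; it is ignored for group lookups.` The old PolicyDBGetLDAP read `sys.iamGroupPolicyMap[group]` directly, so a group missing from the map contributed nothing, whereas the new loop delegates to `policyDBGet(group, true)` whose isGroup branch is partly outside the hunk — worth confirming that in LDAP mode an unknown group still yields an empty list rather than an error, since any error now aborts the whole lookup and would make IsAllowedLDAPSTS fail closed for a user whose STS credential carries one stale group DN. Minor style point: `ps, err := sys.policyDBGet(group, true)` shadows the `err` declared by `policies, err := sys.policyDBGet(name, isGroup)`; harmless because it returns immediately, but `ps, gerr :=` would keep vet's shadow check quiet.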


@ -498,7 +498,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
} }
// Check if this user or their groups have a policy applied. // Check if this user or their groups have a policy applied.
ldapPolicies, _ := globalIAMSys.PolicyDBGetLDAP(ldapUserDN, groupDistNames...) ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
if len(ldapPolicies) == 0 { if len(ldapPolicies) == 0 {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request", fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
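Review bot: The error from PolicyDBGet is still discarded at `ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)`, and the callee now propagates errors from each per-group lookup as well, so every failure (errServerNotInitialized, an invalid argument, or a group lookup error) is indistinguishable from "no policy set" and surfaces to the client as ErrSTSInvalidParameterValue. That fails closed, which is the right default, but the operator loses the cause; suggest `ldapPolicies, err := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)` with a branch that logs `err` before the rejection, or at minimum a comment such as `// Lookup errors deliberately collapse into "no policy": the request is rejected below either way.` The discard predates this commit, but the wider error surface of the new callee makes it worth addressing here. AssumeRoleWithLDAPIdentity starts and ends outside the hunk.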