From ba756cf3664c99b0589cfc087683258fdea3655f Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Fri, 10 Jul 2020 14:48:44 -0700 Subject: [PATCH] fix: extract array type for policy claim if present (#10014) --- cmd/sts-handlers.go | 5 +++-- docs/gateway/hdfs.md | 10 +++------- pkg/iam/policy/policy.go | 13 ++++++++++--- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go index fdc3806b3..4d1cfb299 100644 --- a/cmd/sts-handlers.go +++ b/cmd/sts-handlers.go @@ -357,8 +357,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ // be set and configured on your identity provider as part of // JWT custom claims. var policyName string - if v, ok := m[iamPolicyClaimNameOpenID()]; ok { - policyName, _ = v.(string) + policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID()) + if ok { + policyName = strings.Join(policySet.ToSlice(), ",") } var subFromToken string diff --git a/docs/gateway/hdfs.md b/docs/gateway/hdfs.md index 41c25effe..ab1361046 100644 --- a/docs/gateway/hdfs.md +++ b/docs/gateway/hdfs.md @@ -1,6 +1,8 @@ # MinIO HDFS Gateway [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io) MinIO HDFS gateway adds Amazon S3 API support to Hadoop HDFS filesystem. Applications can use both the S3 and file APIs concurrently without requiring any data migration. Since the gateway is stateless and shared-nothing, you may elastically provision as many MinIO instances as needed to distribute the load. +> NOTE: Intention of this gateway implementation it to make it easy to migrate your existing data on HDFS clusters to MinIO clusters using standard tools like `mc` or `aws-cli`, if the goal is to use HDFS perpetually we recommend that HDFS should be used directly for all write operations. + ## Run MinIO Gateway for HDFS Storage ### Using Binary 
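Review bot: In cmd/sts-handlers.go (AssumeRoleWithJWT), a token whose policy claim is absent, or yields an empty set, still falls through with `policyName == ""`, and nothing in this hunk shows the request being rejected in that case. Because this value selects the IAM policies attached to the temporary credentials, consider failing closed if an empty policy is not a supported configuration, e.g. guard with `if !ok || policySet.IsEmpty()` and return the handler's usual STS error instead of continuing. The comma-joined form also assumes policy names never contain `,`; a comment such as `// policyName is a comma-separated list of policy names taken from the JWT claim` would make that contract explicit for whoever splits it later. The function body starts and ends outside the hunk, so how an empty name is treated downstream should be confirmed there.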
@@ -58,13 +60,7 @@ Gateway inherits the following limitations of HDFS storage layer: - No bucket notification APIs are not supported (HDFS has no support for fsnotify) - No server side encryption support (Intentionally not implemented) - No server side compression support (Intentionally not implemented) - -## Roadmap -- Additional metadata support for PutObject operations -- Additional metadata support for Multipart operations -- Background append to provide concurrency support for multipart operations - -Please open a GitHub issue if you wish these to be fixed https://github.com/minio/minio/issues +- Concurrent multipart operations are not supported (HDFS lacks safe locking support, or poorly implemented) ## Explore Further - [`mc` command-line interface](https://docs.minio.io/docs/minio-client-quickstart-guide) diff --git a/pkg/iam/policy/policy.go b/pkg/iam/policy/policy.go index 3d1138c93..0133c5769 100644 --- a/pkg/iam/policy/policy.go +++ b/pkg/iam/policy/policy.go @@ -39,10 +39,11 @@ type Args struct { Claims map[string]interface{} `json:"claims"` } -// GetPolicies get policies -func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) { +// GetPoliciesFromClaims returns the list of policies to be applied for this +// incoming request, extracting the information from input JWT claims. +func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool) { s := set.NewStringSet() - pname, ok := a.Claims[policyClaimName] + pname, ok := claims[policyClaimName] if !ok { return s, false } 
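Review bot: `GetPoliciesFromClaims` in pkg/iam/policy/policy.go becomes the exported entry point for turning an identity-provider claim into IAM policy names, yet the commit touches no `_test.go` file (three files changed, none of them a test). A table-driven test covering an absent claim, a single string, an array of strings and an array holding non-string elements would pin the authorization-relevant behaviour this fix is about. The doc comment should also state what the boolean means; from the visible lines it is false when the claim key is absent, e.g. `// The returned bool is false when policyClaimName is not present in claims.` The rest of the body lies outside this hunk, so the handling of the array case could not be checked here.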
@@ -67,6 +68,12 @@ func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) { return s, true } +// GetPolicies returns the list of policies to be applied for this +// incoming request, extracting the information from JWT claims. +func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) { + return GetPoliciesFromClaims(a.Claims, policyClaimName) +} + // Policy - iam bucket iamp. type Policy struct { ID policy.ID `json:"ID,omitempty"`