Set the policy mapping for a user or group (#8036)

Add API to set policy mapping for a user or group Contains a breaking Admin APIs change. - Also enforce all applicable policies - Removes the previous /set-user-policy API Bump up peerRESTVersion Add get user info API to show groups of a user
2025-11-09 21:49:46 -05:00 · 2019-08-13 13:41:06 -07:00
parent bc79b435a2
commit bf9b619d86
10 changed files with 301 additions and 78 deletions
--- a/pkg/madmin/policy-commands.go
+++ b/pkg/madmin/policy-commands.go
@@ -105,3 +105,32 @@ func (adm *AdminClient) AddCannedPolicy(policyName, policy string) error {

 	return nil
 }
+
+// SetPolicy - sets the policy for a user or a group.
+func (adm *AdminClient) SetPolicy(policyName, entityName string, isGroup bool) error {
+	queryValues := url.Values{}
+	queryValues.Set("policyName", policyName)
+	queryValues.Set("userOrGroup", entityName)
+	groupStr := "false"
+	if isGroup {
+		groupStr = "true"
+	}
+	queryValues.Set("isGroup", groupStr)
+
+	reqData := requestData{
+		relPath:     "/v1/set-user-or-group-policy",
+		queryValues: queryValues,
+	}
+
+	// Execute PUT on /minio/admin/v1/set-user-or-group-policy to set policy.
+	resp, err := adm.executeMethod("PUT", reqData)
+	defer closeResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return httpRespToErrorResponse(resp)
+	}
+	return nil
+}
--- a/pkg/madmin/user-commands.go
+++ b/pkg/madmin/user-commands.go
@@ -19,6 +19,7 @@ package madmin

 import (
 	"encoding/json"
+	"io/ioutil"
 	"net/http"
 	"net/url"

@@ -39,6 +40,7 @@ type UserInfo struct {
 	SecretKey  string        `json:"secretKey,omitempty"`
 	PolicyName string        `json:"policyName,omitempty"`
 	Status     AccountStatus `json:"status"`
+	MemberOf   []string      `json:"memberOf,omitempty"`
 }

 // RemoveUser - remove a user.
@@ -97,6 +99,40 @@ func (adm *AdminClient) ListUsers() (map[string]UserInfo, error) {
 	return users, nil
 }

+// GetUserInfo - get info on a user
+func (adm *AdminClient) GetUserInfo(name string) (u UserInfo, err error) {
+	queryValues := url.Values{}
+	queryValues.Set("accessKey", name)
+
+	reqData := requestData{
+		relPath:     "/v1/user-info",
+		queryValues: queryValues,
+	}
+
+	// Execute GET on /minio/admin/v1/user-info
+	resp, err := adm.executeMethod("GET", reqData)
+
+	defer closeResponse(resp)
+	if err != nil {
+		return u, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return u, httpRespToErrorResponse(resp)
+	}
+
+	b, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return u, err
+	}
+
+	if err = json.Unmarshal(b, &u); err != nil {
+		return u, err
+	}
+
+	return u, nil
+}
+
 // SetUser - sets a user info.
 func (adm *AdminClient) SetUser(accessKey, secretKey string, status AccountStatus) error {

@@ -149,32 +185,6 @@ func (adm *AdminClient) AddUser(accessKey, secretKey string) error {
 	return adm.SetUser(accessKey, secretKey, AccountEnabled)
 }

-// SetUserPolicy - adds a policy for a user.
-func (adm *AdminClient) SetUserPolicy(accessKey, policyName string) error {
-	queryValues := url.Values{}
-	queryValues.Set("accessKey", accessKey)
-	queryValues.Set("name", policyName)
-
-	reqData := requestData{
-		relPath:     "/v1/set-user-policy",
-		queryValues: queryValues,
-	}
-
-	// Execute PUT on /minio/admin/v1/set-user-policy to set policy.
-	resp, err := adm.executeMethod("PUT", reqData)
-
-	defer closeResponse(resp)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return httpRespToErrorResponse(resp)
-	}
-
-	return nil
-}
-
 // SetUserStatus - adds a status for a user.
 func (adm *AdminClient) SetUserStatus(accessKey string, status AccountStatus) error {
 	queryValues := url.Values{}