mirror of
https://github.com/minio/minio.git
synced 2025-11-09 13:39:46 -05:00
fix: LDAP groups handling and group mapping (#11855)
comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
This commit is contained in:
Harshavardhana
GitHub
30
cmd/iam.go
30
cmd/iam.go
@@ -1661,6 +1661,34 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
|
||||
return nil
|
||||
}
|
||||
|
||||
// PolicyDBGetLDAP is only used by LDAP code, it is similar to PolicyDBGet
|
||||
func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, error) {
|
||||
if !sys.Initialized() {
|
||||
return nil, errServerNotInitialized
|
||||
}
|
||||
|
||||
if name == "" {
|
||||
return nil, errInvalidArgument
|
||||
}
|
||||
|
||||
sys.store.rlock()
|
||||
defer sys.store.runlock()
|
||||
|
||||
var policies []string
|
||||
mp, ok := sys.iamUserPolicyMap[name]
|
||||
if ok {
|
||||
// returned policy could be empty
|
||||
policies = append(policies, mp.toSlice()...)
|
||||
}
|
||||
|
||||
for _, group := range groups {
|
||||
p := sys.iamGroupPolicyMap[group]
|
||||
policies = append(policies, p.toSlice()...)
|
||||
}
|
||||
|
||||
return policies, nil
|
||||
}
|
||||
|
||||
// PolicyDBGet - gets policy set on a user or group. Since a user may
|
||||
// be a member of multiple groups, this function returns an array of
|
||||
// applicable policies
|
||||
@@ -1863,7 +1891,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args, parentUser string) bool
|
||||
}
|
||||
|
||||
// Check policy for this LDAP user.
|
||||
ldapPolicies, err := sys.PolicyDBGet(args.AccountName, false)
|
||||
ldapPolicies, err := sys.PolicyDBGetLDAP(args.AccountName, args.Groups...)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user