fix: LDAP groups handling and group mapping (#11855)

Comprehensively handle group mapping for LDAP
users across the IAM subsystem.
This commit is contained in:
Harshavardhana
2021-03-23 15:15:51 -07:00
committed by GitHub
parent da70e6ddf6
commit d23485e571
7 changed files with 68 additions and 34 deletions


@@ -498,20 +498,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
}
// Check if this user or their groups have a policy applied.
globalIAMSys.Lock()
found := false
if _, ok := globalIAMSys.iamUserPolicyMap[ldapUserDN]; ok {
found = true
}
for _, groupDistName := range groupDistNames {
if _, ok := globalIAMSys.iamGroupPolicyMap[groupDistName]; ok {
found = true
break
}
}
globalIAMSys.Unlock()
if !found {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request", ldapUserDN, strings.Join(groupDistNames, "`,`")))
ldapPolicies, _ := globalIAMSys.PolicyDBGetLDAP(ldapUserDN, groupDistNames...)
if len(ldapPolicies) == 0 {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
ldapUserDN, strings.Join(groupDistNames, "`,`")))
return
}