Remove globalLDAPConfig (#16706)

Aditya Manthramurthy 2023-02-24 18:37:22 -08:00 committed by GitHub
parent 94c6cb1323
commit e05f3d5d84
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 31 additions and 33 deletions


@ -180,7 +180,7 @@ func handleCreateUpdateValidation(s config.Config, subSys, cfgTarget string, isU
case madmin.IdentityOpenIDSubSys: case madmin.IdentityOpenIDSubSys:
cfgInfos, _ = globalOpenIDConfig.GetConfigInfo(s, cfgTarget) cfgInfos, _ = globalOpenIDConfig.GetConfigInfo(s, cfgTarget)
case madmin.IdentityLDAPSubSys: case madmin.IdentityLDAPSubSys:
cfgInfos, _ = globalLDAPConfig.GetConfigInfo(s, cfgTarget) cfgInfos, _ = globalIAMSys.LDAPConfig.GetConfigInfo(s, cfgTarget)
} }
if len(cfgInfos) > 0 && !isUpdate { if len(cfgInfos) > 0 && !isUpdate {
@ -243,7 +243,7 @@ func (a adminAPIHandlers) ListIdentityProviderCfg(w http.ResponseWriter, r *http
cfgList, err = globalOpenIDConfig.GetConfigList(cfg) cfgList, err = globalOpenIDConfig.GetConfigList(cfg)
case madmin.LDAPIDPCfg: case madmin.LDAPIDPCfg:
cfg := globalServerConfig.Clone() cfg := globalServerConfig.Clone()
cfgList, err = globalLDAPConfig.GetConfigList(cfg) cfgList, err = globalIAMSys.LDAPConfig.GetConfigList(cfg)
default: default:
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL) writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
@ -298,7 +298,7 @@ func (a adminAPIHandlers) GetIdentityProviderCfg(w http.ResponseWriter, r *http.
case madmin.OpenidIDPCfg: case madmin.OpenidIDPCfg:
cfgInfos, err = globalOpenIDConfig.GetConfigInfo(cfg, cfgName) cfgInfos, err = globalOpenIDConfig.GetConfigInfo(cfg, cfgName)
case madmin.LDAPIDPCfg: case madmin.LDAPIDPCfg:
cfgInfos, err = globalLDAPConfig.GetConfigInfo(cfg, cfgName) cfgInfos, err = globalIAMSys.LDAPConfig.GetConfigInfo(cfg, cfgName)
} }
if err != nil { if err != nil {
if errors.Is(err, openid.ErrProviderConfigNotFound) || errors.Is(err, cfgldap.ErrProviderConfigNotFound) { if errors.Is(err, openid.ErrProviderConfigNotFound) || errors.Is(err, cfgldap.ErrProviderConfigNotFound) {
@ -380,7 +380,7 @@ func (a adminAPIHandlers) DeleteIdentityProviderCfg(w http.ResponseWriter, r *ht
} }
case madmin.LDAPIDPCfg: case madmin.LDAPIDPCfg:
subSys = config.IdentityLDAPSubSys subSys = config.IdentityLDAPSubSys
cfgInfos, err := globalLDAPConfig.GetConfigInfo(cfgCopy, cfgName) cfgInfos, err := globalIAMSys.LDAPConfig.GetConfigInfo(cfgCopy, cfgName)
if err != nil { if err != nil {
if errors.Is(err, openid.ErrProviderConfigNotFound) { if errors.Is(err, openid.ErrProviderConfigNotFound) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminNoSuchConfigTarget), r.URL) writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminNoSuchConfigTarget), r.URL)
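Review bot: The new reads of `globalIAMSys.LDAPConfig` on the GetConfigInfo/GetConfigList lines in this section go through a struct field that IAMSys.Init assigns while holding `sys.Lock()` (the `sys.LDAPConfig = ldapConfig` hunk in the IAM file), but none of these call sites take that lock, so the field is read without the synchronisation its writer uses. The same pattern recurs in the AddServiceAccount/ImportIAM, getServerInfo, minioConfigToConsoleFeatures, GetIDPSettings/PeerSTSAccHandler and AssumeRoleWithLDAPIdentity hunks, so I am raising it once here. This is no worse than the package-level `globalLDAPConfig` it replaces and is harmless if Init finishes before any handler runs, but moving the value onto a mutex-guarded struct invites readers to assume the mutex protects it. Either an accessor such as `func (sys *IAMSys) LDAP() xldap.Config { sys.Lock(); defer sys.Unlock(); return sys.LDAPConfig }` (using `Clone()` if a plain copy of the Config is not safe) or a doc comment on the field stating that it is written once during Init and treated as read-only afterwards would make the contract explicit. The enclosing handler functions in this section start outside the hunks.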


@ -741,9 +741,9 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
// In case of LDAP we need to resolve the targetUser to a DN and // In case of LDAP we need to resolve the targetUser to a DN and
// query their groups: // query their groups:
if globalLDAPConfig.Enabled() { if globalIAMSys.LDAPConfig.Enabled() {
opts.claims[ldapUserN] = targetUser // simple username opts.claims[ldapUserN] = targetUser // simple username
targetUser, targetGroups, err = globalLDAPConfig.LookupUserDN(targetUser) targetUser, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
@ -2455,9 +2455,9 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
// In case of LDAP we need to resolve the targetUser to a DN and // In case of LDAP we need to resolve the targetUser to a DN and
// query their groups: // query their groups:
if globalLDAPConfig.Enabled() { if globalIAMSys.LDAPConfig.Enabled() {
opts.claims[ldapUserN] = svcAcctReq.AccessKey // simple username opts.claims[ldapUserN] = svcAcctReq.AccessKey // simple username
targetUser, _, err := globalLDAPConfig.LookupUserDN(svcAcctReq.AccessKey) targetUser, _, err := globalIAMSys.LDAPConfig.LookupUserDN(svcAcctReq.AccessKey)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL) writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return return


@ -1819,8 +1819,8 @@ func getServerInfo(ctx context.Context, poolsInfoEnabled bool, r *http.Request)
kmsStat := fetchKMSStatus() kmsStat := fetchKMSStatus()
ldap := madmin.LDAP{} ldap := madmin.LDAP{}
if globalLDAPConfig.Enabled() { if globalIAMSys.LDAPConfig.Enabled() {
ldapConn, err := globalLDAPConfig.LDAP.Connect() ldapConn, err := globalIAMSys.LDAPConfig.LDAP.Connect()
//nolint:gocritic //nolint:gocritic
if err != nil { if err != nil {
ldap.Status = string(madmin.ItemOffline) ldap.Status = string(madmin.ItemOffline)


@ -205,7 +205,7 @@ func minioConfigToConsoleFeatures() {
} }
} }
// Enable if LDAP is enabled. // Enable if LDAP is enabled.
if globalLDAPConfig.Enabled() { if globalIAMSys.LDAPConfig.Enabled() {
os.Setenv("CONSOLE_LDAP_ENABLED", config.EnableOn) os.Setenv("CONSOLE_LDAP_ENABLED", config.EnableOn)
} }
os.Setenv("CONSOLE_MINIO_REGION", globalSite.Region) os.Setenv("CONSOLE_MINIO_REGION", globalSite.Region)


@ -42,7 +42,6 @@ import (
"github.com/minio/minio/internal/config/callhome" "github.com/minio/minio/internal/config/callhome"
"github.com/minio/minio/internal/config/compress" "github.com/minio/minio/internal/config/compress"
"github.com/minio/minio/internal/config/dns" "github.com/minio/minio/internal/config/dns"
xldap "github.com/minio/minio/internal/config/identity/ldap"
"github.com/minio/minio/internal/config/identity/openid" "github.com/minio/minio/internal/config/identity/openid"
idplugin "github.com/minio/minio/internal/config/identity/plugin" idplugin "github.com/minio/minio/internal/config/identity/plugin"
xtls "github.com/minio/minio/internal/config/identity/tls" xtls "github.com/minio/minio/internal/config/identity/tls"
@ -201,7 +200,6 @@ var (
globalStorageClass storageclass.Config globalStorageClass storageclass.Config
globalLDAPConfig xldap.Config
globalOpenIDConfig openid.Config globalOpenIDConfig openid.Config
globalSTSTLSConfig xtls.Config globalSTSTLSConfig xtls.Config


@ -87,7 +87,7 @@ type IAMSys struct {
sync.Mutex sync.Mutex
iamRefreshInterval time.Duration iamRefreshInterval time.Duration
ldapConfig xldap.Config // only valid if usersSysType is LDAPUsers LDAPConfig xldap.Config // only valid if usersSysType is LDAPUsers
openIDConfig openid.Config // only valid if OpenID is configured openIDConfig openid.Config // only valid if OpenID is configured
usersSysType UsersSysType usersSysType UsersSysType
@ -163,7 +163,7 @@ func (sys *IAMSys) LoadServiceAccount(ctx context.Context, accessKey string) err
// initStore initializes IAM stores // initStore initializes IAM stores
func (sys *IAMSys) initStore(objAPI ObjectLayer, etcdClient *etcd.Client) { func (sys *IAMSys) initStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
if sys.ldapConfig.Enabled() { if sys.LDAPConfig.Enabled() {
sys.SetUsersSysType(LDAPUsersSysType) sys.SetUsersSysType(LDAPUsersSysType)
} }
@ -221,7 +221,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
} }
// Initialize if LDAP is enabled // Initialize if LDAP is enabled
globalLDAPConfig, err = xldap.Lookup(s, globalRootCAs) ldapConfig, err := xldap.Lookup(s, globalRootCAs)
if err != nil { if err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err)) logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
} }
@ -257,7 +257,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
sys.Lock() sys.Lock()
defer sys.Unlock() defer sys.Unlock()
sys.ldapConfig = globalLDAPConfig.Clone() sys.LDAPConfig = ldapConfig
sys.openIDConfig = globalOpenIDConfig.Clone() sys.openIDConfig = globalOpenIDConfig.Clone()
sys.iamRefreshInterval = iamRefreshInterval sys.iamRefreshInterval = iamRefreshInterval
@ -337,7 +337,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
} }
} }
}() }()
case sys.ldapConfig.Enabled(): case sys.LDAPConfig.Enabled():
go func() { go func() {
timer := time.NewTimer(refreshInterval) timer := time.NewTimer(refreshInterval)
defer timer.Stop() defer timer.Stop()
@ -800,7 +800,7 @@ func (sys *IAMSys) QueryLDAPPolicyEntities(ctx context.Context, q madmin.PolicyE
select { select {
case <-sys.configLoaded: case <-sys.configLoaded:
pe := sys.store.ListLDAPPolicyMappings(q, sys.ldapConfig.IsLDAPUserDN, sys.ldapConfig.IsLDAPGroupDN) pe := sys.store.ListLDAPPolicyMappings(q, sys.LDAPConfig.IsLDAPUserDN, sys.LDAPConfig.IsLDAPGroupDN)
pe.Timestamp = UTCNow() pe.Timestamp = UTCNow()
return &pe, nil return &pe, nil
case <-ctx.Done(): case <-ctx.Done():
@ -1302,14 +1302,14 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
parentUsers := sys.store.GetAllParentUsers() parentUsers := sys.store.GetAllParentUsers()
var allDistNames []string var allDistNames []string
for parentUser := range parentUsers { for parentUser := range parentUsers {
if !sys.ldapConfig.IsLDAPUserDN(parentUser) { if !sys.LDAPConfig.IsLDAPUserDN(parentUser) {
continue continue
} }
allDistNames = append(allDistNames, parentUser) allDistNames = append(allDistNames, parentUser)
} }
expiredUsers, err := sys.ldapConfig.GetNonEligibleUserDistNames(allDistNames) expiredUsers, err := sys.LDAPConfig.GetNonEligibleUserDistNames(allDistNames)
if err != nil { if err != nil {
// Log and return on error - perhaps it'll work the next time. // Log and return on error - perhaps it'll work the next time.
logger.LogIf(GlobalContext, err) logger.LogIf(GlobalContext, err)
@ -1331,7 +1331,7 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
// DN to ldap username mapping for each LDAP user // DN to ldap username mapping for each LDAP user
parentUserToLDAPUsernameMap := make(map[string]string) parentUserToLDAPUsernameMap := make(map[string]string)
for _, cred := range allCreds { for _, cred := range allCreds {
if !sys.ldapConfig.IsLDAPUserDN(cred.ParentUser) { if !sys.LDAPConfig.IsLDAPUserDN(cred.ParentUser) {
continue continue
} }
// Check if this is the first time we are // Check if this is the first time we are
@ -1379,7 +1379,7 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
} }
// 2. Query LDAP server for groups of the LDAP users collected. // 2. Query LDAP server for groups of the LDAP users collected.
updatedGroups, err := sys.ldapConfig.LookupGroupMemberships(parentUsers, parentUserToLDAPUsernameMap) updatedGroups, err := sys.LDAPConfig.LookupGroupMemberships(parentUsers, parentUserToLDAPUsernameMap)
if err != nil { if err != nil {
// Log and return on error - perhaps it'll work the next time. // Log and return on error - perhaps it'll work the next time.
logger.LogIf(GlobalContext, err) logger.LogIf(GlobalContext, err)
@ -1566,7 +1566,7 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
var dn string var dn string
var isGroup bool var isGroup bool
if r.User != "" { if r.User != "" {
dn, err = globalLDAPConfig.DoesUsernameExist(r.User) dn, err = sys.LDAPConfig.DoesUsernameExist(r.User)
if err != nil { if err != nil {
logger.LogIf(ctx, err) logger.LogIf(ctx, err)
return updatedAt, nil, err return updatedAt, nil, err
@ -1576,7 +1576,7 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
} }
isGroup = false isGroup = false
} else { } else {
if exists, err := globalLDAPConfig.DoesGroupDNExist(r.Group); err != nil { if exists, err := sys.LDAPConfig.DoesGroupDNExist(r.Group); err != nil {
logger.LogIf(ctx, err) logger.LogIf(ctx, err)
return updatedAt, nil, err return updatedAt, nil, err
} else if !exists { } else if !exists {
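Review bot: `ldapConfig, err := xldap.Lookup(s, globalRootCAs)` in the Init hunk switches the statement from `=` to `:=`; if `err` is already declared in an enclosing scope of Init (the function begins outside the hunk, so I cannot confirm this from the diff), the `:=` introduces a new `err` that shadows it, which is the classic way a later error check ends up testing the wrong variable — `var ldapConfig xldap.Config` followed by `ldapConfig, err = xldap.Lookup(s, globalRootCAs)` sidesteps the question. Separately, `LDAPConfig` is now an exported field on the exported `IAMSys` type, so it should carry a doc comment in the conventional form rather than the trailing remark, e.g. `// LDAPConfig is the parsed LDAP identity configuration; only meaningful when usersSysType is LDAPUsersSysType.` Dropping `.Clone()` on the `sys.LDAPConfig = ldapConfig` line looks fine because `ldapConfig` is a fresh local that nothing else retains.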


@ -599,11 +599,11 @@ func (c *SiteReplicationSys) PeerJoinReq(ctx context.Context, arg madmin.SRPeerJ
func (c *SiteReplicationSys) GetIDPSettings(ctx context.Context) madmin.IDPSettings { func (c *SiteReplicationSys) GetIDPSettings(ctx context.Context) madmin.IDPSettings {
s := madmin.IDPSettings{} s := madmin.IDPSettings{}
s.LDAP = madmin.LDAPSettings{ s.LDAP = madmin.LDAPSettings{
IsLDAPEnabled: globalLDAPConfig.Enabled(), IsLDAPEnabled: globalIAMSys.LDAPConfig.Enabled(),
LDAPUserDNSearchBase: globalLDAPConfig.LDAP.UserDNSearchBaseDistName, LDAPUserDNSearchBase: globalIAMSys.LDAPConfig.LDAP.UserDNSearchBaseDistName,
LDAPUserDNSearchFilter: globalLDAPConfig.LDAP.UserDNSearchFilter, LDAPUserDNSearchFilter: globalIAMSys.LDAPConfig.LDAP.UserDNSearchFilter,
LDAPGroupSearchBase: globalLDAPConfig.LDAP.GroupSearchBaseDistName, LDAPGroupSearchBase: globalIAMSys.LDAPConfig.LDAP.GroupSearchBaseDistName,
LDAPGroupSearchFilter: globalLDAPConfig.LDAP.GroupSearchFilter, LDAPGroupSearchFilter: globalIAMSys.LDAPConfig.LDAP.GroupSearchFilter,
} }
s.OpenID = globalOpenIDConfig.GetSettings() s.OpenID = globalOpenIDConfig.GetSettings()
if s.OpenID.Enabled { if s.OpenID.Enabled {
@ -1328,7 +1328,7 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred *mad
switch { switch {
case isLDAPSTS: case isLDAPSTS:
// Need to lookup the groups from LDAP. // Need to lookup the groups from LDAP.
_, ldapGroups, err := globalLDAPConfig.LookupUserDN(ldapUser) _, ldapGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(ldapUser)
if err != nil { if err != nil {
return fmt.Errorf("unable to query LDAP server for %s: %w", ldapUser, err) return fmt.Errorf("unable to query LDAP server for %s: %w", ldapUser, err)
} }


@ -598,7 +598,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
} }
} }
ldapUserDN, groupDistNames, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword) ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
if err != nil { if err != nil {
err = fmt.Errorf("LDAP server error: %w", err) err = fmt.Errorf("LDAP server error: %w", err)
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
@ -614,7 +614,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
return return
} }
expiryDur, err := globalLDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds)) expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return