docs: Add policy variables for resource and conditions (#10278)

Bonus fix adds LDAP policy variable and clarifies the
usage of policy variables for temporary credentials.

fixes #10197
This commit is contained in:
Harshavardhana 2020-08-17 17:39:55 -07:00 committed by GitHub
parent e57c742674
commit ede86845e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 176 additions and 14 deletions

View File

@ -68,6 +68,12 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
principalType := "Anonymous"
if username != "" {
principalType = "User"
if len(claims) > 0 {
principalType = "AssumedRole"
}
if username == globalActiveCred.AccessKey {
principalType = "Account"
}
}
vid := r.URL.Query().Get("versionId")
@ -143,6 +149,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
for k, v := range claims {
vStr, ok := v.(string)
if ok {
// Special case for AD/LDAP STS users
if k == ldapUser {
args[ldapUserPolicyVariable] = []string{vStr}
}
args[k] = []string{vStr}
}
}

View File

@ -94,13 +94,13 @@ func printStartupSafeModeMessage(apiEndpoints []string, err error) {
if color.IsTerminal() && !globalCLIContext.Anonymous {
logStartupMessage(color.RedBold("\nCommand-line Access: ") + mcAdminQuickStartGuide)
if runtime.GOOS == globalWindowsOSName {
mcMessage := fmt.Sprintf("> mc.exe config host add %s %s %s %s --api s3v4", alias,
mcMessage := fmt.Sprintf("> mc.exe alias set %s %s %s %s --api s3v4", alias,
endPoint, cred.AccessKey, cred.SecretKey)
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
mcMessage = "> mc.exe admin config --help"
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
} else {
mcMessage := fmt.Sprintf("$ mc config host add %s %s %s %s --api s3v4", alias,
mcMessage := fmt.Sprintf("$ mc alias set %s %s %s %s --api s3v4", alias,
endPoint, cred.AccessKey, cred.SecretKey)
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
mcMessage = "$ mc admin config --help"
@ -233,11 +233,11 @@ func printCLIAccessMsg(endPoint string, alias string) {
if color.IsTerminal() && !globalCLIContext.Anonymous {
logStartupMessage(color.Blue("\nCommand-line Access: ") + mcQuickStartGuide)
if runtime.GOOS == globalWindowsOSName {
mcMessage := fmt.Sprintf("$ mc.exe config host add %s %s %s %s", alias,
mcMessage := fmt.Sprintf("$ mc.exe alias set %s %s %s %s", alias,
endPoint, cred.AccessKey, cred.SecretKey)
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
} else {
mcMessage := fmt.Sprintf("$ mc config host add %s %s %s %s", alias,
mcMessage := fmt.Sprintf("$ mc alias set %s %s %s %s", alias,
endPoint, cred.AccessKey, cred.SecretKey)
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
}

View File

@ -62,6 +62,7 @@ const (
// LDAP claim keys
ldapUser = "ldapUser"
ldapUserPolicyVariable = "ldap:user"
)
// stsAPIHandlers implements and provides http handlers for AWS STS API.

View File

@ -27,7 +27,7 @@ MinIO Gateway comes with an embedded web based object browser. Point your web br
### Configure `mc`
```
mc config host add myazure http://gateway-ip:9000 azureaccountname azureaccountkey
mc alias set myazure http://gateway-ip:9000 azureaccountname azureaccountkey
```
### List containers on Microsoft Azure

View File

@ -53,7 +53,7 @@ MinIO Client is a command-line tool called `mc` that provides UNIX-like commands
Use the following command to configure the gateway:
```sh
mc config host add mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
mc alias set mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
```
### 3.2 List Containers on GCS

View File

@ -42,7 +42,7 @@ docker run -p 9000:9000 \
### Configure `mc`
```
mc config host add myhdfs http://gateway-ip:9000 access_key secret_key
mc alias set myhdfs http://gateway-ip:9000 access_key secret_key
```
### List buckets on hdfs

View File

@ -37,7 +37,7 @@ MinIO Gateway comes with an embedded web based object browser. Point your web br
### Configure `mc`
```
mc config host add mynas http://gateway-ip:9000 access_key secret_key
mc alias set mynas http://gateway-ip:9000 access_key secret_key
```
### List buckets on nas

View File

@ -109,10 +109,135 @@ mc admin group list myminio
### 8. Configure `mc`
```
mc config host add myminio-newuser http://localhost:9000 newuser newuser123 --api s3v4
mc alias set myminio-newuser http://localhost:9000 newuser newuser123 --api s3v4
mc cat myminio-newuser/my-bucketname/my-objectname
```
### Policy Variables
You can use policy variables in the *Resource* element and in string comparisons in the *Condition* element.
You can use a policy variable in the Resource element, but only in the resource portion of the ARN. This portion of the ARN appears after the 5th colon (:). You can't use a variable to replace parts of the ARN before the 5th colon, such as the service or account. The following policy might be attached to a group. It gives each of the users in the group full programmatic access to a user-specific object (their own "home directory") in MinIO.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}
```
If the user is authenticating using an STS credential which was authorized from OpenID connect we allow all `jwt:*` variables specified in the JWT specification, custom `jwt:*` or extensions are not supported.
List of policy variables for OpenID based STS.
```
"jwt:sub"
"jwt:iss"
"jwt:aud"
"jwt:jti"
"jwt:upn"
"jwt:name"
"jwt:groups"
"jwt:given_name"
"jwt:family_name"
"jwt:middle_name"
"jwt:nickname"
"jwt:preferred_username"
"jwt:profile"
"jwt:picture"
"jwt:website"
"jwt:email"
"jwt:gender"
"jwt:birthdate"
"jwt:phone_number"
"jwt:address"
"jwt:scope"
"jwt:client_id"
```
Following example shows OpenID users with full programmatic access to a OpenID user-specific directory (their own "home directory") in MinIO.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${jwt:preferred_username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${jwt:preferred_username}/*"]
}
]
}
```
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
}
]
}
```
#### Common information available in all requests
- *aws:CurrentTime* - This can be used for conditions that check the date and time.
- *aws:EpochTime* - This is the date in epoch or Unix time, for use with date/time conditions.
- *aws:PrincipalType* - This value indicates whether the principal is an account (Root credential), user (MinIO user), or assumed role (STS)
- *aws:SecureTransport* - This is a Boolean value that represents whether the request was sent over TLS.
- *aws:SourceIp* - This is the requester's IP address, for use with IP address conditions. If running behind Nginx like proxies, MinIO preserve's the source IP.
```
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::mybucket",
"Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
}
}
```
- *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
## Explore Further
- [MinIO Client Complete Guide](https://docs.min.io/docs/minio-client-complete-guide)
- [MinIO STS Quickstart Guide](https://docs.min.io/docs/minio-sts-quickstart-guide)

View File

@ -62,7 +62,7 @@ This admin user will then be allowed to perform create/delete user operations vi
### 3. Configure `mc` and create another user user1 with attached policy user1policy
```
mc config host add myminio-admin1 http://localhost:9000 admin1 admin123 --api s3v4
mc alias set myminio-admin1 http://localhost:9000 admin1 admin123 --api s3v4
mc admin user add myminio-admin1 user1 user123
mc admin policy add myminio-admin1 user1policy ~/user1policy.json

View File

@ -26,7 +26,7 @@ MinIO Gateway配有嵌入式网络对象浏览器。 将您的Web浏览器指向
### 配置 `mc`
```
mc config host add myazure http://gateway-ip:9000 azureaccountname azureaccountkey
mc alias set myazure http://gateway-ip:9000 azureaccountname azureaccountkey
```
### 列出微软Azure上的容器

View File

@ -41,7 +41,7 @@ MinIO Gateway配有嵌入式网络对象浏览器。 将您的Web浏览器指向
### 配置 `mc`
```
mc config host add mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
mc alias set mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
```
### 列出GCS上的容器

View File

@ -26,7 +26,7 @@ minio gateway nas /shared/nasvol
### 设置`mc`
```
mc config host add mynas http://gateway-ip:9000 access_key secret_key
mc alias set mynas http://gateway-ip:9000 access_key secret_key
```
### 列举nas上的存储桶

View File

@ -137,6 +137,7 @@ var AllSupportedKeys = append([]Key{
AWSPrincipalType,
AWSUserID,
AWSUsername,
LDAPUser,
// Add new supported condition keys.
}, JWTKeys...)
@ -152,6 +153,7 @@ var CommonKeys = append([]Key{
AWSUserID,
AWSUsername,
S3XAmzContentSha256,
LDAPUser,
}, JWTKeys...)
func substFuncFromValues(values map[string][]string) func(string) string {
@ -199,6 +201,8 @@ func (key Key) Name() string {
return strings.TrimPrefix(keyString, "aws:")
} else if strings.HasPrefix(keyString, "jwt:") {
return strings.TrimPrefix(keyString, "jwt:")
} else if strings.HasPrefix(keyString, "ldap:") {
return strings.TrimPrefix(keyString, "ldap:")
}
return strings.TrimPrefix(keyString, "s3:")
}

View File

@ -0,0 +1,22 @@
/*
* MinIO Cloud Storage, (C) 2020 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package condition
const (
// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user.
LDAPUser Key = "ldap:user"
)