mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
docs: Add policy variables for resource and conditions (#10278)
Bonus fix adds LDAP policy variable and clarifies the usage of policy variables for temporary credentials. fixes #10197
This commit is contained in:
parent
e57c742674
commit
ede86845e5
@ -68,6 +68,12 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
|
||||
principalType := "Anonymous"
|
||||
if username != "" {
|
||||
principalType = "User"
|
||||
if len(claims) > 0 {
|
||||
principalType = "AssumedRole"
|
||||
}
|
||||
if username == globalActiveCred.AccessKey {
|
||||
principalType = "Account"
|
||||
}
|
||||
}
|
||||
|
||||
vid := r.URL.Query().Get("versionId")
|
||||
@ -143,6 +149,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
|
||||
for k, v := range claims {
|
||||
vStr, ok := v.(string)
|
||||
if ok {
|
||||
// Special case for AD/LDAP STS users
|
||||
if k == ldapUser {
|
||||
args[ldapUserPolicyVariable] = []string{vStr}
|
||||
}
|
||||
args[k] = []string{vStr}
|
||||
}
|
||||
}
|
||||
|
@ -94,13 +94,13 @@ func printStartupSafeModeMessage(apiEndpoints []string, err error) {
|
||||
if color.IsTerminal() && !globalCLIContext.Anonymous {
|
||||
logStartupMessage(color.RedBold("\nCommand-line Access: ") + mcAdminQuickStartGuide)
|
||||
if runtime.GOOS == globalWindowsOSName {
|
||||
mcMessage := fmt.Sprintf("> mc.exe config host add %s %s %s %s --api s3v4", alias,
|
||||
mcMessage := fmt.Sprintf("> mc.exe alias set %s %s %s %s --api s3v4", alias,
|
||||
endPoint, cred.AccessKey, cred.SecretKey)
|
||||
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
|
||||
mcMessage = "> mc.exe admin config --help"
|
||||
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
|
||||
} else {
|
||||
mcMessage := fmt.Sprintf("$ mc config host add %s %s %s %s --api s3v4", alias,
|
||||
mcMessage := fmt.Sprintf("$ mc alias set %s %s %s %s --api s3v4", alias,
|
||||
endPoint, cred.AccessKey, cred.SecretKey)
|
||||
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
|
||||
mcMessage = "$ mc admin config --help"
|
||||
@ -233,11 +233,11 @@ func printCLIAccessMsg(endPoint string, alias string) {
|
||||
if color.IsTerminal() && !globalCLIContext.Anonymous {
|
||||
logStartupMessage(color.Blue("\nCommand-line Access: ") + mcQuickStartGuide)
|
||||
if runtime.GOOS == globalWindowsOSName {
|
||||
mcMessage := fmt.Sprintf("$ mc.exe config host add %s %s %s %s", alias,
|
||||
mcMessage := fmt.Sprintf("$ mc.exe alias set %s %s %s %s", alias,
|
||||
endPoint, cred.AccessKey, cred.SecretKey)
|
||||
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
|
||||
} else {
|
||||
mcMessage := fmt.Sprintf("$ mc config host add %s %s %s %s", alias,
|
||||
mcMessage := fmt.Sprintf("$ mc alias set %s %s %s %s", alias,
|
||||
endPoint, cred.AccessKey, cred.SecretKey)
|
||||
logStartupMessage(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage))
|
||||
}
|
||||
|
@ -62,6 +62,7 @@ const (
|
||||
|
||||
// LDAP claim keys
|
||||
ldapUser = "ldapUser"
|
||||
ldapUserPolicyVariable = "ldap:user"
|
||||
)
|
||||
|
||||
// stsAPIHandlers implements and provides http handlers for AWS STS API.
|
||||
|
@ -27,7 +27,7 @@ MinIO Gateway comes with an embedded web based object browser. Point your web br
|
||||
|
||||
### Configure `mc`
|
||||
```
|
||||
mc config host add myazure http://gateway-ip:9000 azureaccountname azureaccountkey
|
||||
mc alias set myazure http://gateway-ip:9000 azureaccountname azureaccountkey
|
||||
```
|
||||
|
||||
### List containers on Microsoft Azure
|
||||
|
@ -53,7 +53,7 @@ MinIO Client is a command-line tool called `mc` that provides UNIX-like commands
|
||||
Use the following command to configure the gateway:
|
||||
|
||||
```sh
|
||||
mc config host add mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
|
||||
mc alias set mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
|
||||
```
|
||||
|
||||
### 3.2 List Containers on GCS
|
||||
|
@ -42,7 +42,7 @@ docker run -p 9000:9000 \
|
||||
### Configure `mc`
|
||||
|
||||
```
|
||||
mc config host add myhdfs http://gateway-ip:9000 access_key secret_key
|
||||
mc alias set myhdfs http://gateway-ip:9000 access_key secret_key
|
||||
```
|
||||
|
||||
### List buckets on hdfs
|
||||
|
@ -37,7 +37,7 @@ MinIO Gateway comes with an embedded web based object browser. Point your web br
|
||||
### Configure `mc`
|
||||
|
||||
```
|
||||
mc config host add mynas http://gateway-ip:9000 access_key secret_key
|
||||
mc alias set mynas http://gateway-ip:9000 access_key secret_key
|
||||
```
|
||||
|
||||
### List buckets on nas
|
||||
|
@ -109,10 +109,135 @@ mc admin group list myminio
|
||||
|
||||
### 8. Configure `mc`
|
||||
```
|
||||
mc config host add myminio-newuser http://localhost:9000 newuser newuser123 --api s3v4
|
||||
mc alias set myminio-newuser http://localhost:9000 newuser newuser123 --api s3v4
|
||||
mc cat myminio-newuser/my-bucketname/my-objectname
|
||||
```
|
||||
|
||||
### Policy Variables
|
||||
You can use policy variables in the *Resource* element and in string comparisons in the *Condition* element.
|
||||
|
||||
You can use a policy variable in the Resource element, but only in the resource portion of the ARN. This portion of the ARN appears after the 5th colon (:). You can't use a variable to replace parts of the ARN before the 5th colon, such as the service or account. The following policy might be attached to a group. It gives each of the users in the group full programmatic access to a user-specific object (their own "home directory") in MinIO.
|
||||
|
||||
```
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": ["s3:ListBucket"],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket"],
|
||||
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
|
||||
},
|
||||
{
|
||||
"Action": [
|
||||
"s3:GetObject",
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
If the user is authenticating using an STS credential which was authorized from OpenID connect we allow all `jwt:*` variables specified in the JWT specification, custom `jwt:*` or extensions are not supported.
|
||||
|
||||
List of policy variables for OpenID based STS.
|
||||
```
|
||||
"jwt:sub"
|
||||
"jwt:iss"
|
||||
"jwt:aud"
|
||||
"jwt:jti"
|
||||
"jwt:upn"
|
||||
"jwt:name"
|
||||
"jwt:groups"
|
||||
"jwt:given_name"
|
||||
"jwt:family_name"
|
||||
"jwt:middle_name"
|
||||
"jwt:nickname"
|
||||
"jwt:preferred_username"
|
||||
"jwt:profile"
|
||||
"jwt:picture"
|
||||
"jwt:website"
|
||||
"jwt:email"
|
||||
"jwt:gender"
|
||||
"jwt:birthdate"
|
||||
"jwt:phone_number"
|
||||
"jwt:address"
|
||||
"jwt:scope"
|
||||
"jwt:client_id"
|
||||
```
|
||||
|
||||
Following example shows OpenID users with full programmatic access to a OpenID user-specific directory (their own "home directory") in MinIO.
|
||||
```
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": ["s3:ListBucket"],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket"],
|
||||
"Condition": {"StringLike": {"s3:prefix": ["${jwt:preferred_username}/*"]}}
|
||||
},
|
||||
{
|
||||
"Action": [
|
||||
"s3:GetObject",
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket/${jwt:preferred_username}/*"]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
|
||||
```
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": ["s3:ListBucket"],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket"],
|
||||
"Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
|
||||
},
|
||||
{
|
||||
"Action": [
|
||||
"s3:GetObject",
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
#### Common information available in all requests
|
||||
|
||||
- *aws:CurrentTime* - This can be used for conditions that check the date and time.
|
||||
- *aws:EpochTime* - This is the date in epoch or Unix time, for use with date/time conditions.
|
||||
- *aws:PrincipalType* - This value indicates whether the principal is an account (Root credential), user (MinIO user), or assumed role (STS)
|
||||
- *aws:SecureTransport* - This is a Boolean value that represents whether the request was sent over TLS.
|
||||
- *aws:SourceIp* - This is the requester's IP address, for use with IP address conditions. If running behind Nginx like proxies, MinIO preserve's the source IP.
|
||||
|
||||
```
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": {
|
||||
"Effect": "Allow",
|
||||
"Action": "s3:ListBucket*",
|
||||
"Resource": "arn:aws:s3:::mybucket",
|
||||
"Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
- *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
|
||||
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
|
||||
|
||||
|
||||
## Explore Further
|
||||
- [MinIO Client Complete Guide](https://docs.min.io/docs/minio-client-complete-guide)
|
||||
- [MinIO STS Quickstart Guide](https://docs.min.io/docs/minio-sts-quickstart-guide)
|
||||
|
@ -62,7 +62,7 @@ This admin user will then be allowed to perform create/delete user operations vi
|
||||
|
||||
### 3. Configure `mc` and create another user user1 with attached policy user1policy
|
||||
```
|
||||
mc config host add myminio-admin1 http://localhost:9000 admin1 admin123 --api s3v4
|
||||
mc alias set myminio-admin1 http://localhost:9000 admin1 admin123 --api s3v4
|
||||
|
||||
mc admin user add myminio-admin1 user1 user123
|
||||
mc admin policy add myminio-admin1 user1policy ~/user1policy.json
|
||||
|
@ -26,7 +26,7 @@ MinIO Gateway配有嵌入式网络对象浏览器。 将您的Web浏览器指向
|
||||
|
||||
### 配置 `mc`
|
||||
```
|
||||
mc config host add myazure http://gateway-ip:9000 azureaccountname azureaccountkey
|
||||
mc alias set myazure http://gateway-ip:9000 azureaccountname azureaccountkey
|
||||
```
|
||||
|
||||
### 列出微软Azure上的容器
|
||||
|
@ -41,7 +41,7 @@ MinIO Gateway配有嵌入式网络对象浏览器。 将您的Web浏览器指向
|
||||
|
||||
### 配置 `mc`
|
||||
```
|
||||
mc config host add mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
|
||||
mc alias set mygcs http://gateway-ip:9000 minioaccesskey miniosecretkey
|
||||
```
|
||||
|
||||
### 列出GCS上的容器
|
||||
|
@ -26,7 +26,7 @@ minio gateway nas /shared/nasvol
|
||||
|
||||
### 设置`mc`
|
||||
```
|
||||
mc config host add mynas http://gateway-ip:9000 access_key secret_key
|
||||
mc alias set mynas http://gateway-ip:9000 access_key secret_key
|
||||
```
|
||||
|
||||
### 列举nas上的存储桶
|
||||
|
@ -137,6 +137,7 @@ var AllSupportedKeys = append([]Key{
|
||||
AWSPrincipalType,
|
||||
AWSUserID,
|
||||
AWSUsername,
|
||||
LDAPUser,
|
||||
// Add new supported condition keys.
|
||||
}, JWTKeys...)
|
||||
|
||||
@ -152,6 +153,7 @@ var CommonKeys = append([]Key{
|
||||
AWSUserID,
|
||||
AWSUsername,
|
||||
S3XAmzContentSha256,
|
||||
LDAPUser,
|
||||
}, JWTKeys...)
|
||||
|
||||
func substFuncFromValues(values map[string][]string) func(string) string {
|
||||
@ -199,6 +201,8 @@ func (key Key) Name() string {
|
||||
return strings.TrimPrefix(keyString, "aws:")
|
||||
} else if strings.HasPrefix(keyString, "jwt:") {
|
||||
return strings.TrimPrefix(keyString, "jwt:")
|
||||
} else if strings.HasPrefix(keyString, "ldap:") {
|
||||
return strings.TrimPrefix(keyString, "ldap:")
|
||||
}
|
||||
return strings.TrimPrefix(keyString, "s3:")
|
||||
}
|
||||
|
22
pkg/bucket/policy/condition/ldap.go
Normal file
22
pkg/bucket/policy/condition/ldap.go
Normal file
@ -0,0 +1,22 @@
|
||||
/*
|
||||
* MinIO Cloud Storage, (C) 2020 MinIO, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package condition
|
||||
|
||||
const (
|
||||
// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user.
|
||||
LDAPUser Key = "ldap:user"
|
||||
)
|
Loading…
Reference in New Issue
Block a user