Removed user and group details from logs (#20072)
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
parent
eff0ea43aa
commit
f944a42886
@ -2308,7 +2308,7 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
|
|||||||
// clean import.
|
// clean import.
|
||||||
err := globalIAMSys.DeleteServiceAccount(ctx, svcAcctReq.AccessKey, true)
|
err := globalIAMSys.DeleteServiceAccount(ctx, svcAcctReq.AccessKey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
delErr := fmt.Errorf("failed to delete existing service account(%s) before importing it: %w", svcAcctReq.AccessKey, err)
|
delErr := fmt.Errorf("failed to delete existing service account (%s) before importing it: %w", svcAcctReq.AccessKey, err)
|
||||||
writeErrorResponseJSON(ctx, w, importError(ctx, delErr, allSvcAcctsFile, user), r.URL)
|
writeErrorResponseJSON(ctx, w, importError(ctx, delErr, allSvcAcctsFile, user), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
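Review bot: The rewritten message in ImportIAM still interpolates `svcAcctReq.AccessKey`, and the resulting `delErr` is passed to `importError` and written out through `writeErrorResponseJSON`. Given the commit's stated goal of keeping account details out of logs, confirm that neither helper logs this error; neither is visible here. Otherwise drop the key as the other files in this commit do: `delErr := fmt.Errorf("failed to delete existing service account before importing it: %w", err)`. The enclosing function starts and ends outside the hunk.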
@ -495,7 +495,7 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
|
|||||||
for _, item := range regUsersList {
|
for _, item := range regUsersList {
|
||||||
userName := path.Dir(item)
|
userName := path.Dir(item)
|
||||||
if err := iamOS.loadUser(ctx, userName, regUser, cache.iamUsersMap); err != nil && err != errNoSuchUser {
|
if err := iamOS.loadUser(ctx, userName, regUser, cache.iamUsersMap); err != nil && err != errNoSuchUser {
|
||||||
return fmt.Errorf("unable to load the user `%s`: %w", userName, err)
|
return fmt.Errorf("unable to load the user: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if took := time.Since(regUsersLoadStartTime); took > maxIAMLoadOpTime {
|
if took := time.Since(regUsersLoadStartTime); took > maxIAMLoadOpTime {
|
||||||
@ -510,7 +510,7 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
|
|||||||
for _, item := range groupsList {
|
for _, item := range groupsList {
|
||||||
group := path.Dir(item)
|
group := path.Dir(item)
|
||||||
if err := iamOS.loadGroup(ctx, group, cache.iamGroupsMap); err != nil && err != errNoSuchGroup {
|
if err := iamOS.loadGroup(ctx, group, cache.iamGroupsMap); err != nil && err != errNoSuchGroup {
|
||||||
return fmt.Errorf("unable to load the group `%s`: %w", group, err)
|
return fmt.Errorf("unable to load the group: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if took := time.Since(groupsLoadStartTime); took > maxIAMLoadOpTime {
|
if took := time.Since(groupsLoadStartTime); took > maxIAMLoadOpTime {
|
||||||
@ -524,7 +524,7 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
|
|||||||
for _, item := range userPolicyMappingsList {
|
for _, item := range userPolicyMappingsList {
|
||||||
userName := strings.TrimSuffix(item, ".json")
|
userName := strings.TrimSuffix(item, ".json")
|
||||||
if err := iamOS.loadMappedPolicy(ctx, userName, regUser, false, cache.iamUserPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
|
if err := iamOS.loadMappedPolicy(ctx, userName, regUser, false, cache.iamUserPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
|
||||||
return fmt.Errorf("unable to load the policy mapping for the user `%s`: %w", userName, err)
|
return fmt.Errorf("unable to load the policy mapping for the user: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if took := time.Since(userPolicyMappingLoadStartTime); took > maxIAMLoadOpTime {
|
if took := time.Since(userPolicyMappingLoadStartTime); took > maxIAMLoadOpTime {
|
||||||
@ -537,7 +537,7 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
|
|||||||
for _, item := range groupPolicyMappingsList {
|
for _, item := range groupPolicyMappingsList {
|
||||||
groupName := strings.TrimSuffix(item, ".json")
|
groupName := strings.TrimSuffix(item, ".json")
|
||||||
if err := iamOS.loadMappedPolicy(ctx, groupName, regUser, true, cache.iamGroupPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
|
if err := iamOS.loadMappedPolicy(ctx, groupName, regUser, true, cache.iamGroupPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
|
||||||
return fmt.Errorf("unable to load the policy mapping for the group `%s`: %w", groupName, err)
|
return fmt.Errorf("unable to load the policy mapping for the group: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if took := time.Since(groupPolicyMappingLoadStartTime); took > maxIAMLoadOpTime {
|
if took := time.Since(groupPolicyMappingLoadStartTime); took > maxIAMLoadOpTime {
|
||||||
@ -551,7 +551,7 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
|
|||||||
for _, item := range svcAccList {
|
for _, item := range svcAccList {
|
||||||
userName := path.Dir(item)
|
userName := path.Dir(item)
|
||||||
if err := iamOS.loadUser(ctx, userName, svcUser, svcUsersMap); err != nil && err != errNoSuchUser {
|
if err := iamOS.loadUser(ctx, userName, svcUser, svcUsersMap); err != nil && err != errNoSuchUser {
|
||||||
return fmt.Errorf("unable to load the service account `%s`: %w", userName, err)
|
return fmt.Errorf("unable to load the service account: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if took := time.Since(svcAccLoadStartTime); took > maxIAMLoadOpTime {
|
if took := time.Since(svcAccLoadStartTime); took > maxIAMLoadOpTime {
|
||||||
@ -580,7 +580,7 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
|
|||||||
// OIDC/AssumeRoleWithCustomToken/AssumeRoleWithCertificate).
|
// OIDC/AssumeRoleWithCustomToken/AssumeRoleWithCertificate).
|
||||||
err := iamOS.loadMappedPolicy(ctx, svcParent, stsUser, false, cache.iamSTSPolicyMap)
|
err := iamOS.loadMappedPolicy(ctx, svcParent, stsUser, false, cache.iamSTSPolicyMap)
|
||||||
if err != nil && !errors.Is(err, errNoSuchPolicy) {
|
if err != nil && !errors.Is(err, errNoSuchPolicy) {
|
||||||
return fmt.Errorf("unable to load the policy mapping for the STS user `%s`: %w", svcParent, err)
|
return fmt.Errorf("unable to load the policy mapping for the STS user: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
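Review bot: The user, group and service-account loops in loadAllFromObjStore compare sentinels directly (`err != errNoSuchUser`, `err != errNoSuchGroup`), while the policy-mapping loops in the same function use `errors.Is`. If loadUser or loadGroup ever wraps the sentinel, a single missing entry would abort the whole IAM load, so prefer `!errors.Is(err, errNoSuchUser)` and `!errors.Is(err, errNoSuchGroup)` in those three loops. Separately, the name is removed only from the outer message and the inner error is passed through unchanged by `%w`, so it is worth confirming that loadUser, loadGroup and loadMappedPolicy do not embed the name themselves; they are not visible here. The function body starts and ends outside these hunks.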
10
cmd/iam.go
10
cmd/iam.go
@ -1574,11 +1574,11 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
|
|||||||
// server and is under a configured base DN.
|
// server and is under a configured base DN.
|
||||||
validatedParent, isUnderBaseDN, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
|
validatedParent, isUnderBaseDN, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", parent, err))
|
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate parent exists in LDAP directory: %w", err))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if validatedParent == nil || !isUnderBaseDN {
|
if validatedParent == nil || !isUnderBaseDN {
|
||||||
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", parent)
|
err := fmt.Errorf("DN parent was not found in the LDAP directory")
|
||||||
collectedErrors = append(collectedErrors, err)
|
collectedErrors = append(collectedErrors, err)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -1593,11 +1593,11 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
|
|||||||
// configured base DN.
|
// configured base DN.
|
||||||
validatedGroup, _, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
|
validatedGroup, _, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", group, err))
|
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate group exists in LDAP directory: %w", err))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if validatedGroup == nil {
|
if validatedGroup == nil {
|
||||||
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", group)
|
err := fmt.Errorf("DN group was not found in the LDAP directory")
|
||||||
collectedErrors = append(collectedErrors, err)
|
collectedErrors = append(collectedErrors, err)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -1687,7 +1687,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if validatedDN == nil || !underBaseDN {
|
if validatedDN == nil || !underBaseDN {
|
||||||
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", k)
|
err := fmt.Errorf("DN was not found in the LDAP directory")
|
||||||
collectedErrors = append(collectedErrors, err)
|
collectedErrors = append(collectedErrors, err)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
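Review bot: Every failed parent, group or mapping now appends the same text to `collectedErrors`, so whoever receives the collected list can no longer tell which entries of an import failed. If these errors are returned to the administrator running the import rather than only logged (the consumers are outside the hunks), redacting at the logging call instead would keep the DN where it is needed. The new not-found messages also have no format verbs and read oddly ("DN parent", "DN group"); `err := errors.New("parent DN was not found in the LDAP directory")` is the idiomatic form, assuming `errors` is imported in this file. The same applies to the group branch and to the mapping hunk in NormalizeLDAPMappingImport.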
@ -5390,7 +5390,7 @@ func (c *SiteReplicationSys) healUserPolicies(ctx context.Context, objAPI Object
|
|||||||
UpdatedAt: lastUpdate,
|
UpdatedAt: lastUpdate,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
replLogOnceIf(ctx, fmt.Errorf("Unable to heal IAM user policy mapping for %s from peer site %s -> site %s : %w", user, latestPeerName, peerName, err),
|
replLogOnceIf(ctx, fmt.Errorf("Unable to heal IAM user policy mapping from peer site %s -> site %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-policy-%s", user))
|
fmt.Sprintf("heal-user-policy-%s", user))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -5455,7 +5455,7 @@ func (c *SiteReplicationSys) healGroupPolicies(ctx context.Context, objAPI Objec
|
|||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal IAM group policy mapping for %s from peer site %s -> site %s : %w", group, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal IAM group policy mapping for from peer site %s -> site %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-group-policy-%s", group))
|
fmt.Sprintf("heal-group-policy-%s", group))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -5518,7 +5518,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
claims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, creds.AccessKey)
|
claims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, creds.AccessKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal service account %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal service account from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -5526,7 +5526,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
_, policy, err := globalIAMSys.GetServiceAccount(ctx, creds.AccessKey)
|
_, policy, err := globalIAMSys.GetServiceAccount(ctx, creds.AccessKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal service account %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal service account from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -5536,7 +5536,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
policyJSON, err = json.Marshal(policy)
|
policyJSON, err = json.Marshal(policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal service account %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal service account from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -5561,7 +5561,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
UpdatedAt: lastUpdate,
|
UpdatedAt: lastUpdate,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal service account %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal service account from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
}
|
}
|
||||||
continue
|
continue
|
||||||
@ -5576,7 +5576,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
// be applied.
|
// be applied.
|
||||||
if !errors.Is(err, errNoSuchUser) {
|
if !errors.Is(err, errNoSuchUser) {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal temporary credentials %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal temporary credentials from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -5596,7 +5596,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
UpdatedAt: lastUpdate,
|
UpdatedAt: lastUpdate,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal temporary credentials %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal temporary credentials from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
}
|
}
|
||||||
continue
|
continue
|
||||||
@ -5614,7 +5614,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
|
|||||||
UpdatedAt: lastUpdate,
|
UpdatedAt: lastUpdate,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal user %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal user from peer site %s -> %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-user-%s", user))
|
fmt.Sprintf("heal-user-%s", user))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -5680,7 +5680,7 @@ func (c *SiteReplicationSys) healGroups(ctx context.Context, objAPI ObjectLayer,
|
|||||||
UpdatedAt: lastUpdate,
|
UpdatedAt: lastUpdate,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
replLogOnceIf(ctx,
|
replLogOnceIf(ctx,
|
||||||
fmt.Errorf("Unable to heal group %s from peer site %s -> site %s : %w", group, latestPeerName, peerName, err),
|
fmt.Errorf("Unable to heal group from peer site %s -> site %s : %w", latestPeerName, peerName, err),
|
||||||
fmt.Sprintf("heal-group-%s", group))
|
fmt.Sprintf("heal-group-%s", group))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
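Review bot: The new message in healGroupPolicies reads `Unable to heal IAM group policy mapping for from peer site ...`, with a stray `for` left over from the removed `%s`. It should be `fmt.Errorf("Unable to heal IAM group policy mapping from peer site %s -> site %s : %w", latestPeerName, peerName, err),`. In every hunk of this file the second argument to replLogOnceIf is still built from the name (`fmt.Sprintf("heal-user-%s", user)`, `"heal-group-%s"`, `"heal-user-policy-%s"`, `"heal-group-policy-%s"`). replLogOnceIf is not visible here, so confirm that this id is used only for de-duplication and is never written to the log, otherwise the redaction is incomplete. All the enclosing functions start and end outside the hunks.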
@ -117,7 +117,7 @@ func (k *KeycloakProvider) LookupUser(userid string) (User, error) {
|
|||||||
case http.StatusUnauthorized:
|
case http.StatusUnauthorized:
|
||||||
return User{}, ErrAccessTokenExpired
|
return User{}, ErrAccessTokenExpired
|
||||||
}
|
}
|
||||||
return User{}, fmt.Errorf("Unable to lookup %s - keycloak user lookup returned %v", userid, resp.Status)
|
return User{}, fmt.Errorf("Unable to lookup - keycloak user lookup returned %v", resp.Status)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Option is a function type that accepts a pointer Target
|
// Option is a function type that accepts a pointer Target
|
||||||
|
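Review bot: The redacted message `Unable to lookup - keycloak user lookup returned %v` is left without an object and says "lookup" twice. `return User{}, fmt.Errorf("keycloak user lookup returned %v", resp.Status)` carries the same information and follows the lowercase convention for Go error strings. LookupUser returns this error to its caller instead of logging it, so whether `userid` could reach a log at all depends on code outside this hunk.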