root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/admin-handlers-users.go

3001 lines
91 KiB
Go
Raw Normal View History

cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
// Copyright (c) 2015-2023 MinIO, Inc.
update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 03:41:13 +08:00
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
package cmd
import (
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
"bytes"
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
"context"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
"encoding/json"
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-24 08:39:20 +08:00
"errors"
Validate if parent user exists for service acct (#16443)
2023-01-24 10:47:18 +08:00
"fmt"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
"io"
Run modernize (#21546) `go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest -fix -test ./...` executed. `go generate ./...` ran afterwards to keep generated.
2025-08-29 10:39:48 +08:00
"maps"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
"net/http"
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
"os"
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
"slices"
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
"sort"
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
"strconv"
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
"strings"
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
"time"
Restrict access keys for users and groups to not allow '=' or ',' (#19749) * initial commit * Add UTF check --------- Co-authored-by: Harshavardhana <harsha@minio.io>
2024-05-29 01:14:16 +08:00
"unicode/utf8"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
"github.com/klauspost/compress/zip"
Bump up madmin-go and pkg deps (#17469)
2023-06-20 08:53:08 +08:00
"github.com/minio/madmin-go/v3"
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
"github.com/minio/minio/internal/auth"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
"github.com/minio/minio/internal/config/dns"
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
"github.com/minio/minio/internal/logger"
migrate to minio/mux from gorilla/mux (#16456)
2023-01-23 19:12:47 +08:00
"github.com/minio/mux"
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
xldap "github.com/minio/pkg/v3/ldap"
"github.com/minio/pkg/v3/policy"
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
"github.com/puzpuzpuz/xsync/v3"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// RemoveUser - DELETE /minio/admin/v3/remove-user?accessKey=<access_key>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.DeleteUserAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
accessKey := vars["accessKey"]
fix: service account permissions generated from LDAP user (#11637) service accounts generated from LDAP parent user did not inherit correct permissions, this PR fixes this fully.
2021-02-26 05:49:59 +08:00
ok, _, err := globalIAMSys.IsTempUser(accessKey)
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
fix: Remove User should fail for a service account (#20677) The RemoveUser API only removes internal users, and it reports success when it didnt find the internal user account for deletion. When provided with a service account, it should not report success as that is misleading.
2024-11-22 10:24:04 +08:00
// This API only supports removal of internal users not service accounts.
ok, _, err = globalIAMSys.IsServiceAccount(accessKey)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// When the user is root credential you are not allowed to
// remove the root user. Also you cannot delete yourself.
if accessKey == globalActiveCred.AccessKey || accessKey == cred.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
Move last remaining IAM notification calls into IAMSys methods (#13941)
2021-12-21 18:16:50 +08:00
if err := globalIAMSys.DeleteUser(ctx, accessKey, true); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemIAMUser,
IAMUser: &madmin.SRIAMUser{
AccessKey: accessKey,
IsDeleteReq: true,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: UTCNow(),
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: ListBucketUsers comment doc (#14129)
2022-01-20 02:45:13 +08:00
// ListBucketUsers - GET /minio/admin/v3/list-users?bucket={bucket}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
func (a adminAPIHandlers) ListBucketUsers(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.ListUsersAdminAction)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
if objectAPI == nil {
return
}
bucket := mux.Vars(r)["bucket"]
password := cred.SecretKey
honor client context in IAM user/policy listing calls (#14682)
2022-04-20 00:00:19 +08:00
allCredentials, err := globalIAMSys.ListBucketUsers(ctx, bucket)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(allCredentials)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// ListUsers - GET /minio/admin/v3/list-users
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.ListUsersAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
honor the credentials of user admin for encrypt/decrypt (#9194) Fixes #9193
2020-03-24 05:06:00 +08:00
password := cred.SecretKey
honor client context in IAM user/policy listing calls (#14682)
2022-04-20 00:00:19 +08:00
allCredentials, err := globalIAMSys.ListUsers(ctx)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring back listing LDAP users temporarly (#14760) In previous releases, mc admin user list would return the list of users that have policies mapped in IAM database. However, this was removed but this commit will bring it back until we revamp this.
2022-04-16 12:26:02 +08:00
// Add ldap users which have mapped policies if in LDAP mode
// FIXME(vadmeste): move this to policy info in the future
fix: heal service accounts for LDAP users in site replication (#15785)
2022-10-05 01:41:47 +08:00
ldapUsers, err := globalIAMSys.ListLDAPUsers(ctx)
Bring back listing LDAP users temporarly (#14760) In previous releases, mc admin user list would return the list of users that have policies mapped in IAM database. However, this was removed but this commit will bring it back until we revamp this.
2022-04-16 12:26:02 +08:00
if err != nil && err != errIAMActionNotAllowed {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Run modernize (#21546) `go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest -fix -test ./...` executed. `go generate ./...` ran afterwards to keep generated.
2025-08-29 10:39:48 +08:00
maps.Copy(allCredentials, ldapUsers)
Bring back listing LDAP users temporarly (#14760) In previous releases, mc admin user list would return the list of users that have policies mapped in IAM database. However, this was removed but this commit will bring it back until we revamp this.
2022-04-16 12:26:02 +08:00
// Marshal the response
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
data, err := json.Marshal(allCredentials)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// GetUserInfo - GET /minio/admin/v3/user-info
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
vars := mux.Vars(r)
name := vars["accessKey"]
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
Migrate golanglint-ci config to V2 (#21081)
2025-03-30 08:56:02 +08:00
checkDenyOnly := name == cred.AccessKey
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
AccountName: cred.AccessKey,
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.GetUserAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
DenyOnly: checkDenyOnly,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(userInfo)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, data)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// UpdateGroupMembers - PUT /minio/admin/v3/update-group-members
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.AddUserToGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(r.Body)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
var updReq madmin.GroupAddRemove
err = json.Unmarshal(data, &updReq)
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// Reject if the group add and remove are temporary credentials, or root credential.
for _, member := range updReq.Members {
ok, _, err := globalIAMSys.IsTempUser(member)
if err != nil && err != errNoSuchUser {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
// When the user is root credential you are not allowed to
// add policies for root user.
if member == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
var updatedAt time.Time
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if updReq.IsRemove {
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
} else {
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
// Check if group already exists
if _, gerr := globalIAMSys.GetGroupDescription(updReq.Group); gerr != nil {
// If group does not exist, then check if the group has beginning and end space characters
// we will reject such group names.
if errors.Is(gerr, errNoSuchGroup) && hasSpaceBE(updReq.Group) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
}
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
if globalIAMSys.LDAPConfig.Enabled() {
// We don't allow internal group manipulation in this API when LDAP
// is enabled for now.
err = errIAMActionNotAllowed
} else {
updatedAt, err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemGroupInfo,
GroupInfo: &madmin.SRGroupInfo{
UpdateReq: updReq,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// GetGroup - /minio/admin/v3/group?group=mygroup1
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.GetGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
group := vars["group"]
gdesc, err := globalIAMSys.GetGroupDescription(group)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
body, err := json.Marshal(gdesc)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, body)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// ListGroups - GET /minio/admin/v3/groups
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListGroupsAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
groups, err := globalIAMSys.ListGroups(ctx)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
body, err := json.Marshal(groups)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, body)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// SetGroupStatus - PUT /minio/admin/v3/set-group-status?group=mygroup1&status=enabled
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.EnableGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
group := vars["group"]
status := vars["status"]
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
var (
err error
updatedAt time.Time
)
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-17 01:28:29 +08:00
switch status {
case statusEnabled:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.SetGroupStatus(ctx, group, true)
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-17 01:28:29 +08:00
case statusDisabled:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.SetGroupStatus(ctx, group, false)
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-17 01:28:29 +08:00
default:
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
err = errInvalidArgument
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
Type: madmin.SRIAMItemGroupInfo,
GroupInfo: &madmin.SRGroupInfo{
UpdateReq: madmin.GroupAddRemove{
Group: group,
Status: madmin.GroupStatus(status),
IsRemove: false,
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled]
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, creds := validateAdminReq(ctx, w, r, policy.EnableUserAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
accessKey := vars["accessKey"]
status := vars["status"]
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// you cannot enable or disable yourself.
if accessKey == creds.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errInvalidArgument), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetUserStatus(ctx, accessKey, madmin.AccountStatus(status))
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
Type: madmin.SRIAMItemIAMUser,
IAMUser: &madmin.SRIAMUser{
AccessKey: accessKey,
IsDeleteReq: false,
UserReq: &madmin.AddOrUpdateUserReq{
Status: madmin.AccountStatus(status),
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
vars := mux.Vars(r)
fix: add helper for expected path.Clean behavior (#12068) current usage of path.Clean returns "." for empty strings instead we need `""` string as-is, make relevant changes as needed.
2021-04-16 07:32:13 +08:00
accessKey := vars["accessKey"]
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-20 05:24:21 +08:00
// Not allowed to add a user with same access key as root credential
Do not allow adding root user to IAM subsystem (#16803)
2023-03-14 03:46:17 +08:00
if accessKey == globalActiveCred.AccessKey {
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-20 05:24:21 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
user, exists := globalIAMSys.GetUser(ctx, accessKey)
if exists && (user.Credentials.IsTemp() || user.Credentials.IsServiceAccount()) {
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
// Updating STS credential is not allowed, and this API does not
// support updating service accounts.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return
}
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-20 05:24:21 +08:00
if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
// Incoming access key matches parent user then we should
// reject password change requests.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return
}
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
// Check if accessKey has beginning and end space characters, this only applies to new users.
if !exists && hasSpaceBE(accessKey) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
Restrict access keys for users and groups to not allow '=' or ',' (#19749) * initial commit * Add UTF check --------- Co-authored-by: Harshavardhana <harsha@minio.io>
2024-05-29 01:14:16 +08:00
if !utf8.ValidString(accessKey) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserValidUTF), r.URL)
return
}
Migrate golanglint-ci config to V2 (#21081)
2025-03-30 08:56:02 +08:00
checkDenyOnly := accessKey == cred.AccessKey
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.CreateUserAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
fix: do not deny admins to change other passwords fixes a regression from #11680
2021-03-03 09:02:29 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
DenyOnly: checkDenyOnly,
fix: enforce deny if present for implicit permissions (#11680) Implicit permissions for any user is to be allowed to change their own password, we need to restrict this further even if there is an implicit allow for this scenario - we have to honor Deny statements if they are specified.
2021-03-03 07:35:50 +08:00
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
// More than maxConfigSize bytes were available
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
return
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
password := cred.SecretKey
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
configBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
return
}
Fix user privilege escalation bug (#13976) The AddUser() API endpoint was accepting a policy field. This API is used to update a user's secret key and account status, and allows a regular user to update their own secret key. The policy update is also applied though does not appear to be used by any existing client-side functionality. This fix changes the accepted request body type and removes the ability to apply policy changes as that is possible via the policy set API. NOTE: Changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.
2021-12-24 01:21:21 +08:00
var ureq madmin.AddOrUpdateUserReq
if err = json.Unmarshal(configBytes, &ureq); err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
return
}
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
// We don't allow internal user creation with LDAP enabled for now.
if globalIAMSys.LDAPConfig.Enabled() {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.CreateUser(ctx, accessKey, ureq)
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemIAMUser,
IAMUser: &madmin.SRIAMUser{
AccessKey: accessKey,
IsDeleteReq: false,
UserReq: &ureq,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
// TemporaryAccountInfo - GET /minio/admin/v3/temporary-account-info
func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
args := policy.Args{
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListTemporaryAccountsAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
}
if !globalIAMSys.IsAllowed(args) {
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
stsAccount, sessionPolicy, err := globalIAMSys.GetTemporaryAccount(ctx, accessKey)
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var stsAccountPolicy policy.Policy
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if sessionPolicy != nil {
stsAccountPolicy = *sessionPolicy
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
} else {
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
policiesNames, err := globalIAMSys.PolicyDBGet(stsAccount.ParentUser, stsAccount.Groups...)
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
if len(policiesNames) == 0 {
policySet, _ := args.GetPolicies(iamPolicyClaimNameOpenID())
policiesNames = policySet.ToSlice()
}
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
stsAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
}
policyJSON, err := json.MarshalIndent(stsAccountPolicy, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
infoResp := madmin.TemporaryAccountInfoResp{
ParentUser: stsAccount.ParentUser,
AccountStatus: stsAccount.Status,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
ImpliedPolicy: sessionPolicy == nil,
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
Policy: string(policyJSON),
add missing expiration information from 'sts info' (#16878)
2023-03-23 07:47:02 +08:00
Expiration: &stsAccount.Expiration,
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
}
data, err := json.Marshal(infoResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
// AddServiceAccount - PUT /minio/admin/v3/add-service-account
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Request) {
Fix behavior of `AddServiceAccountLDAP` for non-admin users (#20442)
2024-09-17 07:04:51 +08:00
ctx, cred, opts, createReq, targetUser, APIError := commonAddServiceAccount(r, false)
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
if APIError.Code != "" {
writeErrorResponseJSON(ctx, w, APIError, r.URL)
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
return
}
fix: reject service account access key same as root credentials (#19055)
2024-02-15 02:37:12 +08:00
if createReq.AccessKey == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
var (
targetGroups []string
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
err error
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
)
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// Find the user for the request sender (as it may be sent via a service
// account or STS account):
requestorUser := cred.AccessKey
requestorParentUser := cred.AccessKey
requestorGroups := cred.Groups
requestorIsDerivedCredential := false
if cred.IsServiceAccount() || cred.IsTemp() {
requestorParentUser = cred.ParentUser
requestorIsDerivedCredential = true
}
Validate if parent user exists for service acct (#16443)
2023-01-24 10:47:18 +08:00
if globalIAMSys.GetUsersSysType() == MinIOUsersSysType && targetUser != cred.AccessKey {
// For internal IDP, ensure that the targetUser's parent account exists.
// It could be a regular user account or the root account.
_, isRegularUser := globalIAMSys.GetUser(ctx, targetUser)
if !isRegularUser && targetUser != globalActiveCred.AccessKey {
add missing x-amz-id-2 to event notification date (#16646)
2023-02-20 18:11:47 +08:00
apiErr := toAdminAPIErr(ctx, errNoSuchUser)
apiErr.Description = fmt.Sprintf("Specified target user %s does not exist", targetUser)
writeErrorResponseJSON(ctx, w, apiErr, r.URL)
Validate if parent user exists for service acct (#16443)
2023-01-24 10:47:18 +08:00
return
}
}
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// Check if we are creating svc account for request sender.
Migrate golanglint-ci config to V2 (#21081)
2025-03-30 08:56:02 +08:00
isSvcAccForRequestor := targetUser == requestorUser || targetUser == requestorParentUser
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// If we are creating svc account for request sender, ensure
// that targetUser is a real user (i.e. not derived
// credentials).
if isSvcAccForRequestor {
if requestorIsDerivedCredential {
if requestorParentUser == "" {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx,
errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
return
}
targetUser = requestorParentUser
}
targetGroups = requestorGroups
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-06 02:49:33 +08:00
// In case of LDAP/OIDC we need to set `opts.claims` to ensure
// it is associated with the LDAP/OIDC user properly.
for k, v := range cred.Claims {
if k == expClaim {
continue
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
}
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-06 02:49:33 +08:00
opts.claims[k] = v
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
} else if globalIAMSys.LDAPConfig.Enabled() {
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// In case of LDAP we need to resolve the targetUser to a DN and
// query their groups:
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
opts.claims[ldapUserN] = targetUser // simple username
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
var lookupResult *xldap.DNSearchResult
lookupResult, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
fix: LDAP authentication with groups only (#12283) fixes #12282
2021-05-13 12:25:07 +08:00
}
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
targetUser = lookupResult.NormDN
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
opts.claims[ldapUser] = targetUser // username DN
fix: authenticate LDAP via actual DN instead of normalized DN (#19805) fix: authenticate LDAP via actual DN instead of normalized DN Normalized DN is only for internal representation, not for external communication, any communication to LDAP must be based on actual user DN. LDAP servers do not understand normalized DN. fixes #19757
2024-05-25 21:43:06 +08:00
opts.claims[ldapActualUser] = lookupResult.ActualDN
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
// Add LDAP attributes that were looked up into the claims.
for attribKey, attribValue := range lookupResult.Attributes {
opts.claims[ldapAttribPrefix+attribKey] = attribValue
}
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// NOTE: if not using LDAP, then internal IDP or open ID is
// being used - in the former, group info is enforced when
// generated credentials are used to make requests, and in the
// latter, a group notion is not supported.
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
newCred, updatedAt, err := globalIAMSys.NewServiceAccount(ctx, targetUser, targetGroups, opts)
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-21 10:09:11 +08:00
createResp := madmin.AddServiceAccountResp{
Credentials: madmin.Credentials{
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Expiration: newCred.Expiration,
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-21 10:09:11 +08:00
},
}
data, err := json.Marshal(createResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-21 10:09:11 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
// Call hook for cluster-replication if the service account is not for a
// root user.
if newCred.ParentUser != globalActiveCred.AccessKey {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Create: &madmin.SRSvcAccCreate{
Parent: newCred.ParentUser,
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Groups: newCred.Groups,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
Name: newCred.Name,
Description: newCred.Description,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Claims: opts.claims,
Update SRSvcAccCreate with new type (#20974)
2025-02-25 09:43:59 +08:00
SessionPolicy: madmin.SRSessionPolicy(createReq.Policy),
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Status: auth.AccountOn,
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
Expiration: createReq.Expiration,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// UpdateServiceAccount - POST /minio/admin/v3/update-service-account
func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
svcAccount, _, err := globalIAMSys.GetServiceAccount(ctx, accessKey)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
return
}
var updateReq madmin.UpdateServiceAccountReq
if err = json.Unmarshal(reqBytes, &updateReq); err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
return
}
if err := updateReq.Validate(); err != nil {
// Since this validation would happen client side as well, we only send
// a generic error message here.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
condValues := getConditionValues(r, "", cred)
policy: More defensive code validating svc:DurationSeconds (#19820) This does not fix any current issue, but merging https://github.com/minio/madmin-go/pull/282 can lose the validation of the service account expiration time. Add more defensive code for now. In the future, we should avoid doing validation in another library.
2024-05-29 01:19:04 +08:00
err = addExpirationToCondValues(updateReq.NewExpiration, condValues)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
fix: permission checks for editing access keys (#18928) With this change, only a user with `UpdateServiceAccountAdminAction` permission is able to edit access keys. We would like to let a user edit their own access keys, however the feature needs to be re-designed for better security and integration with external systems like AD/LDAP and OpenID. This change prevents privilege escalation via service accounts.
2024-02-01 02:56:45 +08:00
// Permission checks:
//
// 1. Any type of account (i.e. access keys (previously/still called service
// accounts), STS accounts, internal IDP accounts, etc) with the
// policy.UpdateServiceAccountAdminAction permission can update any service
// account.
//
// 2. We would like to let a user update their own access keys, however it
// is currently blocked pending a re-design. Users are still able to delete
// and re-create them.
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.UpdateServiceAccountAdminAction,
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
ConditionValues: condValues,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}) {
fix: permission checks for editing access keys (#18928) With this change, only a user with `UpdateServiceAccountAdminAction` permission is able to edit access keys. We would like to let a user edit their own access keys, however the feature needs to be re-designed for better security and integration with external systems like AD/LDAP and OpenID. This change prevents privilege escalation via service accounts.
2024-02-01 02:56:45 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var sp *policy.Policy
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
if len(updateReq.NewPolicy) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sp, err = policy.ParseConfig(bytes.NewReader(updateReq.NewPolicy))
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
if sp.Version == "" && len(sp.Statements) == 0 {
sp = nil
}
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
}
opts := updateServiceAccountOpts{
secretKey: updateReq.NewSecretKey,
status: updateReq.NewStatus,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
name: updateReq.NewName,
description: updateReq.NewDescription,
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
expiration: updateReq.NewExpiration,
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
sessionPolicy: sp,
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.UpdateServiceAccount(ctx, accessKey, opts)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: progagation of service accounts for site replication (#14054) - Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2022-01-08 09:41:43 +08:00
// Call site replication hook - non-root user accounts are replicated.
if svcAccount.ParentUser != globalActiveCred.AccessKey {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Update: &madmin.SRSvcAccUpdate{
AccessKey: accessKey,
SecretKey: opts.secretKey,
Status: opts.status,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
Name: opts.name,
Description: opts.description,
Update SRSvcAccCreate with new type (#20974)
2025-02-25 09:43:59 +08:00
SessionPolicy: madmin.SRSessionPolicy(updateReq.NewPolicy),
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
Expiration: updateReq.NewExpiration,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
}
fix: progagation of service accounts for site replication (#14054) - Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2022-01-08 09:41:43 +08:00
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
writeSuccessNoContent(w)
}
// InfoServiceAccount - GET /minio/admin/v3/info-service-account
func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
svcAccount, sessionPolicy, err := globalIAMSys.GetServiceAccount(ctx, accessKey)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListServiceAccountsAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}) {
requestUser := cred.AccessKey
if cred.ParentUser != "" {
requestUser = cred.ParentUser
}
if requestUser != svcAccount.ParentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
// if session policy is nil or empty, then it is implied policy
impliedPolicy := sessionPolicy == nil || (sessionPolicy.Version == "" && len(sessionPolicy.Statements) == 0)
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var svcAccountPolicy policy.Policy
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
if !impliedPolicy {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
svcAccountPolicy = *sessionPolicy
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
} else {
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, svcAccount.Groups...)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
do not remove Sid from svcaccount policies (#14064) fixes #13905
2022-01-11 06:26:26 +08:00
svcAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
always indent and reply policy JSON (#12399)
2021-05-30 00:22:22 +08:00
policyJSON, err := json.MarshalIndent(svcAccountPolicy, "", " ")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
var expiration *time.Time
if !svcAccount.Expiration.IsZero() && !svcAccount.Expiration.Equal(timeSentinel) {
expiration = &svcAccount.Expiration
}
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
infoResp := madmin.InfoServiceAccountResp{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
ParentUser: svcAccount.ParentUser,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
Name: svcAccount.Name,
Description: svcAccount.Description,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountStatus: svcAccount.Status,
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
ImpliedPolicy: impliedPolicy,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
Policy: string(policyJSON),
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
Expiration: expiration,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
data, err := json.Marshal(infoResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
// ListServiceAccounts - GET /minio/admin/v3/list-service-accounts
func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-10 00:59:52 +08:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-20 00:54:40 +08:00
if objectAPI == nil || globalNotificationSys == nil {
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
var targetAccount string
Allow users to list their own service accounts (#13706) Bonus: add extensive tests for svc acc actions by users
2021-11-20 04:35:35 +08:00
// If listing is requested for a specific user (who is not the request
// sender), check that the user has permissions.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
user := r.Form.Get("user")
Allow users to list their own service accounts (#13706) Bonus: add extensive tests for svc acc actions by users
2021-11-20 04:35:35 +08:00
if user != "" && user != cred.AccessKey {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListServiceAccountsAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
targetAccount = user
} else {
targetAccount = cred.AccessKey
if cred.ParentUser != "" {
targetAccount = cred.ParentUser
}
fix: assume parentUser correctly for serviceAccounts (#9504) ListServiceAccounts/DeleteServiceAccount didn't work properly with STS credentials yet due to incorrect Parent user.
2020-05-01 23:05:14 +08:00
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, targetAccount)
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
var serviceAccountList []madmin.ServiceAccountInfo
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
for _, svc := range serviceAccounts {
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
expiryTime := svc.Expiration
serviceAccountList = append(serviceAccountList, madmin.ServiceAccountInfo{
enhance ListSVCs() API to return more info to avoid InfoSvc() (#19642) ConsoleUI like applications rely on combination of ListServiceAccounts() and InfoServiceAccount() to populate UI elements, however individually these calls can be slow causing the entire UI to load sluggishly.
2024-05-01 20:41:13 +08:00
Description: svc.Description,
ParentUser: svc.ParentUser,
Name: svc.Name,
AccountStatus: svc.Status,
AccessKey: svc.AccessKey,
ImpliedPolicy: svc.IsImpliedPolicy(),
Expiration: &expiryTime,
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
})
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
listResp := madmin.ListServiceAccountsResp{
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
Accounts: serviceAccountList,
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
}
data, err := json.Marshal(listResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
// DeleteServiceAccount - DELETE /minio/admin/v3/delete-service-account
func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-10 00:59:52 +08:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-20 00:54:40 +08:00
if objectAPI == nil || globalNotificationSys == nil {
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
serviceAccount := mux.Vars(r)["accessKey"]
if serviceAccount == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminInvalidArgument), r.URL)
return
}
site replication: Disallow removal of site-replicator account (#19092)
2024-02-21 18:09:33 +08:00
if serviceAccount == siteReplicatorSvcAcc && globalSiteReplicationSys.isEnabled() {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidArgument), r.URL)
return
}
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
// We do not care if service account is readable or not at this point,
// since this is a delete call we shall allow it to be deleted if possible.
fix: DeleteServiceAccount API behavior (#18163)
2023-10-09 03:13:18 +08:00
svcAccount, _, err := globalIAMSys.GetServiceAccount(ctx, serviceAccount)
if errors.Is(err, errNoSuchServiceAccount) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminServiceAccountNotFound), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
adminPrivilege := globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.RemoveServiceAccountAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
})
fix: assume parentUser correctly for serviceAccounts (#9504) ListServiceAccounts/DeleteServiceAccount didn't work properly with STS credentials yet due to incorrect Parent user.
2020-05-01 23:05:14 +08:00
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if !adminPrivilege {
parentUser := cred.AccessKey
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
if svcAccount.ParentUser != "" && parentUser != svcAccount.ParentUser {
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// The service account belongs to another user but return not
// found error to mitigate brute force attacks. or the
// serviceAccount doesn't exist.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminServiceAccountNotFound), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
}
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
if err := globalIAMSys.DeleteServiceAccount(ctx, serviceAccount, true); err != nil {
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: propagate service account deletes properly (#12717) service account deletes were not propagating to remote peers, fix this.
2021-07-15 12:28:53 +08:00
fix: progagation of service accounts for site replication (#14054) - Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2022-01-08 09:41:43 +08:00
// Call site replication hook - non-root user accounts are replicated.
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
if svcAccount.ParentUser != "" && svcAccount.ParentUser != globalActiveCred.AccessKey {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Delete: &madmin.SRSvcAccDelete{
AccessKey: serviceAccount,
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: UTCNow(),
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeSuccessNoContent(w)
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
}
Add `ListAccessKeysBulk` API for builtin user access keys (#20381)
2024-09-21 19:35:40 +08:00
// ListAccessKeysBulk - GET /minio/admin/v3/list-access-keys-bulk
func (a adminAPIHandlers) ListAccessKeysBulk(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
users := r.Form["users"]
isAll := r.Form.Get("all") == "true"
selfOnly := !isAll && len(users) == 0
if isAll && len(users) > 0 {
// This should be checked on client side, so return generic error
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
// Empty user list and not self, list access keys for all users
if isAll {
if !globalIAMSys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Groups: cred.Groups,
Action: policy.ListUsersAdminAction,
ConditionValues: getConditionValues(r, "", cred),
IsOwner: owner,
Claims: cred.Claims,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
} else if len(users) == 1 {
if users[0] == cred.AccessKey || users[0] == cred.ParentUser {
selfOnly = true
}
}
if !globalIAMSys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Groups: cred.Groups,
Action: policy.ListServiceAccountsAdminAction,
ConditionValues: getConditionValues(r, "", cred),
IsOwner: owner,
Claims: cred.Claims,
DenyOnly: selfOnly,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
if selfOnly && len(users) == 0 {
selfUser := cred.AccessKey
if cred.ParentUser != "" {
selfUser = cred.ParentUser
}
users = append(users, selfUser)
}
var checkedUserList []string
if isAll {
users, err := globalIAMSys.ListUsers(ctx)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
for user := range users {
checkedUserList = append(checkedUserList, user)
}
Add root user to `ListAccessKeysBulk` (#20517)
2024-10-04 07:11:02 +08:00
checkedUserList = append(checkedUserList, globalActiveCred.AccessKey)
Add `ListAccessKeysBulk` API for builtin user access keys (#20381)
2024-09-21 19:35:40 +08:00
} else {
for _, user := range users {
// Validate the user
_, ok := globalIAMSys.GetUser(ctx, user)
if !ok {
continue
}
checkedUserList = append(checkedUserList, user)
}
}
listType := r.Form.Get("listType")
var listSTSKeys, listServiceAccounts bool
switch listType {
case madmin.AccessKeyListUsersOnly:
listSTSKeys = false
listServiceAccounts = false
case madmin.AccessKeyListSTSOnly:
listSTSKeys = true
listServiceAccounts = false
case madmin.AccessKeyListSvcaccOnly:
listSTSKeys = false
listServiceAccounts = true
case madmin.AccessKeyListAll:
listSTSKeys = true
listServiceAccounts = true
default:
err := errors.New("invalid list type")
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrInvalidRequest, err), r.URL)
return
}
accessKeyMap := make(map[string]madmin.ListAccessKeysResp)
for _, user := range checkedUserList {
accessKeys := madmin.ListAccessKeysResp{}
if listSTSKeys {
stsKeys, err := globalIAMSys.ListSTSAccounts(ctx, user)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
for _, sts := range stsKeys {
accessKeys.STSKeys = append(accessKeys.STSKeys, madmin.ServiceAccountInfo{
AccessKey: sts.AccessKey,
Expiration: &sts.Expiration,
})
}
// if only STS keys, skip if user has no STS keys
if !listServiceAccounts && len(stsKeys) == 0 {
continue
}
}
if listServiceAccounts {
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, user)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
for _, svc := range serviceAccounts {
accessKeys.ServiceAccounts = append(accessKeys.ServiceAccounts, madmin.ServiceAccountInfo{
AccessKey: svc.AccessKey,
Expiration: &svc.Expiration,
})
}
// if only service accounts, skip if user has no service accounts
if !listSTSKeys && len(serviceAccounts) == 0 {
continue
}
}
accessKeyMap[user] = accessKeys
}
data, err := json.Marshal(accessKeyMap)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
// AccountInfoHandler returns usage, permissions and other bucket metadata for incoming us
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-10 00:59:52 +08:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-20 00:54:40 +08:00
if objectAPI == nil || globalNotificationSys == nil {
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
// Set prefix value for "s3:prefix" policy conditionals.
r.Header.Set("prefix", "")
// Set delimiter value for "s3:delimiter" policy conditionals.
r.Header.Set("delimiter", SlashSeparator)
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
// Check if we are asked to return prefix usage
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
enablePrefixUsage := r.Form.Get("prefix-usage") == "true"
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
isAllowedAccess := func(bucketName string) (rd, wr bool) {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if globalIAMSys.IsAllowed(policy.Args{
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-12 08:39:52 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListBucketAction,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
BucketName: bucketName,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
IsOwner: owner,
ObjectName: "",
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}) {
rd = true
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if globalIAMSys.IsAllowed(policy.Args{
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
AccountName: cred.AccessKey,
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.GetBucketLocationAction,
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
BucketName: bucketName,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
IsOwner: owner,
ObjectName: "",
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
}) {
rd = true
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if globalIAMSys.IsAllowed(policy.Args{
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-12 08:39:52 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.PutObjectAction,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
BucketName: bucketName,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
IsOwner: owner,
ObjectName: "",
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}) {
wr = true
}
return rd, wr
}
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
// If etcd, dns federation configured list buckets from etcd.
remove gateway completely (#15929)
2022-10-25 08:44:15 +08:00
var err error
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
var buckets []BucketInfo
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
if globalDNSConfig != nil && globalBucketFederation {
dnsBuckets, err := globalDNSConfig.List()
if err != nil && !IsErrIgnored(err,
dns.ErrNoEntriesFound,
dns.ErrDomainMissing) {
fix: root credentials should be able to create users (#12511)
2021-06-16 09:52:01 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
return
}
for _, dnsRecords := range dnsBuckets {
buckets = append(buckets, BucketInfo{
Name: dnsRecords[0].Key,
Created: dnsRecords[0].CreationDate,
})
}
sort.Slice(buckets, func(i, j int) bool {
return buckets[i].Name < buckets[j].Name
})
} else {
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
buckets, err = objectAPI.ListBuckets(ctx, BucketOptions{Cached: true})
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
accountName := cred.AccessKey
Fix regression in STS permissions via group in internal IDP (#13955) - When using MinIO's internal IDP, STS credential permissions did not check the groups of a user. - Also fix bug in policy checking in AccountInfo call
2021-12-21 06:07:16 +08:00
if cred.IsTemp() || cred.IsServiceAccount() {
// For derived credentials, check the parent user's permissions.
accountName = cred.ParentUser
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-24 08:39:20 +08:00
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
roleArn := policy.Args{Claims: cred.Claims}.GetRoleArn()
policySetFromClaims, hasPolicyClaim := policy.GetPoliciesFromClaims(cred.Claims, iamPolicyClaimNameOpenID())
var effectivePolicy policy.Policy
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
var buf []byte
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
switch {
fix: allow all console actions with custom authZ (#20489) When custom authorization via plugin is enabled, the console will now render the UI as if all actions are allowed. Since server cannot determine the exact policy allowed for a user via the plugin, this is acceptable to do. If a particular action is actually not allowed by the plugin the call will result in an error. Previously the server was evaluating a policy when custom authZ is enabled - this is fixed now.
2024-09-27 14:44:44 +08:00
case accountName == globalActiveCred.AccessKey || newGlobalAuthZPluginFn() != nil:
// For owner account and when plugin authZ is configured always set
// effective policy as `consoleAdmin`.
//
// In the latter case, we let the UI render everything, but individual
// actions would fail if not permitted by the external authZ service.
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
for _, policy := range policy.DefaultPolicies {
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
if policy.Name == "consoleAdmin" {
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
effectivePolicy = policy.Definition
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
break
}
}
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
case roleArn != "":
_, policy, err := globalIAMSys.GetRolePolicy(roleArn)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
policySlice := newMappedPolicy(policy).toSlice()
effectivePolicy = globalIAMSys.GetCombinedPolicy(policySlice...)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
case hasPolicyClaim:
effectivePolicy = globalIAMSys.GetCombinedPolicy(policySetFromClaims.ToSlice()...)
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
default:
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
policies, err := globalIAMSys.PolicyDBGet(accountName, cred.Groups...)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
if err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
effectivePolicy = globalIAMSys.GetCombinedPolicy(policies...)
}
tests: Do not allow forced type asserts (#20905)
2025-02-19 00:25:55 +08:00
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
buf, err = json.MarshalIndent(effectivePolicy, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
acctInfo := madmin.AccountInfo{
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
AccountName: accountName,
send backendInfo as part AccountInfo (#12733) This is needed for console UI to change the UI behavior for different modes of operation.
2021-07-17 05:37:06 +08:00
Server: objectAPI.BackendInfo(),
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
Policy: buf,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}
for _, bucket := range buckets {
rd, wr := isAllowedAccess(bucket.Name)
if rd || wr {
// Fetch the data usage of the current bucket
avoid crash when initializing bucket quota cache (#20258)
2024-08-15 08:34:56 +08:00
bui := globalBucketQuotaSys.GetBucketUsageInfo(ctx, bucket.Name)
size := bui.Size
objectsCount := bui.ObjectsCount
objectsHist := bui.ObjectSizesHistogram
versionsHist := bui.ObjectVersionsHistogram
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
// Fetch the prefix usage of the current bucket
var prefixUsage map[string]uint64
if enablePrefixUsage {
ignore configNotFound error in AccountInfo() (#14082) fixes #14081
2022-01-12 00:43:18 +08:00
prefixUsage, _ = loadPrefixUsageFromBackend(ctx, objectAPI, bucket.Name)
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
}
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
lcfg, _ := globalBucketObjectLockSys.Get(bucket.Name)
Add quota usage as part of prometheus metrics (#14222) Bonus: pass caller context when needed to all bucket metadata handling calls.
2022-02-01 09:27:43 +08:00
quota, _ := globalBucketQuotaSys.Get(ctx, bucket.Name)
Add support for site replication healing (#14572) heal bucket metadata and IAM entries for sites participating in site replication from the site with the most updated entry. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Aditya Manthramurthy <aditya@minio.io>
2022-04-24 17:36:31 +08:00
rcfg, _, _ := globalBucketMetadataSys.GetReplicationConfig(ctx, bucket.Name)
tcfg, _, _ := globalBucketMetadataSys.GetTaggingConfig(bucket.Name)
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
Various improvements in replication (#11949) - collect real time replication metrics for prometheus. - add pending_count, failed_count metric for total pending/failed replication operations. - add API to get replication metrics - add MRF worker to handle spill-over replication operations - multiple issues found with replication - fixes an issue when client sends a bucket name with `/` at the end from SetRemoteTarget API call make sure to trim the bucket name to avoid any extra `/`. - hold write locks in GetObjectNInfo during replication to ensure that object version stack is not overwritten while reading the content. - add additional protection during WriteMetadata() to ensure that we always write a valid FileInfo{} and avoid ever writing empty FileInfo{} to the lowest layers. Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Harshavardhana <harsha@minio.io>
2021-04-04 00:03:42 +08:00
acctInfo.Buckets = append(acctInfo.Buckets, madmin.BucketAccessInfo{
Add Object Version count histogram (#16739)
2023-03-11 00:53:59 +08:00
Name: bucket.Name,
Created: bucket.Created,
Size: size,
Objects: objectsCount,
ObjectSizesHistogram: objectsHist,
ObjectVersionsHistogram: versionsHist,
PrefixUsage: prefixUsage,
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
Details: &madmin.BucketDetails{
Versioning: globalBucketVersioningSys.Enabled(bucket.Name),
VersioningSuspended: globalBucketVersioningSys.Suspended(bucket.Name),
Replication: rcfg != nil,
Locking: lcfg.LockEnabled,
Quota: quota,
Tagging: tcfg,
},
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
Access: madmin.AccountAccess{
Read: rd,
Write: wr,
},
})
}
}
usageInfoJSON, err := json.Marshal(acctInfo)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, usageInfoJSON)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// InfoCannedPolicy - GET /minio/admin/v3/info-canned-policy?name={policyName}
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
//
// Newer API response with policy timestamps is returned with query parameter
// `v=2` like:
//
// GET /minio/admin/v3/info-canned-policy?name={policyName}&v=2
//
// The newer API will eventually become the default (and only) one. The older
// response is to return only the policy JSON. The newer response returns
// timestamps along with the policy JSON. Both versions are supported for now,
// for smooth transition to new API.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.GetPolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
name := mux.Vars(r)["name"]
policies := newMappedPolicy(name).toSlice()
if len(policies) != 1 {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errTooManyPolicies), r.URL)
return
}
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
setReqInfoPolicyName(ctx, name)
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
policyDoc, err := globalIAMSys.InfoPolicy(name)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
// Is the new API version being requested?
infoPolicyAPIVersion := r.Form.Get("v")
if infoPolicyAPIVersion == "2" {
buf, err := json.MarshalIndent(policyDoc, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
w.Write(buf)
return
} else if infoPolicyAPIVersion != "" {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errors.New("invalid version parameter 'v' supplied")), r.URL)
return
}
// Return the older API response value of just the policy json.
buf, err := json.MarshalIndent(policyDoc.Policy, "", " ")
always indent and reply policy JSON (#12399)
2021-05-30 00:22:22 +08:00
if err != nil {
Handling unhandled errors in the InfoCannedPolicy method. (#10575)
2020-09-28 01:24:04 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
always indent and reply policy JSON (#12399)
2021-05-30 00:22:22 +08:00
w.Write(buf)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
// ListBucketPolicies - GET /minio/admin/v3/list-canned-policies?bucket={bucket}
func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListUserPoliciesAdminAction)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
if objectAPI == nil {
return
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
bucket := mux.Vars(r)["bucket"]
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
policies, err := globalIAMSys.ListPolicies(ctx, bucket)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
newPolicies := make(map[string]policy.Policy)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
for name, p := range policies {
_, err = json.Marshal(p)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
if err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
continue
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
newPolicies[name] = p
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
if err = json.NewEncoder(w).Encode(newPolicies); err != nil {
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// ListCannedPolicies - GET /minio/admin/v3/list-canned-policies
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListUserPoliciesAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
policies, err := globalIAMSys.ListPolicies(ctx, "")
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
newPolicies := make(map[string]policy.Policy)
fix support OBDAdminAction is valid action (#9354)
2020-04-16 03:16:40 +08:00
for name, p := range policies {
_, err = json.Marshal(p)
if err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
fix support OBDAdminAction is valid action (#9354)
2020-04-16 03:16:40 +08:00
continue
}
newPolicies[name] = p
}
if err = json.NewEncoder(w).Encode(newPolicies); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// RemoveCannedPolicy - DELETE /minio/admin/v3/remove-canned-policy?name=<policy_name>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.DeletePolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["name"]
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
setReqInfoPolicyName(ctx, policyName)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
Move IAM notifications into IAM system functions (#13780)
2021-11-30 06:38:57 +08:00
if err := globalIAMSys.DeletePolicy(ctx, policyName, true); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
// Call cluster-replication policy creation hook to replicate policy deletion to
// other minio clusters.
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Type: madmin.SRIAMItemPolicy,
Name: policyName,
UpdatedAt: UTCNow(),
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// AddCannedPolicy - PUT /minio/admin/v3/add-canned-policy?name=<policy_name>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.CreatePolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["name"]
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
// Policy has space characters in begin and end reject such inputs.
if hasSpaceBE(policyName) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
setReqInfoPolicyName(ctx, policyName)
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
Return error when attempting to create a policy with commas in name (#20724)
2024-12-04 19:51:26 +08:00
// Reject policy names with commas.
if strings.Contains(policyName, ",") {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrPolicyInvalidName), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
// Error out if Content-Length is missing.
if r.ContentLength <= 0 {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
return
}
// Error out if Content-Length is beyond allowed size.
if r.ContentLength > maxBucketPolicySize {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
return
}
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
iamPolicyBytes, err := io.ReadAll(io.LimitReader(r.Body, r.ContentLength))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
iamPolicy, err := policy.ParseConfig(bytes.NewReader(iamPolicyBytes))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
Add more context aware error for policy parsing errors (#8726) In existing functionality we simply return a generic error such as "MalformedPolicy" which indicates just a generic string "invalid resource" which is not very meaningful when there might be multiple types of errors during policy parsing. This PR ensures that we send these errors back to client to indicate the actual error, brings in two concrete types such as - iampolicy.Error - policy.Error Refer #8202
2020-01-04 03:28:52 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
// Version in policy must not be empty
if iamPolicy.Version == "" {
s3: Return correct error when Version is invalid in policy document (#16178)
2022-12-07 00:07:24 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrPolicyInvalidVersion), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetPolicy(ctx, policyName, *iamPolicy)
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
// Call cluster-replication policy creation hook to replicate policy to
// other minio clusters.
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Type: madmin.SRIAMItemPolicy,
Name: policyName,
Policy: iamPolicyBytes,
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
// SetPolicyForUserOrGroup - sets a policy on a user or a group.
//
// PUT /minio/admin/v3/set-policy?policy=xxx&user-or-group=?[&is-group]
//
// Deprecated: This API is replaced by attach/detach policy APIs for specific
// type of users (builtin or LDAP).
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.AttachPolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["policyName"]
entityName := vars["userOrGroup"]
isGroup := vars["isGroup"] == "true"
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
setReqInfoPolicyName(ctx, policyName)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
if !isGroup {
fix: service account permissions generated from LDAP user (#11637) service accounts generated from LDAP parent user did not inherit correct permissions, this PR fixes this fully.
2021-02-26 05:49:59 +08:00
ok, _, err := globalIAMSys.IsTempUser(entityName)
Fix policy setting error in LDAP setups (#9303) Fixes #8667 In addition to the above, if the user is mapped to a policy or belongs in a group, the user-info API returns this information, but otherwise, the API will now return a non-existent user error.
2020-04-09 16:04:08 +08:00
if err != nil && err != errNoSuchUser {
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// When the user is root credential you are not allowed to
// add policies for root user.
if entityName == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
// Validate that user or group exists.
if !isGroup {
if globalIAMSys.GetUsersSysType() == MinIOUsersSysType {
_, ok := globalIAMSys.GetUser(ctx, entityName)
if !ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
return
}
}
} else {
_, err := globalIAMSys.GetGroupDescription(entityName)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
userType := regUser
if globalIAMSys.GetUsersSysType() == LDAPUsersSysType {
userType = stsUser
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
// Validate that the user or group exists in LDAP and use the normalized
// form of the entityName (which will be an LDAP DN).
var err error
if isGroup {
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
var foundGroupDN *xldap.DNSearchResult
fix: IAM LDAP access key import bug (#19608) When importing access keys (i.e. service accounts) for LDAP accounts, we are requiring groups to exist under one of the configured group base DNs. This is not correct. This change fixes this by only checking for existence and storing the normalized form of the group DN - we do not return an error if the group is not under a base DN. Test is updated to illustrate an import failure that would happen without this change.
2024-04-25 23:50:16 +08:00
var underBaseDN bool
if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
iamLogIf(ctx, err)
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
} else if foundGroupDN == nil || !underBaseDN {
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
err = errNoSuchGroup
fix: admin api - SetPolicyForUserOrGroup avoid nil deref (#21400)
2025-07-02 00:00:17 +08:00
} else {
entityName = foundGroupDN.NormDN
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
}
} else {
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
var foundUserDN *xldap.DNSearchResult
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
if foundUserDN, err = globalIAMSys.LDAPConfig.GetValidatedDNForUsername(entityName); err != nil {
iamLogIf(ctx, err)
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2024-05-25 07:05:23 +08:00
} else if foundUserDN == nil {
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
err = errNoSuchUser
fix: admin api - SetPolicyForUserOrGroup avoid nil deref (#21400)
2025-07-02 00:00:17 +08:00
} else {
entityName = foundUserDN.NormDN
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
}
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
}
updatedAt, err := globalIAMSys.PolicyDBSet(ctx, entityName, policyName, userType, isGroup)
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemPolicyMapping,
PolicyMapping: &madmin.SRPolicyMapping{
UserOrGroup: entityName,
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
UserType: int(userType),
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
IsGroup: isGroup,
Policy: policyName,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
// ListPolicyMappingEntities - GET /minio/admin/v3/idp/builtin/policy-entities?policy=xxx&user=xxx&group=xxx
Add API to fetch policy user/group associations (#16239)
2022-12-20 02:37:03 +08:00
func (a adminAPIHandlers) ListPolicyMappingEntities(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add API to fetch policy user/group associations (#16239)
2022-12-20 02:37:03 +08:00
// Check authorization.
objectAPI, cred := validateAdminReq(ctx, w, r,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
policy.ListGroupsAdminAction, policy.ListUsersAdminAction, policy.ListUserPoliciesAdminAction)
Add API to fetch policy user/group associations (#16239)
2022-12-20 02:37:03 +08:00
if objectAPI == nil {
return
}
// Validate API arguments.
q := madmin.PolicyEntitiesQuery{
Users: r.Form["user"],
Groups: r.Form["group"],
Policy: r.Form["policy"],
}
// Query IAM
res, err := globalIAMSys.QueryPolicyEntities(r.Context(), q)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Encode result and send response.
data, err := json.Marshal(res)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
password := cred.SecretKey
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
// AttachDetachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/policy/{operation}
func (a adminAPIHandlers) AttachDetachPolicyBuiltin(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.UpdatePolicyAssociationAction,
policy.AttachPolicyAdminAction)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
if objectAPI == nil {
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
// More than maxConfigSize bytes were available
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
// Ensure body content type is opaque to ensure that request body has not
// been interpreted as form data.
contentType := r.Header.Get("Content-Type")
if contentType != "application/octet-stream" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
operation := mux.Vars(r)["operation"]
if operation != "attach" && operation != "detach" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminInvalidArgument), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
isAttach := operation == "attach"
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
var par madmin.PolicyAssociationReq
if err = json.Unmarshal(reqBytes, &par); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if err = par.IsValid(); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
updatedAt, addedOrRemoved, _, err := globalIAMSys.PolicyDBUpdateBuiltin(ctx, isAttach, par)
if err != nil {
if err == errNoSuchUser || err == errNoSuchGroup {
Remove older policy attach behavior for LDAP (#17240)
2023-05-26 21:31:24 +08:00
if globalIAMSys.LDAPConfig.Enabled() {
// When LDAP is enabled, warn user that they are using the wrong
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
// API. FIXME: error can be no such group as well - fix errNoSuchUserLDAPWarn
Remove older policy attach behavior for LDAP (#17240)
2023-05-26 21:31:24 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUserLDAPWarn), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
setReqInfoPolicyName(ctx, strings.Join(addedOrRemoved, ","))
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
respBody := madmin.PolicyAssociationResp{
UpdatedAt: updatedAt,
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
if isAttach {
respBody.PoliciesAttached = addedOrRemoved
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
} else {
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
respBody.PoliciesDetached = addedOrRemoved
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
data, err := json.Marshal(respBody)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
encryptedData, err := madmin.EncryptData(password, data)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
writeSuccessResponseJSON(w, encryptedData)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Add new API endpoint to revoke STS tokens (#21072)
2025-04-01 02:51:24 +08:00
// RevokeTokens - POST /minio/admin/v3/revoke-tokens/{userProvider}
func (a adminAPIHandlers) RevokeTokens(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
userProvider := mux.Vars(r)["userProvider"]
user := r.Form.Get("user")
tokenRevokeType := r.Form.Get("tokenRevokeType")
fullRevoke := r.Form.Get("fullRevoke") == "true"
isTokenSelfRevoke := user == ""
if !isTokenSelfRevoke {
var err error
user, err = getUserWithProvider(ctx, userProvider, user, false)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
if (user != "" && tokenRevokeType == "" && !fullRevoke) || (tokenRevokeType != "" && fullRevoke) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
adminPrivilege := globalIAMSys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Groups: cred.Groups,
Action: policy.RemoveServiceAccountAdminAction,
ConditionValues: getConditionValues(r, "", cred),
IsOwner: owner,
Claims: cred.Claims,
})
if !adminPrivilege || isTokenSelfRevoke {
parentUser := cred.AccessKey
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
if !isTokenSelfRevoke && user != parentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
user = parentUser
}
// Infer token revoke type from the request if requestor is STS.
if isTokenSelfRevoke && tokenRevokeType == "" && !fullRevoke {
if cred.IsTemp() {
tokenRevokeType, _ = cred.Claims[tokenRevokeTypeClaim].(string)
}
if tokenRevokeType == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNoTokenRevokeType), r.URL)
return
}
}
err := globalIAMSys.RevokeTokens(ctx, user, tokenRevokeType)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessNoContent(w)
}
Add New Accesskey Info and OpenID Accesskey List API endpoints (#21097)
2025-04-16 06:06:31 +08:00
// InfoAccessKey - GET /minio/admin/v3/info-access-key?access-key=<access-key>
func (a adminAPIHandlers) InfoAccessKey(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
accessKey = cred.AccessKey
}
u, ok := globalIAMSys.GetUser(ctx, accessKey)
targetCred := u.Credentials
if !globalIAMSys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Groups: cred.Groups,
Action: policy.ListServiceAccountsAdminAction,
ConditionValues: getConditionValues(r, "", cred),
IsOwner: owner,
Claims: cred.Claims,
}) {
// If requested user does not exist and requestor is not allowed to list service accounts, return access denied.
if !ok {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
requestUser := cred.AccessKey
if cred.ParentUser != "" {
requestUser = cred.ParentUser
}
if requestUser != targetCred.ParentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
if !ok {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminNoSuchAccessKey), r.URL)
return
}
var (
sessionPolicy *policy.Policy
err error
userType string
)
switch {
case targetCred.IsTemp():
userType = "STS"
_, sessionPolicy, err = globalIAMSys.GetTemporaryAccount(ctx, accessKey)
if err == errNoSuchTempAccount {
err = errNoSuchAccessKey
}
case targetCred.IsServiceAccount():
userType = "Service Account"
_, sessionPolicy, err = globalIAMSys.GetServiceAccount(ctx, accessKey)
if err == errNoSuchServiceAccount {
err = errNoSuchAccessKey
}
default:
err = errNoSuchAccessKey
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// if session policy is nil or empty, then it is implied policy
impliedPolicy := sessionPolicy == nil || (sessionPolicy.Version == "" && len(sessionPolicy.Statements) == 0)
var svcAccountPolicy policy.Policy
if !impliedPolicy {
svcAccountPolicy = *sessionPolicy
} else {
policiesNames, err := globalIAMSys.PolicyDBGet(targetCred.ParentUser, targetCred.Groups...)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
svcAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
}
policyJSON, err := json.MarshalIndent(svcAccountPolicy, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
var expiration *time.Time
if !targetCred.Expiration.IsZero() && !targetCred.Expiration.Equal(timeSentinel) {
expiration = &targetCred.Expiration
}
userProvider := guessUserProvider(targetCred)
infoResp := madmin.InfoAccessKeyResp{
AccessKey: accessKey,
InfoServiceAccountResp: madmin.InfoServiceAccountResp{
ParentUser: targetCred.ParentUser,
Name: targetCred.Name,
Description: targetCred.Description,
AccountStatus: targetCred.Status,
ImpliedPolicy: impliedPolicy,
Policy: string(policyJSON),
Expiration: expiration,
},
UserType: userType,
UserProvider: userProvider,
}
populateProviderInfoFromClaims(targetCred.Claims, userProvider, &infoResp)
data, err := json.Marshal(infoResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
const (
fix: IAM import/export: remove sts group handling (#19422) There are no separate STS group mappings to be handled. Also add tests for basic import/export sanity.
2024-04-06 11:13:35 +08:00
allPoliciesFile = "policies.json"
allUsersFile = "users.json"
allGroupsFile = "groups.json"
allSvcAcctsFile = "svcaccts.json"
userPolicyMappingsFile = "user_mappings.json"
groupPolicyMappingsFile = "group_mappings.json"
stsUserPolicyMappingsFile = "stsuser_mappings.json"
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
iamAssetsDir = "iam-assets"
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
)
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
var iamExportFiles = []string{
allPoliciesFile,
allUsersFile,
allGroupsFile,
allSvcAcctsFile,
userPolicyMappingsFile,
groupPolicyMappingsFile,
stsUserPolicyMappingsFile,
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// ExportIAMHandler - exports all iam info as a zipped file
func (a adminAPIHandlers) ExportIAM(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// Get current object layer instance.
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ExportIAMAction)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if objectAPI == nil {
fix: Privilege escalation in IAM import API (#20756) This API had missing permissions checking, allowing a user to change their policy mapping by: 1. Craft iam-info.zip file: Update own user permission in user_mappings.json 2. Upload it via `mc admin cluster iam import nobody iam-info.zip` Here `nobody` can be a user with pretty much any kind of permission (but not anonymous) and this ends up working. Some more detailed steps - start from a fresh setup: ``` ./minio server /tmp/d{1...4} & mc alias set myminio http://localhost:9000 minioadmin minioadmin mc admin user add myminio nobody nobody123 mc admin policy attach myminio readwrite nobody nobody123 mc alias set nobody http://localhost:9000 nobody nobody123 mc admin cluster iam export myminio mkdir /tmp/x && mv myminio-iam-info.zip /tmp/x cd /tmp/x unzip myminio-iam-info.zip echo '{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}' > \ iam-assets/user_mappings.json zip -r myminio-iam-info-updated.zip iam-assets/ mc admin cluster iam import nobody ./myminio-iam-info-updated.zip mc admin service restart nobody ```
2024-12-12 10:09:40 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
return
}
// Initialize a zip writer which will provide a zipped content
// of bucket metadata
zipWriter := zip.NewWriter(w)
defer zipWriter.Close()
rawDataFn := func(r io.Reader, filename string, sz int) error {
header, zerr := zip.FileInfoHeader(dummyFileInfo{
name: filename,
size: int64(sz),
mode: 0o600,
modTime: time.Now(),
isDir: false,
sys: nil,
})
if zerr != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, zerr)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
return nil
}
header.Method = zip.Deflate
zwriter, zerr := zipWriter.CreateHeader(header)
if zerr != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, zerr)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
return nil
}
if _, err := io.Copy(zwriter, r); err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
return nil
}
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
for _, f := range iamExportFiles {
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
iamFile := pathJoin(iamAssetsDir, f)
switch f {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
case allPoliciesFile:
allPolicies, err := globalIAMSys.ListPolicies(ctx, "")
if err != nil {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
adminLogIf(ctx, err)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
policiesData, err := json.Marshal(allPolicies)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(policiesData), iamFile, len(policiesData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case allUsersFile:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
userIdentities := make(map[string]UserIdentity)
err := globalIAMSys.store.loadUsers(ctx, regUser, userIdentities)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
userAccounts := make(map[string]madmin.AddOrUpdateUserReq)
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
for u, uid := range userIdentities {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
userAccounts[u] = madmin.AddOrUpdateUserReq{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
SecretKey: uid.Credentials.SecretKey,
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
Status: func() madmin.AccountStatus {
// Export current credential status
if uid.Credentials.Status == auth.AccountOff {
return madmin.AccountDisabled
}
return madmin.AccountEnabled
}(),
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
userData, err := json.Marshal(userAccounts)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(userData), iamFile, len(userData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case allGroupsFile:
groups := make(map[string]GroupInfo)
err := globalIAMSys.store.loadGroups(ctx, groups)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
groupData, err := json.Marshal(groups)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(groupData), iamFile, len(groupData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case allSvcAcctsFile:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
serviceAccounts := make(map[string]UserIdentity)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
err := globalIAMSys.store.loadUsers(ctx, svcUser, serviceAccounts)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
svcAccts := make(map[string]madmin.SRSvcAccCreate)
for user, acc := range serviceAccounts {
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
if user == siteReplicatorSvcAcc {
// skip site-replication service account.
continue
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
claims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, acc.Credentials.AccessKey)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
sa, policy, err := globalIAMSys.GetServiceAccount(ctx, acc.Credentials.AccessKey)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
var policyJSON []byte
if policy != nil {
policyJSON, err = json.Marshal(policy)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
}
svcAccts[user] = madmin.SRSvcAccCreate{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Parent: acc.Credentials.ParentUser,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
AccessKey: user,
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
SecretKey: acc.Credentials.SecretKey,
Groups: acc.Credentials.Groups,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
Claims: claims,
Update SRSvcAccCreate with new type (#20974)
2025-02-25 09:43:59 +08:00
SessionPolicy: policyJSON,
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Status: acc.Credentials.Status,
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
Name: sa.Name,
Description: sa.Description,
Expiration: &sa.Expiration,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
svcAccData, err := json.Marshal(svcAccts)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(svcAccData), iamFile, len(svcAccData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case userPolicyMappingsFile:
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
userPolicyMap := xsync.NewMapOf[string, MappedPolicy]()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
err := globalIAMSys.store.loadMappedPolicies(ctx, regUser, false, userPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
userPolData, err := json.Marshal(mappedPoliciesToMap(userPolicyMap))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(userPolData), iamFile, len(userPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case groupPolicyMappingsFile:
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
groupPolicyMap := xsync.NewMapOf[string, MappedPolicy]()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
err := globalIAMSys.store.loadMappedPolicies(ctx, regUser, true, groupPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
grpPolData, err := json.Marshal(mappedPoliciesToMap(groupPolicyMap))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(grpPolData), iamFile, len(grpPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case stsUserPolicyMappingsFile:
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
userPolicyMap := xsync.NewMapOf[string, MappedPolicy]()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
err := globalIAMSys.store.loadMappedPolicies(ctx, stsUser, false, userPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
Fix races in IAM cache lazy loading (#19346) Fix races in IAM cache Fixes #19344 On the top level we only grab a read lock, but we write to the cache if we manage to fetch it. https://github.com/minio/minio/blob/a03dac41ebd2c1b9d3f1110ef5d299ffebb8f87b/cmd/iam-store.go#L446 is also flipped to what it should be AFAICT. Change the internal cache structure to a concurrency safe implementation. Bonus: Also switch grid implementation.
2024-03-27 02:12:57 +08:00
userPolData, err := json.Marshal(mappedPoliciesToMap(userPolicyMap))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(userPolData), iamFile, len(userPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
}
}
}
// ImportIAM - imports all IAM info into MinIO
func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
a.importIAM(w, r, "")
}
// ImportIAMV2 - imports all IAM info into MinIO
func (a adminAPIHandlers) ImportIAMV2(w http.ResponseWriter, r *http.Request) {
a.importIAM(w, r, "v2")
}
// ImportIAM - imports all IAM info into MinIO
func (a adminAPIHandlers) importIAM(w http.ResponseWriter, r *http.Request, apiVer string) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
fix: Privilege escalation in IAM import API (#20756) This API had missing permissions checking, allowing a user to change their policy mapping by: 1. Craft iam-info.zip file: Update own user permission in user_mappings.json 2. Upload it via `mc admin cluster iam import nobody iam-info.zip` Here `nobody` can be a user with pretty much any kind of permission (but not anonymous) and this ends up working. Some more detailed steps - start from a fresh setup: ``` ./minio server /tmp/d{1...4} & mc alias set myminio http://localhost:9000 minioadmin minioadmin mc admin user add myminio nobody nobody123 mc admin policy attach myminio readwrite nobody nobody123 mc alias set nobody http://localhost:9000 nobody nobody123 mc admin cluster iam export myminio mkdir /tmp/x && mv myminio-iam-info.zip /tmp/x cd /tmp/x unzip myminio-iam-info.zip echo '{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}' > \ iam-assets/user_mappings.json zip -r myminio-iam-info-updated.zip iam-assets/ mc admin cluster iam import nobody ./myminio-iam-info-updated.zip mc admin service restart nobody ```
2024-12-12 10:09:40 +08:00
// Validate signature, permissions and get current object layer instance.
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ImportIAMAction)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
fix: Privilege escalation in IAM import API (#20756) This API had missing permissions checking, allowing a user to change their policy mapping by: 1. Craft iam-info.zip file: Update own user permission in user_mappings.json 2. Upload it via `mc admin cluster iam import nobody iam-info.zip` Here `nobody` can be a user with pretty much any kind of permission (but not anonymous) and this ends up working. Some more detailed steps - start from a fresh setup: ``` ./minio server /tmp/d{1...4} & mc alias set myminio http://localhost:9000 minioadmin minioadmin mc admin user add myminio nobody nobody123 mc admin policy attach myminio readwrite nobody nobody123 mc alias set nobody http://localhost:9000 nobody nobody123 mc admin cluster iam export myminio mkdir /tmp/x && mv myminio-iam-info.zip /tmp/x cd /tmp/x unzip myminio-iam-info.zip echo '{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}' > \ iam-assets/user_mappings.json zip -r myminio-iam-info-updated.zip iam-assets/ mc admin cluster iam import nobody ./myminio-iam-info-updated.zip mc admin service restart nobody ```
2024-12-12 10:09:40 +08:00
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(r.Body)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
reader := bytes.NewReader(data)
zr, err := zip.NewReader(reader, int64(len(data)))
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
var skipped, removed, added madmin.IAMEntities
var failed madmin.IAMErrEntities
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// import policies first
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allPoliciesFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allPoliciesFile, ""), r.URL)
return
default:
defer f.Close()
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var allPolicies map[string]policy.Policy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err = io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allPoliciesFile, ""), r.URL)
return
}
err = json.Unmarshal(data, &allPolicies)
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allPoliciesFile, ""), r.URL)
return
}
for policyName, policy := range allPolicies {
if policy.IsEmpty() {
err = globalIAMSys.DeletePolicy(ctx, policyName, true)
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
removed.Policies = append(removed.Policies, policyName)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
} else {
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
_, err = globalIAMSys.SetPolicy(ctx, policyName, policy)
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
added.Policies = append(added.Policies, policyName)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allPoliciesFile, policyName), r.URL)
return
}
}
}
}
// import users
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allUsersFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allUsersFile, ""), r.URL)
return
default:
defer f.Close()
var userAccts map[string]madmin.AddOrUpdateUserReq
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allUsersFile, ""), r.URL)
return
}
err = json.Unmarshal(data, &userAccts)
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allUsersFile, ""), r.URL)
return
}
for accessKey, ureq := range userAccts {
// Not allowed to add a user with same access key as root credential
Do not allow adding root user to IAM subsystem (#16803)
2023-03-14 03:46:17 +08:00
if accessKey == globalActiveCred.AccessKey {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
user, exists := globalIAMSys.GetUser(ctx, accessKey)
if exists && (user.Credentials.IsTemp() || user.Credentials.IsServiceAccount()) {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// Updating STS credential is not allowed, and this API does not
// support updating service accounts.
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
// Check if accessKey has beginning and end space characters, this only applies to new users.
if !exists && hasSpaceBE(accessKey) {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminResourceInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if _, err = globalIAMSys.CreateUser(ctx, accessKey, ureq); err != nil {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
failed.Users = append(failed.Users, madmin.IAMErrEntity{Name: accessKey, Error: err})
} else {
added.Users = append(added.Users, accessKey)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
}
}
// import groups
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allGroupsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allGroupsFile, ""), r.URL)
return
default:
defer f.Close()
var grpInfos map[string]GroupInfo
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allGroupsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &grpInfos); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allGroupsFile, ""), r.URL)
return
}
for group, grpInfo := range grpInfos {
// Check if group already exists
if _, gerr := globalIAMSys.GetGroupDescription(group); gerr != nil {
// If group does not exist, then check if the group has beginning and end space characters
// we will reject such group names.
if errors.Is(gerr, errNoSuchGroup) && hasSpaceBE(group) {
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminResourceInvalidArgument, gerr, allGroupsFile, group), r.URL)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
return
}
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if _, gerr := globalIAMSys.AddUsersToGroup(ctx, group, grpInfo.Members); gerr != nil {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
failed.Groups = append(failed.Groups, madmin.IAMErrEntity{Name: group, Error: err})
} else {
added.Groups = append(added.Groups, group)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
}
}
// import service accounts
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allSvcAcctsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allSvcAcctsFile, ""), r.URL)
return
default:
defer f.Close()
var serviceAcctReqs map[string]madmin.SRSvcAccCreate
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allSvcAcctsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &serviceAcctReqs); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allSvcAcctsFile, ""), r.URL)
return
}
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
// Validations for LDAP enabled deployments.
if globalIAMSys.LDAPConfig.Enabled() {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
skippedAccessKeys, err := globalIAMSys.NormalizeLDAPAccessKeypairs(ctx, serviceAcctReqs)
skipped.ServiceAccounts = append(skipped.ServiceAccounts, skippedAccessKeys...)
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, ""), r.URL)
return
}
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
for user, svcAcctReq := range serviceAcctReqs {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
if slices.Contains(skipped.ServiceAccounts, user) {
continue
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var sp *policy.Policy
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
var err error
Update SRSvcAccCreate with new type (#20974)
2025-02-25 09:43:59 +08:00
if len(svcAcctReq.SessionPolicy) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sp, err = policy.ParseConfig(bytes.NewReader(svcAcctReq.SessionPolicy))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
}
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
// service account access key cannot have space characters
// beginning and end of the string.
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if hasSpaceBE(svcAcctReq.AccessKey) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
updateReq := true
_, _, err = globalIAMSys.GetServiceAccount(ctx, svcAcctReq.AccessKey)
if err != nil {
if !errors.Is(err, errNoSuchServiceAccount) {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
updateReq = false
}
if updateReq {
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
// If the service account exists, we remove it to ensure a
// clean import.
err := globalIAMSys.DeleteServiceAccount(ctx, svcAcctReq.AccessKey, true)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
Removed user and group details from logs (#20072) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-07-15 02:12:07 +08:00
delErr := fmt.Errorf("failed to delete existing service account (%s) before importing it: %w", svcAcctReq.AccessKey, err)
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, delErr, allSvcAcctsFile, user), r.URL)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
return
}
}
opts := newServiceAccountOpts{
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
accessKey: user,
secretKey: svcAcctReq.SecretKey,
sessionPolicy: sp,
claims: svcAcctReq.Claims,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
name: svcAcctReq.Name,
description: svcAcctReq.Description,
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
expiration: svcAcctReq.Expiration,
allowSiteReplicatorAccount: false,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if _, _, err = globalIAMSys.NewServiceAccount(ctx, svcAcctReq.Parent, svcAcctReq.Groups, opts); err != nil {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
failed.ServiceAccounts = append(failed.ServiceAccounts, madmin.IAMErrEntity{Name: user, Error: err})
} else {
added.ServiceAccounts = append(added.ServiceAccounts, user)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
}
}
// import user policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, userPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, userPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var userPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, userPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &userPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, userPolicyMappingsFile, ""), r.URL)
return
}
for u, pm := range userPolicyMap {
// disallow setting policy mapping if user is a temporary user
ok, _, err := globalIAMSys.IsTempUser(u)
if err != nil && err != errNoSuchUser {
writeErrorResponseJSON(ctx, w, importError(ctx, err, userPolicyMappingsFile, u), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, importError(ctx, errIAMActionNotAllowed, userPolicyMappingsFile, u), r.URL)
return
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, u, pm.Policies, regUser, false); err != nil {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
failed.UserPolicies = append(
failed.UserPolicies,
madmin.IAMErrPolicyEntity{
Name: u,
Policies: strings.Split(pm.Policies, ","),
Error: err,
})
} else {
added.UserPolicies = append(added.UserPolicies, map[string][]string{u: strings.Split(pm.Policies, ",")})
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
}
}
// import group policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, groupPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, groupPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var grpPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, groupPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &grpPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, groupPolicyMappingsFile, ""), r.URL)
return
}
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
// Validations for LDAP enabled deployments.
if globalIAMSys.LDAPConfig.Enabled() {
isGroup := true
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
skippedDN, err := globalIAMSys.NormalizeLDAPMappingImport(ctx, isGroup, grpPolicyMap)
skipped.Groups = append(skipped.Groups, skippedDN...)
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, groupPolicyMappingsFile, ""), r.URL)
return
}
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
for g, pm := range grpPolicyMap {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
if slices.Contains(skipped.Groups, g) {
continue
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, g, pm.Policies, unknownIAMUserType, true); err != nil {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
failed.GroupPolicies = append(
failed.GroupPolicies,
madmin.IAMErrPolicyEntity{
Name: g,
Policies: strings.Split(pm.Policies, ","),
Error: err,
})
} else {
added.GroupPolicies = append(added.GroupPolicies, map[string][]string{g: strings.Split(pm.Policies, ",")})
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
}
}
// import sts user policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, stsUserPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsUserPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var userPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsUserPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &userPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, stsUserPolicyMappingsFile, ""), r.URL)
return
}
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
// Validations for LDAP enabled deployments.
if globalIAMSys.LDAPConfig.Enabled() {
isGroup := true
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
skippedDN, err := globalIAMSys.NormalizeLDAPMappingImport(ctx, !isGroup, userPolicyMap)
skipped.Users = append(skipped.Users, skippedDN...)
ldap: Normalize DNs when importing (#19528) This is a change to IAM export/import functionality. For LDAP enabled setups, it performs additional validations: - for policy mappings on LDAP users and groups, it ensures that the corresponding user or group DN exists and if so uses a normalized form of these DNs for storage - for access keys (service accounts), it updates (i.e. validates existence and normalizes) the internally stored parent user DN and group DNs. This allows for a migration path for setups in which LDAP mappings have been stored in previous versions of the server, where the name of the mapping file stored on drives is not in a normalized form. An administrator needs to execute: `mc admin iam export ALIAS` followed by `mc admin iam import ALIAS /path/to/export/file` The validations are more strict and returns errors when multiple mappings are found for the same user/group DN. This is to ensure the mappings stored by the server are unambiguous and to reduce the potential for confusion. Bonus **bug fix**: IAM export of access keys (service accounts) did not export key name, description and expiration. This is fixed in this change too.
2024-04-18 23:15:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, stsUserPolicyMappingsFile, ""), r.URL)
return
}
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
for u, pm := range userPolicyMap {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
if slices.Contains(skipped.Users, u) {
continue
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// disallow setting policy mapping if user is a temporary user
ok, _, err := globalIAMSys.IsTempUser(u)
if err != nil && err != errNoSuchUser {
writeErrorResponseJSON(ctx, w, importError(ctx, err, stsUserPolicyMappingsFile, u), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, importError(ctx, errIAMActionNotAllowed, stsUserPolicyMappingsFile, u), r.URL)
return
}
fix: avoid some IAM import errors if LDAP enabled (#19591) When LDAP is enabled, previously we were: - rejecting creation of users and groups via the IAM import functionality - throwing a `not a valid DN` error when non-LDAP group mappings are present This change allows for these cases as we need to support situations where the MinIO server contains users, groups and policy mappings created before LDAP was enabled.
2024-04-24 09:23:08 +08:00
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, u, pm.Policies, stsUser, false); err != nil {
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
failed.STSPolicies = append(
failed.STSPolicies,
madmin.IAMErrPolicyEntity{
Name: u,
Policies: strings.Split(pm.Policies, ","),
Error: err,
})
} else {
added.STSPolicies = append(added.STSPolicies, map[string][]string{u: strings.Split(pm.Policies, ",")})
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
}
}
Skip non existent ldap entities while import (#20352) Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-09-10 00:59:28 +08:00
if apiVer == "v2" {
iamr := madmin.ImportIAMResult{
Skipped: skipped,
Removed: removed,
Added: added,
Failed: failed,
}
b, err := json.Marshal(iamr)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, b)
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
policy: More defensive code validating svc:DurationSeconds (#19820) This does not fix any current issue, but merging https://github.com/minio/madmin-go/pull/282 can lose the validation of the service account expiration time. Add more defensive code for now. In the future, we should avoid doing validation in another library.
2024-05-29 01:19:04 +08:00
func addExpirationToCondValues(exp *time.Time, condValues map[string][]string) error {
if exp == nil || exp.IsZero() || exp.Equal(timeSentinel) {
return nil
}
Migrate golanglint-ci config to V2 (#21081)
2025-03-30 08:56:02 +08:00
dur := time.Until(*exp)
policy: More defensive code validating svc:DurationSeconds (#19820) This does not fix any current issue, but merging https://github.com/minio/madmin-go/pull/282 can lose the validation of the service account expiration time. Add more defensive code for now. In the future, we should avoid doing validation in another library.
2024-05-29 01:19:04 +08:00
if dur <= 0 {
return errors.New("unsupported expiration time")
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
}
policy: More defensive code validating svc:DurationSeconds (#19820) This does not fix any current issue, but merging https://github.com/minio/madmin-go/pull/282 can lose the validation of the service account expiration time. Add more defensive code for now. In the future, we should avoid doing validation in another library.
2024-05-29 01:19:04 +08:00
condValues["DurationSeconds"] = []string{strconv.FormatInt(int64(dur.Seconds()), 10)}
return nil
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
}
Fix behavior of `AddServiceAccountLDAP` for non-admin users (#20442)
2024-09-17 07:04:51 +08:00
func commonAddServiceAccount(r *http.Request, ldap bool) (context.Context, auth.Credentials, newServiceAccountOpts, madmin.AddServiceAccountReq, string, APIError) {
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
ctx := r.Context()
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrServerNotInitialized)
}
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(s3Err)
}
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err)
}
var createReq madmin.AddServiceAccountReq
if err = json.Unmarshal(reqBytes, &createReq); err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err)
}
fix: truncate Expiration to second when Add ServiceAccount (#19674) Truncate Expiration at the second when Add ServiceAccount
2024-05-10 02:08:04 +08:00
if createReq.Expiration != nil && !createReq.Expiration.IsZero() {
// truncate expiration at the second.
truncateTime := createReq.Expiration.Truncate(time.Second)
createReq.Expiration = &truncateTime
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
// service account access key cannot have space characters beginning and end of the string.
if hasSpaceBE(createReq.AccessKey) {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument)
}
if err := createReq.Validate(); err != nil {
// Since this validation would happen client side as well, we only send
// a generic error message here.
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument)
}
// If the request did not set a TargetUser, the service account is
// created for the request sender.
targetUser := createReq.TargetUser
if targetUser == "" {
targetUser = cred.AccessKey
}
description := createReq.Description
if description == "" {
description = createReq.Comment
}
opts := newServiceAccountOpts{
accessKey: createReq.AccessKey,
secretKey: createReq.SecretKey,
name: createReq.Name,
description: description,
expiration: createReq.Expiration,
Run modernize (#21546) `go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest -fix -test ./...` executed. `go generate ./...` ran afterwards to keep generated.
2025-08-29 10:39:48 +08:00
claims: make(map[string]any),
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
}
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
condValues := getConditionValues(r, "", cred)
policy: More defensive code validating svc:DurationSeconds (#19820) This does not fix any current issue, but merging https://github.com/minio/madmin-go/pull/282 can lose the validation of the service account expiration time. Add more defensive code for now. In the future, we should avoid doing validation in another library.
2024-05-29 01:19:04 +08:00
err = addExpirationToCondValues(createReq.Expiration, condValues)
if err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", toAdminAPIErr(ctx, err)
}
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
Fix behavior of `AddServiceAccountLDAP` for non-admin users (#20442)
2024-09-17 07:04:51 +08:00
denyOnly := (targetUser == cred.AccessKey || targetUser == cred.ParentUser)
if ldap && !denyOnly {
res, _ := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(targetUser)
Fix nil dereference in adding service account (#21235) Fixes #21234
2025-04-25 02:14:00 +08:00
if res != nil && res.NormDN == cred.ParentUser {
Fix behavior of `AddServiceAccountLDAP` for non-admin users (#20442)
2024-09-17 07:04:51 +08:00
denyOnly = true
}
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
// Check if action is allowed if creating access key for another user
// Check if action is explicitly denied if for self
if !globalIAMSys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Groups: cred.Groups,
Action: policy.CreateServiceAccountAdminAction,
Convert service account add/update expiration to cond values (#19024) In order to force some users allowed to create or update a service account to provide an expiration satifying the user policy conditions.
2024-02-13 00:36:16 +08:00
ConditionValues: condValues,
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
IsOwner: owner,
Claims: cred.Claims,
Fix behavior of `AddServiceAccountLDAP` for non-admin users (#20442)
2024-09-17 07:04:51 +08:00
DenyOnly: denyOnly,
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
}) {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAccessDenied)
}
var sp *policy.Policy
if len(createReq.Policy) > 0 {
sp, err = policy.ParseConfig(bytes.NewReader(createReq.Policy))
if err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", toAdminAPIErr(ctx, err)
}
}
opts.sessionPolicy = sp
return ctx, cred, opts, createReq, targetUser, APIError{}
}
Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags (#20638) * Add the policy name to the audit log tags when doing policy-based API calls * Audit log the retention settings requested in the API call * Audit log of retention on PutObjectRetention API path too
2024-11-26 01:17:12 +08:00
// setReqInfoPolicyName will set the given policyName as a tag on the context's request info,
// so that it appears in audit logs.
func setReqInfoPolicyName(ctx context.Context, policyName string) {
reqInfo := logger.GetReqInfo(ctx)
reqInfo.SetTags("policyName", policyName)
}