root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/admin-handlers-users.go

2498 lines
76 KiB
Go
Raw Normal View History

cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
// Copyright (c) 2015-2023 MinIO, Inc.
update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 03:41:13 +08:00
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
package cmd
import (
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
"bytes"
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
"context"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
"encoding/json"
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-24 08:39:20 +08:00
"errors"
Validate if parent user exists for service acct (#16443)
2023-01-24 10:47:18 +08:00
"fmt"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
"io"
"net/http"
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
"os"
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
"sort"
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
"time"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
"github.com/klauspost/compress/zip"
Bump up madmin-go and pkg deps (#17469)
2023-06-20 08:53:08 +08:00
"github.com/minio/madmin-go/v3"
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
"github.com/minio/minio/internal/auth"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
"github.com/minio/minio/internal/config/dns"
"github.com/minio/minio/internal/logger"
migrate to minio/mux from gorilla/mux (#16456)
2023-01-23 19:12:47 +08:00
"github.com/minio/mux"
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
"github.com/minio/pkg/v2/policy"
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// RemoveUser - DELETE /minio/admin/v3/remove-user?accessKey=<access_key>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.DeleteUserAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
accessKey := vars["accessKey"]
fix: service account permissions generated from LDAP user (#11637) service accounts generated from LDAP parent user did not inherit correct permissions, this PR fixes this fully.
2021-02-26 05:49:59 +08:00
ok, _, err := globalIAMSys.IsTempUser(accessKey)
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// When the user is root credential you are not allowed to
// remove the root user. Also you cannot delete yourself.
if accessKey == globalActiveCred.AccessKey || accessKey == cred.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
Move last remaining IAM notification calls into IAMSys methods (#13941)
2021-12-21 18:16:50 +08:00
if err := globalIAMSys.DeleteUser(ctx, accessKey, true); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemIAMUser,
IAMUser: &madmin.SRIAMUser{
AccessKey: accessKey,
IsDeleteReq: true,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: UTCNow(),
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: ListBucketUsers comment doc (#14129)
2022-01-20 02:45:13 +08:00
// ListBucketUsers - GET /minio/admin/v3/list-users?bucket={bucket}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
func (a adminAPIHandlers) ListBucketUsers(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.ListUsersAdminAction)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
if objectAPI == nil {
return
}
bucket := mux.Vars(r)["bucket"]
password := cred.SecretKey
honor client context in IAM user/policy listing calls (#14682)
2022-04-20 00:00:19 +08:00
allCredentials, err := globalIAMSys.ListBucketUsers(ctx, bucket)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(allCredentials)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// ListUsers - GET /minio/admin/v3/list-users
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.ListUsersAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
honor the credentials of user admin for encrypt/decrypt (#9194) Fixes #9193
2020-03-24 05:06:00 +08:00
password := cred.SecretKey
honor client context in IAM user/policy listing calls (#14682)
2022-04-20 00:00:19 +08:00
allCredentials, err := globalIAMSys.ListUsers(ctx)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring back listing LDAP users temporarly (#14760) In previous releases, mc admin user list would return the list of users that have policies mapped in IAM database. However, this was removed but this commit will bring it back until we revamp this.
2022-04-16 12:26:02 +08:00
// Add ldap users which have mapped policies if in LDAP mode
// FIXME(vadmeste): move this to policy info in the future
fix: heal service accounts for LDAP users in site replication (#15785)
2022-10-05 01:41:47 +08:00
ldapUsers, err := globalIAMSys.ListLDAPUsers(ctx)
Bring back listing LDAP users temporarly (#14760) In previous releases, mc admin user list would return the list of users that have policies mapped in IAM database. However, this was removed but this commit will bring it back until we revamp this.
2022-04-16 12:26:02 +08:00
if err != nil && err != errIAMActionNotAllowed {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
for k, v := range ldapUsers {
allCredentials[k] = v
}
// Marshal the response
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
data, err := json.Marshal(allCredentials)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// GetUserInfo - GET /minio/admin/v3/user-info
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
vars := mux.Vars(r)
name := vars["accessKey"]
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
checkDenyOnly := false
if name == cred.AccessKey {
// Check that there is no explicit deny - otherwise it's allowed
// to view one's own info.
checkDenyOnly = true
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
AccountName: cred.AccessKey,
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.GetUserAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
Allow OIDC user to query user info if policies permit (#13882)
2021-12-11 07:03:39 +08:00
DenyOnly: checkDenyOnly,
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
data, err := json.Marshal(userInfo)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, data)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// UpdateGroupMembers - PUT /minio/admin/v3/update-group-members
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.AddUserToGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(r.Body)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
var updReq madmin.GroupAddRemove
err = json.Unmarshal(data, &updReq)
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// Reject if the group add and remove are temporary credentials, or root credential.
for _, member := range updReq.Members {
ok, _, err := globalIAMSys.IsTempUser(member)
if err != nil && err != errNoSuchUser {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
// When the user is root credential you are not allowed to
// add policies for root user.
if member == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
var updatedAt time.Time
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if updReq.IsRemove {
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
} else {
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
// Check if group already exists
if _, gerr := globalIAMSys.GetGroupDescription(updReq.Group); gerr != nil {
// If group does not exist, then check if the group has beginning and end space characters
// we will reject such group names.
if errors.Is(gerr, errNoSuchGroup) && hasSpaceBE(updReq.Group) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemGroupInfo,
GroupInfo: &madmin.SRGroupInfo{
UpdateReq: updReq,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// GetGroup - /minio/admin/v3/group?group=mygroup1
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.GetGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
group := vars["group"]
gdesc, err := globalIAMSys.GetGroupDescription(group)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
body, err := json.Marshal(gdesc)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, body)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// ListGroups - GET /minio/admin/v3/groups
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListGroupsAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
groups, err := globalIAMSys.ListGroups(ctx)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
body, err := json.Marshal(groups)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, body)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// SetGroupStatus - PUT /minio/admin/v3/set-group-status?group=mygroup1&status=enabled
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.EnableGroupAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
group := vars["group"]
status := vars["status"]
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
var (
err error
updatedAt time.Time
)
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-17 01:28:29 +08:00
switch status {
case statusEnabled:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.SetGroupStatus(ctx, group, true)
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-17 01:28:29 +08:00
case statusDisabled:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err = globalIAMSys.SetGroupStatus(ctx, group, false)
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-17 01:28:29 +08:00
default:
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
err = errInvalidArgument
}
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
Type: madmin.SRIAMItemGroupInfo,
GroupInfo: &madmin.SRGroupInfo{
UpdateReq: madmin.GroupAddRemove{
Group: group,
Status: madmin.GroupStatus(status),
IsRemove: false,
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled]
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, creds := validateAdminReq(ctx, w, r, policy.EnableUserAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
accessKey := vars["accessKey"]
status := vars["status"]
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// you cannot enable or disable yourself.
if accessKey == creds.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errInvalidArgument), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetUserStatus(ctx, accessKey, madmin.AccountStatus(status))
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
support site replication to replicate IAM users,groups (#14128) - Site replication was missing replicating users, groups when an empty site was added. - Add site replication for groups and users when they are disabled and enabled. - Add support for replicating bucket quota config.
2022-01-20 12:02:24 +08:00
Type: madmin.SRIAMItemIAMUser,
IAMUser: &madmin.SRIAMUser{
AccessKey: accessKey,
IsDeleteReq: false,
UserReq: &madmin.AddOrUpdateUserReq{
Status: madmin.AccountStatus(status),
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
vars := mux.Vars(r)
fix: add helper for expected path.Clean behavior (#12068) current usage of path.Clean returns "." for empty strings instead we need `""` string as-is, make relevant changes as needed.
2021-04-16 07:32:13 +08:00
accessKey := vars["accessKey"]
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-20 05:24:21 +08:00
// Not allowed to add a user with same access key as root credential
Do not allow adding root user to IAM subsystem (#16803)
2023-03-14 03:46:17 +08:00
if accessKey == globalActiveCred.AccessKey {
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-20 05:24:21 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
user, exists := globalIAMSys.GetUser(ctx, accessKey)
if exists && (user.Credentials.IsTemp() || user.Credentials.IsServiceAccount()) {
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
// Updating STS credential is not allowed, and this API does not
// support updating service accounts.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return
}
fix: allow STS creds for admin accounts to add users (#11138) Allow rotating creds with privileges to add users fixes https://github.com/minio/console/issues/529
2020-12-20 05:24:21 +08:00
if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
// Incoming access key matches parent user then we should
// reject password change requests.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return
}
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
// Check if accessKey has beginning and end space characters, this only applies to new users.
if !exists && hasSpaceBE(accessKey) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
checkDenyOnly := false
if accessKey == cred.AccessKey {
// Check that there is no explicit deny - otherwise it's allowed
// to change one's own password.
checkDenyOnly = true
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.CreateUserAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
fix: do not deny admins to change other passwords fixes a regression from #11680
2021-03-03 09:02:29 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
Allow STS credentials to create users (#13874) - allow any regular user to change their own password - allow STS credentials to create users if permissions allow Bonus: do not allow changes to sts/service account credentials (via add user API)
2021-12-10 09:48:51 +08:00
DenyOnly: checkDenyOnly,
fix: enforce deny if present for implicit permissions (#11680) Implicit permissions for any user is to be allowed to change their own password, we need to restrict this further even if there is an implicit allow for this scenario - we have to honor Deny statements if they are specified.
2021-03-03 07:35:50 +08:00
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
// More than maxConfigSize bytes were available
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
return
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
password := cred.SecretKey
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
configBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
logger.LogIf(ctx, err)
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
return
}
Fix user privilege escalation bug (#13976) The AddUser() API endpoint was accepting a policy field. This API is used to update a user's secret key and account status, and allows a regular user to update their own secret key. The policy update is also applied though does not appear to be used by any existing client-side functionality. This fix changes the accepted request body type and removes the ability to apply policy changes as that is possible via the policy set API. NOTE: Changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.
2021-12-24 01:21:21 +08:00
var ureq madmin.AddOrUpdateUserReq
if err = json.Unmarshal(configBytes, &ureq); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
logger.LogIf(ctx, err)
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.CreateUser(ctx, accessKey, ureq)
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemIAMUser,
IAMUser: &madmin.SRIAMUser{
AccessKey: accessKey,
IsDeleteReq: false,
UserReq: &ureq,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
// TemporaryAccountInfo - GET /minio/admin/v3/temporary-account-info
func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
args := policy.Args{
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListTemporaryAccountsAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
}
if !globalIAMSys.IsAllowed(args) {
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
stsAccount, sessionPolicy, err := globalIAMSys.GetTemporaryAccount(ctx, accessKey)
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var stsAccountPolicy policy.Policy
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if sessionPolicy != nil {
stsAccountPolicy = *sessionPolicy
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
} else {
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
policiesNames, err := globalIAMSys.PolicyDBGet(stsAccount.ParentUser, stsAccount.Groups...)
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
if len(policiesNames) == 0 {
policySet, _ := args.GetPolicies(iamPolicyClaimNameOpenID())
policiesNames = policySet.ToSlice()
}
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
stsAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
}
policyJSON, err := json.MarshalIndent(stsAccountPolicy, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
infoResp := madmin.TemporaryAccountInfoResp{
ParentUser: stsAccount.ParentUser,
AccountStatus: stsAccount.Status,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
ImpliedPolicy: sessionPolicy == nil,
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
Policy: string(policyJSON),
add missing expiration information from 'sts info' (#16878)
2023-03-23 07:47:02 +08:00
Expiration: &stsAccount.Expiration,
Implement STS account info API (#16115)
2022-12-14 00:38:50 +08:00
}
data, err := json.Marshal(infoResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
// AddServiceAccount - PUT /minio/admin/v3/add-service-account
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Request) {
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
ctx, cred, opts, createReq, targetUser, APIError := commonAddServiceAccount(r)
if APIError.Code != "" {
writeErrorResponseJSON(ctx, w, APIError, r.URL)
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
var (
targetGroups []string
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
err error
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
)
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// Find the user for the request sender (as it may be sent via a service
// account or STS account):
requestorUser := cred.AccessKey
requestorParentUser := cred.AccessKey
requestorGroups := cred.Groups
requestorIsDerivedCredential := false
if cred.IsServiceAccount() || cred.IsTemp() {
requestorParentUser = cred.ParentUser
requestorIsDerivedCredential = true
}
Validate if parent user exists for service acct (#16443)
2023-01-24 10:47:18 +08:00
if globalIAMSys.GetUsersSysType() == MinIOUsersSysType && targetUser != cred.AccessKey {
// For internal IDP, ensure that the targetUser's parent account exists.
// It could be a regular user account or the root account.
_, isRegularUser := globalIAMSys.GetUser(ctx, targetUser)
if !isRegularUser && targetUser != globalActiveCred.AccessKey {
add missing x-amz-id-2 to event notification date (#16646)
2023-02-20 18:11:47 +08:00
apiErr := toAdminAPIErr(ctx, errNoSuchUser)
apiErr.Description = fmt.Sprintf("Specified target user %s does not exist", targetUser)
writeErrorResponseJSON(ctx, w, apiErr, r.URL)
Validate if parent user exists for service acct (#16443)
2023-01-24 10:47:18 +08:00
return
}
}
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// Check if we are creating svc account for request sender.
isSvcAccForRequestor := false
if targetUser == requestorUser || targetUser == requestorParentUser {
isSvcAccForRequestor = true
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// If we are creating svc account for request sender, ensure
// that targetUser is a real user (i.e. not derived
// credentials).
if isSvcAccForRequestor {
if requestorIsDerivedCredential {
if requestorParentUser == "" {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx,
errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
return
}
targetUser = requestorParentUser
}
targetGroups = requestorGroups
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-06 02:49:33 +08:00
// In case of LDAP/OIDC we need to set `opts.claims` to ensure
// it is associated with the LDAP/OIDC user properly.
for k, v := range cred.Claims {
if k == expClaim {
continue
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
}
feat: create service accounts with same claims as parent (#13357) allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2021-10-06 02:49:33 +08:00
opts.claims[k] = v
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
} else if globalIAMSys.LDAPConfig.Enabled() {
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// In case of LDAP we need to resolve the targetUser to a DN and
// query their groups:
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
opts.claims[ldapUserN] = targetUser // simple username
targetUser, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
fix: LDAP authentication with groups only (#12283) fixes #12282
2021-05-13 12:25:07 +08:00
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
opts.claims[ldapUser] = targetUser // username DN
Allow root user to create service accounts in LDAP (#13221) Additionally, fix a bug in service account creation for LDAP users: the LDAP short username was not associated with the service account.
2021-09-21 05:28:19 +08:00
// NOTE: if not using LDAP, then internal IDP or open ID is
// being used - in the former, group info is enforced when
// generated credentials are used to make requests, and in the
// latter, a group notion is not supported.
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
newCred, updatedAt, err := globalIAMSys.NewServiceAccount(ctx, targetUser, targetGroups, opts)
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-21 10:09:11 +08:00
createResp := madmin.AddServiceAccountResp{
Credentials: madmin.Credentials{
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Expiration: newCred.Expiration,
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-21 10:09:11 +08:00
},
}
data, err := json.Marshal(createResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-21 10:09:11 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
// Call hook for cluster-replication if the service account is not for a
// root user.
if newCred.ParentUser != globalActiveCred.AccessKey {
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Create: &madmin.SRSvcAccCreate{
Parent: newCred.ParentUser,
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Groups: newCred.Groups,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
Name: newCred.Name,
Description: newCred.Description,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Claims: opts.claims,
SessionPolicy: createReq.Policy,
Status: auth.AccountOn,
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
Expiration: createReq.Expiration,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// UpdateServiceAccount - POST /minio/admin/v3/update-service-account
func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
svcAccount, _, err := globalIAMSys.GetServiceAccount(ctx, accessKey)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.UpdateServiceAccountAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}) {
requestUser := cred.AccessKey
if cred.ParentUser != "" {
requestUser = cred.ParentUser
}
if requestUser != svcAccount.ParentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
return
}
var updateReq madmin.UpdateServiceAccountReq
if err = json.Unmarshal(reqBytes, &updateReq); err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
return
}
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
if err := updateReq.Validate(); err != nil {
// Since this validation would happen client side as well, we only send
// a generic error message here.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var sp *policy.Policy
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
if len(updateReq.NewPolicy) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sp, err = policy.ParseConfig(bytes.NewReader(updateReq.NewPolicy))
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
if sp.Version == "" && len(sp.Statements) == 0 {
sp = nil
}
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
}
opts := updateServiceAccountOpts{
secretKey: updateReq.NewSecretKey,
status: updateReq.NewStatus,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
name: updateReq.NewName,
description: updateReq.NewDescription,
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
expiration: updateReq.NewExpiration,
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
sessionPolicy: sp,
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.UpdateServiceAccount(ctx, accessKey, opts)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: progagation of service accounts for site replication (#14054) - Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2022-01-08 09:41:43 +08:00
// Call site replication hook - non-root user accounts are replicated.
if svcAccount.ParentUser != globalActiveCred.AccessKey {
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Update: &madmin.SRSvcAccUpdate{
AccessKey: accessKey,
SecretKey: opts.secretKey,
Status: opts.status,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
Name: opts.name,
Description: opts.description,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
SessionPolicy: updateReq.NewPolicy,
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
Expiration: updateReq.NewExpiration,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
}
fix: progagation of service accounts for site replication (#14054) - Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2022-01-08 09:41:43 +08:00
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
writeSuccessNoContent(w)
}
// InfoServiceAccount - GET /minio/admin/v3/info-service-account
func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
accessKey := mux.Vars(r)["accessKey"]
if accessKey == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
svcAccount, sessionPolicy, err := globalIAMSys.GetServiceAccount(ctx, accessKey)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListServiceAccountsAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}) {
requestUser := cred.AccessKey
if cred.ParentUser != "" {
requestUser = cred.ParentUser
}
if requestUser != svcAccount.ParentUser {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
}
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
// if session policy is nil or empty, then it is implied policy
impliedPolicy := sessionPolicy == nil || (sessionPolicy.Version == "" && len(sessionPolicy.Statements) == 0)
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var svcAccountPolicy policy.Policy
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
if !impliedPolicy {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
svcAccountPolicy = *sessionPolicy
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
} else {
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, svcAccount.Groups...)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
do not remove Sid from svcaccount policies (#14064) fixes #13905
2022-01-11 06:26:26 +08:00
svcAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
always indent and reply policy JSON (#12399)
2021-05-30 00:22:22 +08:00
policyJSON, err := json.MarshalIndent(svcAccountPolicy, "", " ")
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
var expiration *time.Time
if !svcAccount.Expiration.IsZero() && !svcAccount.Expiration.Equal(timeSentinel) {
expiration = &svcAccount.Expiration
}
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
infoResp := madmin.InfoServiceAccountResp{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
ParentUser: svcAccount.ParentUser,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
Name: svcAccount.Name,
Description: svcAccount.Description,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountStatus: svcAccount.Status,
Change behavior of service account empty policies (#18346) * Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2023-11-01 03:30:36 +08:00
ImpliedPolicy: impliedPolicy,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
Policy: string(policyJSON),
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
Expiration: expiration,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
data, err := json.Marshal(infoResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
// ListServiceAccounts - GET /minio/admin/v3/list-service-accounts
func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-10 00:59:52 +08:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-20 00:54:40 +08:00
if objectAPI == nil || globalNotificationSys == nil {
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
var targetAccount string
Allow users to list their own service accounts (#13706) Bonus: add extensive tests for svc acc actions by users
2021-11-20 04:35:35 +08:00
// If listing is requested for a specific user (who is not the request
// sender), check that the user has permissions.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
user := r.Form.Get("user")
Allow users to list their own service accounts (#13706) Bonus: add extensive tests for svc acc actions by users
2021-11-20 04:35:35 +08:00
if user != "" && user != cred.AccessKey {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListServiceAccountsAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return
}
targetAccount = user
} else {
targetAccount = cred.AccessKey
if cred.ParentUser != "" {
targetAccount = cred.ParentUser
}
fix: assume parentUser correctly for serviceAccounts (#9504) ListServiceAccounts/DeleteServiceAccount didn't work properly with STS credentials yet due to incorrect Parent user.
2020-05-01 23:05:14 +08:00
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, targetAccount)
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
var serviceAccountList []madmin.ServiceAccountInfo
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
for _, svc := range serviceAccounts {
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
expiryTime := svc.Expiration
serviceAccountList = append(serviceAccountList, madmin.ServiceAccountInfo{
AccessKey: svc.AccessKey,
Expiration: &expiryTime,
})
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
}
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
listResp := madmin.ListServiceAccountsResp{
Add expiration to ListServiceAccounts function (#17249)
2023-06-03 07:17:26 +08:00
Accounts: serviceAccountList,
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
}
data, err := json.Marshal(listResp)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
encryptedData, err := madmin.EncryptData(cred.SecretKey, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, encryptedData)
}
// DeleteServiceAccount - DELETE /minio/admin/v3/delete-service-account
func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-10 00:59:52 +08:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-20 00:54:40 +08:00
if objectAPI == nil || globalNotificationSys == nil {
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
serviceAccount := mux.Vars(r)["accessKey"]
if serviceAccount == "" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminInvalidArgument), r.URL)
return
}
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
// We do not care if service account is readable or not at this point,
// since this is a delete call we shall allow it to be deleted if possible.
fix: DeleteServiceAccount API behavior (#18163)
2023-10-09 03:13:18 +08:00
svcAccount, _, err := globalIAMSys.GetServiceAccount(ctx, serviceAccount)
if errors.Is(err, errNoSuchServiceAccount) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminServiceAccountNotFound), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
adminPrivilege := globalIAMSys.IsAllowed(policy.Args{
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
AccountName: cred.AccessKey,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.RemoveServiceAccountAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
})
fix: assume parentUser correctly for serviceAccounts (#9504) ListServiceAccounts/DeleteServiceAccount didn't work properly with STS credentials yet due to incorrect Parent user.
2020-05-01 23:05:14 +08:00
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if !adminPrivilege {
parentUser := cred.AccessKey
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
if svcAccount.ParentUser != "" && parentUser != svcAccount.ParentUser {
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// The service account belongs to another user but return not
// found error to mitigate brute force attacks. or the
// serviceAccount doesn't exist.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminServiceAccountNotFound), r.URL)
return
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
}
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
if err := globalIAMSys.DeleteServiceAccount(ctx, serviceAccount, true); err != nil {
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: propagate service account deletes properly (#12717) service account deletes were not propagating to remote peers, fix this.
2021-07-15 12:28:53 +08:00
fix: progagation of service accounts for site replication (#14054) - Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2022-01-08 09:41:43 +08:00
// Call site replication hook - non-root user accounts are replicated.
fix: remove embedded-policy as requested by the user (#14847) this PR introduces a few changes such as - sessionPolicyName is not reused in an extracted manner to apply policies for incoming authenticated calls, instead uses a different key to designate this information for the callers. - this differentiation is needed to ensure that service account updates do not accidentally store JSON representation instead of base64 equivalent on the disk. - relax requirements for Deleting a service account, allow deleting a service account that might be unreadable, i.e a situation where the user might have removed session policy which now carries a JSON representation, making it unparsable. - introduce some constants to reuse instead of strings. fixes #14784
2022-05-03 08:56:19 +08:00
if svcAccount.ParentUser != "" && svcAccount.ParentUser != globalActiveCred.AccessKey {
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Delete: &madmin.SRSvcAccDelete{
AccessKey: serviceAccount,
},
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: UTCNow(),
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
}
add list/delete API service accounts admin API (#9402)
2020-04-25 03:10:09 +08:00
writeSuccessNoContent(w)
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
}
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
// AccountInfoHandler returns usage, permissions and other bucket metadata for incoming us
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
// Get current object layer instance.
remove safeMode behavior in startup (#10645) In almost all scenarios MinIO now is mostly ready for all sub-systems independently, safe-mode is not useful anymore and do not serve its original intended purpose. allow server to be fully functional even with config partially configured, this is to cater for availability of actual I/O v/s manually fixing the server. In k8s like environments it will never make sense to take pod into safe-mode state, because there is no real access to perform any remote operation on them.
2020-10-10 00:59:52 +08:00
objectAPI := newObjectLayerFn()
initialize IAM as soon as object layer is initialized (#10700) Allow requests to come in for users as soon as object layer and config are initialized, this allows users to be authenticated sooner and would succeed automatically on servers which are yet to fully initialize.
2020-10-20 00:54:40 +08:00
if objectAPI == nil || globalNotificationSys == nil {
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
// Set prefix value for "s3:prefix" policy conditionals.
r.Header.Set("prefix", "")
// Set delimiter value for "s3:delimiter" policy conditionals.
r.Header.Set("delimiter", SlashSeparator)
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
// Check if we are asked to return prefix usage
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
enablePrefixUsage := r.Form.Get("prefix-usage") == "true"
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
isAllowedAccess := func(bucketName string) (rd, wr bool) {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if globalIAMSys.IsAllowed(policy.Args{
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-12 08:39:52 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.ListBucketAction,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
BucketName: bucketName,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
IsOwner: owner,
ObjectName: "",
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}) {
rd = true
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if globalIAMSys.IsAllowed(policy.Args{
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
AccountName: cred.AccessKey,
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.GetBucketLocationAction,
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
BucketName: bucketName,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
IsOwner: owner,
ObjectName: "",
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
allow bucket to be listed when GetBucketLocation is enabled (#14903) currently, we allowed buckets to be listed from the API call if and when the user has ListObject() permission at the global level, this is okay to be extended to GetBucketLocation() as well since GetBucketLocation() is a "read" call and allowing "reads" on a bucket has an implicit assumption that ListBuckets() should be allowed. This makes discoverability of access for read-only users becomes easier or users with specific restrictions on their policies.
2022-05-13 01:46:20 +08:00
}) {
rd = true
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if globalIAMSys.IsAllowed(policy.Args{
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-12 08:39:52 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.PutObjectAction,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
BucketName: bucketName,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
IsOwner: owner,
ObjectName: "",
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}) {
wr = true
}
return rd, wr
}
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
bucketStorageCache.Once.Do(func() {
// Set this to 10 secs since its enough, as scanner
// does not update the bucket usage values frequently.
bucketStorageCache.TTL = 10 * time.Second
// Rely on older value if usage loading fails from disk.
bucketStorageCache.Relax = true
bucketStorageCache.Update = func() (interface{}, error) {
ctx, done := context.WithTimeout(context.Background(), 2*time.Second)
defer done()
return loadDataUsageFromBackend(ctx, objectAPI)
}
})
var dataUsageInfo DataUsageInfo
v, _ := bucketStorageCache.Get()
if v != nil {
dataUsageInfo, _ = v.(DataUsageInfo)
}
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
// If etcd, dns federation configured list buckets from etcd.
remove gateway completely (#15929)
2022-10-25 08:44:15 +08:00
var err error
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
var buckets []BucketInfo
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
if globalDNSConfig != nil && globalBucketFederation {
dnsBuckets, err := globalDNSConfig.List()
if err != nil && !IsErrIgnored(err,
dns.ErrNoEntriesFound,
dns.ErrDomainMissing) {
fix: root credentials should be able to create users (#12511)
2021-06-16 09:52:01 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
return
}
for _, dnsRecords := range dnsBuckets {
buckets = append(buckets, BucketInfo{
Name: dnsRecords[0].Key,
Created: dnsRecords[0].CreationDate,
})
}
sort.Slice(buckets, func(i, j int) bool {
return buckets[i].Name < buckets[j].Name
})
} else {
cache usage, prefix-usage, and buckets for AccountInfo up to 10 secs (#18051) AccountInfo is quite frequently called by the Console UI login attempts, when many users are logging in it is important that we provide them with better responsiveness. - ListBuckets information is cached every second - Bucket usage info is cached for up to 10 seconds - Prefix usage (optional) info is cached for up to 10 secs Failure to update after cache expiration, would still allow login which would end up providing information previously cached. This allows for seamless responsiveness for the Console UI logins, and overall responsiveness on a heavily loaded system.
2023-09-19 13:13:03 +08:00
buckets, err = objectAPI.ListBuckets(ctx, BucketOptions{Cached: true})
fix: accountInfo API to cater for federated setups (#11484) when MinIO is deployed in a federated setup, use etcd based listing of buckets to provide appropriate filtering of buckets per user.
2021-02-10 01:53:07 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
accountName := cred.AccessKey
Fix regression in STS permissions via group in internal IDP (#13955) - When using MinIO's internal IDP, STS credential permissions did not check the groups of a user. - Also fix bug in policy checking in AccountInfo call
2021-12-21 06:07:16 +08:00
if cred.IsTemp() || cred.IsServiceAccount() {
// For derived credentials, check the parent user's permissions.
accountName = cred.ParentUser
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-24 08:39:20 +08:00
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
roleArn := policy.Args{Claims: cred.Claims}.GetRoleArn()
policySetFromClaims, hasPolicyClaim := policy.GetPoliciesFromClaims(cred.Claims, iamPolicyClaimNameOpenID())
var effectivePolicy policy.Policy
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
var buf []byte
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
switch {
case accountName == globalActiveCred.AccessKey:
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
for _, policy := range policy.DefaultPolicies {
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
if policy.Name == "consoleAdmin" {
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
effectivePolicy = policy.Definition
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
break
}
}
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
case roleArn != "":
_, policy, err := globalIAMSys.GetRolePolicy(roleArn)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
policySlice := newMappedPolicy(policy).toSlice()
effectivePolicy = globalIAMSys.GetCombinedPolicy(policySlice...)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
case hasPolicyClaim:
effectivePolicy = globalIAMSys.GetCombinedPolicy(policySetFromClaims.ToSlice()...)
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
default:
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
policies, err := globalIAMSys.PolicyDBGet(accountName, cred.Groups...)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
if err != nil {
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
logger.LogIf(ctx, err)
allow root users to return appropriate policy in AccountInfo (#15437) fixes #15436 This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
2022-07-30 11:58:03 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: AccountInfo API for roleARN based accounts (#15907)
2022-10-20 08:54:41 +08:00
effectivePolicy = globalIAMSys.GetCombinedPolicy(policies...)
}
buf, err = json.MarshalIndent(effectivePolicy, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
}
fix: allow accountInfo, addUser and getUserInfo implicit (#10978) - accountInfo API that returns information about user, access to buckets and the size per bucket - addUser - user is allowed to change their secretKey - getUserInfo - returns user info if the incoming is the same user requesting their information
2020-11-28 09:23:57 +08:00
acctInfo := madmin.AccountInfo{
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
AccountName: accountName,
send backendInfo as part AccountInfo (#12733) This is needed for console UI to change the UI behavior for different modes of operation.
2021-07-17 05:37:06 +08:00
Server: objectAPI.BackendInfo(),
move madmin to github.com/minio/madmin-go (#12239)
2021-05-06 23:52:02 +08:00
Policy: buf,
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}
for _, bucket := range buckets {
rd, wr := isAllowedAccess(bucket.Name)
if rd || wr {
// Fetch the data usage of the current bucket
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
var size uint64
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
var objectsCount uint64
Add Object Version count histogram (#16739)
2023-03-11 00:53:59 +08:00
var objectsHist, versionsHist map[string]uint64
Export bucket usage counts as part of bucket metrics (#9710) Bonus fixes in quota enforcement to use the new datastructure and use timedValue to cache a value/reload automatically avoids one less global variable.
2020-05-27 21:45:43 +08:00
if !dataUsageInfo.LastUpdate.IsZero() {
size = dataUsageInfo.BucketsUsage[bucket.Name].Size
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
objectsCount = dataUsageInfo.BucketsUsage[bucket.Name].ObjectsCount
objectsHist = dataUsageInfo.BucketsUsage[bucket.Name].ObjectSizesHistogram
Add Object Version count histogram (#16739)
2023-03-11 00:53:59 +08:00
versionsHist = dataUsageInfo.BucketsUsage[bucket.Name].ObjectVersionsHistogram
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
}
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
// Fetch the prefix usage of the current bucket
var prefixUsage map[string]uint64
if enablePrefixUsage {
ignore configNotFound error in AccountInfo() (#14082) fixes #14081
2022-01-12 00:43:18 +08:00
prefixUsage, _ = loadPrefixUsageFromBackend(ctx, objectAPI, bucket.Name)
Move prefix usage in admin AccountInfo API (#12710)
2021-07-14 23:51:10 +08:00
}
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
lcfg, _ := globalBucketObjectLockSys.Get(bucket.Name)
Add quota usage as part of prometheus metrics (#14222) Bonus: pass caller context when needed to all bucket metadata handling calls.
2022-02-01 09:27:43 +08:00
quota, _ := globalBucketQuotaSys.Get(ctx, bucket.Name)
Add support for site replication healing (#14572) heal bucket metadata and IAM entries for sites participating in site replication from the site with the most updated entry. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Aditya Manthramurthy <aditya@minio.io>
2022-04-24 17:36:31 +08:00
rcfg, _, _ := globalBucketMetadataSys.GetReplicationConfig(ctx, bucket.Name)
tcfg, _, _ := globalBucketMetadataSys.GetTaggingConfig(bucket.Name)
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
Various improvements in replication (#11949) - collect real time replication metrics for prometheus. - add pending_count, failed_count metric for total pending/failed replication operations. - add API to get replication metrics - add MRF worker to handle spill-over replication operations - multiple issues found with replication - fixes an issue when client sends a bucket name with `/` at the end from SetRemoteTarget API call make sure to trim the bucket name to avoid any extra `/`. - hold write locks in GetObjectNInfo during replication to ensure that object version stack is not overwritten while reading the content. - add additional protection during WriteMetadata() to ensure that we always write a valid FileInfo{} and avoid ever writing empty FileInfo{} to the lowest layers. Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Harshavardhana <harsha@minio.io>
2021-04-04 00:03:42 +08:00
acctInfo.Buckets = append(acctInfo.Buckets, madmin.BucketAccessInfo{
Add Object Version count histogram (#16739)
2023-03-11 00:53:59 +08:00
Name: bucket.Name,
Created: bucket.Created,
Size: size,
Objects: objectsCount,
ObjectSizesHistogram: objectsHist,
ObjectVersionsHistogram: versionsHist,
PrefixUsage: prefixUsage,
remove ListBucketsMetadata instead add them to AccountInfo() (#13241)
2021-09-18 06:02:21 +08:00
Details: &madmin.BucketDetails{
Versioning: globalBucketVersioningSys.Enabled(bucket.Name),
VersioningSuspended: globalBucketVersioningSys.Suspended(bucket.Name),
Replication: rcfg != nil,
Locking: lcfg.LockEnabled,
Quota: quota,
Tagging: tcfg,
},
add missing admin actions, enhance AccountUsageInfo (#9607)
2020-05-16 09:16:45 +08:00
Access: madmin.AccountAccess{
Read: rd,
Write: wr,
},
})
}
}
usageInfoJSON, err := json.Marshal(acctInfo)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, usageInfoJSON)
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// InfoCannedPolicy - GET /minio/admin/v3/info-canned-policy?name={policyName}
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
//
// Newer API response with policy timestamps is returned with query parameter
// `v=2` like:
//
// GET /minio/admin/v3/info-canned-policy?name={policyName}&v=2
//
// The newer API will eventually become the default (and only) one. The older
// response is to return only the policy JSON. The newer response returns
// timestamps along with the policy JSON. Both versions are supported for now,
// for smooth transition to new API.
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.GetPolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
name := mux.Vars(r)["name"]
policies := newMappedPolicy(name).toSlice()
if len(policies) != 1 {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errTooManyPolicies), r.URL)
return
}
policyDoc, err := globalIAMSys.InfoPolicy(name)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add option to policy info API to return create/mod timestamps (#13796) - This introduces a new admin API with a query parameter (v=2) to return a response with the timestamps - Older API still works for compatibility/smooth transition in console
2021-12-12 01:03:39 +08:00
// Is the new API version being requested?
infoPolicyAPIVersion := r.Form.Get("v")
if infoPolicyAPIVersion == "2" {
buf, err := json.MarshalIndent(policyDoc, "", " ")
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
w.Write(buf)
return
} else if infoPolicyAPIVersion != "" {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errors.New("invalid version parameter 'v' supplied")), r.URL)
return
}
// Return the older API response value of just the policy json.
buf, err := json.MarshalIndent(policyDoc.Policy, "", " ")
always indent and reply policy JSON (#12399)
2021-05-30 00:22:22 +08:00
if err != nil {
Handling unhandled errors in the InfoCannedPolicy method. (#10575)
2020-09-28 01:24:04 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
always indent and reply policy JSON (#12399)
2021-05-30 00:22:22 +08:00
w.Write(buf)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
// ListBucketPolicies - GET /minio/admin/v3/list-canned-policies?bucket={bucket}
func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListUserPoliciesAdminAction)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
if objectAPI == nil {
return
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
bucket := mux.Vars(r)["bucket"]
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
policies, err := globalIAMSys.ListPolicies(ctx, bucket)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
newPolicies := make(map[string]policy.Policy)
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
for name, p := range policies {
_, err = json.Marshal(p)
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
if err != nil {
logger.LogIf(ctx, err)
continue
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
newPolicies[name] = p
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
}
feat: introduce listUsers, listPolicies for any bucket (#12372) Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
2021-05-28 01:15:02 +08:00
if err = json.NewEncoder(w).Encode(newPolicies); err != nil {
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// ListCannedPolicies - GET /minio/admin/v3/list-canned-policies
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListUserPoliciesAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
add thread context in surrounding function into IAM functions (#13658)
2021-11-16 06:14:22 +08:00
policies, err := globalIAMSys.ListPolicies(ctx, "")
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
newPolicies := make(map[string]policy.Policy)
fix support OBDAdminAction is valid action (#9354)
2020-04-16 03:16:40 +08:00
for name, p := range policies {
_, err = json.Marshal(p)
if err != nil {
logger.LogIf(ctx, err)
continue
}
newPolicies[name] = p
}
if err = json.NewEncoder(w).Encode(newPolicies); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// RemoveCannedPolicy - DELETE /minio/admin/v3/remove-canned-policy?name=<policy_name>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.DeletePolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["name"]
Move IAM notifications into IAM system functions (#13780)
2021-11-30 06:38:57 +08:00
if err := globalIAMSys.DeletePolicy(ctx, policyName, true); err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
// Call cluster-replication policy creation hook to replicate policy deletion to
// other minio clusters.
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Type: madmin.SRIAMItemPolicy,
Name: policyName,
UpdatedAt: UTCNow(),
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// AddCannedPolicy - PUT /minio/admin/v3/add-canned-policy?name=<policy_name>
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.CreatePolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["name"]
fix: disallow newer policies, users & groups with space characters (#14845) space characters at the beginning or at the end can lead to confusion under various UI elements in differentiating the actual name of "policy, user or group" - to avoid this behavior this PR onwards we shall reject such inputs for newer entries. existing saved entries will behave as is and are going to be operable until they are removed/renamed to something more meaningful.
2022-05-03 00:27:35 +08:00
// Policy has space characters in begin and end reject such inputs.
if hasSpaceBE(policyName) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
// Error out if Content-Length is missing.
if r.ContentLength <= 0 {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
return
}
// Error out if Content-Length is beyond allowed size.
if r.ContentLength > maxBucketPolicySize {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
return
}
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
iamPolicyBytes, err := io.ReadAll(io.LimitReader(r.Body, r.ContentLength))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
iamPolicy, err := policy.ParseConfig(bytes.NewReader(iamPolicyBytes))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if err != nil {
Add more context aware error for policy parsing errors (#8726) In existing functionality we simply return a generic error such as "MalformedPolicy" which indicates just a generic string "invalid resource" which is not very meaningful when there might be multiple types of errors during policy parsing. This PR ensures that we send these errors back to client to indicate the actual error, brings in two concrete types such as - iampolicy.Error - policy.Error Refer #8202
2020-01-04 03:28:52 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
// Version in policy must not be empty
if iamPolicy.Version == "" {
s3: Return correct error when Version is invalid in policy document (#16178)
2022-12-07 00:07:24 +08:00
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrPolicyInvalidVersion), r.URL)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetPolicy(ctx, policyName, *iamPolicy)
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
// Call cluster-replication policy creation hook to replicate policy to
// other minio clusters.
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Type: madmin.SRIAMItemPolicy,
Name: policyName,
Policy: iamPolicyBytes,
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
fix: change policies API to return and take struct (#9181) This allows for order guarantees in returned values can be consumed safely by the caller to avoid any additional parsing and validation. Fixes #9171
2020-04-08 10:30:59 +08:00
// SetPolicyForUserOrGroup - PUT /minio/admin/v3/set-policy?policy=xxx&user-or-group=?[&is-group]
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
add audit logging for all admin calls (#9568) - add ServiceRestart/ServiceStop actions - audit log appropriately in all admin handlers fixes #9522
2020-05-12 01:34:08 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.AttachPolicyAdminAction)
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
if objectAPI == nil {
return
}
vars := mux.Vars(r)
policyName := vars["policyName"]
entityName := vars["userOrGroup"]
isGroup := vars["isGroup"] == "true"
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
if !isGroup {
fix: service account permissions generated from LDAP user (#11637) service accounts generated from LDAP parent user did not inherit correct permissions, this PR fixes this fully.
2021-02-26 05:49:59 +08:00
ok, _, err := globalIAMSys.IsTempUser(entityName)
Fix policy setting error in LDAP setups (#9303) Fixes #8667 In addition to the above, if the user is mapped to a policy or belongs in a group, the user-info API returns this information, but otherwise, the API will now return a non-existent user error.
2020-04-09 16:04:08 +08:00
if err != nil && err != errNoSuchUser {
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
// When the user is root credential you are not allowed to
// add policies for root user.
if entityName == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errIAMActionNotAllowed), r.URL)
return
}
fix: temp credentials shouldn't allow policy/group changes (#8675) This PR fixes the issue where we might allow policy changes for temporary credentials out of band, this situation allows privilege escalation for those temporary credentials. We should disallow any external actions on temporary creds as a practice and we should clearly differentiate which are static and which are temporary credentials. Refer #8667
2019-12-20 06:21:21 +08:00
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
// Validate that user or group exists.
if !isGroup {
if globalIAMSys.GetUsersSysType() == MinIOUsersSysType {
_, ok := globalIAMSys.GetUser(ctx, entityName)
if !ok {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
return
}
}
} else {
_, err := globalIAMSys.GetGroupDescription(entityName)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
userType := regUser
if globalIAMSys.GetUsersSysType() == LDAPUsersSysType {
userType = stsUser
}
updatedAt, err := globalIAMSys.PolicyDBSet(ctx, entityName, policyName, userType, isGroup)
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if err != nil {
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
logger.LogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemPolicyMapping,
PolicyMapping: &madmin.SRPolicyMapping{
UserOrGroup: entityName,
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
UserType: int(userType),
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
IsGroup: isGroup,
Policy: policyName,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-10 01:27:23 +08:00
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
Add API to fetch policy user/group associations (#16239)
2022-12-20 02:37:03 +08:00
// ListPolicyMappingEntities - GET /minio/admin/v3/idp/builtin/polciy-entities?policy=xxx&user=xxx&group=xxx
func (a adminAPIHandlers) ListPolicyMappingEntities(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add API to fetch policy user/group associations (#16239)
2022-12-20 02:37:03 +08:00
// Check authorization.
objectAPI, cred := validateAdminReq(ctx, w, r,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
policy.ListGroupsAdminAction, policy.ListUsersAdminAction, policy.ListUserPoliciesAdminAction)
Add API to fetch policy user/group associations (#16239)
2022-12-20 02:37:03 +08:00
if objectAPI == nil {
return
}
// Validate API arguments.
q := madmin.PolicyEntitiesQuery{
Users: r.Form["user"],
Groups: r.Form["group"],
Policy: r.Form["policy"],
}
// Query IAM
res, err := globalIAMSys.QueryPolicyEntities(r.Context(), q)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
// Encode result and send response.
data, err := json.Marshal(res)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
password := cred.SecretKey
econfigData, err := madmin.EncryptData(password, data)
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
writeSuccessResponseJSON(w, econfigData)
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
// AttachDetachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/policy/{operation}
func (a adminAPIHandlers) AttachDetachPolicyBuiltin(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, cred := validateAdminReq(ctx, w, r, policy.UpdatePolicyAssociationAction,
policy.AttachPolicyAdminAction)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
if objectAPI == nil {
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
// More than maxConfigSize bytes were available
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
// Ensure body content type is opaque to ensure that request body has not
// been interpreted as form data.
contentType := r.Header.Get("Content-Type")
if contentType != "application/octet-stream" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
operation := mux.Vars(r)["operation"]
if operation != "attach" && operation != "detach" {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminInvalidArgument), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
isAttach := operation == "attach"
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
var par madmin.PolicyAssociationReq
if err = json.Unmarshal(reqBytes, &par); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
if err = par.IsValid(); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
updatedAt, addedOrRemoved, _, err := globalIAMSys.PolicyDBUpdateBuiltin(ctx, isAttach, par)
if err != nil {
if err == errNoSuchUser || err == errNoSuchGroup {
Remove older policy attach behavior for LDAP (#17240)
2023-05-26 21:31:24 +08:00
if globalIAMSys.LDAPConfig.Enabled() {
// When LDAP is enabled, warn user that they are using the wrong
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
// API. FIXME: error can be no such group as well - fix errNoSuchUserLDAPWarn
Remove older policy attach behavior for LDAP (#17240)
2023-05-26 21:31:24 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUserLDAPWarn), r.URL)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
return
}
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
respBody := madmin.PolicyAssociationResp{
UpdatedAt: updatedAt,
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
if isAttach {
respBody.PoliciesAttached = addedOrRemoved
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
} else {
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
respBody.PoliciesDetached = addedOrRemoved
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
data, err := json.Marshal(respBody)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
encryptedData, err := madmin.EncryptData(password, data)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
Fix locking in policy attach API (#17426) For policy attach/detach API to work correctly the server should hold a lock before reading existing policy mapping and until after writing the updated policy mapping. This is fixed in this change. A site replication bug, where LDAP policy attach/detach were not correctly propagated is also fixed in this change. Bonus: Additionally, the server responds with the actual (or net) changes performed in the attach/detach API call. For e.g. if a user already has policy A applied, and a call to attach policies A and B is performed, the server will respond that B was attached successfully.
2023-06-22 13:44:50 +08:00
writeSuccessResponseJSON(w, encryptedData)
Add endpoints for managing IAM policies (#15897) Co-authored-by: Taran <taran@minio.io> Co-authored-by: ¨taran-p¨ <¨taran@minio.io¨> Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-12-14 04:13:23 +08:00
}
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
const (
allPoliciesFile = "policies.json"
allUsersFile = "users.json"
allGroupsFile = "groups.json"
allSvcAcctsFile = "svcaccts.json"
userPolicyMappingsFile = "user_mappings.json"
groupPolicyMappingsFile = "group_mappings.json"
stsUserPolicyMappingsFile = "stsuser_mappings.json"
stsGroupPolicyMappingsFile = "stsgroup_mappings.json"
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
iamAssetsDir = "iam-assets"
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
)
// ExportIAMHandler - exports all iam info as a zipped file
func (a adminAPIHandlers) ExportIAM(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// Get current object layer instance.
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
objectAPI, _ := validateAdminReq(ctx, w, r, policy.ExportIAMAction)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if objectAPI == nil {
return
}
// Initialize a zip writer which will provide a zipped content
// of bucket metadata
zipWriter := zip.NewWriter(w)
defer zipWriter.Close()
rawDataFn := func(r io.Reader, filename string, sz int) error {
header, zerr := zip.FileInfoHeader(dummyFileInfo{
name: filename,
size: int64(sz),
mode: 0o600,
modTime: time.Now(),
isDir: false,
sys: nil,
})
if zerr != nil {
logger.LogIf(ctx, zerr)
return nil
}
header.Method = zip.Deflate
zwriter, zerr := zipWriter.CreateHeader(header)
if zerr != nil {
logger.LogIf(ctx, zerr)
return nil
}
if _, err := io.Copy(zwriter, r); err != nil {
logger.LogIf(ctx, err)
}
return nil
}
iamFiles := []string{
allPoliciesFile,
allUsersFile,
allGroupsFile,
allSvcAcctsFile,
userPolicyMappingsFile,
groupPolicyMappingsFile,
stsUserPolicyMappingsFile,
stsGroupPolicyMappingsFile,
}
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
for _, f := range iamFiles {
iamFile := pathJoin(iamAssetsDir, f)
switch f {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
case allPoliciesFile:
allPolicies, err := globalIAMSys.ListPolicies(ctx, "")
if err != nil {
logger.LogIf(ctx, err)
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
policiesData, err := json.Marshal(allPolicies)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(policiesData), iamFile, len(policiesData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case allUsersFile:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
userIdentities := make(map[string]UserIdentity)
err := globalIAMSys.store.loadUsers(ctx, regUser, userIdentities)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
userAccounts := make(map[string]madmin.AddOrUpdateUserReq)
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
for u, uid := range userIdentities {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
userAccounts[u] = madmin.AddOrUpdateUserReq{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
SecretKey: uid.Credentials.SecretKey,
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
Status: func() madmin.AccountStatus {
// Export current credential status
if uid.Credentials.Status == auth.AccountOff {
return madmin.AccountDisabled
}
return madmin.AccountEnabled
}(),
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
userData, err := json.Marshal(userAccounts)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(userData), iamFile, len(userData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case allGroupsFile:
groups := make(map[string]GroupInfo)
err := globalIAMSys.store.loadGroups(ctx, groups)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
groupData, err := json.Marshal(groups)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(groupData), iamFile, len(groupData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case allSvcAcctsFile:
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
serviceAccounts := make(map[string]UserIdentity)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
err := globalIAMSys.store.loadUsers(ctx, svcUser, serviceAccounts)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
svcAccts := make(map[string]madmin.SRSvcAccCreate)
for user, acc := range serviceAccounts {
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
if user == siteReplicatorSvcAcc {
// skip site-replication service account.
continue
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
claims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, acc.Credentials.AccessKey)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
_, policy, err := globalIAMSys.GetServiceAccount(ctx, acc.Credentials.AccessKey)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
var policyJSON []byte
if policy != nil {
policyJSON, err = json.Marshal(policy)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
}
svcAccts[user] = madmin.SRSvcAccCreate{
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Parent: acc.Credentials.ParentUser,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
AccessKey: user,
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
SecretKey: acc.Credentials.SecretKey,
Groups: acc.Credentials.Groups,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
Claims: claims,
SessionPolicy: json.RawMessage(policyJSON),
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
Status: acc.Credentials.Status,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
}
svcAccData, err := json.Marshal(svcAccts)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(svcAccData), iamFile, len(svcAccData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case userPolicyMappingsFile:
userPolicyMap := make(map[string]MappedPolicy)
err := globalIAMSys.store.loadMappedPolicies(ctx, regUser, false, userPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
userPolData, err := json.Marshal(userPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(userPolData), iamFile, len(userPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case groupPolicyMappingsFile:
groupPolicyMap := make(map[string]MappedPolicy)
err := globalIAMSys.store.loadMappedPolicies(ctx, regUser, true, groupPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
grpPolData, err := json.Marshal(groupPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(grpPolData), iamFile, len(grpPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case stsUserPolicyMappingsFile:
userPolicyMap := make(map[string]MappedPolicy)
err := globalIAMSys.store.loadMappedPolicies(ctx, stsUser, false, userPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
userPolData, err := json.Marshal(userPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(userPolData), iamFile, len(userPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
case stsGroupPolicyMappingsFile:
groupPolicyMap := make(map[string]MappedPolicy)
err := globalIAMSys.store.loadMappedPolicies(ctx, stsUser, true, groupPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
grpPolData, err := json.Marshal(groupPolicyMap)
if err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
if err = rawDataFn(bytes.NewReader(grpPolData), iamFile, len(grpPolData)); err != nil {
writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
return
}
}
}
}
// ImportIAM - imports all IAM info into MinIO
func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
Send AuditLog via new middleware fn for admin APIs (#17632) A new middleware function is added for admin handlers, including options for modifying certain behaviors. This admin middleware: - sets the handler context via reflection in the request and sends AuditLog - checks for object API availability (skipping it if a flag is passed) - enables gzip compression (skipping it if a flag is passed) - enables header tracing (adding body tracing if a flag is passed) While the new function is a middleware, due to the flags used for conditional behavior modification, which is used in each route registration call. To try to ensure that no regressions are introduced, the following changes were done mechanically mostly with `sed` and regexp: - Remove defer logger.AuditLog in admin handlers - Replace newContext() calls with r.Context() - Update admin routes registration calls Bonus: remove unused NetSpeedtestHandler Since the new adminMiddleware function checks for object layer presence by default, we need to pass the `noObjLayerFlag` explicitly to admin handlers that should work even when it is not available. The following admin handlers do not require it: - ServerInfoHandler - StartProfilingHandler - DownloadProfilingHandler - ProfileHandler - SiteReplicationDevNull - SiteReplicationNetPerf - TraceHandler For these handlers adminMiddleware does not check for the object layer presence (disabled by passing the `noObjLayerFlag`), and for all other handlers, the pre-check ensures that the handler is not called when the object layer is not available - the client would get a ErrServerNotInitialized and can retry later. This `noObjLayerFlag` is added based on existing behavior for these handlers only.
2023-07-14 05:52:21 +08:00
ctx := r.Context()
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
return
}
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if s3Err != ErrNone {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(r.Body)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
reader := bytes.NewReader(data)
zr, err := zip.NewReader(reader, int64(len(data)))
if err != nil {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
// import policies first
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allPoliciesFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allPoliciesFile, ""), r.URL)
return
default:
defer f.Close()
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var allPolicies map[string]policy.Policy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err = io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allPoliciesFile, ""), r.URL)
return
}
err = json.Unmarshal(data, &allPolicies)
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allPoliciesFile, ""), r.URL)
return
}
for policyName, policy := range allPolicies {
if policy.IsEmpty() {
err = globalIAMSys.DeletePolicy(ctx, policyName, true)
} else {
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
_, err = globalIAMSys.SetPolicy(ctx, policyName, policy)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allPoliciesFile, policyName), r.URL)
return
}
}
}
}
// import users
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allUsersFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allUsersFile, ""), r.URL)
return
default:
defer f.Close()
var userAccts map[string]madmin.AddOrUpdateUserReq
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allUsersFile, ""), r.URL)
return
}
err = json.Unmarshal(data, &userAccts)
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allUsersFile, ""), r.URL)
return
}
for accessKey, ureq := range userAccts {
// Not allowed to add a user with same access key as root credential
Do not allow adding root user to IAM subsystem (#16803)
2023-03-14 03:46:17 +08:00
if accessKey == globalActiveCred.AccessKey {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
user, exists := globalIAMSys.GetUser(ctx, accessKey)
if exists && (user.Credentials.IsTemp() || user.Credentials.IsServiceAccount()) {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
// Updating STS credential is not allowed, and this API does not
// support updating service accounts.
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
// Incoming access key matches parent user then we should
// reject password change requests.
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
// Check if accessKey has beginning and end space characters, this only applies to new users.
if !exists && hasSpaceBE(accessKey) {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminResourceInvalidArgument, err, allUsersFile, accessKey), r.URL)
return
}
checkDenyOnly := false
if accessKey == cred.AccessKey {
// Check that there is no explicit deny - otherwise it's allowed
// to change one's own password.
checkDenyOnly = true
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
AccountName: cred.AccessKey,
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.CreateUserAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
DenyOnly: checkDenyOnly,
}) {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAccessDenied, err, allUsersFile, accessKey), r.URL)
return
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if _, err = globalIAMSys.CreateUser(ctx, accessKey, ureq); err != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, toAdminAPIErrCode(ctx, err), err, allUsersFile, accessKey), r.URL)
return
}
}
}
}
// import groups
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allGroupsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allGroupsFile, ""), r.URL)
return
default:
defer f.Close()
var grpInfos map[string]GroupInfo
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allGroupsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &grpInfos); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allGroupsFile, ""), r.URL)
return
}
for group, grpInfo := range grpInfos {
// Check if group already exists
if _, gerr := globalIAMSys.GetGroupDescription(group); gerr != nil {
// If group does not exist, then check if the group has beginning and end space characters
// we will reject such group names.
if errors.Is(gerr, errNoSuchGroup) && hasSpaceBE(group) {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminResourceInvalidArgument, err, allGroupsFile, group), r.URL)
return
}
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if _, gerr := globalIAMSys.AddUsersToGroup(ctx, group, grpInfo.Members); gerr != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, err, allGroupsFile, group), r.URL)
return
}
}
}
}
// import service accounts
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, allSvcAcctsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allSvcAcctsFile, ""), r.URL)
return
default:
defer f.Close()
var serviceAcctReqs map[string]madmin.SRSvcAccCreate
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allSvcAcctsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &serviceAcctReqs); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, allSvcAcctsFile, ""), r.URL)
return
}
for user, svcAcctReq := range serviceAcctReqs {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
var sp *policy.Policy
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
var err error
if len(svcAcctReq.SessionPolicy) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sp, err = policy.ParseConfig(bytes.NewReader(svcAcctReq.SessionPolicy))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
}
// service account access key cannot have space characters beginning and end of the string.
if hasSpaceBE(svcAcctReq.AccessKey) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
if !globalIAMSys.IsAllowed(policy.Args{
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
AccountName: cred.AccessKey,
Groups: cred.Groups,
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
Action: policy.CreateServiceAccountAdminAction,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
ConditionValues: getConditionValues(r, "", cred),
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
IsOwner: owner,
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
2023-02-07 01:27:29 +08:00
Claims: cred.Claims,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}) {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAccessDenied, err, allSvcAcctsFile, user), r.URL)
return
}
updateReq := true
_, _, err = globalIAMSys.GetServiceAccount(ctx, svcAcctReq.AccessKey)
if err != nil {
if !errors.Is(err, errNoSuchServiceAccount) {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
updateReq = false
}
if updateReq {
opts := updateServiceAccountOpts{
secretKey: svcAcctReq.SecretKey,
status: svcAcctReq.Status,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
name: svcAcctReq.Name,
description: svcAcctReq.Description,
Support adding service accounts with expiration (#16430) Co-authored-by: Harshavardhana <harsha@minio.io>
2023-02-28 02:10:22 +08:00
expiration: svcAcctReq.Expiration,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
sessionPolicy: sp,
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
_, err = globalIAMSys.UpdateServiceAccount(ctx, svcAcctReq.AccessKey, opts)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
continue
}
opts := newServiceAccountOpts{
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
accessKey: user,
secretKey: svcAcctReq.SecretKey,
sessionPolicy: sp,
claims: svcAcctReq.Claims,
Add "name" and "description" params to service acc (#17172)
2023-05-18 08:05:36 +08:00
name: svcAcctReq.Name,
description: svcAcctReq.Description,
allow root user to be disabled via config settings (#17089)
2023-04-29 03:24:14 +08:00
expiration: svcAcctReq.Expiration,
allowSiteReplicatorAccount: false,
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
}
// In case of LDAP we need to resolve the targetUser to a DN and
// query their groups:
Remove globalLDAPConfig (#16706)
2023-02-25 10:37:22 +08:00
if globalIAMSys.LDAPConfig.Enabled() {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
opts.claims[ldapUserN] = svcAcctReq.AccessKey // simple username
Remove globalLDAPConfig (#16706)
2023-02-25 10:37:22 +08:00
targetUser, _, err := globalIAMSys.LDAPConfig.LookupUserDN(svcAcctReq.AccessKey)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
opts.claims[ldapUser] = targetUser // username DN
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
if _, _, err = globalIAMSys.NewServiceAccount(ctx, svcAcctReq.Parent, svcAcctReq.Groups, opts); err != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
return
}
}
}
}
// import user policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, userPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, userPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var userPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, userPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &userPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, userPolicyMappingsFile, ""), r.URL)
return
}
for u, pm := range userPolicyMap {
// disallow setting policy mapping if user is a temporary user
ok, _, err := globalIAMSys.IsTempUser(u)
if err != nil && err != errNoSuchUser {
writeErrorResponseJSON(ctx, w, importError(ctx, err, userPolicyMappingsFile, u), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, importError(ctx, errIAMActionNotAllowed, userPolicyMappingsFile, u), r.URL)
return
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, u, pm.Policies, regUser, false); err != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, err, userPolicyMappingsFile, u), r.URL)
return
}
}
}
}
// import group policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, groupPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, groupPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var grpPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, groupPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &grpPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, groupPolicyMappingsFile, ""), r.URL)
return
}
for g, pm := range grpPolicyMap {
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, g, pm.Policies, unknownIAMUserType, true); err != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, err, groupPolicyMappingsFile, g), r.URL)
return
}
}
}
}
// import sts user policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, stsUserPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsUserPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var userPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsUserPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &userPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, stsUserPolicyMappingsFile, ""), r.URL)
return
}
for u, pm := range userPolicyMap {
// disallow setting policy mapping if user is a temporary user
ok, _, err := globalIAMSys.IsTempUser(u)
if err != nil && err != errNoSuchUser {
writeErrorResponseJSON(ctx, w, importError(ctx, err, stsUserPolicyMappingsFile, u), r.URL)
return
}
if ok {
writeErrorResponseJSON(ctx, w, importError(ctx, errIAMActionNotAllowed, stsUserPolicyMappingsFile, u), r.URL)
return
}
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, u, pm.Policies, stsUser, false); err != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, err, stsUserPolicyMappingsFile, u), r.URL)
return
}
}
}
}
// import sts group policy mappings
{
save IAM export assets relative at a folder prefix (#15355)
2022-07-22 08:51:33 +08:00
f, err := zr.Open(pathJoin(iamAssetsDir, stsGroupPolicyMappingsFile))
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
switch {
case errors.Is(err, os.ErrNotExist):
case err != nil:
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsGroupPolicyMappingsFile, ""), r.URL)
return
default:
defer f.Close()
var grpPolicyMap map[string]MappedPolicy
Remove deprecated io/ioutil (#15707)
2022-09-20 02:05:16 +08:00
data, err := io.ReadAll(f)
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
if err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsGroupPolicyMappingsFile, ""), r.URL)
return
}
if err = json.Unmarshal(data, &grpPolicyMap); err != nil {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, stsGroupPolicyMappingsFile, ""), r.URL)
return
}
for g, pm := range grpPolicyMap {
Properly replicate policy mapping for virtual users (#15558) Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2022-08-24 02:11:45 +08:00
if _, err := globalIAMSys.PolicyDBSet(ctx, g, pm.Policies, unknownIAMUserType, true); err != nil {
Add APIs to import/export IAM data (#15014)
2022-06-24 00:25:15 +08:00
writeErrorResponseJSON(ctx, w, importError(ctx, err, stsGroupPolicyMappingsFile, g), r.URL)
return
}
}
}
}
}
Add APIs to create and list access keys for LDAP (#18402)
2023-12-16 05:00:43 +08:00
func commonAddServiceAccount(r *http.Request) (context.Context, auth.Credentials, newServiceAccountOpts, madmin.AddServiceAccountReq, string, APIError) {
ctx := r.Context()
// Get current object layer instance.
objectAPI := newObjectLayerFn()
if objectAPI == nil || globalNotificationSys == nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrServerNotInitialized)
}
cred, owner, s3Err := validateAdminSignature(ctx, r, "")
if s3Err != ErrNone {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(s3Err)
}
password := cred.SecretKey
reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
if err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err)
}
var createReq madmin.AddServiceAccountReq
if err = json.Unmarshal(reqBytes, &createReq); err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err)
}
// service account access key cannot have space characters beginning and end of the string.
if hasSpaceBE(createReq.AccessKey) {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument)
}
if err := createReq.Validate(); err != nil {
// Since this validation would happen client side as well, we only send
// a generic error message here.
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument)
}
// If the request did not set a TargetUser, the service account is
// created for the request sender.
targetUser := createReq.TargetUser
if targetUser == "" {
targetUser = cred.AccessKey
}
description := createReq.Description
if description == "" {
description = createReq.Comment
}
opts := newServiceAccountOpts{
accessKey: createReq.AccessKey,
secretKey: createReq.SecretKey,
name: createReq.Name,
description: description,
expiration: createReq.Expiration,
claims: make(map[string]interface{}),
}
// Check if action is allowed if creating access key for another user
// Check if action is explicitly denied if for self
if !globalIAMSys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Groups: cred.Groups,
Action: policy.CreateServiceAccountAdminAction,
ConditionValues: getConditionValues(r, "", cred),
IsOwner: owner,
Claims: cred.Claims,
DenyOnly: (targetUser == cred.AccessKey || targetUser == cred.ParentUser),
}) {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAccessDenied)
}
var sp *policy.Policy
if len(createReq.Policy) > 0 {
sp, err = policy.ParseConfig(bytes.NewReader(createReq.Policy))
if err != nil {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", toAdminAPIErr(ctx, err)
}
}
opts.sessionPolicy = sp
return ctx, cred, opts, createReq, targetUser, APIError{}
}