mirror of https://github.com/minio/minio.git
Compare commits
8 Commits
646be7ba29
...
6e94208d24
| Author | SHA1 | Date |
|---|---|---|
Allan Roger Reid
|
6e94208d24 | |
Minio Trusted
|
b9f0e8c712 | |
M Alvee
|
7ced9663e6 | |
MagicPig
|
50fcf9b670 | |
Harshavardhana
|
64f5c6103f | |
|
Allan Roger Reid
|
e0182b85e0 | |
|
Allan Roger Reid
|
9611aa9b15 | |
|
Allan Reid
|
bebf04e2b6 |
|
|
@ -524,6 +524,7 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
|||
configLogIf(ctx, fmt.Errorf("Invalid site configuration: %w", err))
|
||||
}
|
||||
globalSite.Update(siteCfg)
|
||||
xhttp.SetSiteName(globalSite.Name())
|
||||
|
||||
globalAutoEncryption = crypto.LookupAutoEncryption() // Enable auto-encryption if enabled
|
||||
if globalAutoEncryption && GlobalKMS == nil {
|
||||
|
|
|
|||
|
|
@ -828,6 +828,13 @@ func (er erasureObjects) getObjectFileInfo(ctx context.Context, bucket, object s
|
|||
minDisks = er.setDriveCount - er.defaultParityCount
|
||||
}
|
||||
|
||||
if minDisks == er.setDriveCount/2 {
|
||||
// when data and parity are same we must atleast
|
||||
// wait for response from 1 extra drive to avoid
|
||||
// split-brain.
|
||||
minDisks++
|
||||
}
|
||||
|
||||
calcQuorum := func(metaArr []FileInfo, errs []error) (FileInfo, []FileInfo, []StorageAPI, time.Time, string, error) {
|
||||
readQuorum, _, err := objectQuorumFromMeta(ctx, metaArr, errs, er.defaultParityCount)
|
||||
if err != nil {
|
||||
|
|
|
|||
35
cmd/iam.go
35
cmd/iam.go
|
|
@ -24,6 +24,7 @@ import (
|
|||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"maps"
|
||||
"math/rand"
|
||||
"path"
|
||||
"sort"
|
||||
|
|
@ -366,14 +367,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
|
|||
sys.rolesMap = make(map[arn.ARN]string)
|
||||
|
||||
// From OpenID
|
||||
if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
|
||||
sys.validateAndAddRolePolicyMappings(ctx, riMap)
|
||||
}
|
||||
maps.Copy(sys.rolesMap, sys.OpenIDConfig.GetRoleInfo())
|
||||
|
||||
// From AuthN plugin if enabled.
|
||||
if authn := newGlobalAuthNPluginFn(); authn != nil {
|
||||
riMap := authn.GetRoleInfo()
|
||||
sys.validateAndAddRolePolicyMappings(ctx, riMap)
|
||||
maps.Copy(sys.rolesMap, authn.GetRoleInfo())
|
||||
}
|
||||
|
||||
sys.printIAMRoles()
|
||||
|
|
@ -501,33 +499,6 @@ func (sys *IAMSys) periodicRoutines(ctx context.Context, baseInterval time.Durat
|
|||
}
|
||||
}
|
||||
|
||||
func (sys *IAMSys) validateAndAddRolePolicyMappings(ctx context.Context, m map[arn.ARN]string) {
|
||||
// Validate that policies associated with roles are defined. If
|
||||
// authZ plugin is set, role policies are just claims sent to
|
||||
// the plugin and they need not exist.
|
||||
//
|
||||
// If some mapped policies do not exist, we print some error
|
||||
// messages but continue any way - they can be fixed in the
|
||||
// running server by creating the policies after start up.
|
||||
for arn, rolePolicies := range m {
|
||||
specifiedPoliciesSet := newMappedPolicy(rolePolicies).policySet()
|
||||
validPolicies, _ := sys.store.MergePolicies(rolePolicies)
|
||||
knownPoliciesSet := newMappedPolicy(validPolicies).policySet()
|
||||
unknownPoliciesSet := specifiedPoliciesSet.Difference(knownPoliciesSet)
|
||||
if len(unknownPoliciesSet) > 0 {
|
||||
authz := newGlobalAuthZPluginFn()
|
||||
if authz == nil {
|
||||
// Print a warning that some policies mapped to a role are not defined.
|
||||
errMsg := fmt.Errorf(
|
||||
"The policies \"%s\" mapped to role ARN %s are not defined - this role may not work as expected.",
|
||||
unknownPoliciesSet.ToSlice(), arn.String())
|
||||
authZLogIf(ctx, errMsg, logger.WarningKind)
|
||||
}
|
||||
}
|
||||
sys.rolesMap[arn] = rolePolicies
|
||||
}
|
||||
}
|
||||
|
||||
// Prints IAM role ARNs.
|
||||
func (sys *IAMSys) printIAMRoles() {
|
||||
if len(sys.rolesMap) == 0 {
|
||||
|
|
|
|||
|
|
@ -331,7 +331,7 @@ func checkPreconditions(ctx context.Context, w http.ResponseWriter, r *http.Requ
|
|||
func ifModifiedSince(objTime time.Time, givenTime time.Time) bool {
|
||||
// The Date-Modified header truncates sub-second precision, so
|
||||
// use mtime < t+1s instead of mtime <= t to check for unmodified.
|
||||
return objTime.After(givenTime.Add(1 * time.Second))
|
||||
return !objTime.Before(givenTime.Add(1 * time.Second))
|
||||
}
|
||||
|
||||
// canonicalizeETag returns ETag with leading and trailing double-quotes removed,
|
||||
|
|
|
|||
|
|
@ -545,6 +545,14 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||
writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
|
||||
return
|
||||
}
|
||||
if newGlobalAuthZPluginFn() == nil {
|
||||
// if authZ is not set - we expect the policies to be present.
|
||||
if globalIAMSys.CurrentPolicies(p) == "" {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
|
||||
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p))
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !globalIAMSys.doesPolicyAllow(p, policy.Args{
|
||||
|
|
@ -1003,6 +1011,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
|
|||
return
|
||||
}
|
||||
|
||||
_, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
|
||||
return
|
||||
}
|
||||
|
||||
if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
|
||||
if globalIAMSys.CurrentPolicies(policyName) == "" {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
|
||||
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
res, err := authn.Authenticate(roleArn, token)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ version: '3.7'
|
|||
|
||||
# Settings and configurations that are common for all containers
|
||||
x-minio-common: &minio-common
|
||||
image: quay.io/minio/minio:RELEASE.2025-07-18T21-56-31Z
|
||||
image: quay.io/minio/minio:RELEASE.2025-07-23T15-54-02Z
|
||||
command: server --console-address ":9001" http://minio{1...4}/data{1...2}
|
||||
expose:
|
||||
- "9000"
|
||||
|
|
|
|||
|
|
@ -37,6 +37,9 @@ var (
|
|||
|
||||
// GlobalDeploymentID - is sent in the header to all http targets
|
||||
GlobalDeploymentID string
|
||||
|
||||
// GlobalSiteName - is sent in the header to all http targets
|
||||
GlobalSiteName string
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
@ -236,3 +239,8 @@ func SetMinIOVersion(version string) {
|
|||
func SetDeploymentID(deploymentID string) {
|
||||
GlobalDeploymentID = deploymentID
|
||||
}
|
||||
|
||||
// SetSiteName -- user defined site from environment variable `MINIO_SITE_NAME` or from configuration `site.name`
|
||||
func SetSiteName(siteName string) {
|
||||
GlobalSiteName = siteName
|
||||
}
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@ func GetAuditEntry(ctx context.Context) *audit.Entry {
|
|||
r = &audit.Entry{
|
||||
Version: internalAudit.Version,
|
||||
DeploymentID: xhttp.GlobalDeploymentID,
|
||||
SiteName: xhttp.GlobalSiteName,
|
||||
Time: time.Now().UTC(),
|
||||
}
|
||||
return r
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ func NewEntry(deploymentID string) audit.Entry {
|
|||
return audit.Entry{
|
||||
Version: Version,
|
||||
DeploymentID: deploymentID,
|
||||
SiteName: xhttp.GlobalSiteName,
|
||||
Time: time.Now().UTC(),
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue