support 'ldap:user' variable replacement properly (#10391)

also update the `ldap.go` example for the latest
minio-go API changes

Fixes #10367
Harshavardhana 4 years ago committed by GitHub
parent 9ffad7fceb
commit 4b6585d249
  1. 5
      cmd/bucket-policy.go
  2. 1
      cmd/sts-handlers.go
  3. 36
      docs/sts/ldap.go
  4. 14
      docs/sts/list-objects-with-ldap-user.json

@ -151,11 +151,12 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
if ok { if ok {
// Special case for AD/LDAP STS users // Special case for AD/LDAP STS users
if k == ldapUser { if k == ldapUser {
args[ldapUserPolicyVariable] = []string{vStr} args["user"] = []string{vStr}
} } else {
args[k] = []string{vStr} args[k] = []string{vStr}
} }
} }
}
return args return args
} }
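Review bot: The ldapUser branch now writes the bare literal `args["user"]` where the previous code used the named `ldapUserPolicyVariable`, and nothing at the assignment says why the claim lands under that key; a short comment would keep the mapping traceable, e.g. `// ldapUser is exposed as "user" so that ${ldap:user} in a policy resolves to it` (the lookup that strips the prefix is outside this hunk, so confirm the wording against it). With the new else branch the raw claim is no longer also stored under its own ldapUser key as before, so if anything relied on that entry it is now unset. getConditionValues begins before this hunk, so the loop header and the earlier args entries are not visible here.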

@ -62,7 +62,6 @@ const (
// LDAP claim keys // LDAP claim keys
ldapUser = "ldapUser" ldapUser = "ldapUser"
ldapUserPolicyVariable = "ldap:user"
) )
// stsAPIHandlers implements and provides http handlers for AWS STS API. // stsAPIHandlers implements and provides http handlers for AWS STS API.

@ -18,12 +18,13 @@
package main package main
import ( import (
"context"
"flag" "flag"
"fmt" "fmt"
"log" "log"
"net/url" "net/url"
miniogo "github.com/minio/minio-go/v7" "github.com/minio/minio-go/v7"
cr "github.com/minio/minio-go/v7/pkg/credentials" cr "github.com/minio/minio-go/v7/pkg/credentials"
) )
@ -53,39 +54,34 @@ func main() {
// LDAP STS API. // LDAP STS API.
// Initialize LDAP credentials // Initialize LDAP credentials
li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword) li, _ := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
if err != nil {
log.Fatalf("INIT Err: %v", err)
}
// Generate temporary STS credentials stsEndpointURL, err := url.Parse(stsEndpoint)
v, err := li.Get()
if err != nil {
log.Fatalf("GET Err: %v", err)
}
fmt.Printf("%#v\n", v)
stsEndpointUrl, err := url.Parse(stsEndpoint)
if err != nil { if err != nil {
log.Fatalf("Err: %v", err) log.Fatalf("Err: %v", err)
} }
secure := false opts := &minio.Options{
if stsEndpointUrl.Scheme == "https" { Creds: li,
secure = true Secure: stsEndpointURL.Scheme == "https",
} }
fmt.Println(li.Get())
// Use generated credentials to authenticate with MinIO server // Use generated credentials to authenticate with MinIO server
minioClient, err := miniogo.NewWithCredentials(stsEndpointUrl.Host, li, secure, "") minioClient, err := minio.New(stsEndpointURL.Host, opts)
if err != nil { if err != nil {
log.Fatalln(err) log.Fatalln(err)
} }
// Use minIO Client object normally like the regular client. // Use minIO Client object normally like the regular client.
fmt.Println("Calling list buckets with temp creds:") fmt.Println("Calling list objects with temp creds: ")
b, err := minioClient.ListBuckets() objCh := minioClient.ListObjects(context.Background(), ldapUsername, minio.ListObjectsOptions{})
for obj := range objCh {
if obj.Err != nil {
if err != nil { if err != nil {
log.Fatalln(err) log.Fatalln(err)
} }
fmt.Println(b) }
fmt.Println(obj)
}
} }
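Review bot: The error check inside the ListObjects loop tests the wrong variable: `if obj.Err != nil { if err != nil { ... } }` re-checks the `err` from `minio.New`, which was already found nil, so a listing failure — including an access denial from the `${ldap:user}` policy this commit is demonstrating — is silently dropped and the loop just ends with no output. It should be `if obj.Err != nil { log.Fatalln(obj.Err) }`. The new `li, _ := cr.NewLDAPIdentity(...)` also discards the error that the previous version checked; keep `li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)` followed by `if err != nil { log.Fatalf("INIT Err: %v", err) }`. Note that `fmt.Println(li.Get())` writes the full temporary credential set to stdout, which is fine for a throwaway example but worth a comment so it is not copied into real code. main begins before this hunk, so the flag parsing and endpoint variables are not visible here.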

@ -0,0 +1,14 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${ldap:user}"
]
}
]
}