@ -129,13 +129,40 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
defer logger . AuditLog ( w , r , "GetUserInfo" , mustGetClaimsFromToken ( r ) )
defer logger . AuditLog ( w , r , "GetUserInfo" , mustGetClaimsFromToken ( r ) )
objectAPI , _ := validateAdminUsersReq ( ctx , w , r , iampolicy . GetUserAdminAction )
vars := mux . Vars ( r )
if objectAPI == nil {
name := vars [ "accessKey" ]
// Get current object layer instance.
objectAPI := newObjectLayerFn ( )
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrServerNotInitialized ) , r . URL )
return
return
}
}
vars := mux . Vars ( r )
cred , claims , owner , s3Err := validateAdminSignature ( ctx , r , "" )
name := vars [ "accessKey" ]
if s3Err != ErrNone {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( s3Err ) , r . URL )
return
}
accessKey := cred . AccessKey
if cred . ParentUser != "" {
accessKey = cred . ParentUser
}
implicitPerm := name == accessKey
if ! implicitPerm {
if ! globalIAMSys . IsAllowed ( iampolicy . Args {
AccountName : accessKey ,
Action : iampolicy . GetUserAdminAction ,
ConditionValues : getConditionValues ( r , "" , accessKey , claims ) ,
IsOwner : owner ,
Claims : claims ,
} ) {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAccessDenied ) , r . URL )
return
}
}
userInfo , err := globalIAMSys . GetUserInfo ( name )
userInfo , err := globalIAMSys . GetUserInfo ( name )
if err != nil {
if err != nil {
@ -304,7 +331,7 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
accessKey := vars [ "accessKey" ]
accessKey := vars [ "accessKey" ]
status := vars [ "status" ]
status := vars [ "status" ]
// Custom IAM policies not allowed for admin user.
// This API is not allowed to lookup accessKey user status
if accessKey == globalActiveCred . AccessKey {
if accessKey == globalActiveCred . AccessKey {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrInvalidRequest ) , r . URL )
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrInvalidRequest ) , r . URL )
return
return
@ -330,20 +357,47 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
defer logger . AuditLog ( w , r , "AddUser" , mustGetClaimsFromToken ( r ) )
defer logger . AuditLog ( w , r , "AddUser" , mustGetClaimsFromToken ( r ) )
objectAPI , cred := validateAdminUsersReq ( ctx , w , r , iampolicy . CreateUserAdminAction )
vars := mux . Vars ( r )
if objectAPI == nil {
accessKey := vars [ "accessKey" ]
// Get current object layer instance.
objectAPI := newObjectLayerFn ( )
if objectAPI == nil || globalNotificationSys == nil {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrServerNotInitialized ) , r . URL )
return
return
}
}
vars := mux . Vars ( r )
cred , claims , owner , s3Err := validateAdminSignature ( ctx , r , "" )
accessKey := vars [ "accessKey" ]
if s3Err != ErrNone {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( s3Err ) , r . URL )
return
}
// Custom IAM policies not allowed for admin user.
if cred . IsTemp ( ) || cred . IsServiceAccount ( ) {
if accessKey == globalActiveCred . AccessKey {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAccountNotEligible ) , r . URL )
return
}
// Not allowed to add a user with same access key as root credential
if owner {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAddUserInvalidArgument ) , r . URL )
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAddUserInvalidArgument ) , r . URL )
return
return
}
}
implicitPerm := accessKey == cred . AccessKey
if ! implicitPerm {
if ! globalIAMSys . IsAllowed ( iampolicy . Args {
AccountName : accessKey ,
Action : iampolicy . CreateUserAdminAction ,
ConditionValues : getConditionValues ( r , "" , accessKey , claims ) ,
IsOwner : owner ,
Claims : claims ,
} ) {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAccessDenied ) , r . URL )
return
}
}
if r . ContentLength > maxEConfigJSONSize || r . ContentLength == - 1 {
if r . ContentLength > maxEConfigJSONSize || r . ContentLength == - 1 {
// More than maxConfigSize bytes were available
// More than maxConfigSize bytes were available
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAdminConfigTooLarge ) , r . URL )
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAdminConfigTooLarge ) , r . URL )
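Review bot: The new IsAllowed check in AddUser passes `AccountName : accessKey` where `accessKey` is `vars["accessKey"]`, i.e. the user being created or overwritten, so the policy evaluated is the target's rather than the caller's; the same field in the GetUserInfo hunk is the caller's identity derived from `cred`, which is the intended shape. `getConditionValues(r, "", accessKey, claims)` has the same mix-up in its username argument. A caller could thus be granted or denied based on policies attached to the account named in the URL. Resolve the caller once (falling back to `cred.ParentUser` as GetUserInfo does) and use it for both `AccountName` and the condition values, as below; whether `implicitPerm` should also compare against the parent user for service-account callers is a product question I have not assumed. AddUser continues past the end of this hunk.
```go
	// Authorize against the caller's identity, not the user being created.
	caller := cred.AccessKey
	if cred.ParentUser != "" {
		caller = cred.ParentUser
	}
	implicitPerm := accessKey == cred.AccessKey
	if !implicitPerm {
		if !globalIAMSys.IsAllowed(iampolicy.Args{
			AccountName:     caller,
			Action:          iampolicy.CreateUserAdminAction,
			ConditionValues: getConditionValues(r, "", caller, claims),
			IsOwner:         owner,
			Claims:          claims,
		}) {
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
			return
		}
	}
	// … unchanged: ContentLength size check …
```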
@ -398,6 +452,12 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return
return
}
}
// Disallow creating service accounts by root user.
if owner {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAdminAccountNotEligible ) , r . URL )
return
}
password := cred . SecretKey
password := cred . SecretKey
reqBytes , err := madmin . DecryptData ( password , io . LimitReader ( r . Body , r . ContentLength ) )
reqBytes , err := madmin . DecryptData ( password , io . LimitReader ( r . Body , r . ContentLength ) )
if err != nil {
if err != nil {
@ -411,12 +471,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return
return
}
}
// Disallow creating service accounts by root user.
if owner {
writeErrorResponseJSON ( ctx , w , errorCodes . ToAPIErr ( ErrAdminAccountNotEligible ) , r . URL )
return
}
parentUser := cred . AccessKey
parentUser := cred . AccessKey
if cred . ParentUser != "" {
if cred . ParentUser != "" {
parentUser = cred . ParentUser
parentUser = cred . ParentUser
@ -572,11 +626,11 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re
writeSuccessNoContent ( w )
writeSuccessNoContent ( w )
}
}
// AccountUsage InfoHandler returns usage
// AccountInfoHandler returns usage
func ( a adminAPIHandlers ) AccountUsage InfoHandler ( w http . ResponseWriter , r * http . Request ) {
func ( a adminAPIHandlers ) AccountInfoHandler ( w http . ResponseWriter , r * http . Request ) {
ctx := newContext ( r , w , "AccountUsage Info" )
ctx := newContext ( r , w , "AccountInfo" )
defer logger . AuditLog ( w , r , "AccountUsage Info" , mustGetClaimsFromToken ( r ) )
defer logger . AuditLog ( w , r , "AccountInfo" , mustGetClaimsFromToken ( r ) )
// Get current object layer instance.
// Get current object layer instance.
objectAPI := newObjectLayerFn ( )
objectAPI := newObjectLayerFn ( )
@ -645,8 +699,16 @@ func (a adminAPIHandlers) AccountUsageInfoHandler(w http.ResponseWriter, r *http
accountName = cred . ParentUser
accountName = cred . ParentUser
}
}
acctInfo := madmin . AccountUsageInfo {
policies , err := globalIAMSys . PolicyDBGet ( accountName , false )
if err != nil {
logger . LogIf ( ctx , err )
writeErrorResponseJSON ( ctx , w , toAdminAPIErr ( ctx , err ) , r . URL )
return
}
acctInfo := madmin . AccountInfo {
AccountName : accountName ,
AccountName : accountName ,
Policy : globalIAMSys . GetCombinedPolicy ( policies ... ) ,
}
}
for _ , bucket := range buckets {
for _ , bucket := range buckets {