mirror of
https://github.com/pgsty/minio.git
synced 2026-07-19 12:10:24 +03:00
feat: introduce listUsers, listPolicies for any bucket (#12372)
Bonus change LDAP settings such as user, group mappings are now listed as part of `mc admin user list` and `mc admin group list` Additionally this PR also deprecates the `/v2` API that is no longer in use.
This commit is contained in:
+80
-14
@@ -747,7 +747,7 @@ func (sys *IAMSys) InfoPolicy(policyName string) (iampolicy.Policy, error) {
|
||||
}
|
||||
|
||||
// ListPolicies - lists all canned policies.
|
||||
func (sys *IAMSys) ListPolicies() (map[string]iampolicy.Policy, error) {
|
||||
func (sys *IAMSys) ListPolicies(bucketName string) (map[string]iampolicy.Policy, error) {
|
||||
if !sys.Initialized() {
|
||||
return nil, errServerNotInitialized
|
||||
}
|
||||
@@ -759,7 +759,11 @@ func (sys *IAMSys) ListPolicies() (map[string]iampolicy.Policy, error) {
|
||||
|
||||
policyDocsMap := make(map[string]iampolicy.Policy, len(sys.iamPolicyDocsMap))
|
||||
for k, v := range sys.iamPolicyDocsMap {
|
||||
policyDocsMap[k] = v
|
||||
if bucketName != "" && v.MatchResource(bucketName) {
|
||||
policyDocsMap[k] = v
|
||||
} else {
|
||||
policyDocsMap[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
return policyDocsMap, nil
|
||||
@@ -921,16 +925,60 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListBucketUsers - list all users who can access this 'bucket'
|
||||
func (sys *IAMSys) ListBucketUsers(bucket string) (map[string]madmin.UserInfo, error) {
|
||||
if bucket == "" {
|
||||
return nil, errInvalidArgument
|
||||
}
|
||||
|
||||
sys.store.rlock()
|
||||
defer sys.store.runlock()
|
||||
|
||||
var users = make(map[string]madmin.UserInfo)
|
||||
|
||||
for k, v := range sys.iamUsersMap {
|
||||
if v.IsTemp() || v.IsServiceAccount() {
|
||||
continue
|
||||
}
|
||||
var policies []string
|
||||
mp, ok := sys.iamUserPolicyMap[k]
|
||||
if ok {
|
||||
policies = append(policies, mp.toSlice()...)
|
||||
for _, group := range sys.iamUserGroupMemberships[k].ToSlice() {
|
||||
if nmp, ok := sys.iamGroupPolicyMap[group]; ok {
|
||||
policies = append(policies, nmp.toSlice()...)
|
||||
}
|
||||
}
|
||||
}
|
||||
var matchesPolices []string
|
||||
for _, p := range policies {
|
||||
if sys.iamPolicyDocsMap[p].MatchResource(bucket) {
|
||||
matchesPolices = append(matchesPolices, p)
|
||||
}
|
||||
}
|
||||
if len(matchesPolices) > 0 {
|
||||
users[k] = madmin.UserInfo{
|
||||
PolicyName: strings.Join(matchesPolices, ","),
|
||||
Status: func() madmin.AccountStatus {
|
||||
if v.IsValid() {
|
||||
return madmin.AccountEnabled
|
||||
}
|
||||
return madmin.AccountDisabled
|
||||
}(),
|
||||
MemberOf: sys.iamUserGroupMemberships[k].ToSlice(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return users, nil
|
||||
}
|
||||
|
||||
// ListUsers - list all users.
|
||||
func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
|
||||
if !sys.Initialized() {
|
||||
return nil, errServerNotInitialized
|
||||
}
|
||||
|
||||
if sys.usersSysType != MinIOUsersSysType {
|
||||
return nil, errIAMActionNotAllowed
|
||||
}
|
||||
|
||||
<-sys.configLoaded
|
||||
|
||||
sys.store.rlock()
|
||||
@@ -948,6 +996,16 @@ func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
|
||||
}
|
||||
return madmin.AccountDisabled
|
||||
}(),
|
||||
MemberOf: sys.iamUserGroupMemberships[k].ToSlice(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if sys.usersSysType == LDAPUsersSysType {
|
||||
for k, v := range sys.iamUserPolicyMap {
|
||||
users[k] = madmin.UserInfo{
|
||||
PolicyName: v.Policies,
|
||||
Status: madmin.AccountEnabled,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1013,15 +1071,21 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
|
||||
sys.store.rlock()
|
||||
// If the user has a mapped policy or is a member of a group, we
|
||||
// return that info. Otherwise we return error.
|
||||
mappedPolicy, ok1 := sys.iamUserPolicyMap[name]
|
||||
memberships, ok2 := sys.iamUserGroupMemberships[name]
|
||||
var groups []string
|
||||
for _, v := range sys.iamUsersMap {
|
||||
if v.ParentUser == name {
|
||||
groups = v.Groups
|
||||
break
|
||||
}
|
||||
}
|
||||
mappedPolicy, ok := sys.iamUserPolicyMap[name]
|
||||
sys.store.runlock()
|
||||
if !ok1 && !ok2 {
|
||||
if !ok {
|
||||
return u, errNoSuchUser
|
||||
}
|
||||
return madmin.UserInfo{
|
||||
PolicyName: mappedPolicy.Policies,
|
||||
MemberOf: memberships.ToSlice(),
|
||||
MemberOf: groups,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -1741,10 +1805,6 @@ func (sys *IAMSys) ListGroups() (r []string, err error) {
|
||||
return r, errServerNotInitialized
|
||||
}
|
||||
|
||||
if sys.usersSysType != MinIOUsersSysType {
|
||||
return nil, errIAMActionNotAllowed
|
||||
}
|
||||
|
||||
<-sys.configLoaded
|
||||
|
||||
sys.store.rlock()
|
||||
@@ -1755,6 +1815,12 @@ func (sys *IAMSys) ListGroups() (r []string, err error) {
|
||||
r = append(r, k)
|
||||
}
|
||||
|
||||
if sys.usersSysType == LDAPUsersSysType {
|
||||
for k := range sys.iamGroupPolicyMap {
|
||||
r = append(r, k)
|
||||
}
|
||||
}
|
||||
|
||||
return r, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user