support ldap:username for policy substitution (#12390)

LDAPusername is the simpler form of LDAPUser (userDN), using a simpler version is convenient from policy conditions point of view, since these are unique id's used for LDAP login.
2024-07-20 18:04:21 +00:00 · 2021-05-28 10:33:07 -07:00 · 2021-05-28 10:33:07 -07:00 · 4444ba13a4
parent fa8e3151bc
commit 4444ba13a4
6 changed files with 19 additions and 10 deletions
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@ -174,6 +174,8 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
 			// Special case for AD/LDAP STS users
 			if k == ldapUser {
 				args["user"] = []string{vStr}
+			} else if k == ldapUsername {
+				args["username"] = []string{vStr}
 			} else {
 				args[k] = []string{vStr}
 			}
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -64,7 +64,8 @@ const (
 	parentClaim = "parent"

 	// LDAP claim keys
-	ldapUser = "ldapUser"
+	ldapUser     = "ldapUser"
+	ldapUsername = "ldapUsername"
 )

 // stsAPIHandlers implements and provides http handlers for AWS STS API.
@ -525,8 +526,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *

 	expiryDur := globalLDAPConfig.GetExpiryDuration()
 	m := map[string]interface{}{
-		expClaim: UTCNow().Add(expiryDur).Unix(),
-		ldapUser: ldapUserDN,
+		expClaim:     UTCNow().Add(expiryDur).Unix(),
+		ldapUsername: ldapUsername,
+		ldapUser:     ldapUserDN,
 	}

 	if len(sessionPolicyStr) > 0 {
--- a/docs/multi-user/README.md
+++ b/docs/multi-user/README.md
@ -191,7 +191,7 @@ Following example shows OpenID users with full programmatic access to a OpenID u
 }
 ```

-If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
+If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:username`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
 ```
 {
  "Version": "2012-10-17",
@ -200,7 +200,7 @@ If the user is authenticating using an STS credential which was authorized from
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
-      "Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
+      "Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
    },
    {
      "Action": [
@ -208,7 +208,7 @@ If the user is authenticating using an STS credential which was authorized from
        "s3:PutObject"
      ],
      "Effect": "Allow",
-      "Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
+      "Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
    }
  ]
 }
@ -235,7 +235,7 @@ If the user is authenticating using an STS credential which was authorized from
 ```

 - *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
+- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:username` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.


 ## Explore Further
--- a/docs/sts/list-objects-with-ldap-user.json
+++ b/docs/sts/list-objects-with-ldap-user.json
@ -4,10 +4,10 @@
    {
      "Effect": "Allow",
      "Action": [
-        "s3:ListBucket"
+        "s3:*"
      ],
      "Resource": [
-        "arn:aws:s3:::${ldap:user}"
+        "arn:aws:s3:::${ldap:username}/*"
      ]
    }
  ]
--- a/pkg/bucket/policy/condition/key.go
+++ b/pkg/bucket/policy/condition/key.go
@ -148,6 +148,7 @@ var AllSupportedKeys = append([]Key{
 	AWSUserID,
 	AWSUsername,
 	LDAPUser,
+	LDAPUsername,
 	// Add new supported condition keys.
 }, JWTKeys...)

@ -167,6 +168,7 @@ var CommonKeys = append([]Key{
 	AWSUserID,
 	AWSUsername,
 	LDAPUser,
+	LDAPUsername,
 }, JWTKeys...)

 func substFuncFromValues(values map[string][]string) func(string) string {
--- a/pkg/bucket/policy/condition/ldap.go
+++ b/pkg/bucket/policy/condition/ldap.go
@ -18,6 +18,9 @@
 package condition

 const (
-	// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user.
+	// LDAPUser - LDAP user DN, in MinIO this value is equal to user DN of the authenticated user.
 	LDAPUser Key = "ldap:user"
+
+	// LDAPUsername - LDAP username, in MinIO is the authenticated simply user.
+	LDAPUsername Key = "ldap:username"
 )