From 4444ba13a4c5ed9923a4a9b32faeff45effb1235 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Fri, 28 May 2021 10:33:07 -0700
Subject: [PATCH] support ldap:username for policy substitution (#12390)

LDAPusername is the simpler form of LDAPUser (userDN), using a simpler version is convenient from policy conditions point of view, since these are unique id's used for LDAP login.
---
 cmd/bucket-policy.go | 2 ++
 cmd/sts-handlers.go | 8 +++++---
 docs/multi-user/README.md | 8 ++++----
 ...-objects-with-ldap-user.json => rw-ldap-username.json} | 4 ++--
 pkg/bucket/policy/condition/key.go | 2 ++
 pkg/bucket/policy/condition/ldap.go | 5 ++++-
 6 files changed, 19 insertions(+), 10 deletions(-)
 rename docs/sts/{list-objects-with-ldap-user.json => rw-ldap-username.json} (70%)

diff --git a/cmd/bucket-policy.go b/cmd/bucket-policy.go
index 5134c5211..dcc8c87e7 100644
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@@ -174,6 +174,8 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
 			// Special case for AD/LDAP STS users
 			if k == ldapUser {
 				args["user"] = []string{vStr}
+			} else if k == ldapUsername {
+				args["username"] = []string{vStr}
 			} else {
 				args[k] = []string{vStr}
 			}
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 3aff49ed3..5010b955f 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -64,7 +64,8 @@ const (
 	parentClaim = "parent"
 
 	// LDAP claim keys
-	ldapUser = "ldapUser"
+	ldapUser     = "ldapUser"
+	ldapUsername = "ldapUsername"
 )
 
 // stsAPIHandlers implements and provides http handlers for AWS STS API.
@@ -525,8 +526,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 	expiryDur := globalLDAPConfig.GetExpiryDuration()
 
 	m := map[string]interface{}{
-		expClaim: UTCNow().Add(expiryDur).Unix(),
-		ldapUser: ldapUserDN,
+		expClaim:     UTCNow().Add(expiryDur).Unix(),
+		ldapUsername: ldapUsername,
+		ldapUser:     ldapUserDN,
 	}
 
 	if len(sessionPolicyStr) > 0 {
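Review bot: The new `else if` branch writes the LDAP claim into `args["username"]`, which appears to be the same slot getConditionValues fills for `aws:username` earlier in the function (that assignment is outside the hunk, so confirm), so for LDAP STS requests the LDAP login name silently replaces that value and `${aws:username}` and `${ldap:username}` resolve to the same string. If the aliasing is intended it deserves a comment at the branch, e.g. `// ldap:username shares the "username" arg with aws:username; for LDAP STS users the LDAP login name wins`, and the README should say so too. As a point of style, the growing chain would read better as `switch k { case ldapUser: ... case ldapUsername: ... default: ... }`. getConditionValues begins and ends outside the hunk.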
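Review bot: In the claims map of AssumeRoleWithLDAPIdentity the new entry `ldapUsername: ldapUsername,` uses one identifier for both key and value, which is wrong whichever way it resolves. If `ldapUsername` is the package constant added in the `const` hunk above, the claim's value is the literal string "ldapUsername" instead of the user's login name; if the handler declares a local `ldapUsername` holding the form value (the function body starts outside the hunk, so this is not visible, but the value side suggests it), that local shadows the constant and the claim is keyed by the login name rather than "ldapUsername", so the `k == ldapUsername` test added in cmd/bucket-policy.go never matches. Giving the constant a name that cannot collide with a local removes the ambiguity, e.g. `ldapUserN = "ldapUsername"` in the const block and `ldapUserN: ldapUsername,` here, with the bucket-policy.go branch updated to match. A test that decodes the issued session token and asserts the claim key and value would have caught this.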
diff --git a/docs/multi-user/README.md b/docs/multi-user/README.md
index e46e8db95..c0119c366 100644
--- a/docs/multi-user/README.md
+++ b/docs/multi-user/README.md
@@ -191,7 +191,7 @@ Following example shows OpenID users with full programmatic access to a OpenID u
 }
 ```
 
-If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:user`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
+If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables, currently only supports `ldap:username`. Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.
 ```
 {
   "Version": "2012-10-17",
@@ -200,7 +200,7 @@ If the user is authenticating using an STS credential which was authorized from
       "Action": ["s3:ListBucket"],
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::mybucket"],
-      "Condition": {"StringLike": {"s3:prefix": ["${ldap:user}/*"]}}
+      "Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
     },
     {
       "Action": [
@@ -208,7 +208,7 @@ If the user is authenticating using an STS credential which was authorized from
         "s3:PutObject"
       ],
       "Effect": "Allow",
-      "Resource": ["arn:aws:s3:::mybucket/${ldap:user}/*"]
+      "Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
     }
   ]
 }
@@ -235,7 +235,7 @@ If the user is authenticating using an STS credential which was authorized from
 ```
 
 - *aws:UserAgent* - This value is a string that contains information about the requester's client application. This string is generated by the client and can be unreliable. You can only use this context key from `mc` or other MinIO SDKs which standardize the User-Agent string.
-- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:user` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
+- *aws:username* - This is a string containing the friendly name of the current user, this value would point to STS temporary credential in `AssumeRole`ed requests, instead use `jwt:preferred_username` in case of OpenID connect and `ldap:username` in case of AD/LDAP connect. *aws:userid* is an alias to *aws:username* in MinIO.
 
 ## Explore Further
 
diff --git a/docs/sts/list-objects-with-ldap-user.json b/docs/sts/rw-ldap-username.json
similarity index 70%
rename from docs/sts/list-objects-with-ldap-user.json
rename to docs/sts/rw-ldap-username.json
index 6a3de7a0e..a203afada 100644
--- a/docs/sts/list-objects-with-ldap-user.json
+++ b/docs/sts/rw-ldap-username.json
@@ -4,10 +4,10 @@
     {
       "Effect": "Allow",
       "Action": [
-        "s3:ListBucket"
+        "s3:*"
       ],
       "Resource": [
-        "arn:aws:s3:::${ldap:user}"
+        "arn:aws:s3:::${ldap:username}/*"
       ]
     }
   ]
diff --git a/pkg/bucket/policy/condition/key.go b/pkg/bucket/policy/condition/key.go
index ad273ae99..6550a74b4 100644
--- a/pkg/bucket/policy/condition/key.go
+++ b/pkg/bucket/policy/condition/key.go
@@ -148,6 +148,7 @@ var AllSupportedKeys = append([]Key{
 	AWSUserID,
 	AWSUsername,
 	LDAPUser,
+	LDAPUsername,
 	// Add new supported condition keys.
 }, JWTKeys...)
 
@@ -167,6 +168,7 @@ var CommonKeys = append([]Key{
 	AWSUserID,
 	AWSUsername,
 	LDAPUser,
+	LDAPUsername,
 }, JWTKeys...)
 
 func substFuncFromValues(values map[string][]string) func(string) string {
diff --git a/pkg/bucket/policy/condition/ldap.go b/pkg/bucket/policy/condition/ldap.go
index 5fb98176e..43f6eb30d 100644
--- a/pkg/bucket/policy/condition/ldap.go
+++ b/pkg/bucket/policy/condition/ldap.go
@@ -18,6 +18,9 @@ package condition
 
 const (
-	// LDAPUser - LDAP username, in MinIO this value is equal to your authenticating LDAP user.
+	// LDAPUser - LDAP user DN, in MinIO this value is equal to user DN of the authenticated user.
 	LDAPUser Key = "ldap:user"
+
+	// LDAPUsername - LDAP username, in MinIO is the authenticated simply user.
+	LDAPUsername Key = "ldap:username"
 )
 
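Review bot: The doc comment on the new `LDAPUsername` key, `// LDAPUsername - LDAP username, in MinIO is the authenticated simply user.`, is ungrammatical and does not say how the key differs from `LDAPUser`, which the same hunk now documents as the user DN. Suggest `// LDAPUsername - LDAP username, in MinIO this value is the plain login name of the authenticated LDAP user (see LDAPUser for its DN).`, which matches the commit message's description of it as the simpler form of the DN. Stating the distinction here matters because policy authors pick between `${ldap:user}` and `${ldap:username}` from this text alone.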