Remove older policy attach behavior for LDAP (#17240)

2024-10-02 22:24:00 +00:00 · 2023-05-26 06:31:24 -07:00 · 2023-05-26 06:31:24 -07:00 · 65cba212e8
parent 7a69c9c75a
commit 65cba212e8
5 changed files with 174 additions and 157 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -1767,7 +1767,7 @@ func (a adminAPIHandlers) ListPolicyMappingEntities(w http.ResponseWriter, r *ht
 	writeSuccessResponseJSON(w, econfigData)
 }

-// AttachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/attach
+// AttachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/policy/attach
 func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "AttachPolicyBuiltin")

@ -1835,20 +1835,19 @@ func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Req
 		}

 		// Validate that user exists.
-		if globalIAMSys.GetUsersSysType() == MinIOUsersSysType {
-			_, ok := globalIAMSys.GetUser(ctx, userOrGroup)
-			if !ok {
-				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
+		_, ok = globalIAMSys.GetUser(ctx, userOrGroup)
+		if !ok {
+			if globalIAMSys.LDAPConfig.Enabled() {
+				// When LDAP is enabled, warn user that they are using the wrong
+				// API.
+				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUserLDAPWarn), r.URL)
 				return
 			}
+			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
+			return
 		}
 	}

-	userType := regUser
-	if globalIAMSys.GetUsersSysType() == LDAPUsersSysType {
-		userType = stsUser
-	}
-
 	var existingPolicies []string
 	if isGroup {
 		existingPolicies, err = globalIAMSys.PolicyDBGet(userOrGroup, true)
@ -1878,6 +1877,7 @@ func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Req
 	existingPolicies = append(existingPolicies, policiesToAttach...)
 	newPolicies := strings.Join(existingPolicies, ",")

+	userType := regUser
 	updatedAt, err := globalIAMSys.PolicyDBSet(ctx, userOrGroup, newPolicies, userType, isGroup)
 	if err != nil {
 		writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
@ -1898,7 +1898,7 @@ func (a adminAPIHandlers) AttachPolicyBuiltin(w http.ResponseWriter, r *http.Req
 	writeResponse(w, http.StatusCreated, nil, mimeNone)
 }

-// DetachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/detach
+// DetachPolicyBuiltin - POST /minio/admin/v3/idp/builtin/policy/detach
 func (a adminAPIHandlers) DetachPolicyBuiltin(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "DetachPolicyBuiltin")

@ -1959,12 +1959,16 @@ func (a adminAPIHandlers) DetachPolicyBuiltin(w http.ResponseWriter, r *http.Req
 		}

 		// Validate that user exists.
-		if globalIAMSys.GetUsersSysType() == MinIOUsersSysType {
-			_, ok := globalIAMSys.GetUser(ctx, userOrGroup)
-			if !ok {
-				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
+		_, ok = globalIAMSys.GetUser(ctx, userOrGroup)
+		if !ok {
+			if globalIAMSys.LDAPConfig.Enabled() {
+				// When LDAP is enabled, warn user that they are using the wrong
+				// API.
+				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUserLDAPWarn), r.URL)
 				return
 			}
+			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errNoSuchUser), r.URL)
+			return
 		}
 	}

--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@ -269,6 +269,7 @@ const (

 	ErrMalformedJSON
 	ErrAdminNoSuchUser
+	ErrAdminNoSuchUserLDAPWarn
 	ErrAdminNoSuchGroup
 	ErrAdminGroupNotEmpty
 	ErrAdminGroupDisabled
@ -1266,6 +1267,11 @@ var errorCodes = errorCodeMap{
 		Description:    "The specified user does not exist.",
 		HTTPStatusCode: http.StatusNotFound,
 	},
+	ErrAdminNoSuchUserLDAPWarn: {
+		Code:           "XMinioAdminNoSuchUser",
+		Description:    "The specified user does not exist. If you meant a user in LDAP, use `mc idp ldap`",
+		HTTPStatusCode: http.StatusNotFound,
+	},
 	ErrAdminNoSuchGroup: {
 		Code:           "XMinioAdminNoSuchGroup",
 		Description:    "The specified group does not exist.",
@ -2036,6 +2042,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
 		apiErr = ErrAdminNoSuchPolicy
 	case errNoSuchUser:
 		apiErr = ErrAdminNoSuchUser
+	case errNoSuchUserLDAPWarn:
+		apiErr = ErrAdminNoSuchUserLDAPWarn
 	case errNoSuchServiceAccount:
 		apiErr = ErrAdminServiceAccountNotFound
 	case errNoSuchGroup:
--- a/cmd/apierrorcode_string.go
+++ b/cmd/apierrorcode_string.go
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
@ -65,6 +65,10 @@ var errInvalidDecompressedSize = errors.New("Invalid Decompressed Size")
 // error returned in IAM subsystem when user doesn't exist.
 var errNoSuchUser = errors.New("Specified user does not exist")

+// error returned by IAM when a use a builtin IDP command when they could mean
+// to use a LDAP command.
+var errNoSuchUserLDAPWarn = errors.New("Specified user does not exist. If you meant a user in LDAP please use command under `mc idp ldap`")
+
 // error returned when service account is not found
 var errNoSuchServiceAccount = errors.New("Specified service account does not exist")

--- a/docs/site-replication/run-multi-site-ldap.sh
+++ b/docs/site-replication/run-multi-site-ldap.sh
@ -64,7 +64,7 @@ export MC_HOST_minio3=http://minio:minio123@localhost:9003

 ./mc admin replicate add minio1 minio2 minio3

-./mc admin policy attach minio1 consoleAdmin --user="uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+./mc admin idp ldap policy attach minio1 consoleAdmin --user="uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
 sleep 5

 ./mc admin user info minio2 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"