mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

STS integration, JWT auth and Stateless MCS (#70)

Browse Source 
This commit changes the authentication mechanism between mcs and minio to an sts
(security token service) schema using the user provided credentials, previously
mcs was using master credentials. With that said in order for you to
login to MCS as an admin your user must exists first on minio and have enough
privileges to do administrative operations.

```
./mc admin user add myminio alevsk alevsk12345
```

```
cat admin.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "admin:*",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

./mc admin policy add myminio admin admin.json
```

```
./mc admin policy set myminio admin user=alevsk
```
This commit is contained in:
Lenin Alevski
2020-04-22 23:43:17 -07:00
committed by GitHub
parent 605b80037a
commit 0f52136fd2
29 changed files with 916 additions and 303 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
restapi/user_logout.go
View File

@@ -17,14 +17,13 @@
package restapi
import (
"errors"
"log"
"github.com/go-openapi/runtime/middleware"
"github.com/go-openapi/swag"
"github.com/minio/mcs/models"
"github.com/minio/mcs/restapi/operations"
"github.com/minio/mcs/restapi/operations/user_api"
"github.com/minio/mcs/restapi/sessions"
)
func registerLogoutHandlers(api *operations.McsAPI) {
@@ -38,21 +37,23 @@ func registerLogoutHandlers(api *operations.McsAPI) {
})
}
// logout() deletes provided bearer token from in memory sessions map
// then checks that the session actually got removed
func logout(sessionID string) error {
sessionsMap := sessions.GetInstance()
sessionsMap.DeleteSession(sessionID)
if sessionsMap.ValidSession(sessionID) {
return errors.New("something went wrong deleting your session, please try again")
}
return nil
// logout() call Expire() on the provided minioCredentials
func logout(credentials MCSCredentials) {
credentials.Expire()
}
// getLogoutResponse performs logout() and returns nil or error
func getLogoutResponse(sessionID string) error {
if err := logout(sessionID); err != nil {
func getLogoutResponse(jwt string) error {
creds, err := getMcsCredentialsFromJWT(jwt)
if err != nil {
log.Println(err)
return err
}
credentials := mcsCredentials{minioCredentials: creds}
if err != nil {
log.Println("error creating MinIO Client:", err)
return err
}
logout(credentials)
return nil
}