Disable Users and Groups Menu options when LDAP is enabled on MinIO (#614)

2021-02-26 11:20:17 -08:00
parent 7853aa6bb9
commit 34bcd25c9f
4 changed files with 29 additions and 1 deletions
--- a/pkg/acl/config.go
+++ b/pkg/acl/config.go
@@ -26,3 +26,7 @@ import (
 func GetOperatorMode() bool {
 	return strings.ToLower(env.Get(consoleOperatorMode, "off")) == "on"
 }
+
+func GetLDAPEnabled() bool {
+	return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on"
+}
--- a/pkg/acl/const.go
+++ b/pkg/acl/const.go
@@ -18,4 +18,6 @@ package acl

 const (
 	consoleOperatorMode = "CONSOLE_OPERATOR_MODE"
+	// const for ldap configuration
+	ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED"
 )
--- a/pkg/acl/endpoints.go
+++ b/pkg/acl/endpoints.go
@@ -243,6 +243,17 @@ var healthInfoActionSet = ConfigurationActionSet{
 	),
 }

+var displayRules = map[string]func() bool{
+	// disable users page if LDAP is enabled
+	users: func() bool {
+		return !GetLDAPEnabled()
+	},
+	// disable groups page if LDAP is enabled
+	groups: func() bool {
+		return !GetLDAPEnabled()
+	},
+}
+
 // endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here
 var endpointRules = map[string]ConfigurationActionSet{
 	configuration:       configurationActionSet,
@@ -337,6 +348,15 @@ func GetAuthorizedEndpoints(actions []string) []string {
 	userAllowedAction := actionsStringToActionSet(actions)
 	var allowedEndpoints []string
 	for endpoint, rules := range rangeTake {
+
+		// check if display rule exists for this endpoint, this will control
+		// what user sees on the console UI
+		if rule, ok := displayRules[endpoint]; ok {
+			if rule != nil && !rule() {
+				continue
+			}
+		}
+
 		// check if user policy matches s3:* or admin:* typesIntersection
 		endpointActionTypes := rules.actionTypes
 		typesIntersection := endpointActionTypes.Intersection(userAllowedAction)
--- a/restapi/user_service_accounts.go
+++ b/restapi/user_service_accounts.go
@@ -58,7 +58,9 @@ func registerServiceAccountsHandlers(api *operations.ConsoleAPI) {

 // createServiceAccount adds a service account to the userClient and assigns a policy to him if defined.
 func createServiceAccount(ctx context.Context, userClient MinioAdmin, policy string) (*models.ServiceAccountCreds, error) {
-	iamPolicy := &iampolicy.Policy{}
+	// By default a nil policy will be used so the service account inherit the parent account policy, otherwise
+	// we override with the user provided iam policy
+	var iamPolicy *iampolicy.Policy
 	if strings.TrimSpace(policy) != "" {
 		iamp, err := iampolicy.ParseConfig(bytes.NewReader([]byte(policy)))
 		if err != nil {