From 34bcd25c9fd894baf37019c10d59eceb89a038e5 Mon Sep 17 00:00:00 2001 From: Lenin Alevski Date: Fri, 26 Feb 2021 11:20:17 -0800 Subject: [PATCH] Disable Users and Groups Menu options when LDAP is enabled on MinIO (#614) --- pkg/acl/config.go | 4 ++++ pkg/acl/const.go | 2 ++ pkg/acl/endpoints.go | 20 ++++++++++++++++++++ restapi/user_service_accounts.go | 4 +++- 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/pkg/acl/config.go b/pkg/acl/config.go index a0dbb47d3..062c9c398 100644 --- a/pkg/acl/config.go +++ b/pkg/acl/config.go @@ -26,3 +26,7 @@ import ( func GetOperatorMode() bool { return strings.ToLower(env.Get(consoleOperatorMode, "off")) == "on" } + +func GetLDAPEnabled() bool { + return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on" +} diff --git a/pkg/acl/const.go b/pkg/acl/const.go index 39f39a3ef..7d4815bd4 100644 --- a/pkg/acl/const.go +++ b/pkg/acl/const.go @@ -18,4 +18,6 @@ package acl const ( consoleOperatorMode = "CONSOLE_OPERATOR_MODE" + // const for ldap configuration + ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED" ) diff --git a/pkg/acl/endpoints.go b/pkg/acl/endpoints.go index f09ccd112..ac2a55dd9 100644 --- a/pkg/acl/endpoints.go +++ b/pkg/acl/endpoints.go @@ -243,6 +243,17 @@ var healthInfoActionSet = ConfigurationActionSet{ ), } +var displayRules = map[string]func() bool{ + // disable users page if LDAP is enabled + users: func() bool { + return !GetLDAPEnabled() + }, + // disable groups page if LDAP is enabled + groups: func() bool { + return !GetLDAPEnabled() + }, +} + // endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here var endpointRules = map[string]ConfigurationActionSet{ configuration: configurationActionSet, 
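Review bot: `GetLDAPEnabled` is exported but carries no doc comment, and its contract is narrower than the name suggests: only the literal value `on` (compared case-insensitively, default `off`) counts as enabled, so `true` or `1` silently mean "off", and the flag describes Console's own environment rather than whether the MinIO server is actually using LDAP. Suggest stating both in the Go doc form: `// GetLDAPEnabled reports whether CONSOLE_LDAP_ENABLED is set to "on" (case-insensitive; unset or any other value means off). It reflects Console's own configuration and does not query the server's identity provider.` The neighbouring `GetOperatorMode` is undocumented too, but it is context here rather than part of this change.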
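Review bot: `ConsoleLDAPEnabled` is exported while the adjacent `consoleOperatorMode` is not, and the comment `// const for ldap configuration` does not say what value the variable is expected to hold. If the export is needed from another package (not visible in this patch), a doc comment in the standard form would make that and the accepted values explicit: `// ConsoleLDAPEnabled names the env var ("on"/"off") telling Console the deployment uses LDAP identity.` If nothing outside `acl` reads it, keeping it unexported would match the existing constant.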
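Review bot: The comments `// disable users page if LDAP is enabled` and `// disable groups page if LDAP is enabled` overstate what `displayRules` does: an entry only removes the endpoint from the list that `GetAuthorizedEndpoints` hands to the UI, and nothing in this patch touches the handlers behind the Users and Groups pages, so this is a presentation rule rather than an authorization rule and its doc should say so before a later reader treats it as one. Suggest a doc comment on the map: `// displayRules hides an endpoint from the UI when its predicate returns false. It is a display hint only; the endpoint's handlers are not disabled.` The two closures are also identical; assigning one shared `func() bool { return !GetLDAPEnabled() }` to both keys would keep them from drifting apart if one is edited later.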
@@ -337,6 +348,15 @@ func GetAuthorizedEndpoints(actions []string) []string { userAllowedAction := actionsStringToActionSet(actions) var allowedEndpoints []string for endpoint, rules := range rangeTake { + + // check if display rule exists for this endpoint, this will control + // what user sees on the console UI + if rule, ok := displayRules[endpoint]; ok { + if rule != nil && !rule() { + continue + } + } + // check if user policy matches s3:* or admin:* typesIntersection endpointActionTypes := rules.actionTypes typesIntersection := endpointActionTypes.Intersection(userAllowedAction) diff --git a/restapi/user_service_accounts.go b/restapi/user_service_accounts.go index a5a61f59f..6b30b899a 100644 --- a/restapi/user_service_accounts.go +++ b/restapi/user_service_accounts.go @@ -58,7 +58,9 @@ func registerServiceAccountsHandlers(api *operations.ConsoleAPI) { // createServiceAccount adds a service account to the userClient and assigns a policy to him if defined. func createServiceAccount(ctx context.Context, userClient MinioAdmin, policy string) (*models.ServiceAccountCreds, error) { - iamPolicy := &iampolicy.Policy{} + // By default a nil policy will be used so the service account inherit the parent account policy, otherwise + // we override with the user provided iam policy + var iamPolicy *iampolicy.Policy if strings.TrimSpace(policy) != "" { iamp, err := iampolicy.ParseConfig(bytes.NewReader([]byte(policy))) if err != nil {
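Review bot: The new `continue` runs before the policy intersection, so a hidden endpoint is dropped regardless of what the caller's policy allows, while nothing in this patch changes the handlers themselves; hiding Users/Groups from the menu therefore must not be relied on to prevent those admin calls when LDAP is in use, and the comment should make that explicit, e.g. `// display rules only shape what the UI shows; they are not an authorization check`. The `rule != nil` guard is harmless but currently unnecessary, since every value in `displayRules` is a non-nil function literal; keep it only if a nil entry is intended to mean "always show", in which case say so. `GetAuthorizedEndpoints` begins at the hunk header and continues past the end of the hunk.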
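Review bot: Replacing the explicit empty `&iampolicy.Policy{}` with a nil `*iampolicy.Policy` is a privilege-widening change for callers that pass no policy: per the added comment the service account now inherits the parent account's policy, instead of the empty policy the old code sent (whose server-side effect is not visible here), so the "no policy" path yields a credential as powerful as the creating user. That is presumably the intended MinIO semantics, but it belongs in the function's doc comment, e.g. `// An empty policy produces a nil session policy, so the service account inherits the parent's full permissions; pass an explicit policy to restrict it.` Whether the server clamps a user-supplied policy to a subset of the parent's is not visible in this hunk and should be confirmed before the UI advertises it as a restriction. Minor: `the service account inherit` should read `inherits`, and `createServiceAccount` continues past the end of the hunk.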