LDAP authentication support for MCS (#114)

This PR adds ldap authentication support for mcs based on https://github.com/minio/minio/blob/master/docs/sts/ldap.md How to test: ``` $ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.3.0 ``` Run the `billy.ldif` file using `ldapadd` command to create a new user and assign it to a group. ``` $ cat > billy.ldif << EOF dn: uid=billy,dc=example,dc=org uid: billy cn: billy sn: 3 objectClass: top objectClass: posixAccount objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/billy uidNumber: 14583102 gidNumber: 14564100 userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A mail: billy@example.org gecos: Billy User dn: ou=groups,dc=example,dc=org objectclass:organizationalunit ou: groups description: generic groups branch of s3::*) dn: cn=mcsAdmin,ou=groups,dc=example,dc=org objectClass: top objectClass: posixGroup gidNumber: 678 dn: cn=mcsAdmin,ou=groups,dc=example,dc=org changetype: modify add: memberuid memberuid: billy EOF $ docker cp billy.ldif my-openldap-container:/container/service/slapd/assets/test/billy.ldif $ docker exec my-openldap-container ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ ``` Query the ldap server to check the user billy was created correctly and got assigned to the mcsAdmin group, you should get a list containing ldap users and groups. ``` $ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin ``` Query the ldap server again, this time filtering only for the user `billy`, you should see only 1 record. ``` $ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin ``` Change the password for user billy Set the new password for `billy` to `minio123` and enter `admin` as the default `LDAP Password` ``` $ docker exec -it my-openldap-container /bin/bash ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W -S "uid=billy,dc=example,dc=org" New password: Re-enter new password: Enter LDAP Password: ``` Add the mcsAdmin policy to user billy on MinIO ``` $ cat > mcsAdmin.json << EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "admin:*" ], "Effect": "Allow", "Sid": "" }, { "Action": [ "s3:*" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::*" ], "Sid": "" } ] } EOF $ mc admin policy add myminio mcsAdmin mcsAdmin.json $ mc admin policy set myminio mcsAdmin user=billy ``` Run MinIO ``` export MINIO_ACCESS_KEY=minio export MINIO_SECRET_KEY=minio123 export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389' export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org' export MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))' export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on ./minio server ~/Data ``` Run MCS ``` export MCS_ACCESS_KEY=minio export MCS_SECRET_KEY=minio123 ... export MCS_LDAP_ENABLED=on ./mcs server ```
2020-05-12 10:26:38 -07:00
parent 0f77a32656
commit 438211199d
7 changed files with 252 additions and 17 deletions
--- a/restapi/client.go
+++ b/restapi/client.go
@@ -18,13 +18,15 @@ package restapi

 import (
 	"context"
-	"errors"
 	"fmt"

+	"errors"
+
 	mc "github.com/minio/mc/cmd"
 	"github.com/minio/mc/pkg/probe"
 	"github.com/minio/mcs/pkg/auth"
 	xjwt "github.com/minio/mcs/pkg/auth/jwt"
+	"github.com/minio/mcs/pkg/auth/ldap"
 	"github.com/minio/minio-go/v6"
 	"github.com/minio/minio-go/v6/pkg/credentials"
 )
@@ -153,26 +155,43 @@ func (s mcsSTSAssumeRole) IsExpired() bool {
 var STSClient = PrepareSTSClient()

 func newMcsCredentials(accessKey, secretKey, location string) (*credentials.Credentials, error) {
-	stsEndpoint := getMinIOServer()
-	if stsEndpoint == "" {
+	mcsEndpoint := getMinIOServer()
+	if mcsEndpoint == "" {
 		return nil, errors.New("STS endpoint cannot be empty")
 	}
 	if accessKey == "" || secretKey == "" {
 		return nil, errors.New("AssumeRole credentials access/secretkey is mandatory")
 	}
-	opts := credentials.STSAssumeRoleOptions{
-		AccessKey:       accessKey,
-		SecretKey:       secretKey,
-		Location:        location,
-		DurationSeconds: xjwt.GetMcsSTSAndJWTDurationInSeconds(),
+
+	// Future authentication methods can be added under this switch statement
+	switch {
+	// LDAP authentication for MCS
+	case ldap.GetLDAPEnabled():
+		{
+			creds, err := auth.GetMcsCredentialsFromLDAP(mcsEndpoint, accessKey, secretKey)
+			if err != nil {
+				return nil, err
+			}
+			return creds, nil
+		}
+	// default authentication for MCS is via STS (Security Token Service) against MinIO
+	default:
+		{
+			opts := credentials.STSAssumeRoleOptions{
+				AccessKey:       accessKey,
+				SecretKey:       secretKey,
+				Location:        location,
+				DurationSeconds: xjwt.GetMcsSTSAndJWTDurationInSeconds(),
+			}
+			stsAssumeRole := &credentials.STSAssumeRole{
+				Client:      STSClient,
+				STSEndpoint: mcsEndpoint,
+				Options:     opts,
+			}
+			mcsSTSWrapper := mcsSTSAssumeRole{stsAssumeRole: stsAssumeRole}
+			return credentials.New(mcsSTSWrapper), nil
+		}
 	}
-	stsAssumeRole := &credentials.STSAssumeRole{
-		Client:      STSClient,
-		STSEndpoint: stsEndpoint,
-		Options:     opts,
-	}
-	mcsSTSWrapper := mcsSTSAssumeRole{stsAssumeRole: stsAssumeRole}
-	return credentials.New(mcsSTSWrapper), nil
 }

 // getMcsCredentialsFromJWT returns the *minioCredentials.Credentials associated to the
--- a/restapi/user_login.go
+++ b/restapi/user_login.go
@@ -49,14 +49,14 @@ func registerLoginHandlers(api *operations.McsAPI) {
 	api.UserAPILoginHandler = user_api.LoginHandlerFunc(func(params user_api.LoginParams) middleware.Responder {
 		loginResponse, err := getLoginResponse(params.Body)
 		if err != nil {
-			return user_api.NewLoginDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
+			return user_api.NewLoginDefault(401).WithPayload(&models.Error{Code: 401, Message: swag.String(err.Error())})
 		}
 		return user_api.NewLoginCreated().WithPayload(loginResponse)
 	})
 	api.UserAPILoginOauth2AuthHandler = user_api.LoginOauth2AuthHandlerFunc(func(params user_api.LoginOauth2AuthParams) middleware.Responder {
 		loginResponse, err := getLoginOauth2AuthResponse(params.Body)
 		if err != nil {
-			return user_api.NewLoginOauth2AuthDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
+			return user_api.NewLoginOauth2AuthDefault(401).WithPayload(&models.Error{Code: 401, Message: swag.String(err.Error())})
 		}
 		return user_api.NewLoginOauth2AuthCreated().WithPayload(loginResponse)
 	})