This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
This PR adds support for oidc in mcs, to enable idp
authentication you need to pass the following environment variables and
restart mcs.
```
MCS_IDP_URL=""
MCS_IDP_CLIENT_ID=""
MCS_IDP_SECRET=""
MCS_IDP_CALLBACK=""
```
Trace Api uses websocket to send trace information, a
valid jwt token needs to be sent either on the header
or as a cookie of the ws request to start.
Three goroutines are needed to ensure communication
if read hearbeat fails all trace should stop by cancelling
the context. WaitGroups are needed to ensure all
goroutines finish gracefully.
adds new functionality for creating a service
account for a user, for this, an admin client
is created with the user credentials so that
the service account can be assigned to him.
This also updates to minio RELEASE.2020-04-28T23-56-56Z
updates code to be compatible with:
- github.com/minio/mc v0.0.0-20200415193718-68b638f2f96c
- github.com/minio/minio v0.0.0-20200415191640-bde0f444dbab
Note: admin_config api is patched temporarily now to
return the target configuration as a raw string due to the
changes done on minio.
Implemented user-groups integration for mcs, this allows to store the user groups during the user creation.
Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
* Added structure to swagger
* Added updateUserGroups handlers
* Updated return definition for user groups.
* Logic rewrite
* Removed logs
* Added some tests to updateUserGroups
* lint fix
* Updated tests for the new API
* Lint
* Added comment about why we are setting this groups individually. & more lint fixes
* Updated tests page
* Added more tests & fixed comments for PR
* Lint utils file
* Fixed import orders
* Changed import order
Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
Delete in memory session when user logout from mcs
lint fixes
Click logout button triggers logout request
Clicking the actual logout button send the POST /logout request on mcs
UI
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
addPolicy endpoint will read policies as json string, this to allow
s3 iam policy compatibility (uppercase in json attributes) and to be
consistent with other mcs apis, once https://github.com/minio/minio/pull/9181
is merged we can return a type struct{}
fix policies test to new refactor
goimports
more golint fixes
* Implementation of RemoveUser from madmin
* Added removeUser structure.
* Added removeUserResponse actions
* Added delete API to swagger
* Added tests to removeUser functions
* Removed extra space at EOF
* Changed context to be a parameter in admin_users functions
Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
