update to v0.6.2

Disable Users and Groups Menu options when LDAP is enabled on MinIO (#614 )
update to v0.6.1
2021-02-26 13:01:28 -08:00 · 2021-02-26 11:20:17 -08:00 · 2021-02-25 10:20:32 -08:00
9 changed files with 35 additions and 7 deletions
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -6,8 +6,8 @@ COPY LICENSE /licenses/LICENSE
 LABEL name="MinIO" \
      vendor="MinIO Inc <dev@min.io>" \
      maintainer="MinIO Inc <dev@min.io>" \
-      version="v0.6.0" \
-      release="v0.6.0" \
+      version="v0.6.2" \
+      release="v0.6.2" \
      summary="A graphical user interface for MinIO" \
      description="MinIO object storage is fundamentally different. Designed for performance and the S3 API, it is 100% open-source. MinIO is ideal for large, private cloud environments with stringent security requirements and delivers mission-critical availability across a diverse range of workloads."

--- a/k8s/console/base/console-deployment.yaml
+++ b/k8s/console/base/console-deployment.yaml
@@ -15,7 +15,7 @@ spec:
      serviceAccountName: console-sa
      containers:
        - name: console
-          image: minio/console:v0.6.0
+          image: minio/console:v0.6.2
          imagePullPolicy: "IfNotPresent"
          args:
            - server
--- a/k8s/operator-console/base/console-deployment.yaml
+++ b/k8s/operator-console/base/console-deployment.yaml
@@ -15,7 +15,7 @@ spec:
      serviceAccountName: console-sa
      containers:
        - name: console
-          image: minio/console:v0.6.0
+          image: minio/console:v0.6.2
          imagePullPolicy: "IfNotPresent"
          env:
            - name: CONSOLE_OPERATOR_MODE
--- a/pkg/acl/config.go
+++ b/pkg/acl/config.go
@@ -26,3 +26,7 @@ import (
 func GetOperatorMode() bool {
 	return strings.ToLower(env.Get(consoleOperatorMode, "off")) == "on"
 }
+
+func GetLDAPEnabled() bool {
+	return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on"
+}
--- a/pkg/acl/const.go
+++ b/pkg/acl/const.go
@@ -18,4 +18,6 @@ package acl

 const (
 	consoleOperatorMode = "CONSOLE_OPERATOR_MODE"
+	// const for ldap configuration
+	ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED"
 )
--- a/pkg/acl/endpoints.go
+++ b/pkg/acl/endpoints.go
@@ -243,6 +243,17 @@ var healthInfoActionSet = ConfigurationActionSet{
 	),
 }

+var displayRules = map[string]func() bool{
+	// disable users page if LDAP is enabled
+	users: func() bool {
+		return !GetLDAPEnabled()
+	},
+	// disable groups page if LDAP is enabled
+	groups: func() bool {
+		return !GetLDAPEnabled()
+	},
+}
+
 // endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here
 var endpointRules = map[string]ConfigurationActionSet{
 	configuration:       configurationActionSet,
@@ -337,6 +348,15 @@ func GetAuthorizedEndpoints(actions []string) []string {
 	userAllowedAction := actionsStringToActionSet(actions)
 	var allowedEndpoints []string
 	for endpoint, rules := range rangeTake {
+
+		// check if display rule exists for this endpoint, this will control
+		// what user sees on the console UI
+		if rule, ok := displayRules[endpoint]; ok {
+			if rule != nil && !rule() {
+				continue
+			}
+		}
+
 		// check if user policy matches s3:* or admin:* typesIntersection
 		endpointActionTypes := rules.actionTypes
 		typesIntersection := endpointActionTypes.Intersection(userAllowedAction)
--- a/restapi/admin_tenants_test.go
+++ b/restapi/admin_tenants_test.go
@@ -1028,7 +1028,7 @@ func Test_UpdateTenantAction(t *testing.T) {
 				},
 				params: admin_api.UpdateTenantParams{
 					Body: &models.UpdateTenantRequest{
-						ConsoleImage: "minio/console:v0.6.0",
+						ConsoleImage: "minio/console:v0.6.2",
 					},
 				},
 			},
--- a/restapi/consts.go
+++ b/restapi/consts.go
@@ -63,7 +63,7 @@ const (
 // Image versions
 const (
 	KESImageVersion            = "minio/kes:v0.13.4"
-	ConsoleImageDefaultVersion = "minio/console:v0.6.0"
+	ConsoleImageDefaultVersion = "minio/console:v0.6.2"
 )

 // K8s
--- a/restapi/user_service_accounts.go
+++ b/restapi/user_service_accounts.go
@@ -58,7 +58,9 @@ func registerServiceAccountsHandlers(api *operations.ConsoleAPI) {

 // createServiceAccount adds a service account to the userClient and assigns a policy to him if defined.
 func createServiceAccount(ctx context.Context, userClient MinioAdmin, policy string) (*models.ServiceAccountCreds, error) {
-	iamPolicy := &iampolicy.Policy{}
+	// By default a nil policy will be used so the service account inherit the parent account policy, otherwise
+	// we override with the user provided iam policy
+	var iamPolicy *iampolicy.Policy
 	if strings.TrimSpace(policy) != "" {
 		iamp, err := iampolicy.ParseConfig(bytes.NewReader([]byte(policy)))
 		if err != nil {
Author	SHA1	Message	Date
Minio Trusted	8a4139c8e7	update to v0.6.2	2021-02-26 13:01:28 -08:00
Lenin Alevski	34bcd25c9f	Disable Users and Groups Menu options when LDAP is enabled on MinIO (#614 )	2021-02-26 11:20:17 -08:00
Minio Trusted	7853aa6bb9	update to v0.6.1	2021-02-25 10:20:32 -08:00