mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-14 05:41:29 +00:00
d50889002b
* shell: add s3.iam.*, s3.config.show, s3.user.provision; hide legacy commands Add import/export, configuration summary, and a convenience provisioning command: - s3.iam.export: dump full IAM state as JSON (stdout or file) - s3.iam.import: replace IAM state from a JSON file - s3.config.show: human-readable summary (users, policies, service accounts, groups with status and counts) - s3.user.provision: one-step user+policy+credentials creation for common readonly/readwrite/admin roles Hide legacy commands from help listing: - s3.configure: still works but hidden from help output - s3.bucket.access: still works but hidden from help output Both hidden commands remain fully functional for existing scripts. Also adds a Hidden command tag and filters it from printGenericHelp. * shell: address review feedback for s3.iam.*, s3.config.show, s3.user.provision - Simplify joinMax using strings.Join - Fix rolePolicies: remove s3:ListBucket from object-level actions (already covered by bucket-level statement) - Fix admin role: grant s3:* on bucket resource too - Return flag parse errors instead of swallowing them * shell: address missed review feedback for PR 3 - s3.iam.import: require -force flag for destructive IAM overwrite - s3.config.show: add nil guard for resp.Configuration - s3.user.provision: check if user exists before creating policy - s3.user.provision: reject wildcard bucket names (* ?) * shell: distinguish NotFound from transient errors in provision, use %w wrapping - s3.user.provision: check gRPC status code on GetUser error — only proceed on NotFound, abort on transient/network errors - s3.iam.import: use %w for error wrapping to preserve error chains, wrap PutConfiguration error with context * shell: remove duplicate joinMax after PR 8954 merge command_s3_helpers.go defined joinMax which is already in command_s3_user_list.go from the merged PR 8954. * shell: restrict export file permissions, rollback policy on user create failure - s3.iam.export: use os.OpenFile with mode 0600 instead of os.Create to protect exported credentials from other users - s3.user.provision: rollback the created policy if CreateUser fails, with a warning if the rollback itself fails
117 lines
2.9 KiB
Go
117 lines
2.9 KiB
Go
package shell
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"text/tabwriter"
|
|
"time"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"google.golang.org/grpc"
|
|
)
|
|
|
|
func init() {
|
|
Commands = append(Commands, &commandS3ConfigShow{})
|
|
}
|
|
|
|
type commandS3ConfigShow struct {
|
|
}
|
|
|
|
func (c *commandS3ConfigShow) Name() string {
|
|
return "s3.config.show"
|
|
}
|
|
|
|
func (c *commandS3ConfigShow) Help() string {
|
|
return `show a summary of the current S3 IAM configuration
|
|
|
|
s3.config.show
|
|
|
|
Displays counts and a brief listing of users, policies, service accounts,
|
|
and groups. Use s3.iam.export for the full JSON dump.
|
|
`
|
|
}
|
|
|
|
func (c *commandS3ConfigShow) HasTag(CommandTag) bool {
|
|
return false
|
|
}
|
|
|
|
func (c *commandS3ConfigShow) Do(args []string, commandEnv *CommandEnv, writer io.Writer) error {
|
|
return pb.WithGrpcClient(false, 0, func(conn *grpc.ClientConn) error {
|
|
client := iam_pb.NewSeaweedIdentityAccessManagementClient(conn)
|
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
|
defer cancel()
|
|
|
|
resp, err := client.GetConfiguration(ctx, &iam_pb.GetConfigurationRequest{})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cfg := resp.Configuration
|
|
if cfg == nil {
|
|
fmt.Fprintln(writer, "No S3 IAM configuration found.")
|
|
return nil
|
|
}
|
|
|
|
fmt.Fprintf(writer, "S3 IAM Configuration Summary\n")
|
|
fmt.Fprintf(writer, "============================\n\n")
|
|
|
|
// Users
|
|
fmt.Fprintf(writer, "Users: %d\n", len(cfg.Identities))
|
|
if len(cfg.Identities) > 0 {
|
|
tw := tabwriter.NewWriter(writer, 0, 4, 2, ' ', 0)
|
|
fmt.Fprintln(tw, " NAME\tSTATUS\tSOURCE\tKEYS\tPOLICIES")
|
|
for _, id := range cfg.Identities {
|
|
status := "enabled"
|
|
if id.Disabled {
|
|
status = "disabled"
|
|
}
|
|
source := "dynamic"
|
|
if id.IsStatic {
|
|
source = "static"
|
|
}
|
|
policies := "-"
|
|
if len(id.PolicyNames) > 0 {
|
|
policies = joinMax(id.PolicyNames, 3)
|
|
}
|
|
fmt.Fprintf(tw, " %s\t%s\t%s\t%d\t%s\n",
|
|
id.Name, status, source, len(id.Credentials), policies)
|
|
}
|
|
tw.Flush()
|
|
}
|
|
fmt.Fprintln(writer)
|
|
|
|
// Policies
|
|
fmt.Fprintf(writer, "Policies: %d\n", len(cfg.Policies))
|
|
if len(cfg.Policies) > 0 {
|
|
for _, p := range cfg.Policies {
|
|
fmt.Fprintf(writer, " %s\n", p.Name)
|
|
}
|
|
}
|
|
fmt.Fprintln(writer)
|
|
|
|
// Service Accounts
|
|
fmt.Fprintf(writer, "Service Accounts: %d\n", len(cfg.ServiceAccounts))
|
|
if len(cfg.ServiceAccounts) > 0 {
|
|
for _, sa := range cfg.ServiceAccounts {
|
|
status := "enabled"
|
|
if sa.Disabled {
|
|
status = "disabled"
|
|
}
|
|
fmt.Fprintf(writer, " %s (parent: %s, %s)\n", sa.Id, sa.ParentUser, status)
|
|
}
|
|
}
|
|
fmt.Fprintln(writer)
|
|
|
|
// Groups
|
|
fmt.Fprintf(writer, "Groups: %d\n", len(cfg.Groups))
|
|
if len(cfg.Groups) > 0 {
|
|
for _, g := range cfg.Groups {
|
|
fmt.Fprintf(writer, " %s (%d members)\n", g.Name, len(g.Members))
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}, commandEnv.option.FilerAddress.ToGrpcAddress(), false, commandEnv.option.GrpcDialOption)
|
|
}
|