mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-22 01:31:34 +00:00
d50889002b
* shell: add s3.iam.*, s3.config.show, s3.user.provision; hide legacy commands Add import/export, configuration summary, and a convenience provisioning command: - s3.iam.export: dump full IAM state as JSON (stdout or file) - s3.iam.import: replace IAM state from a JSON file - s3.config.show: human-readable summary (users, policies, service accounts, groups with status and counts) - s3.user.provision: one-step user+policy+credentials creation for common readonly/readwrite/admin roles Hide legacy commands from help listing: - s3.configure: still works but hidden from help output - s3.bucket.access: still works but hidden from help output Both hidden commands remain fully functional for existing scripts. Also adds a Hidden command tag and filters it from printGenericHelp. * shell: address review feedback for s3.iam.*, s3.config.show, s3.user.provision - Simplify joinMax using strings.Join - Fix rolePolicies: remove s3:ListBucket from object-level actions (already covered by bucket-level statement) - Fix admin role: grant s3:* on bucket resource too - Return flag parse errors instead of swallowing them * shell: address missed review feedback for PR 3 - s3.iam.import: require -force flag for destructive IAM overwrite - s3.config.show: add nil guard for resp.Configuration - s3.user.provision: check if user exists before creating policy - s3.user.provision: reject wildcard bucket names (* ?) * shell: distinguish NotFound from transient errors in provision, use %w wrapping - s3.user.provision: check gRPC status code on GetUser error — only proceed on NotFound, abort on transient/network errors - s3.iam.import: use %w for error wrapping to preserve error chains, wrap PutConfiguration error with context * shell: remove duplicate joinMax after PR 8954 merge command_s3_helpers.go defined joinMax which is already in command_s3_user_list.go from the merged PR 8954. * shell: restrict export file permissions, rollback policy on user create failure - s3.iam.export: use os.OpenFile with mode 0600 instead of os.Create to protect exported credentials from other users - s3.user.provision: rollback the created policy if CreateUser fails, with a warning if the rollback itself fails
81 lines
1.9 KiB
Go
81 lines
1.9 KiB
Go
package shell
|
|
|
|
import (
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/filer"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"google.golang.org/grpc"
|
|
)
|
|
|
|
func init() {
|
|
Commands = append(Commands, &commandS3IAMExport{})
|
|
}
|
|
|
|
type commandS3IAMExport struct {
|
|
}
|
|
|
|
func (c *commandS3IAMExport) Name() string {
|
|
return "s3.iam.export"
|
|
}
|
|
|
|
func (c *commandS3IAMExport) Help() string {
|
|
return `export the full S3 IAM configuration as JSON
|
|
|
|
s3.iam.export
|
|
s3.iam.export -file backup.json
|
|
|
|
Exports all users, credentials, policies, service accounts, and groups.
|
|
Without -file, prints to stdout.
|
|
`
|
|
}
|
|
|
|
func (c *commandS3IAMExport) HasTag(CommandTag) bool {
|
|
return false
|
|
}
|
|
|
|
func (c *commandS3IAMExport) Do(args []string, commandEnv *CommandEnv, writer io.Writer) error {
|
|
f := flag.NewFlagSet(c.Name(), flag.ContinueOnError)
|
|
file := f.String("file", "", "output file path (stdout if omitted)")
|
|
if err := f.Parse(args); err != nil {
|
|
return err
|
|
}
|
|
|
|
return pb.WithGrpcClient(false, 0, func(conn *grpc.ClientConn) error {
|
|
client := iam_pb.NewSeaweedIdentityAccessManagementClient(conn)
|
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
|
defer cancel()
|
|
|
|
resp, err := client.GetConfiguration(ctx, &iam_pb.GetConfigurationRequest{})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var out io.Writer = writer
|
|
if *file != "" {
|
|
fp, err := os.OpenFile(*file, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
if err != nil {
|
|
return fmt.Errorf("create file: %v", err)
|
|
}
|
|
defer fp.Close()
|
|
out = fp
|
|
}
|
|
|
|
if err := filer.ProtoToText(out, resp.Configuration); err != nil {
|
|
return err
|
|
}
|
|
fmt.Fprintln(out)
|
|
|
|
if *file != "" {
|
|
fmt.Fprintf(writer, "Exported IAM configuration to %s\n", *file)
|
|
}
|
|
return nil
|
|
}, commandEnv.option.FilerAddress.ToGrpcAddress(), false, commandEnv.option.GrpcDialOption)
|
|
}
|