mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-22 17:51:30 +00:00
37e6263efe
When jwt.filer_signing.key is set, the filer's IamGrpcServer requires a Bearer token on every IAM RPC. The shell's s3.* IAM commands dialed without that header and failed with Unauthenticated. Route them through a small helper that mints a token from the same key viper-loaded from security.toml and appends it as outgoing metadata, matching the credential grpc_store pattern.
87 lines
2.1 KiB
Go
87 lines
2.1 KiB
Go
package shell
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
)
|
|
|
|
func init() {
|
|
Commands = append(Commands, &commandS3PolicyAttach{})
|
|
}
|
|
|
|
type commandS3PolicyAttach struct {
|
|
}
|
|
|
|
func (c *commandS3PolicyAttach) Name() string {
|
|
return "s3.policy.attach"
|
|
}
|
|
|
|
func (c *commandS3PolicyAttach) Help() string {
|
|
return `attach a policy to an S3 IAM user
|
|
|
|
s3.policy.attach -policy <policy_name> -user <username>
|
|
|
|
The policy must already exist (create it with s3.policy -put).
|
|
`
|
|
}
|
|
|
|
func (c *commandS3PolicyAttach) HasTag(CommandTag) bool {
|
|
return false
|
|
}
|
|
|
|
func (c *commandS3PolicyAttach) Do(args []string, commandEnv *CommandEnv, writer io.Writer) error {
|
|
f := flag.NewFlagSet(c.Name(), flag.ContinueOnError)
|
|
policy := f.String("policy", "", "policy name")
|
|
user := f.String("user", "", "user name")
|
|
if err := f.Parse(args); err != nil {
|
|
return err
|
|
}
|
|
|
|
if *policy == "" {
|
|
return fmt.Errorf("-policy is required")
|
|
}
|
|
if *user == "" {
|
|
return fmt.Errorf("-user is required")
|
|
}
|
|
|
|
return commandEnv.withIamClient(func(ctx context.Context, client iam_pb.SeaweedIdentityAccessManagementClient) error {
|
|
// Verify the policy exists
|
|
_, err := client.GetPolicy(ctx, &iam_pb.GetPolicyRequest{Name: *policy})
|
|
if err != nil {
|
|
return fmt.Errorf("get policy %q: %w", *policy, err)
|
|
}
|
|
|
|
// Get the user
|
|
resp, err := client.GetUser(ctx, &iam_pb.GetUserRequest{Username: *user})
|
|
if err != nil {
|
|
return fmt.Errorf("get user %q: %w", *user, err)
|
|
}
|
|
if resp.Identity == nil {
|
|
return fmt.Errorf("user %q returned empty identity", *user)
|
|
}
|
|
|
|
// Check if already attached
|
|
for _, p := range resp.Identity.PolicyNames {
|
|
if p == *policy {
|
|
return json.NewEncoder(writer).Encode(map[string]string{"policy": *policy, "user": *user})
|
|
}
|
|
}
|
|
|
|
resp.Identity.PolicyNames = append(resp.Identity.PolicyNames, *policy)
|
|
_, err = client.UpdateUser(ctx, &iam_pb.UpdateUserRequest{
|
|
Username: *user,
|
|
Identity: resp.Identity,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return json.NewEncoder(writer).Encode(map[string]string{"policy": *policy, "user": *user})
|
|
})
|
|
}
|