feat: Added userplus role in IAM, who has the same opportunities as the user, but may also create a bucket

2026-01-04 11:03:57 +00:00 · 2024-02-20 14:24:26 -05:00
parent 8d229b5878
commit fa54dfeb9f
7 changed files with 23 additions and 15 deletions
--- a/auth/acl.go
+++ b/auth/acl.go
@@ -239,14 +239,14 @@ func VerifyACL(acl ACL, access string, permission types.Permission, isRoot bool)
 	return s3err.GetAPIError(s3err.ErrAccessDenied)
 }

-func IsAdmin(acct Account, isRoot bool) error {
+func MayCreateBucket(acct Account, isRoot bool) error {
 	if isRoot {
 		return nil
 	}

-	if acct.Role == "admin" {
-		return nil
+	if acct.Role == RoleUser {
+		return s3err.GetAPIError(s3err.ErrAccessDenied)
 	}

-	return s3err.GetAPIError(s3err.ErrAccessDenied)
+	return nil
 }
--- a/auth/iam.go
+++ b/auth/iam.go
@@ -20,11 +20,19 @@ import (
 	"time"
 )

+type Role string
+
+const (
+	RoleUser     Role = "user"
+	RoleAdmin    Role = "admin"
+	RoleUserPlus Role = "userplus"
+)
+
 // Account is a gateway IAM account
 type Account struct {
 	Access    string `json:"access"`
 	Secret    string `json:"secret"`
-	Role      string `json:"role"`
+	Role      Role   `json:"role"`
 	UserID    int    `json:"userID"`
 	GroupID   int    `json:"groupID"`
 	ProjectID int    `json:"projectID"`
--- a/auth/iam_cache.go
+++ b/auth/iam_cache.go
@@ -130,7 +130,7 @@ func (c *IAMCache) CreateAccount(account Account) error {
 	acct := Account{
 		Access: strings.Clone(account.Access),
 		Secret: strings.Clone(account.Secret),
-		Role:   strings.Clone(account.Role),
+		Role:   Role(strings.Clone(string(account.Role))),
 	}

 	c.iamcache.set(acct.Access, acct)
--- a/auth/iam_ldap.go
+++ b/auth/iam_ldap.go
@@ -46,7 +46,7 @@ func (ld *LdapIAMService) CreateAccount(account Account) error {
 	userEntry.Attribute("objectClass", ld.objClasses)
 	userEntry.Attribute(ld.accessAtr, []string{account.Access})
 	userEntry.Attribute(ld.secretAtr, []string{account.Secret})
-	userEntry.Attribute(ld.roleAtr, []string{account.Role})
+	userEntry.Attribute(ld.roleAtr, []string{string(account.Role)})

 	err := ld.conn.Add(userEntry)
 	if err != nil {
@@ -78,7 +78,7 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 	return Account{
 		Access: entry.GetAttributeValue(ld.accessAtr),
 		Secret: entry.GetAttributeValue(ld.secretAtr),
-		Role:   entry.GetAttributeValue(ld.roleAtr),
+		Role:   Role(entry.GetAttributeValue(ld.roleAtr)),
 	}, nil
 }

@@ -120,7 +120,7 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 		result = append(result, Account{
 			Access: el.GetAttributeValue(ld.accessAtr),
 			Secret: el.GetAttributeValue(ld.secretAtr),
-			Role:   el.GetAttributeValue(ld.roleAtr),
+			Role:   Role(el.GetAttributeValue(ld.roleAtr)),
 		})
 	}

--- a/cmd/versitygw/admin.go
+++ b/cmd/versitygw/admin.go
@@ -164,14 +164,14 @@ func createUser(ctx *cli.Context) error {
 	if access == "" || secret == "" {
 		return fmt.Errorf("invalid input parameters for the new user")
 	}
-	if role != "admin" && role != "user" {
-		return fmt.Errorf("invalid input parameter for role")
+	if role != string(auth.RoleAdmin) && role != string(auth.RoleUser) && role != string(auth.RoleUserPlus) {
+		return fmt.Errorf("invalid input parameter for role: %v", role)
 	}

 	acc := auth.Account{
 		Access:    access,
 		Secret:    secret,
-		Role:      role,
+		Role:      auth.Role(role),
 		UserID:    userID,
 		GroupID:   groupID,
 		ProjectID: projectID,
--- a/s3api/controllers/admin.go
+++ b/s3api/controllers/admin.go
@@ -43,8 +43,8 @@ func (c AdminController) CreateUser(ctx *fiber.Ctx) error {
 		return fmt.Errorf("failed to parse request body: %w", err)
 	}

-	if usr.Role != "user" && usr.Role != "admin" {
-		return fmt.Errorf("invalid parameters: user role have to be one of the following: 'user', 'admin'")
+	if usr.Role != auth.RoleAdmin && usr.Role != auth.RoleUser && usr.Role != auth.RoleUserPlus {
+		return fmt.Errorf("invalid parameters: user role have to be one of the following: 'user', 'admin', 'userplus'")
 	}

 	err = c.iam.CreateAccount(usr)
--- a/s3api/middlewares/acl-parser.go
+++ b/s3api/middlewares/acl-parser.go
@@ -39,7 +39,7 @@ func AclParser(be backend.Backend, logger s3log.AuditLogger) fiber.Handler {
 			return ctx.Next()
 		}
 		if len(pathParts) == 2 && pathParts[1] != "" && ctx.Method() == http.MethodPut && !ctx.Request().URI().QueryArgs().Has("acl") && !ctx.Request().URI().QueryArgs().Has("tagging") {
-			if err := auth.IsAdmin(acct, isRoot); err != nil {
+			if err := auth.MayCreateBucket(acct, isRoot); err != nil {
 				return controllers.SendXMLResponse(ctx, nil, err, &controllers.MetaOpts{Logger: logger, Action: "CreateBucket"})
 			}
 			return ctx.Next()