Explicit IAM gRPC APIs for S3 Server (#8126)

* Update IAM and S3 protobuf definitions for explicit IAM gRPC APIs * Refactor s3api: Extract generic ExecuteAction method for IAM operations * Implement explicit IAM gRPC APIs in S3 server * iam: remove deprecated GetConfiguration and PutConfiguration RPCs * iamapi: refactor handlers to use CredentialManager directly * s3api: refactor embedded IAM to use CredentialManager directly * server: remove deprecated configuration gRPC handlers * credential/grpc: refactor configuration calls to return error * shell: update s3.configure to list users instead of full config * s3api: fix CreateServiceAccount gRPC handler to map required fields * s3api: fix UpdateServiceAccount gRPC handler to map fields and safe status * s3api: enforce UserName in embedded IAM ListAccessKeys * test: fix test_config.json structure to match proto definition * Revert "credential/grpc: refactor configuration calls to return error" This reverts commit cde707dd8b88c7d1bd730271518542eceb5ed069. * Revert "server: remove deprecated configuration gRPC handlers" This reverts commit 7307e205a083c8315cf84ddc2614b3e50eda2e33. * Revert "s3api: enforce UserName in embedded IAM ListAccessKeys" This reverts commit adf727ba52b4f3ffb911f0d0df85db858412ff83. * Revert "s3api: fix UpdateServiceAccount gRPC handler to map fields and safe status" This reverts commit 6a4be3314d43b6c8fda8d5e0558e83e87a19df3f. * Revert "s3api: fix CreateServiceAccount gRPC handler to map required fields" This reverts commit 9bb4425f07fbad38fb68d33e5c0aa573d8912a37. * Revert "shell: update s3.configure to list users instead of full config" This reverts commit f3304ead537b3e6be03d46df4cb55983ab931726. * Revert "s3api: refactor embedded IAM to use CredentialManager directly" This reverts commit 9012f27af82d11f0e824877712a5ae2505a65f86. * Revert "iamapi: refactor handlers to use CredentialManager directly" This reverts commit 3a148212236576b0a3aa4d991c2abb014fb46091. * Revert "iam: remove deprecated GetConfiguration and PutConfiguration RPCs" This reverts commit e16e08aa0099699338d3155bc7428e1051ce0a6a. * s3api: address IAM code review comments (error handling, logging, gRPC response mapping) * s3api: add robustness to startup by retrying KEK and IAM config loading from Filer * s3api: address IAM gRPC code review comments (safety, validation, status logic) * fix return
2026-01-26 13:38:15 -08:00
parent c5b53397c6
commit 43229b05ce
11 changed files with 1844 additions and 669 deletions
--- a/test/s3/iam/test_config.json
+++ b/test/s3/iam/test_config.json
@@ -37,274 +37,6 @@
      ]
    }
  ],
-  "iam": {
-    "enabled": true,
-    "sts": {
-      "tokenDuration": "15m",
-      "issuer": "seaweedfs-sts",
-      "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
-    },
-    "policy": {
-      "defaultEffect": "Deny"
-    },
-    "providers": {
-      "oidc": {
-        "test-oidc": {
-          "issuer": "http://localhost:8080/.well-known/openid_configuration",
-          "clientId": "test-client-id",
-          "jwksUri": "http://localhost:8080/jwks",
-          "userInfoUri": "http://localhost:8080/userinfo",
-          "roleMapping": {
-            "rules": [
-              {
-                "claim": "groups",
-                "claimValue": "admins",
-                "roleName": "S3AdminRole"
-              },
-              {
-                "claim": "groups",
-                "claimValue": "users",
-                "roleName": "S3ReadOnlyRole"
-              },
-              {
-                "claim": "groups",
-                "claimValue": "writers",
-                "roleName": "S3WriteOnlyRole"
-              }
-            ]
-          },
-          "claimsMapping": {
-            "email": "email",
-            "displayName": "name",
-            "groups": "groups"
-          }
-        }
-      },
-      "ldap": {
-        "test-ldap": {
-          "server": "ldap://localhost:389",
-          "baseDN": "dc=example,dc=com",
-          "bindDN": "cn=admin,dc=example,dc=com",
-          "bindPassword": "admin-password",
-          "userFilter": "(uid=%s)",
-          "groupFilter": "(memberUid=%s)",
-          "attributes": {
-            "email": "mail",
-            "displayName": "cn",
-            "groups": "memberOf"
-          },
-          "roleMapping": {
-            "rules": [
-              {
-                "claim": "groups",
-                "claimValue": "cn=admins,ou=groups,dc=example,dc=com",
-                "roleName": "S3AdminRole"
-              },
-              {
-                "claim": "groups",
-                "claimValue": "cn=users,ou=groups,dc=example,dc=com",
-                "roleName": "S3ReadOnlyRole"
-              }
-            ]
-          }
-        }
-      }
-    },
-    "policyStore": {}
-  },
-  "roles": {
-    "S3AdminRole": {
-      "trustPolicy": {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": {
-              "Federated": [
-                "test-oidc",
-                "test-ldap"
-              ]
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity"
-          }
-        ]
-      },
-      "attachedPolicies": [
-        "S3AdminPolicy"
-      ],
-      "description": "Full administrative access to S3 resources"
-    },
-    "S3ReadOnlyRole": {
-      "trustPolicy": {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": {
-              "Federated": [
-                "test-oidc",
-                "test-ldap"
-              ]
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity"
-          }
-        ]
-      },
-      "attachedPolicies": [
-        "S3ReadOnlyPolicy"
-      ],
-      "description": "Read-only access to S3 resources"
-    },
-    "S3WriteOnlyRole": {
-      "trustPolicy": {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": {
-              "Federated": [
-                "test-oidc",
-                "test-ldap"
-              ]
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity"
-          }
-        ]
-      },
-      "attachedPolicies": [
-        "S3WriteOnlyPolicy"
-      ],
-      "description": "Write-only access to S3 resources"
-    }
-  },
-  "policies": {
-    "S3AdminPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:*",
-            "iam:*"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*",
-            "arn:aws:iam:::*"
-          ]
-        }
-      ]
-    },
-    "S3ReadOnlyPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:GetBucketLocation",
-            "s3:GetBucketVersioning"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*"
-          ]
-        }
-      ]
-    },
-    "S3WriteOnlyPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:PutObject",
-            "s3:PutObjectAcl",
-            "s3:DeleteObject",
-            "s3:DeleteObjectVersion",
-            "s3:InitiateMultipartUpload",
-            "s3:UploadPart",
-            "s3:CompleteMultipartUpload",
-            "s3:AbortMultipartUpload",
-            "s3:ListMultipartUploadParts"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*/*"
-          ]
-        }
-      ]
-    },
-    "S3BucketManagementPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:CreateBucket",
-            "s3:DeleteBucket",
-            "s3:GetBucketPolicy",
-            "s3:PutBucketPolicy",
-            "s3:DeleteBucketPolicy",
-            "s3:GetBucketVersioning",
-            "s3:PutBucketVersioning"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*"
-          ]
-        }
-      ]
-    },
-    "S3IPRestrictedPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:*"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*"
-          ],
-          "Condition": {
-            "IpAddress": {
-              "aws:SourceIp": [
-                "192.168.1.0/24",
-                "10.0.0.0/8"
-              ]
-            }
-          }
-        }
-      ]
-    },
-    "S3TimeBasedPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:GetObject",
-            "s3:ListBucket"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*"
-          ],
-          "Condition": {
-            "DateGreaterThan": {
-              "aws:CurrentTime": "2023-01-01T00:00:00Z"
-            },
-            "DateLessThan": {
-              "aws:CurrentTime": "2025-12-31T23:59:59Z"
-            }
-          }
-        }
-      ]
-    }
-  },
  "bucketPolicyExamples": {
    "PublicReadPolicy": {
      "Version": "2012-10-17",