Admin UI: Add policies (#6968)
* add policies to UI, accessing filer directly * view, edit policies * add back buttons for "users" page * remove unused * fix ui dark mode when modal is closed * bucket view details button * fix browser buttons * filer action button works * clean up masters page * fix volume servers action buttons * fix collections page action button * fix properties page * more obvious * fix directory creation file mode * Update file_browser_handlers.go * directory permission
This commit is contained in:
Chris Lu
188
weed/credential/filer_etc/filer_etc_identity.go
Normal file
188
weed/credential/filer_etc/filer_etc_identity.go
Normal file
@@ -0,0 +1,188 @@
|
||||
package filer_etc
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/seaweedfs/seaweedfs/weed/credential"
|
||||
"github.com/seaweedfs/seaweedfs/weed/filer"
|
||||
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
||||
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
||||
)
|
||||
|
||||
func (store *FilerEtcStore) LoadConfiguration(ctx context.Context) (*iam_pb.S3ApiConfiguration, error) {
|
||||
s3cfg := &iam_pb.S3ApiConfiguration{}
|
||||
|
||||
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
var buf bytes.Buffer
|
||||
if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
|
||||
if err != filer_pb.ErrNotFound {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if buf.Len() > 0 {
|
||||
return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
|
||||
}
|
||||
return nil
|
||||
})
|
||||
|
||||
return s3cfg, err
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) SaveConfiguration(ctx context.Context, config *iam_pb.S3ApiConfiguration) error {
|
||||
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
var buf bytes.Buffer
|
||||
if err := filer.ProtoToText(&buf, config); err != nil {
|
||||
return fmt.Errorf("failed to marshal configuration: %v", err)
|
||||
}
|
||||
return filer.SaveInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile, buf.Bytes())
|
||||
})
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) CreateUser(ctx context.Context, identity *iam_pb.Identity) error {
|
||||
// Load existing configuration
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Check if user already exists
|
||||
for _, existingIdentity := range config.Identities {
|
||||
if existingIdentity.Name == identity.Name {
|
||||
return credential.ErrUserAlreadyExists
|
||||
}
|
||||
}
|
||||
|
||||
// Add new identity
|
||||
config.Identities = append(config.Identities, identity)
|
||||
|
||||
// Save configuration
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) GetUser(ctx context.Context, username string) (*iam_pb.Identity, error) {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
for _, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
return identity, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) UpdateUser(ctx context.Context, username string, identity *iam_pb.Identity) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find and update the user
|
||||
for i, existingIdentity := range config.Identities {
|
||||
if existingIdentity.Name == username {
|
||||
config.Identities[i] = identity
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) DeleteUser(ctx context.Context, username string) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find and remove the user
|
||||
for i, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
config.Identities = append(config.Identities[:i], config.Identities[i+1:]...)
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) ListUsers(ctx context.Context) ([]string, error) {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
var usernames []string
|
||||
for _, identity := range config.Identities {
|
||||
usernames = append(usernames, identity.Name)
|
||||
}
|
||||
|
||||
return usernames, nil
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) GetUserByAccessKey(ctx context.Context, accessKey string) (*iam_pb.Identity, error) {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
for _, identity := range config.Identities {
|
||||
for _, credential := range identity.Credentials {
|
||||
if credential.AccessKey == accessKey {
|
||||
return identity, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil, credential.ErrAccessKeyNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) CreateAccessKey(ctx context.Context, username string, cred *iam_pb.Credential) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find the user and add the credential
|
||||
for _, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
// Check if access key already exists
|
||||
for _, existingCred := range identity.Credentials {
|
||||
if existingCred.AccessKey == cred.AccessKey {
|
||||
return fmt.Errorf("access key %s already exists", cred.AccessKey)
|
||||
}
|
||||
}
|
||||
|
||||
identity.Credentials = append(identity.Credentials, cred)
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) DeleteAccessKey(ctx context.Context, username string, accessKey string) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find the user and remove the credential
|
||||
for _, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
for i, cred := range identity.Credentials {
|
||||
if cred.AccessKey == accessKey {
|
||||
identity.Credentials = append(identity.Credentials[:i], identity.Credentials[i+1:]...)
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
return credential.ErrAccessKeyNotFound
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
114
weed/credential/filer_etc/filer_etc_policy.go
Normal file
114
weed/credential/filer_etc/filer_etc_policy.go
Normal file
@@ -0,0 +1,114 @@
|
||||
package filer_etc
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
|
||||
"github.com/seaweedfs/seaweedfs/weed/credential"
|
||||
"github.com/seaweedfs/seaweedfs/weed/filer"
|
||||
"github.com/seaweedfs/seaweedfs/weed/glog"
|
||||
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
||||
)
|
||||
|
||||
type PoliciesCollection struct {
|
||||
Policies map[string]credential.PolicyDocument `json:"policies"`
|
||||
}
|
||||
|
||||
// GetPolicies retrieves all IAM policies from the filer
|
||||
func (store *FilerEtcStore) GetPolicies(ctx context.Context) (map[string]credential.PolicyDocument, error) {
|
||||
policiesCollection := &PoliciesCollection{
|
||||
Policies: make(map[string]credential.PolicyDocument),
|
||||
}
|
||||
|
||||
// Check if filer client is configured
|
||||
if store.filerGrpcAddress == "" {
|
||||
glog.V(1).Infof("Filer client not configured for policy retrieval, returning empty policies")
|
||||
// Return empty policies if filer client is not configured
|
||||
return policiesCollection.Policies, nil
|
||||
}
|
||||
|
||||
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
var buf bytes.Buffer
|
||||
if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamPoliciesFile, &buf); err != nil {
|
||||
if err == filer_pb.ErrNotFound {
|
||||
glog.V(1).Infof("Policies file not found at %s/%s, returning empty policies", filer.IamConfigDirectory, filer.IamPoliciesFile)
|
||||
// If file doesn't exist, return empty collection
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
if buf.Len() > 0 {
|
||||
return json.Unmarshal(buf.Bytes(), policiesCollection)
|
||||
}
|
||||
return nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return policiesCollection.Policies, nil
|
||||
}
|
||||
|
||||
// CreatePolicy creates a new IAM policy in the filer
|
||||
func (store *FilerEtcStore) CreatePolicy(ctx context.Context, name string, document credential.PolicyDocument) error {
|
||||
return store.updatePolicies(ctx, func(policies map[string]credential.PolicyDocument) {
|
||||
policies[name] = document
|
||||
})
|
||||
}
|
||||
|
||||
// UpdatePolicy updates an existing IAM policy in the filer
|
||||
func (store *FilerEtcStore) UpdatePolicy(ctx context.Context, name string, document credential.PolicyDocument) error {
|
||||
return store.updatePolicies(ctx, func(policies map[string]credential.PolicyDocument) {
|
||||
policies[name] = document
|
||||
})
|
||||
}
|
||||
|
||||
// DeletePolicy deletes an IAM policy from the filer
|
||||
func (store *FilerEtcStore) DeletePolicy(ctx context.Context, name string) error {
|
||||
return store.updatePolicies(ctx, func(policies map[string]credential.PolicyDocument) {
|
||||
delete(policies, name)
|
||||
})
|
||||
}
|
||||
|
||||
// updatePolicies is a helper method to update policies atomically
|
||||
func (store *FilerEtcStore) updatePolicies(ctx context.Context, updateFunc func(map[string]credential.PolicyDocument)) error {
|
||||
// Load existing policies
|
||||
policies, err := store.GetPolicies(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Apply update
|
||||
updateFunc(policies)
|
||||
|
||||
// Save back to filer
|
||||
policiesCollection := &PoliciesCollection{
|
||||
Policies: policies,
|
||||
}
|
||||
|
||||
data, err := json.Marshal(policiesCollection)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
return filer.SaveInsideFiler(client, filer.IamConfigDirectory, filer.IamPoliciesFile, data)
|
||||
})
|
||||
}
|
||||
|
||||
// GetPolicy retrieves a specific IAM policy by name from the filer
|
||||
func (store *FilerEtcStore) GetPolicy(ctx context.Context, name string) (*credential.PolicyDocument, error) {
|
||||
policies, err := store.GetPolicies(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if policy, exists := policies[name]; exists {
|
||||
return &policy, nil
|
||||
}
|
||||
|
||||
return nil, nil // Policy not found
|
||||
}
|
||||
@@ -1,15 +1,11 @@
|
||||
package filer_etc
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/seaweedfs/seaweedfs/weed/credential"
|
||||
"github.com/seaweedfs/seaweedfs/weed/filer"
|
||||
"github.com/seaweedfs/seaweedfs/weed/pb"
|
||||
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
||||
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
||||
"github.com/seaweedfs/seaweedfs/weed/util"
|
||||
"google.golang.org/grpc"
|
||||
)
|
||||
@@ -54,182 +50,6 @@ func (store *FilerEtcStore) withFilerClient(fn func(client filer_pb.SeaweedFiler
|
||||
return pb.WithGrpcFilerClient(false, 0, pb.ServerAddress(store.filerGrpcAddress), store.grpcDialOption, fn)
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) LoadConfiguration(ctx context.Context) (*iam_pb.S3ApiConfiguration, error) {
|
||||
s3cfg := &iam_pb.S3ApiConfiguration{}
|
||||
|
||||
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
var buf bytes.Buffer
|
||||
if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
|
||||
if err != filer_pb.ErrNotFound {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if buf.Len() > 0 {
|
||||
return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
|
||||
}
|
||||
return nil
|
||||
})
|
||||
|
||||
return s3cfg, err
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) SaveConfiguration(ctx context.Context, config *iam_pb.S3ApiConfiguration) error {
|
||||
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
||||
var buf bytes.Buffer
|
||||
if err := filer.ProtoToText(&buf, config); err != nil {
|
||||
return fmt.Errorf("failed to marshal configuration: %v", err)
|
||||
}
|
||||
return filer.SaveInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile, buf.Bytes())
|
||||
})
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) CreateUser(ctx context.Context, identity *iam_pb.Identity) error {
|
||||
// Load existing configuration
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Check if user already exists
|
||||
for _, existingIdentity := range config.Identities {
|
||||
if existingIdentity.Name == identity.Name {
|
||||
return credential.ErrUserAlreadyExists
|
||||
}
|
||||
}
|
||||
|
||||
// Add new identity
|
||||
config.Identities = append(config.Identities, identity)
|
||||
|
||||
// Save configuration
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) GetUser(ctx context.Context, username string) (*iam_pb.Identity, error) {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
for _, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
return identity, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) UpdateUser(ctx context.Context, username string, identity *iam_pb.Identity) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find and update the user
|
||||
for i, existingIdentity := range config.Identities {
|
||||
if existingIdentity.Name == username {
|
||||
config.Identities[i] = identity
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) DeleteUser(ctx context.Context, username string) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find and remove the user
|
||||
for i, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
config.Identities = append(config.Identities[:i], config.Identities[i+1:]...)
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) ListUsers(ctx context.Context) ([]string, error) {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
var usernames []string
|
||||
for _, identity := range config.Identities {
|
||||
usernames = append(usernames, identity.Name)
|
||||
}
|
||||
|
||||
return usernames, nil
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) GetUserByAccessKey(ctx context.Context, accessKey string) (*iam_pb.Identity, error) {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
for _, identity := range config.Identities {
|
||||
for _, credential := range identity.Credentials {
|
||||
if credential.AccessKey == accessKey {
|
||||
return identity, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil, credential.ErrAccessKeyNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) CreateAccessKey(ctx context.Context, username string, cred *iam_pb.Credential) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find the user and add the credential
|
||||
for _, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
// Check if access key already exists
|
||||
for _, existingCred := range identity.Credentials {
|
||||
if existingCred.AccessKey == cred.AccessKey {
|
||||
return fmt.Errorf("access key %s already exists", cred.AccessKey)
|
||||
}
|
||||
}
|
||||
|
||||
identity.Credentials = append(identity.Credentials, cred)
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) DeleteAccessKey(ctx context.Context, username string, accessKey string) error {
|
||||
config, err := store.LoadConfiguration(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load configuration: %v", err)
|
||||
}
|
||||
|
||||
// Find the user and remove the credential
|
||||
for _, identity := range config.Identities {
|
||||
if identity.Name == username {
|
||||
for i, cred := range identity.Credentials {
|
||||
if cred.AccessKey == accessKey {
|
||||
identity.Credentials = append(identity.Credentials[:i], identity.Credentials[i+1:]...)
|
||||
return store.SaveConfiguration(ctx, config)
|
||||
}
|
||||
}
|
||||
return credential.ErrAccessKeyNotFound
|
||||
}
|
||||
}
|
||||
|
||||
return credential.ErrUserNotFound
|
||||
}
|
||||
|
||||
func (store *FilerEtcStore) Shutdown() {
|
||||
// No cleanup needed for file store
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user