s3api: add AttachUserPolicy/DetachUserPolicy/ListAttachedUserPolicies (#8379)
* iam: add XML responses for managed user policy APIs * s3api: implement attach/detach/list attached user policies * s3api: add embedded IAM tests for managed user policies * iam: update CredentialStore interface and Manager for managed policies Updated the `CredentialStore` interface to include `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies` methods. The `CredentialManager` was updated to delegate these calls to the store. Added common error variables for policy management. * iam: implement managed policy methods in MemoryStore Implemented `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies` in the MemoryStore. Also ensured deep copying of identities includes PolicyNames. * iam: implement managed policy methods in PostgresStore Modified Postgres schema to include `policy_names` JSONB column in `users`. Implemented `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies`. Updated user CRUD operations to handle policy names persistence. * iam: implement managed policy methods in remaining stores Implemented user policy management in: - `FilerEtcStore` (partial implementation) - `IamGrpcStore` (delegated via GetUser/UpdateUser) - `PropagatingCredentialStore` (to broadcast updates) Ensures cluster-wide consistency for policy attachments. * s3api: refactor EmbeddedIamApi to use managed policy APIs - Refactored `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies` to use `e.credentialManager` directly. - Fixed a critical error suppression bug in `ExecuteAction` that always returned success even on failure. - Implemented robust error matching using string comparison fallbacks. - Improved consistency by reloading configuration after policy changes. * s3api: update and refine IAM integration tests - Updated tests to use a real `MemoryStore`-backed `CredentialManager`. - Refined test configuration synchronization using `sync.Once` and manual deep-copying to prevent state corruption. - Improved `extractEmbeddedIamErrorCodeAndMessage` to handle more XML formats robustly. - Adjusted test expectations to match current AWS IAM behavior. * fix compilation * visibility * ensure 10 policies * reload * add integration tests * Guard raft command registration * Allow IAM actions in policy tests * Validate gRPC policy attachments * Revert Validate gRPC policy attachments * Tighten gRPC policy attach/detach * Improve IAM managed policy handling * Improve managed policy filters
This commit is contained in:
Chris Lu
@@ -62,26 +62,30 @@ const (
|
||||
// Operational limits (AWS IAM compatible)
|
||||
MaxServiceAccountsPerUser = 100 // Maximum service accounts per user
|
||||
MaxDescriptionLength = 1000 // Maximum description length in characters
|
||||
MaxManagedPoliciesPerUser = 10 // Maximum managed policies attached to a user
|
||||
)
|
||||
|
||||
// Type aliases for IAM response types from shared package
|
||||
type (
|
||||
iamListUsersResponse = iamlib.ListUsersResponse
|
||||
iamListAccessKeysResponse = iamlib.ListAccessKeysResponse
|
||||
iamDeleteAccessKeyResponse = iamlib.DeleteAccessKeyResponse
|
||||
iamCreatePolicyResponse = iamlib.CreatePolicyResponse
|
||||
iamCreateUserResponse = iamlib.CreateUserResponse
|
||||
iamDeleteUserResponse = iamlib.DeleteUserResponse
|
||||
iamGetUserResponse = iamlib.GetUserResponse
|
||||
iamUpdateUserResponse = iamlib.UpdateUserResponse
|
||||
iamCreateAccessKeyResponse = iamlib.CreateAccessKeyResponse
|
||||
iamPutUserPolicyResponse = iamlib.PutUserPolicyResponse
|
||||
iamDeleteUserPolicyResponse = iamlib.DeleteUserPolicyResponse
|
||||
iamGetUserPolicyResponse = iamlib.GetUserPolicyResponse
|
||||
iamSetUserStatusResponse = iamlib.SetUserStatusResponse
|
||||
iamUpdateAccessKeyResponse = iamlib.UpdateAccessKeyResponse
|
||||
iamErrorResponse = iamlib.ErrorResponse
|
||||
iamError = iamlib.Error
|
||||
iamListUsersResponse = iamlib.ListUsersResponse
|
||||
iamListAccessKeysResponse = iamlib.ListAccessKeysResponse
|
||||
iamDeleteAccessKeyResponse = iamlib.DeleteAccessKeyResponse
|
||||
iamCreatePolicyResponse = iamlib.CreatePolicyResponse
|
||||
iamCreateUserResponse = iamlib.CreateUserResponse
|
||||
iamDeleteUserResponse = iamlib.DeleteUserResponse
|
||||
iamGetUserResponse = iamlib.GetUserResponse
|
||||
iamUpdateUserResponse = iamlib.UpdateUserResponse
|
||||
iamCreateAccessKeyResponse = iamlib.CreateAccessKeyResponse
|
||||
iamPutUserPolicyResponse = iamlib.PutUserPolicyResponse
|
||||
iamDeleteUserPolicyResponse = iamlib.DeleteUserPolicyResponse
|
||||
iamGetUserPolicyResponse = iamlib.GetUserPolicyResponse
|
||||
iamAttachUserPolicyResponse = iamlib.AttachUserPolicyResponse
|
||||
iamDetachUserPolicyResponse = iamlib.DetachUserPolicyResponse
|
||||
iamListAttachedUserPoliciesResponse = iamlib.ListAttachedUserPoliciesResponse
|
||||
iamSetUserStatusResponse = iamlib.SetUserStatusResponse
|
||||
iamUpdateAccessKeyResponse = iamlib.UpdateAccessKeyResponse
|
||||
iamErrorResponse = iamlib.ErrorResponse
|
||||
iamError = iamlib.Error
|
||||
// Service account response types
|
||||
iamServiceAccountInfo = iamlib.ServiceAccountInfo
|
||||
iamCreateServiceAccountResponse = iamlib.CreateServiceAccountResponse
|
||||
@@ -166,6 +170,8 @@ func (e *EmbeddedIamApi) writeIamErrorResponse(w http.ResponseWriter, r *http.Re
|
||||
s3err.WriteXMLResponse(w, r, http.StatusForbidden, errorResp)
|
||||
case iam.ErrCodeServiceFailureException:
|
||||
s3err.WriteXMLResponse(w, r, http.StatusInternalServerError, internalErrorResponse)
|
||||
case "NotImplemented":
|
||||
s3err.WriteXMLResponse(w, r, http.StatusNotImplemented, errorResp)
|
||||
default:
|
||||
s3err.WriteXMLResponse(w, r, http.StatusInternalServerError, internalErrorResponse)
|
||||
}
|
||||
@@ -375,7 +381,7 @@ func (e *EmbeddedIamApi) GetPolicyDocument(policy *string) (policy_engine.Policy
|
||||
// NOTE: Currently this only validates the policy document and returns policy metadata.
|
||||
// The policy is not persisted to a managed policy store. To apply permissions to a user,
|
||||
// use PutUserPolicy which stores the policy inline on the user's identity.
|
||||
// TODO: Implement managed policy storage for full AWS IAM compatibility (ListPolicies, GetPolicy, AttachUserPolicy).
|
||||
// TODO: Implement managed policy storage for full AWS IAM compatibility (ListPolicies, GetPolicy).
|
||||
func (e *EmbeddedIamApi) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (iamCreatePolicyResponse, *iamError) {
|
||||
var resp iamCreatePolicyResponse
|
||||
policyName := values.Get("PolicyName")
|
||||
@@ -392,6 +398,31 @@ func (e *EmbeddedIamApi) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values u
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func iamPolicyNameFromArn(policyArn string) (string, error) {
|
||||
const policyPathDelimiter = ":policy/"
|
||||
idx := strings.Index(policyArn, policyPathDelimiter)
|
||||
if idx < 0 {
|
||||
return "", fmt.Errorf("invalid policy arn: %s", policyArn)
|
||||
}
|
||||
|
||||
policyPath := strings.Trim(policyArn[idx+len(policyPathDelimiter):], "/")
|
||||
if policyPath == "" {
|
||||
return "", fmt.Errorf("invalid policy arn: %s", policyArn)
|
||||
}
|
||||
|
||||
parts := strings.Split(policyPath, "/")
|
||||
policyName := parts[len(parts)-1]
|
||||
if policyName == "" {
|
||||
return "", fmt.Errorf("invalid policy arn: %s", policyArn)
|
||||
}
|
||||
|
||||
return policyName, nil
|
||||
}
|
||||
|
||||
func iamPolicyArn(policyName string) string {
|
||||
return fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
|
||||
}
|
||||
|
||||
// getActions extracts actions from a policy document.
|
||||
// S3 ARN format: arn:aws:s3:::bucket or arn:aws:s3:::bucket/path/*
|
||||
// res[5] contains the bucket and optional path after :::
|
||||
@@ -559,6 +590,192 @@ func (e *EmbeddedIamApi) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, valu
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
||||
}
|
||||
|
||||
// AttachUserPolicy attaches a managed policy to a user.
|
||||
func (e *EmbeddedIamApi) AttachUserPolicy(ctx context.Context, values url.Values) (iamAttachUserPolicyResponse, *iamError) {
|
||||
var resp iamAttachUserPolicyResponse
|
||||
|
||||
userName := values.Get("UserName")
|
||||
if userName == "" {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
||||
}
|
||||
|
||||
policyArn := values.Get("PolicyArn")
|
||||
policyName, err := iamPolicyNameFromArn(policyArn)
|
||||
if err != nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
||||
}
|
||||
|
||||
if e.credentialManager == nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
||||
}
|
||||
|
||||
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
||||
if err != nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
||||
}
|
||||
if policy == nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
||||
}
|
||||
|
||||
attachedPolicies, err := e.credentialManager.ListAttachedUserPolicies(ctx, userName)
|
||||
if err != nil {
|
||||
if errors.Is(err, credential.ErrUserNotFound) {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
||||
}
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
||||
}
|
||||
for _, attached := range attachedPolicies {
|
||||
if attached == policyName {
|
||||
return resp, nil
|
||||
}
|
||||
}
|
||||
if len(attachedPolicies) >= MaxManagedPoliciesPerUser {
|
||||
return resp, &iamError{
|
||||
Code: iam.ErrCodeLimitExceededException,
|
||||
Error: fmt.Errorf("cannot attach more than %d managed policies to user %s", MaxManagedPoliciesPerUser, userName),
|
||||
}
|
||||
}
|
||||
|
||||
if err := e.credentialManager.AttachUserPolicy(ctx, userName, policyName); err != nil {
|
||||
if errors.Is(err, credential.ErrUserNotFound) {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
||||
}
|
||||
if errors.Is(err, credential.ErrPolicyNotFound) {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
||||
}
|
||||
if errors.Is(err, credential.ErrPolicyAlreadyAttached) {
|
||||
// AWS IAM is idempotent for AttachUserPolicy
|
||||
return resp, nil
|
||||
}
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
||||
}
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
// DetachUserPolicy detaches a managed policy from a user.
|
||||
func (e *EmbeddedIamApi) DetachUserPolicy(ctx context.Context, values url.Values) (iamDetachUserPolicyResponse, *iamError) {
|
||||
var resp iamDetachUserPolicyResponse
|
||||
|
||||
userName := values.Get("UserName")
|
||||
if userName == "" {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
||||
}
|
||||
|
||||
policyArn := values.Get("PolicyArn")
|
||||
policyName, err := iamPolicyNameFromArn(policyArn)
|
||||
if err != nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
||||
}
|
||||
|
||||
if e.credentialManager == nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
||||
}
|
||||
|
||||
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
||||
if err != nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
||||
}
|
||||
if policy == nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
||||
}
|
||||
|
||||
if err := e.credentialManager.DetachUserPolicy(ctx, userName, policyName); err != nil {
|
||||
if errors.Is(err, credential.ErrUserNotFound) {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
||||
}
|
||||
if errors.Is(err, credential.ErrPolicyNotAttached) {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not attached to user %s", policyName, userName)}
|
||||
}
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
||||
}
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
// ListAttachedUserPolicies lists managed policies attached to a user.
|
||||
func (e *EmbeddedIamApi) ListAttachedUserPolicies(ctx context.Context, values url.Values) (iamListAttachedUserPoliciesResponse, *iamError) {
|
||||
var resp iamListAttachedUserPoliciesResponse
|
||||
|
||||
userName := values.Get("UserName")
|
||||
if userName == "" {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
||||
}
|
||||
|
||||
pathPrefix := values.Get("PathPrefix")
|
||||
if pathPrefix == "" {
|
||||
pathPrefix = "/"
|
||||
}
|
||||
|
||||
maxItems := 0
|
||||
if maxItemsStr := values.Get("MaxItems"); maxItemsStr != "" {
|
||||
parsedMaxItems, err := strconv.Atoi(maxItemsStr)
|
||||
if err != nil || parsedMaxItems <= 0 {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("MaxItems must be a positive integer")}
|
||||
}
|
||||
maxItems = parsedMaxItems
|
||||
}
|
||||
marker := values.Get("Marker")
|
||||
|
||||
if e.credentialManager == nil {
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
||||
}
|
||||
|
||||
policyNames, err := e.credentialManager.ListAttachedUserPolicies(ctx, userName)
|
||||
if err != nil {
|
||||
if errors.Is(err, credential.ErrUserNotFound) {
|
||||
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
||||
}
|
||||
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
||||
}
|
||||
|
||||
var attachedPolicies []*iam.AttachedPolicy
|
||||
for _, attachedPolicyName := range policyNames {
|
||||
// Policy paths are not tracked in the current configuration, so PathPrefix
|
||||
// filtering is not supported yet. Always return the policy for now.
|
||||
policyNameCopy := attachedPolicyName
|
||||
policyArn := iamPolicyArn(attachedPolicyName)
|
||||
policyArnCopy := policyArn
|
||||
attachedPolicies = append(attachedPolicies, &iam.AttachedPolicy{
|
||||
PolicyName: &policyNameCopy,
|
||||
PolicyArn: &policyArnCopy,
|
||||
})
|
||||
}
|
||||
|
||||
start := 0
|
||||
markerFound := false
|
||||
if marker != "" {
|
||||
for i, p := range attachedPolicies {
|
||||
if p.PolicyName != nil && *p.PolicyName == marker {
|
||||
start = i + 1
|
||||
markerFound = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !markerFound && len(attachedPolicies) > 0 {
|
||||
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("marker %s not found", marker)}
|
||||
}
|
||||
}
|
||||
if start > 0 && start < len(attachedPolicies) {
|
||||
attachedPolicies = attachedPolicies[start:]
|
||||
} else if start >= len(attachedPolicies) {
|
||||
attachedPolicies = nil
|
||||
}
|
||||
|
||||
if maxItems > 0 && len(attachedPolicies) > maxItems {
|
||||
resp.ListAttachedUserPoliciesResult.AttachedPolicies = attachedPolicies[:maxItems]
|
||||
resp.ListAttachedUserPoliciesResult.IsTruncated = true
|
||||
if name := resp.ListAttachedUserPoliciesResult.AttachedPolicies[maxItems-1].PolicyName; name != nil {
|
||||
resp.ListAttachedUserPoliciesResult.Marker = *name
|
||||
}
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
resp.ListAttachedUserPoliciesResult.AttachedPolicies = attachedPolicies
|
||||
resp.ListAttachedUserPoliciesResult.IsTruncated = false
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
// SetUserStatus enables or disables a user without deleting them.
|
||||
// This is a SeaweedFS extension for temporary user suspension, offboarding, etc.
|
||||
// When a user is disabled, all API requests using their credentials will return AccessDenied.
|
||||
@@ -1049,7 +1266,7 @@ func (e *EmbeddedIamApi) AuthIam(f http.HandlerFunc, _ Action) http.HandlerFunc
|
||||
|
||||
// ExecuteAction executes an IAM action with the given values.
|
||||
// If skipPersist is true, the changed configuration is not saved to the persistent store.
|
||||
func (e *EmbeddedIamApi) ExecuteAction(values url.Values, skipPersist bool) (interface{}, *iamError) {
|
||||
func (e *EmbeddedIamApi) ExecuteAction(ctx context.Context, values url.Values, skipPersist bool) (interface{}, *iamError) {
|
||||
// Lock to prevent concurrent read-modify-write race conditions
|
||||
e.policyLock.Lock()
|
||||
defer e.policyLock.Unlock()
|
||||
@@ -1057,7 +1274,7 @@ func (e *EmbeddedIamApi) ExecuteAction(values url.Values, skipPersist bool) (int
|
||||
action := values.Get("Action")
|
||||
if e.readOnly {
|
||||
switch action {
|
||||
case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListServiceAccounts", "GetServiceAccount":
|
||||
case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListAttachedUserPolicies", "ListServiceAccounts", "GetServiceAccount":
|
||||
// Allowed read-only actions
|
||||
default:
|
||||
return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrAccessDenied).Code, Error: fmt.Errorf("IAM write operations are disabled on this server")}
|
||||
@@ -1141,6 +1358,24 @@ func (e *EmbeddedIamApi) ExecuteAction(values url.Values, skipPersist bool) (int
|
||||
if iamErr != nil {
|
||||
return nil, iamErr
|
||||
}
|
||||
case "AttachUserPolicy":
|
||||
response, iamErr = e.AttachUserPolicy(ctx, values)
|
||||
if iamErr != nil {
|
||||
return nil, iamErr
|
||||
}
|
||||
changed = false
|
||||
case "DetachUserPolicy":
|
||||
response, iamErr = e.DetachUserPolicy(ctx, values)
|
||||
if iamErr != nil {
|
||||
return nil, iamErr
|
||||
}
|
||||
changed = false
|
||||
case "ListAttachedUserPolicies":
|
||||
response, iamErr = e.ListAttachedUserPolicies(ctx, values)
|
||||
if iamErr != nil {
|
||||
return nil, iamErr
|
||||
}
|
||||
changed = false
|
||||
case "SetUserStatus":
|
||||
response, iamErr = e.SetUserStatus(s3cfg, values)
|
||||
if iamErr != nil {
|
||||
@@ -1193,8 +1428,14 @@ func (e *EmbeddedIamApi) ExecuteAction(values url.Values, skipPersist bool) (int
|
||||
glog.Errorf("Failed to reload IAM configuration after mutation: %v", err)
|
||||
// Don't fail the request since the persistent save succeeded
|
||||
}
|
||||
} else if iamErr == nil && (action == "AttachUserPolicy" || action == "DetachUserPolicy") {
|
||||
// Even if changed=false (persisted via credentialManager), we should still reload
|
||||
// if we are utilizing the local in-memory cache for speed
|
||||
if err := e.ReloadConfiguration(); err != nil {
|
||||
glog.Errorf("Failed to reload IAM configuration after managed policy mutation: %v", err)
|
||||
}
|
||||
}
|
||||
return response, nil
|
||||
return response, iamErr
|
||||
}
|
||||
|
||||
// DoActions handles IAM API actions.
|
||||
@@ -1214,7 +1455,7 @@ func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) {
|
||||
values.Set("CreatedBy", createdBy)
|
||||
}
|
||||
|
||||
response, iamErr := e.ExecuteAction(values, false)
|
||||
response, iamErr := e.ExecuteAction(r.Context(), values, false)
|
||||
if iamErr != nil {
|
||||
e.writeIamErrorResponse(w, r, iamErr)
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user