object store users

weed/admin/dash/admin_server.go

@@ -1,6 +1,7 @@
 package dash
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net/http"
@@ -8,10 +9,12 @@ import (
 	"time"
 
 	"github.com/seaweedfs/seaweedfs/weed/cluster"
+	"github.com/seaweedfs/seaweedfs/weed/filer"
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/operation"
 	"github.com/seaweedfs/seaweedfs/weed/pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
+	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/master_pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/volume_server_pb"
 	"github.com/seaweedfs/seaweedfs/weed/security"
@@ -651,41 +654,57 @@ func (s *AdminServer) DeleteS3Bucket(bucketName string) error {
 	})
 }
 
-// GetObjectStoreUsers retrieves object store users data
+// GetObjectStoreUsers retrieves object store users from identity.json
 func (s *AdminServer) GetObjectStoreUsers() ([]ObjectStoreUser, error) {
-	// For now, return mock data since SeaweedFS doesn't have built-in user management
-	// In a real implementation, this would query the IAM system or user database
-	users := []ObjectStoreUser{
-		{
-			Username:    "admin",
-			Email:       "admin@example.com",
-			AccessKey:   "AKIAIOSFODNN7EXAMPLE",
-			SecretKey:   "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-			Status:      "active",
-			CreatedAt:   time.Now().AddDate(0, -1, 0),
-			LastLogin:   time.Now().AddDate(0, 0, -1),
-			Permissions: []string{"s3:*", "iam:*"},
-		},
-		{
-			Username:    "readonly",
-			Email:       "readonly@example.com",
-			AccessKey:   "AKIAI44QH8DHBEXAMPLE",
-			SecretKey:   "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY",
-			Status:      "active",
-			CreatedAt:   time.Now().AddDate(0, -2, 0),
-			LastLogin:   time.Now().AddDate(0, 0, -3),
-			Permissions: []string{"s3:GetObject", "s3:ListBucket"},
-		},
-		{
-			Username:    "backup",
-			Email:       "backup@example.com",
-			AccessKey:   "AKIAIGCEVSQ6C2EXAMPLE",
-			SecretKey:   "BnL1dIqRF/+WoWcouZ5e3qthJhEXAMPLEKEY",
-			Status:      "inactive",
-			CreatedAt:   time.Now().AddDate(0, -3, 0),
-			LastLogin:   time.Now().AddDate(0, -1, -15),
-			Permissions: []string{"s3:PutObject", "s3:GetObject"},
-		},
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load IAM configuration from filer
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			if err == filer_pb.ErrNotFound {
+				// If file doesn't exist, return empty configuration
+				return nil
+			}
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		glog.Errorf("Failed to load IAM configuration: %v", err)
+		return []ObjectStoreUser{}, nil // Return empty list instead of error for UI
+	}
+
+	var users []ObjectStoreUser
+
+	// Convert IAM identities to ObjectStoreUser format
+	for _, identity := range s3cfg.Identities {
+		// Skip anonymous identity
+		if identity.Name == "anonymous" {
+			continue
+		}
+
+		user := ObjectStoreUser{
+			Username:    identity.Name,
+			Permissions: identity.Actions,
+		}
+
+		// Set email from account if available
+		if identity.Account != nil {
+			user.Email = identity.Account.EmailAddress
+		}
+
+		// Get first access key for display
+		if len(identity.Credentials) > 0 {
+			user.AccessKey = identity.Credentials[0].AccessKey
+			user.SecretKey = identity.Credentials[0].SecretKey
+		}
+
+		users = append(users, user)
 	}
 
 	return users, nil

weed/admin/dash/handler_admin.go

@@ -27,14 +27,11 @@ type AdminData struct {
 
 // Object Store Users management structures
 type ObjectStoreUser struct {
-	Username    string    `json:"username"`
-	Email       string    `json:"email"`
-	AccessKey   string    `json:"access_key"`
-	SecretKey   string    `json:"secret_key"`
-	Status      string    `json:"status"`
-	CreatedAt   time.Time `json:"created_at"`
-	LastLogin   time.Time `json:"last_login"`
-	Permissions []string  `json:"permissions"`
+	Username    string   `json:"username"`
+	Email       string   `json:"email"`
+	AccessKey   string   `json:"access_key"`
+	SecretKey   string   `json:"secret_key"`
+	Permissions []string `json:"permissions"`
 }
 
 type ObjectStoreUsersData struct {
@@ -44,6 +41,36 @@ type ObjectStoreUsersData struct {
 	LastUpdated time.Time         `json:"last_updated"`
 }
 
+// User management request structures
+type CreateUserRequest struct {
+	Username    string   `json:"username" binding:"required"`
+	Email       string   `json:"email"`
+	Actions     []string `json:"actions"`
+	GenerateKey bool     `json:"generate_key"`
+}
+
+type UpdateUserRequest struct {
+	Email   string   `json:"email"`
+	Actions []string `json:"actions"`
+}
+
+type UpdateUserPoliciesRequest struct {
+	Actions []string `json:"actions" binding:"required"`
+}
+
+type AccessKeyInfo struct {
+	AccessKey string    `json:"access_key"`
+	SecretKey string    `json:"secret_key"`
+	CreatedAt time.Time `json:"created_at"`
+}
+
+type UserDetails struct {
+	Username   string          `json:"username"`
+	Email      string          `json:"email"`
+	Actions    []string        `json:"actions"`
+	AccessKeys []AccessKeyInfo `json:"access_keys"`
+}
+
 type FilerNode struct {
 	Address     string    `json:"address"`
 	DataCenter  string    `json:"datacenter"`

weed/admin/dash/user_management.go

@@ -0,0 +1,447 @@
+package dash
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/seaweedfs/seaweedfs/weed/filer"
+	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
+	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
+)
+
+// CreateObjectStoreUser creates a new user in identity.json
+func (s *AdminServer) CreateObjectStoreUser(req CreateUserRequest) (*ObjectStoreUser, error) {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			if err != filer_pb.ErrNotFound {
+				return err
+			}
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Check if user already exists
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == req.Username {
+			return nil, fmt.Errorf("user %s already exists", req.Username)
+		}
+	}
+
+	// Create new identity
+	newIdentity := &iam_pb.Identity{
+		Name:    req.Username,
+		Actions: req.Actions,
+	}
+
+	// Add account if email is provided
+	if req.Email != "" {
+		newIdentity.Account = &iam_pb.Account{
+			Id:           generateAccountId(),
+			DisplayName:  req.Username,
+			EmailAddress: req.Email,
+		}
+	}
+
+	// Generate access key if requested
+	var accessKey, secretKey string
+	if req.GenerateKey {
+		accessKey = generateAccessKey()
+		secretKey = generateSecretKey()
+		newIdentity.Credentials = []*iam_pb.Credential{
+			{
+				AccessKey: accessKey,
+				SecretKey: secretKey,
+			},
+		}
+	}
+
+	// Add to configuration
+	s3cfg.Identities = append(s3cfg.Identities, newIdentity)
+
+	// Save configuration
+	err = s.saveS3Configuration(s3cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to save IAM configuration: %v", err)
+	}
+
+	// Return created user
+	user := &ObjectStoreUser{
+		Username:    req.Username,
+		Email:       req.Email,
+		AccessKey:   accessKey,
+		SecretKey:   secretKey,
+		Permissions: req.Actions,
+	}
+
+	return user, nil
+}
+
+// UpdateObjectStoreUser updates an existing user
+func (s *AdminServer) UpdateObjectStoreUser(username string, req UpdateUserRequest) (*ObjectStoreUser, error) {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find and update user
+	var updatedIdentity *iam_pb.Identity
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			updatedIdentity = identity
+			break
+		}
+	}
+
+	if updatedIdentity == nil {
+		return nil, fmt.Errorf("user %s not found", username)
+	}
+
+	// Update actions if provided
+	if len(req.Actions) > 0 {
+		updatedIdentity.Actions = req.Actions
+	}
+
+	// Update email if provided
+	if req.Email != "" {
+		if updatedIdentity.Account == nil {
+			updatedIdentity.Account = &iam_pb.Account{
+				Id:          generateAccountId(),
+				DisplayName: username,
+			}
+		}
+		updatedIdentity.Account.EmailAddress = req.Email
+	}
+
+	// Save configuration
+	err = s.saveS3Configuration(s3cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to save IAM configuration: %v", err)
+	}
+
+	// Return updated user
+	user := &ObjectStoreUser{
+		Username:    username,
+		Email:       req.Email,
+		Permissions: updatedIdentity.Actions,
+	}
+
+	// Get first access key for display
+	if len(updatedIdentity.Credentials) > 0 {
+		user.AccessKey = updatedIdentity.Credentials[0].AccessKey
+		user.SecretKey = updatedIdentity.Credentials[0].SecretKey
+	}
+
+	return user, nil
+}
+
+// DeleteObjectStoreUser deletes a user from identity.json
+func (s *AdminServer) DeleteObjectStoreUser(username string) error {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find and remove user
+	found := false
+	for i, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		return fmt.Errorf("user %s not found", username)
+	}
+
+	// Save configuration
+	return s.saveS3Configuration(s3cfg)
+}
+
+// GetObjectStoreUserDetails returns detailed information about a user
+func (s *AdminServer) GetObjectStoreUserDetails(username string) (*UserDetails, error) {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find user
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			details := &UserDetails{
+				Username: username,
+				Actions:  identity.Actions,
+			}
+
+			// Set email from account if available
+			if identity.Account != nil {
+				details.Email = identity.Account.EmailAddress
+			}
+
+			// Convert credentials to access key info
+			for _, cred := range identity.Credentials {
+				details.AccessKeys = append(details.AccessKeys, AccessKeyInfo{
+					AccessKey: cred.AccessKey,
+					SecretKey: cred.SecretKey,
+					CreatedAt: time.Now().AddDate(0, -1, 0), // Mock creation date
+				})
+			}
+
+			return details, nil
+		}
+	}
+
+	return nil, fmt.Errorf("user %s not found", username)
+}
+
+// CreateAccessKey creates a new access key for a user
+func (s *AdminServer) CreateAccessKey(username string) (*AccessKeyInfo, error) {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find user
+	var targetIdentity *iam_pb.Identity
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			targetIdentity = identity
+			break
+		}
+	}
+
+	if targetIdentity == nil {
+		return nil, fmt.Errorf("user %s not found", username)
+	}
+
+	// Generate new access key
+	accessKey := generateAccessKey()
+	secretKey := generateSecretKey()
+
+	newCredential := &iam_pb.Credential{
+		AccessKey: accessKey,
+		SecretKey: secretKey,
+	}
+
+	// Add to user's credentials
+	targetIdentity.Credentials = append(targetIdentity.Credentials, newCredential)
+
+	// Save configuration
+	err = s.saveS3Configuration(s3cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to save IAM configuration: %v", err)
+	}
+
+	return &AccessKeyInfo{
+		AccessKey: accessKey,
+		SecretKey: secretKey,
+		CreatedAt: time.Now(),
+	}, nil
+}
+
+// DeleteAccessKey deletes an access key for a user
+func (s *AdminServer) DeleteAccessKey(username, accessKeyId string) error {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find user and remove access key
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			for i, cred := range identity.Credentials {
+				if cred.AccessKey == accessKeyId {
+					identity.Credentials = append(identity.Credentials[:i], identity.Credentials[i+1:]...)
+					return s.saveS3Configuration(s3cfg)
+				}
+			}
+			return fmt.Errorf("access key %s not found for user %s", accessKeyId, username)
+		}
+	}
+
+	return fmt.Errorf("user %s not found", username)
+}
+
+// GetUserPolicies returns the policies for a user (actions)
+func (s *AdminServer) GetUserPolicies(username string) ([]string, error) {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find user and return policies
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			return identity.Actions, nil
+		}
+	}
+
+	return nil, fmt.Errorf("user %s not found", username)
+}
+
+// UpdateUserPolicies updates the policies (actions) for a user
+func (s *AdminServer) UpdateUserPolicies(username string, actions []string) error {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	// Load existing configuration
+	err := s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			return err
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to load IAM configuration: %v", err)
+	}
+
+	// Find user and update policies
+	for _, identity := range s3cfg.Identities {
+		if identity.Name == username {
+			identity.Actions = actions
+			return s.saveS3Configuration(s3cfg)
+		}
+	}
+
+	return fmt.Errorf("user %s not found", username)
+}
+
+// saveS3Configuration saves the S3 configuration to identity.json
+func (s *AdminServer) saveS3Configuration(s3cfg *iam_pb.S3ApiConfiguration) error {
+	return s.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ProtoToText(&buf, s3cfg); err != nil {
+			return fmt.Errorf("failed to marshal configuration: %v", err)
+		}
+
+		return filer.SaveInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile, buf.Bytes())
+	})
+}
+
+// Helper functions for generating keys and IDs
+func generateAccessKey() string {
+	// Generate 20-character access key (AWS standard)
+	const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	b := make([]byte, 20)
+	for i := range b {
+		b[i] = charset[randomInt(len(charset))]
+	}
+	return string(b)
+}
+
+func generateSecretKey() string {
+	// Generate 40-character secret key (AWS standard)
+	b := make([]byte, 30) // 30 bytes = 40 characters in base64
+	rand.Read(b)
+	return base64.StdEncoding.EncodeToString(b)
+}
+
+func generateAccountId() string {
+	// Generate 12-digit account ID
+	b := make([]byte, 8)
+	rand.Read(b)
+	return fmt.Sprintf("%012d", b[0]<<24|b[1]<<16|b[2]<<8|b[3])
+}
+
+func randomInt(max int) int {
+	b := make([]byte, 1)
+	rand.Read(b)
+	return int(b[0]) % max
+}