gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(iam): add SetUserStatus and UpdateAccessKey actions (#7750)

Browse Source 
feat(iam): add SetUserStatus and UpdateAccessKey actions (#7745)

Add ability to enable/disable users and access keys without deleting them.

## Changes

### Protocol Buffer Updates
- Add `disabled` field (bool) to Identity message for user status
  - false (default) = enabled, true = disabled
  - No backward compatibility hack needed since zero value is correct
- Add `status` field (string: Active/Inactive) to Credential message

### New IAM Actions
- SetUserStatus: Enable or disable a user (requires admin)
- UpdateAccessKey: Change access key status (self-service or admin)

### Behavior
- Disabled users: All API requests return AccessDenied
- Inactive access keys: Signature validation fails
- Status check happens early in auth flow for performance
- Backward compatible: existing configs default to enabled (disabled=false)

### Use Cases
1. Temporary suspension: Disable user access during investigation
2. Key rotation: Deactivate old key before deletion
3. Offboarding: Disable rather than delete for audit purposes
4. Emergency response: Quickly disable compromised credentials

Fixes #7745
This commit is contained in:
Chris Lu
2025-12-14 18:48:39 -08:00
committed by GitHub
parent 7ed7578424
commit f64ce759e0
9 changed files with 647 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
weed/pb/iam.proto
View File

@@ -24,13 +24,13 @@ message Identity {
repeated Credential credentials = 2;
repeated string actions = 3;
Account account = 4;
bool disabled = 5; // User status: false = enabled (default), true = disabled
}
message Credential {
string access_key = 1;
string secret_key = 2;
// uint64 expiration = 3;
// bool is_disabled = 4;
string status = 3; // Access key status: "Active" or "Inactive"
}
message Account {