Disable Users and Groups Menu options when LDAP is enabled on MinIO (#614)

Alevsk · web-flow · commit 34bcd25c9fd8 · 2021-02-26T11:20:17.000-08:00
diff --git a/pkg/acl/config.go b/pkg/acl/config.go
@@ -26,3 +26,7 @@ import (
 func GetOperatorMode() bool {
 	return strings.ToLower(env.Get(consoleOperatorMode, "off")) == "on"
 }
+
+func GetLDAPEnabled() bool {
+	return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on"
+}
diff --git a/pkg/acl/const.go b/pkg/acl/const.go
@@ -18,4 +18,6 @@ package acl
 
 const (
 	consoleOperatorMode = "CONSOLE_OPERATOR_MODE"
+	// const for ldap configuration
+	ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED"
 )
diff --git a/pkg/acl/endpoints.go b/pkg/acl/endpoints.go
@@ -243,6 +243,17 @@ var healthInfoActionSet = ConfigurationActionSet{
 	),
 }
 
+var displayRules = map[string]func() bool{
+	// disable users page if LDAP is enabled
+	users: func() bool {
+		return !GetLDAPEnabled()
+	},
+	// disable groups page if LDAP is enabled
+	groups: func() bool {
+		return !GetLDAPEnabled()
+	},
+}
+
 // endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here
 var endpointRules = map[string]ConfigurationActionSet{
 	configuration:       configurationActionSet,
@@ -337,6 +348,15 @@ func GetAuthorizedEndpoints(actions []string) []string {
 	userAllowedAction := actionsStringToActionSet(actions)
 	var allowedEndpoints []string
 	for endpoint, rules := range rangeTake {
+
+		// check if display rule exists for this endpoint, this will control
+		// what user sees on the console UI
+		if rule, ok := displayRules[endpoint]; ok {
+			if rule != nil && !rule() {
+				continue
+			}
+		}
+
 		// check if user policy matches s3:* or admin:* typesIntersection
 		endpointActionTypes := rules.actionTypes
 		typesIntersection := endpointActionTypes.Intersection(userAllowedAction)
diff --git a/restapi/user_service_accounts.go b/restapi/user_service_accounts.go
@@ -58,7 +58,9 @@ func registerServiceAccountsHandlers(api *operations.ConsoleAPI) {
 
 // createServiceAccount adds a service account to the userClient and assigns a policy to him if defined.
 func createServiceAccount(ctx context.Context, userClient MinioAdmin, policy string) (*models.ServiceAccountCreds, error) {
-	iamPolicy := &iampolicy.Policy{}
+	// By default a nil policy will be used so the service account inherit the parent account policy, otherwise
+	// we override with the user provided iam policy
+	var iamPolicy *iampolicy.Policy
 	if strings.TrimSpace(policy) != "" {
 		iamp, err := iampolicy.ParseConfig(bytes.NewReader([]byte(policy)))
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -26,3 +26,7 @@ import (`
`26`	`26`	`func GetOperatorMode() bool {`
`27`	`27`	`return strings.ToLower(env.Get(consoleOperatorMode, "off")) == "on"`
`28`	`28`	`}`
	`29`	`+`
	`30`	`+func GetLDAPEnabled() bool {`
	`31`	`+ return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on"`
	`32`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,6 @@ package acl`
`18`	`18`
`19`	`19`	`const (`
`20`	`20`	`consoleOperatorMode = "CONSOLE_OPERATOR_MODE"`
	`21`	`+ // const for ldap configuration`
	`22`	`+ ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED"`
`21`	`23`	`)`