Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

iam: add IAM group management (#8560) 

* iam: add Group message to protobuf schema

Add Group message (name, members, policy_names, disabled) and
add groups field to S3ApiConfiguration for IAM group management
support (issue #7742).

* iam: add group CRUD to CredentialStore interface and all backends

Add group management methods (CreateGroup, GetGroup, DeleteGroup,
ListGroups, UpdateGroup) to the CredentialStore interface with
implementations for memory, filer_etc, postgres, and grpc stores.
Wire group loading/saving into filer_etc LoadConfiguration and
SaveConfiguration.

* iam: add group IAM response types

Add XML response types for group management IAM actions:
CreateGroup, DeleteGroup, GetGroup, ListGroups, AddUserToGroup,
RemoveUserFromGroup, AttachGroupPolicy, DetachGroupPolicy,
ListAttachedGroupPolicies, ListGroupsForUser.

* iam: add group management handlers to embedded IAM API

Add CreateGroup, DeleteGroup, GetGroup, ListGroups, AddUserToGroup,
RemoveUserFromGroup, AttachGroupPolicy, DetachGroupPolicy,
ListAttachedGroupPolicies, and ListGroupsForUser handlers with
dispatch in ExecuteAction.

* iam: add group management handlers to standalone IAM API

Add group handlers (CreateGroup, DeleteGroup, GetGroup, ListGroups,
AddUserToGroup, RemoveUserFromGroup, AttachGroupPolicy, DetachGroupPolicy,
ListAttachedGroupPolicies, ListGroupsForUser) and wire into DoActions
dispatch. Also add helper functions for user/policy side effects.

* iam: integrate group policies into authorization

Add groups and userGroups reverse index to IdentityAccessManagement.
Populate both maps during ReplaceS3ApiConfiguration and
MergeS3ApiConfiguration. Modify evaluateIAMPolicies to evaluate
policies from user's enabled groups in addition to user policies.
Update VerifyActionPermission to consider group policies when
checking hasAttachedPolicies.

* iam: add group side effects on user deletion and rename

When a user is deleted, remove them from all groups they belong to.
When a user is renamed, update group membership references. Applied
to both embedded and standalone IAM handlers.

* iam: watch /etc/iam/groups directory for config changes

Add groups directory to the filer subscription watcher so group
file changes trigger IAM configuration reloads.

* admin: add group management page to admin UI

Add groups page with CRUD operations, member management, policy
attachment, and enable/disable toggle. Register routes in admin
handlers and add Groups entry to sidebar navigation.

* test: add IAM group management integration tests

Add comprehensive integration tests for group CRUD, membership,
policy attachment, policy enforcement, disabled group behavior,
user deletion side effects, and multi-group membership. Add
"group" test type to CI matrix in s3-iam-tests workflow.

* iam: address PR review comments for group management

- Fix XSS vulnerability in groups.templ: replace innerHTML string
  concatenation with DOM APIs (createElement/textContent) for rendering
  member and policy lists
- Use userGroups reverse index in embedded IAM ListGroupsForUser for
  O(1) lookup instead of iterating all groups
- Add buildUserGroupsIndex helper in standalone IAM handlers; use it
  in ListGroupsForUser and removeUserFromAllGroups for efficient lookup
- Add note about gRPC store load-modify-save race condition limitation

* iam: add defensive copies, validation, and XSS fixes for group management

- Memory store: clone groups on store/retrieve to prevent mutation
- Admin dash: deep copy groups before mutation, validate user/policy exists
- HTTP handlers: translate credential errors to proper HTTP status codes,
  use *bool for Enabled field to distinguish missing vs false
- Groups templ: use data attributes + event delegation instead of inline
  onclick for XSS safety, prevent stale async responses

* iam: add explicit group methods to PropagatingCredentialStore

Add CreateGroup, GetGroup, DeleteGroup, ListGroups, and UpdateGroup
methods instead of relying on embedded interface fallthrough. Group
changes propagate via filer subscription so no RPC propagation needed.

* iam: detect postgres unique constraint violation and add groups index

Return ErrGroupAlreadyExists when INSERT hits SQLState 23505 instead of
a generic error. Add index on groups(disabled) for filtered queries.

* iam: add Marker field to group list response types

Add Marker string field to GetGroupResult, ListGroupsResult,
ListAttachedGroupPoliciesResult, and ListGroupsForUserResult to
match AWS IAM pagination response format.

* iam: check group attachment before policy deletion

Reject DeletePolicy if the policy is attached to any group, matching
AWS IAM behavior. Add PolicyArn to ListAttachedGroupPolicies response.

* iam: include group policies in IAM authorization

Merge policy names from user's enabled groups into the IAMIdentity
used for authorization, so group-attached policies are evaluated
alongside user-attached policies.

* iam: check for name collision before renaming user in UpdateUser

Scan identities and inline policies for newUserName before mutating,
returning EntityAlreadyExists if a collision is found. Reuse the
already-loaded policies instead of loading them again inside the loop.

* test: use t.Cleanup for bucket cleanup in group policy test

* iam: wrap ErrUserNotInGroup sentinel in RemoveGroupMember error

Wrap credential.ErrUserNotInGroup so errors.Is works in
groupErrorToHTTPStatus, returning proper 400 instead of 500.

* admin: regenerate groups_templ.go with XSS-safe data attributes

Regenerated from groups.templ which uses data-group-name attributes
instead of inline onclick with string interpolation.

* iam: add input validation and persist groups during migration

- Validate nil/empty group name in CreateGroup and UpdateGroup
- Save groups in migrateToMultiFile so they survive legacy migration

* admin: use groupErrorToHTTPStatus in GetGroupMembers and GetGroupPolicies

* iam: short-circuit UpdateUser when newUserName equals current name

* iam: require empty PolicyNames before group deletion

Reject DeleteGroup when group has attached policies, matching the
existing members check. Also fix GetGroup error handling in
DeletePolicy to only skip ErrGroupNotFound, not all errors.

* ci: add weed/pb/** to S3 IAM test trigger paths

* test: replace time.Sleep with require.Eventually for propagation waits

Use polling with timeout instead of fixed sleeps to reduce flakiness
in integration tests waiting for IAM policy propagation.

* fix: use credentialManager.GetPolicy for AttachGroupPolicy validation

Policies created via CreatePolicy through credentialManager are stored
in the credential store, not in s3cfg.Policies (which only has static
config policies). Change AttachGroupPolicy to use credentialManager.GetPolicy()
for policy existence validation.

* feat: add UpdateGroup handler to embedded IAM API

Add UpdateGroup action to enable/disable groups and rename groups
via the IAM API. This is a SeaweedFS extension (not in AWS SDK) used
by tests to toggle group disabled status.

* fix: authenticate raw IAM API calls in group tests

The embedded IAM endpoint rejects anonymous requests. Replace
callIAMAPI with callIAMAPIAuthenticated that uses JWT bearer token
authentication via the test framework.

* feat: add UpdateGroup handler to standalone IAM API

Mirror the embedded IAM UpdateGroup handler in the standalone IAM API
for parity.

* fix: add omitempty to Marker XML tags in group responses

Non-truncated responses should not emit an empty <Marker/> element.

* fix: distinguish backend errors from missing policies in AttachGroupPolicy

Return ServiceFailure for credential manager errors instead of masking
them as NoSuchEntity. Also switch ListGroupsForUser to use s3cfg.Groups
instead of in-memory reverse index to avoid stale data. Add duplicate
name check to UpdateGroup rename.

* fix: standalone IAM AttachGroupPolicy uses persisted policy store

Check managed policies from GetPolicies() instead of s3cfg.Policies
so dynamically created policies are found. Also add duplicate name
check to UpdateGroup rename.

* fix: rollback inline policies on UpdateUser PutPolicies failure

If PutPolicies fails after moving inline policies to the new username,
restore both the identity name and the inline policies map to their
original state to avoid a partial-write window.

* fix: correct test cleanup ordering for group tests

Replace scattered defers with single ordered t.Cleanup in each test
to ensure resources are torn down in reverse-creation order:
remove membership, detach policies, delete access keys, delete users,
delete groups, delete policies. Move bucket cleanup to parent test
scope and delete objects before bucket.

* fix: move identity nil check before map lookup and refine hasAttachedPolicies

Move the nil check on identity before accessing identity.Name to
prevent panic. Also refine hasAttachedPolicies to only consider groups
that are enabled and have actual policies attached, so membership in
a no-policy group doesn't incorrectly trigger IAM authorization.

* fix: fail group reload on unreadable or corrupt group files

Return errors instead of logging and continuing when group files
cannot be read or unmarshaled. This prevents silently applying a
partial IAM config with missing group memberships or policies.

* fix: use errors.Is for sql.ErrNoRows comparison in postgres group store

* docs: explain why group methods skip propagateChange

Group changes propagate to S3 servers via filer subscription
(watching /etc/iam/groups/) rather than gRPC RPCs, since there
are no group-specific RPCs in the S3 cache protocol.

* fix: remove unused policyNameFromArn and strings import

* fix: update service account ParentUser on user rename

When renaming a user via UpdateUser, also update ParentUser references
in service accounts to prevent them from becoming orphaned after the
next configuration reload.

* fix: wrap DetachGroupPolicy error with ErrPolicyNotAttached sentinel

Use credential.ErrPolicyNotAttached so groupErrorToHTTPStatus maps
it to 400 instead of falling back to 500.

* fix: use admin S3 client for bucket cleanup in enforcement test

The user S3 client may lack permissions by cleanup time since the
user is removed from the group in an earlier subtest. Use the admin
S3 client to ensure bucket and object cleanup always succeeds.

* fix: add nil guard for group param in propagating store log calls

Prevent potential nil dereference when logging group.Name in
CreateGroup and UpdateGroup of PropagatingCredentialStore.

* fix: validate Disabled field in UpdateGroup handlers

Reject values other than "true" or "false" with InvalidInputException
instead of silently treating them as false.

* fix: seed mergedGroups from existing groups in MergeS3ApiConfiguration

Previously the merge started with empty group maps, dropping any
static-file groups. Now seeds from existing iam.groups before
overlaying dynamic config, and builds the reverse index after
merging to avoid stale entries from overridden groups.

* fix: use errors.Is for filer_pb.ErrNotFound comparison in group loading

Replace direct equality (==) with errors.Is() to correctly match
wrapped errors, consistent with the rest of the codebase.

* fix: add ErrUserNotFound and ErrPolicyNotFound to groupErrorToHTTPStatus

Map these sentinel errors to 404 so AddGroupMember and
AttachGroupPolicy return proper HTTP status codes.

* fix: log cleanup errors in group integration tests

Replace fire-and-forget cleanup calls with error-checked versions
that log failures via t.Logf for debugging visibility.

* fix: prevent duplicate group test runs in CI matrix

The basic lane's -run "TestIAM" regex also matched TestIAMGroup*
tests, causing them to run in both the basic and group lanes.
Replace with explicit test function names.

* fix: add GIN index on groups.members JSONB for membership lookups

Without this index, ListGroupsForUser and membership queries
require full table scans on the groups table.

* fix: handle cross-directory moves in IAM config subscription

When a file is moved out of an IAM directory (e.g., /etc/iam/groups),
the dir variable was overwritten with NewParentPath, causing the
source directory change to be missed. Now also notifies handlers
about the source directory for cross-directory moves.

* fix: validate members/policies before deleting group in admin handler

AdminServer.DeleteGroup now checks for attached members and policies
before delegating to credentialManager, matching the IAM handler guards.

* fix: merge groups by name instead of blind append during filer load

Match the identity loader's merge behavior: find existing group
by name and replace, only append when no match exists. Prevents
duplicates when legacy and multi-file configs overlap.

* fix: check DeleteEntry response error when cleaning obsolete group files

Capture and log resp.Error from filer DeleteEntry calls during
group file cleanup, matching the pattern used in deleteGroupFile.

* fix: verify source user exists before no-op check in UpdateUser

Reorder UpdateUser to find the source identity first and return
NoSuchEntityException if not found, before checking if the rename
is a no-op. Previously a non-existent user renamed to itself
would incorrectly return success.

* fix: update service account parent refs on user rename in embedded IAM

The embedded IAM UpdateUser handler updated group membership but
not service account ParentUser fields, unlike the standalone handler.

* fix: replay source-side events for all handlers on cross-dir moves

Pass nil newEntry to bucket, IAM, and circuit-breaker handlers for
the source directory during cross-directory moves, so all watchers
can clear caches for the moved-away resource.

* fix: don't seed mergedGroups from existing iam.groups in merge

Groups are always dynamic (from filer), never static (from s3.config).
Seeding from iam.groups caused stale deleted groups to persist.
Now only uses config.Groups from the dynamic filer config.

* fix: add deferred user cleanup in TestIAMGroupUserDeletionSideEffect

Register t.Cleanup for the created user so it gets cleaned up
even if the test fails before the inline DeleteUser call.

* fix: assert UpdateGroup HTTP status in disabled group tests

Add require.Equal checks for 200 status after UpdateGroup calls
so the test fails immediately on API errors rather than relying
on the subsequent Eventually timeout.

* fix: trim whitespace from group name in filer store operations

Trim leading/trailing whitespace from group.Name before validation
in CreateGroup and UpdateGroup to prevent whitespace-only filenames.
Also merge groups by name during multi-file load to prevent duplicates.

* fix: add nil/empty group validation in gRPC store

Guard CreateGroup and UpdateGroup against nil group or empty name
to prevent panics and invalid persistence.

* fix: add nil/empty group validation in postgres store

Guard CreateGroup and UpdateGroup against nil group or empty name
to prevent panics from nil member access and empty-name row inserts.

* fix: add name collision check in embedded IAM UpdateUser

The embedded IAM handler renamed users without checking if the
target name already existed, unlike the standalone handler.

* fix: add ErrGroupNotEmpty sentinel and map to HTTP 409

AdminServer.DeleteGroup now wraps conflict errors with
ErrGroupNotEmpty, and groupErrorToHTTPStatus maps it to
409 Conflict instead of 500.

* fix: use appropriate error message in GetGroupDetails based on status

Return "Group not found" only for 404, use "Failed to retrieve group"
for other error statuses instead of always saying "Group not found".

* fix: use backend-normalized group.Name in CreateGroup response

After credentialManager.CreateGroup may normalize the name (e.g.,
trim whitespace), use group.Name instead of the raw input for
the returned GroupData to ensure consistency.

* fix: add nil/empty group validation in memory store

Guard CreateGroup and UpdateGroup against nil group or empty name
to prevent panics from nil pointer dereference on map access.

* fix: reorder embedded IAM UpdateUser to verify source first

Find the source identity before checking for collisions, matching
the standalone handler's logic. Previously a non-existent user
renamed to an existing name would get EntityAlreadyExists instead
of NoSuchEntity.

* fix: handle same-directory renames in metadata subscription

Replay a delete event for the old entry name during same-directory
renames so handlers like onBucketMetadataChange can clean up stale
state for the old name.

* fix: abort GetGroups on non-ErrGroupNotFound errors

Only skip groups that return ErrGroupNotFound. Other errors (e.g.,
transient backend failures) now abort the handler and return the
error to the caller instead of silently producing partial results.

* fix: add aria-label and title to icon-only group action buttons

Add accessible labels to View and Delete buttons so screen readers
and tooltips provide meaningful context.

* fix: validate group name in saveGroup to prevent invalid filenames

Trim whitespace and reject empty names before writing group JSON
files, preventing creation of files like ".json".

* fix: add /etc/iam/groups to filer subscription watched directories

The groups directory was missing from the watched directories list,
so S3 servers in a cluster would not detect group changes made by
other servers via filer. The onIamConfigChange handler already had
code to handle group directory changes but it was never triggered.

* add direct gRPC propagation for group changes to S3 servers

Groups now have the same dual propagation as identities and policies:
direct gRPC push via propagateChange + async filer subscription.

- Add PutGroup/RemoveGroup proto messages and RPCs
- Add PutGroup/RemoveGroup in-memory cache methods on IAM
- Add PutGroup/RemoveGroup gRPC server handlers
- Update PropagatingCredentialStore to call propagateChange on group mutations

* reduce log verbosity for config load summary

Change ReplaceS3ApiConfiguration log from Infof to V(1).Infof
to avoid noisy output on every config reload.

* admin: show user groups in view and edit user modals

- Add Groups field to UserDetails and populate from credential manager
- Show groups as badges in user details view modal
- Add group management to edit user modal: display current groups,
  add to group via dropdown, remove from group via badge x button

* fix: remove duplicate showAlert that broke modal-alerts.js

admin.js defined showAlert(type, message) which overwrote the
modal-alerts.js version showAlert(message, type), causing broken
unstyled alert boxes. Remove the duplicate and swap all callers
in admin.js to use the correct (message, type) argument order.

* fix: unwrap groups API response in edit user modal

The /api/groups endpoint returns {"groups": [...]}, not a bare array.

* Update object_store_users_templ.go

* test: assert AccessDenied error code in group denial tests

Replace plain assert.Error checks with awserr.Error type assertion
and AccessDenied code verification, matching the pattern used in
other IAM integration tests.

* fix: propagate GetGroups errors in ShowGroups handler

getGroupsPageData was swallowing errors and returning an empty page
with 200 status. Now returns the error so ShowGroups can respond
with a proper error status.

* fix: reject AttachGroupPolicy when credential manager is nil

Previously skipped policy existence validation when credentialManager
was nil, allowing attachment of nonexistent policies. Now returns
a ServiceFailureException error.

* fix: preserve groups during partial MergeS3ApiConfiguration updates

UpsertIdentity calls MergeS3ApiConfiguration with a partial config
containing only the updated identity (nil Groups). This was wiping
all in-memory group state. Now only replaces groups when
config.Groups is non-nil (full config reload).

* fix: propagate errors from group lookup in GetObjectStoreUserDetails

ListGroups and GetGroup errors were silently ignored, potentially
showing incomplete group data in the UI.

* fix: use DOM APIs for group badge remove button to prevent XSS

Replace innerHTML with onclick string interpolation with DOM
createElement + addEventListener pattern. Also add aria-label
and title to the add-to-group button.

* fix: snapshot group policies under RLock to prevent concurrent map access

evaluateIAMPolicies was copying the map reference via groupMap :=
iam.groups under RLock then iterating after RUnlock, while PutGroup
mutates the map in-place. Now copies the needed policy names into
a slice while holding the lock.

* fix: add nil IAM check to PutGroup and RemoveGroup gRPC handlers

Match the nil guard pattern used by PutPolicy/DeletePolicy to
prevent nil pointer dereference when IAM is not initialized.
pull/8580/head
Chris Lu 1 day ago
committed by GitHub
parent
115dcb5ada
commit
992db11d2b
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
41 changed files with 4766 additions and 329 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 13
      .github/workflows/s3-iam-tests.yml
  2. 5
      test/s3/iam/Makefile
  3. 792
      test/s3/iam/s3_iam_group_test.go
  4. 1
      weed/admin/dash/admin_data.go
  5. 250
      weed/admin/dash/group_management.go
  6. 24
      weed/admin/dash/types.go
  7. 18
      weed/admin/dash/user_management.go
  8. 17
      weed/admin/handlers/admin_handlers.go
  9. 271
      weed/admin/handlers/group_handlers.go
  10. 107
      weed/admin/static/js/admin.js
  11. 23
      weed/admin/static/js/iam-utils.js
  12. 443
      weed/admin/view/app/groups.templ
  13. 300
      weed/admin/view/app/groups_templ.go
  14. 125
      weed/admin/view/app/object_store_users.templ
  15. 2
      weed/admin/view/app/object_store_users_templ.go
  16. 5
      weed/admin/view/layout/layout.templ
  17. 14
      weed/admin/view/layout/layout_templ.go
  18. 22
      weed/credential/credential_manager.go
  19. 11
      weed/credential/credential_store.go
  20. 182
      weed/credential/filer_etc/filer_etc_group.go
  21. 55
      weed/credential/filer_etc/filer_etc_identity.go
  22. 87
      weed/credential/grpc/grpc_group.go
  23. 89
      weed/credential/memory/memory_group.go
  24. 4
      weed/credential/memory/memory_store.go
  25. 127
      weed/credential/postgres/postgres_group.go
  26. 28
      weed/credential/postgres/postgres_store.go
  27. 48
      weed/credential/propagating_store.go
  28. 90
      weed/iam/responses.go
  29. 329
      weed/iamapi/iamapi_group_handlers.go
  30. 174
      weed/iamapi/iamapi_management_handlers.go
  31. 12
      weed/iamapi/iamapi_response.go
  32. 22
      weed/pb/iam.proto
  33. 628
      weed/pb/iam_pb/iam.pb.go
  34. 2
      weed/pb/s3.proto
  35. 42
      weed/pb/s3_pb/s3.pb.go
  36. 76
      weed/pb/s3_pb/s3_grpc.pb.go
  37. 174
      weed/s3api/auth_credentials.go
  38. 23
      weed/s3api/auth_credentials_subscribe.go
  39. 432
      weed/s3api/s3api_embedded_iam.go
  40. 1
      weed/s3api/s3api_server.go
  41. 27
      weed/s3api/s3api_server_grpc.go

13
.github/workflows/s3-iam-tests.yml
View File

@ -5,6 +5,8 @@ on:
paths:
- 'weed/iam/**'
- 'weed/s3api/**'
- 'weed/credential/**'
- 'weed/pb/**'
- 'test/s3/iam/**'
- '.github/workflows/s3-iam-tests.yml'
push:
@ -12,6 +14,8 @@ on:
paths:
- 'weed/iam/**'
- 'weed/s3api/**'
- 'weed/credential/**'
- 'weed/pb/**'
- 'test/s3/iam/**'
- '.github/workflows/s3-iam-tests.yml'
@ -80,7 +84,7 @@ jobs:
timeout-minutes: 25
strategy:
matrix:
test-type: ["basic", "advanced", "policy-enforcement"]
test-type: ["basic", "advanced", "policy-enforcement", "group"]
steps:
- name: Check out code
@ -117,7 +121,7 @@ jobs:
"basic")
echo "Running basic IAM functionality tests..."
make clean setup start-services wait-for-services
go test -v -timeout 15m -run "TestS3IAMAuthentication|TestS3IAMBasicWorkflow|TestS3IAMTokenValidation|TestIAM" ./...
go test -v -timeout 15m -run "TestS3IAMAuthentication|TestS3IAMBasicWorkflow|TestS3IAMTokenValidation|TestIAMUserManagement|TestIAMAccessKeyManagement|TestIAMPolicyManagement" ./...
;;
"advanced")
echo "Running advanced IAM feature tests..."
@ -129,6 +133,11 @@ jobs:
make clean setup start-services wait-for-services
go test -v -timeout 15m -run "TestS3IAMPolicyEnforcement|TestS3IAMBucketPolicy|TestS3IAMContextual" ./...
;;
"group")
echo "Running IAM group management tests..."
make clean setup start-services wait-for-services
go test -v -timeout 15m -run "TestIAMGroup" ./...
;;
*)
echo "Unknown test type: ${{ matrix.test-type }}"
exit 1

5
test/s3/iam/Makefile
View File

@ -185,6 +185,9 @@ test-context: ## Test only contextual policy enforcement
test-presigned: ## Test only presigned URL integration
go test -v -run TestS3IAMPresignedURLIntegration ./...
test-group: ## Run IAM group management tests
go test -v -run "TestIAMGroup" ./...
test-sts: ## Run all STS tests
go test -v -run "TestSTS" ./...
@ -263,7 +266,7 @@ docker-build: ## Build custom SeaweedFS image for Docker tests
# All PHONY targets
.PHONY: test test-quick run-tests setup start-services stop-services wait-for-services clean logs status debug
.PHONY: test-auth test-policy test-expiration test-multipart test-bucket-policy test-context test-presigned test-sts test-sts-assume-role test-sts-ldap
.PHONY: test-auth test-policy test-expiration test-multipart test-bucket-policy test-context test-presigned test-group test-sts test-sts-assume-role test-sts-ldap
.PHONY: benchmark ci watch install-deps docker-test docker-up docker-down docker-logs docker-build
.PHONY: test-distributed test-performance test-stress test-versioning-stress test-keycloak-full test-all-previously-skipped setup-all-tests help-advanced

792
test/s3/iam/s3_iam_group_test.go
View File

@ -0,0 +1,792 @@
package iam
import (
"encoding/xml"
"io"
"net/http"
"net/url"
"strings"
"testing"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestIAMGroupLifecycle tests the full lifecycle of group management:
// CreateGroup, GetGroup, ListGroups, DeleteGroup
func TestIAMGroupLifecycle(t *testing.T) {
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
groupName := "test-group-lifecycle"
t.Run("create_group", func(t *testing.T) {
resp, err := iamClient.CreateGroup(&iam.CreateGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
assert.Equal(t, groupName, *resp.Group.GroupName)
})
t.Run("get_group", func(t *testing.T) {
resp, err := iamClient.GetGroup(&iam.GetGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
assert.Equal(t, groupName, *resp.Group.GroupName)
})
t.Run("list_groups_contains_created", func(t *testing.T) {
resp, err := iamClient.ListGroups(&iam.ListGroupsInput{})
require.NoError(t, err)
found := false
for _, g := range resp.Groups {
if *g.GroupName == groupName {
found = true
break
}
}
assert.True(t, found, "Created group should appear in ListGroups")
})
t.Run("create_duplicate_group_fails", func(t *testing.T) {
_, err := iamClient.CreateGroup(&iam.CreateGroupInput{
GroupName: aws.String(groupName),
})
assert.Error(t, err, "Creating a duplicate group should fail")
})
t.Run("delete_group", func(t *testing.T) {
_, err := iamClient.DeleteGroup(&iam.DeleteGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
// Verify it's gone
resp, err := iamClient.ListGroups(&iam.ListGroupsInput{})
require.NoError(t, err)
for _, g := range resp.Groups {
assert.NotEqual(t, groupName, *g.GroupName,
"Deleted group should not appear in ListGroups")
}
})
t.Run("delete_nonexistent_group_fails", func(t *testing.T) {
_, err := iamClient.DeleteGroup(&iam.DeleteGroupInput{
GroupName: aws.String("nonexistent-group-xyz"),
})
assert.Error(t, err)
})
}
// TestIAMGroupMembership tests adding and removing users from groups
func TestIAMGroupMembership(t *testing.T) {
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
groupName := "test-group-members"
userName := "test-user-for-group"
// Setup: create group and user
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
defer iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(groupName)})
_, err = iamClient.CreateUser(&iam.CreateUserInput{
UserName: aws.String(userName),
})
require.NoError(t, err)
defer iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)})
t.Run("add_user_to_group", func(t *testing.T) {
_, err := iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
})
require.NoError(t, err)
})
t.Run("get_group_shows_member", func(t *testing.T) {
resp, err := iamClient.GetGroup(&iam.GetGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
found := false
for _, u := range resp.Users {
if *u.UserName == userName {
found = true
break
}
}
assert.True(t, found, "Added user should appear in GetGroup members")
})
t.Run("list_groups_for_user", func(t *testing.T) {
resp, err := iamClient.ListGroupsForUser(&iam.ListGroupsForUserInput{
UserName: aws.String(userName),
})
require.NoError(t, err)
found := false
for _, g := range resp.Groups {
if *g.GroupName == groupName {
found = true
break
}
}
assert.True(t, found, "Group should appear in ListGroupsForUser")
})
t.Run("add_duplicate_member_is_idempotent", func(t *testing.T) {
_, err := iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
})
// Should succeed (idempotent) or return a benign error
// AWS IAM allows duplicate add without error
assert.NoError(t, err)
})
t.Run("remove_user_from_group", func(t *testing.T) {
_, err := iamClient.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
})
require.NoError(t, err)
// Verify removal
resp, err := iamClient.GetGroup(&iam.GetGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
for _, u := range resp.Users {
assert.NotEqual(t, userName, *u.UserName,
"Removed user should not appear in group members")
}
})
}
// TestIAMGroupPolicyAttachment tests attaching and detaching policies from groups
func TestIAMGroupPolicyAttachment(t *testing.T) {
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
groupName := "test-group-policies"
policyName := "test-group-attach-policy"
policyDoc := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"*"}]}`
// Setup: create group and policy
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
createPolicyResp, err := iamClient.CreatePolicy(&iam.CreatePolicyInput{
PolicyName: aws.String(policyName),
PolicyDocument: aws.String(policyDoc),
})
require.NoError(t, err)
policyArn := createPolicyResp.Policy.Arn
// Cleanup in correct order: detach policy, delete group, delete policy
t.Cleanup(func() {
if _, err := iamClient.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
GroupName: aws.String(groupName),
PolicyArn: policyArn,
}); err != nil {
t.Logf("cleanup: failed to detach group policy: %v", err)
}
if _, err := iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(groupName)}); err != nil {
t.Logf("cleanup: failed to delete group: %v", err)
}
if _, err := iamClient.DeletePolicy(&iam.DeletePolicyInput{PolicyArn: policyArn}); err != nil {
t.Logf("cleanup: failed to delete policy: %v", err)
}
})
t.Run("attach_group_policy", func(t *testing.T) {
_, err := iamClient.AttachGroupPolicy(&iam.AttachGroupPolicyInput{
GroupName: aws.String(groupName),
PolicyArn: policyArn,
})
require.NoError(t, err)
})
t.Run("list_attached_group_policies", func(t *testing.T) {
resp, err := iamClient.ListAttachedGroupPolicies(&iam.ListAttachedGroupPoliciesInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
found := false
for _, p := range resp.AttachedPolicies {
if *p.PolicyName == policyName {
found = true
break
}
}
assert.True(t, found, "Attached policy should appear in ListAttachedGroupPolicies")
})
t.Run("detach_group_policy", func(t *testing.T) {
_, err := iamClient.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
GroupName: aws.String(groupName),
PolicyArn: policyArn,
})
require.NoError(t, err)
// Verify detachment
resp, err := iamClient.ListAttachedGroupPolicies(&iam.ListAttachedGroupPoliciesInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
for _, p := range resp.AttachedPolicies {
assert.NotEqual(t, policyName, *p.PolicyName,
"Detached policy should not appear in ListAttachedGroupPolicies")
}
})
}
// TestIAMGroupPolicyEnforcement tests that group policies are enforced during S3 operations.
// Creates a user with no direct policies, adds them to a group with S3 access,
// and verifies they can access S3 through the group policy.
func TestIAMGroupPolicyEnforcement(t *testing.T) {
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
groupName := "test-enforcement-group"
userName := "test-enforcement-user"
policyName := "test-enforcement-policy"
bucketName := "test-group-enforce-bucket"
policyDoc := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::` + bucketName + `","arn:aws:s3:::` + bucketName + `/*"]}]}`
// Create user
_, err = iamClient.CreateUser(&iam.CreateUserInput{
UserName: aws.String(userName),
})
require.NoError(t, err)
// Create access key for the user
keyResp, err := iamClient.CreateAccessKey(&iam.CreateAccessKeyInput{
UserName: aws.String(userName),
})
require.NoError(t, err)
accessKeyId := *keyResp.AccessKey.AccessKeyId
secretKey := *keyResp.AccessKey.SecretAccessKey
// Create an S3 client with the user's credentials
userS3Client := createS3Client(t, accessKeyId, secretKey)
// Create group
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{
GroupName: aws.String(groupName),
})
require.NoError(t, err)
// Create policy
createPolicyResp, err := iamClient.CreatePolicy(&iam.CreatePolicyInput{
PolicyName: aws.String(policyName),
PolicyDocument: aws.String(policyDoc),
})
require.NoError(t, err)
policyArn := createPolicyResp.Policy.Arn
// Cleanup in correct order: remove user from group, detach policy,
// delete access key, delete user, delete group, delete policy
t.Cleanup(func() {
if _, err := iamClient.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
}); err != nil {
t.Logf("cleanup: failed to remove user from group: %v", err)
}
if _, err := iamClient.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
GroupName: aws.String(groupName),
PolicyArn: policyArn,
}); err != nil {
t.Logf("cleanup: failed to detach group policy: %v", err)
}
if _, err := iamClient.DeleteAccessKey(&iam.DeleteAccessKeyInput{
UserName: aws.String(userName),
AccessKeyId: keyResp.AccessKey.AccessKeyId,
}); err != nil {
t.Logf("cleanup: failed to delete access key: %v", err)
}
if _, err := iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)}); err != nil {
t.Logf("cleanup: failed to delete user: %v", err)
}
if _, err := iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(groupName)}); err != nil {
t.Logf("cleanup: failed to delete group: %v", err)
}
if _, err := iamClient.DeletePolicy(&iam.DeletePolicyInput{PolicyArn: policyArn}); err != nil {
t.Logf("cleanup: failed to delete policy: %v", err)
}
})
// Register bucket cleanup on parent test with admin credentials
// (userS3Client may lack permissions by cleanup time)
adminS3, err := framework.CreateS3ClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
t.Cleanup(func() {
if _, err := adminS3.DeleteObject(&s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String("test-key"),
}); err != nil {
t.Logf("cleanup: failed to delete object: %v", err)
}
if _, err := adminS3.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)}); err != nil {
t.Logf("cleanup: failed to delete bucket: %v", err)
}
})
t.Run("user_without_group_denied", func(t *testing.T) {
// User has no policies and is not in any group — should be denied
_, err := userS3Client.CreateBucket(&s3.CreateBucketInput{
Bucket: aws.String(bucketName),
})
require.Error(t, err, "User without any policies should be denied")
awsErr, ok := err.(awserr.Error)
require.True(t, ok, "Expected awserr.Error")
assert.Equal(t, "AccessDenied", awsErr.Code())
})
t.Run("user_with_group_policy_allowed", func(t *testing.T) {
// Attach policy to group
_, err := iamClient.AttachGroupPolicy(&iam.AttachGroupPolicyInput{
GroupName: aws.String(groupName),
PolicyArn: policyArn,
})
require.NoError(t, err)
// Add user to group
_, err = iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
})
require.NoError(t, err)
// Wait for policy propagation, then create bucket
require.Eventually(t, func() bool {
_, err = userS3Client.CreateBucket(&s3.CreateBucketInput{
Bucket: aws.String(bucketName),
})
return err == nil
}, 10*time.Second, 500*time.Millisecond, "User with group policy should be allowed")
// Should also be able to put/get objects
_, err = userS3Client.PutObject(&s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String("test-key"),
Body: aws.ReadSeekCloser(strings.NewReader("test-data")),
})
require.NoError(t, err, "User should be able to put objects through group policy")
})
t.Run("user_removed_from_group_denied", func(t *testing.T) {
// Remove user from group
_, err := iamClient.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
})
require.NoError(t, err)
// Wait for policy propagation — user should now be denied
var lastErr error
require.Eventually(t, func() bool {
_, lastErr = userS3Client.ListObjects(&s3.ListObjectsInput{
Bucket: aws.String(bucketName),
})
return lastErr != nil
}, 10*time.Second, 500*time.Millisecond, "User removed from group should be denied")
awsErr, ok := lastErr.(awserr.Error)
require.True(t, ok, "Expected awserr.Error")
assert.Equal(t, "AccessDenied", awsErr.Code())
})
}
// TestIAMGroupDisabledPolicyEnforcement tests that disabled groups do not contribute policies.
// Uses the raw IAM API (callIAMAPI) since the AWS SDK doesn't support custom group status.
func TestIAMGroupDisabledPolicyEnforcement(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSeaweedFSRunning(t) {
t.Skip("SeaweedFS is not running at", TestIAMEndpoint)
}
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
groupName := "test-disabled-group"
userName := "test-disabled-grp-user"
policyName := "test-disabled-grp-policy"
bucketName := "test-disabled-grp-bucket"
policyDoc := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::` + bucketName + `","arn:aws:s3:::` + bucketName + `/*"]}]}`
// Create user, group, policy
_, err = iamClient.CreateUser(&iam.CreateUserInput{UserName: aws.String(userName)})
require.NoError(t, err)
keyResp, err := iamClient.CreateAccessKey(&iam.CreateAccessKeyInput{UserName: aws.String(userName)})
require.NoError(t, err)
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{GroupName: aws.String(groupName)})
require.NoError(t, err)
createPolicyResp, err := iamClient.CreatePolicy(&iam.CreatePolicyInput{
PolicyName: aws.String(policyName), PolicyDocument: aws.String(policyDoc),
})
require.NoError(t, err)
// Cleanup in correct order: remove user from group, detach policy,
// delete access key, delete user, delete group, delete policy
t.Cleanup(func() {
if _, err := iamClient.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: aws.String(groupName), UserName: aws.String(userName),
}); err != nil {
t.Logf("cleanup: failed to remove user from group: %v", err)
}
if _, err := iamClient.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
GroupName: aws.String(groupName),
PolicyArn: aws.String("arn:aws:iam:::policy/" + policyName),
}); err != nil {
t.Logf("cleanup: failed to detach group policy: %v", err)
}
if _, err := iamClient.DeleteAccessKey(&iam.DeleteAccessKeyInput{
UserName: aws.String(userName), AccessKeyId: keyResp.AccessKey.AccessKeyId,
}); err != nil {
t.Logf("cleanup: failed to delete access key: %v", err)
}
if _, err := iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)}); err != nil {
t.Logf("cleanup: failed to delete user: %v", err)
}
if _, err := iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(groupName)}); err != nil {
t.Logf("cleanup: failed to delete group: %v", err)
}
if _, err := iamClient.DeletePolicy(&iam.DeletePolicyInput{PolicyArn: createPolicyResp.Policy.Arn}); err != nil {
t.Logf("cleanup: failed to delete policy: %v", err)
}
})
// Setup: attach policy, add user, create bucket with admin
_, err = iamClient.AttachGroupPolicy(&iam.AttachGroupPolicyInput{
GroupName: aws.String(groupName), PolicyArn: createPolicyResp.Policy.Arn,
})
require.NoError(t, err)
_, err = iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(groupName), UserName: aws.String(userName),
})
require.NoError(t, err)
userS3Client := createS3Client(t, *keyResp.AccessKey.AccessKeyId, *keyResp.AccessKey.SecretAccessKey)
// Create bucket using admin first so we can test listing
adminS3, err := framework.CreateS3ClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
_, err = adminS3.CreateBucket(&s3.CreateBucketInput{Bucket: aws.String(bucketName)})
require.NoError(t, err)
defer adminS3.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)})
t.Run("enabled_group_allows_access", func(t *testing.T) {
require.Eventually(t, func() bool {
_, err := userS3Client.ListObjects(&s3.ListObjectsInput{
Bucket: aws.String(bucketName),
})
return err == nil
}, 10*time.Second, 500*time.Millisecond, "User in enabled group should have access")
})
t.Run("disabled_group_denies_access", func(t *testing.T) {
// Disable group via raw IAM API (no SDK support for this extension)
resp, err := callIAMAPIAuthenticated(t, framework, "UpdateGroup", url.Values{
"GroupName": {groupName},
"Disabled": {"true"},
})
require.NoError(t, err)
defer resp.Body.Close()
require.Equal(t, http.StatusOK, resp.StatusCode, "UpdateGroup (disable) should return 200")
// Wait for propagation — user should be denied
var lastErr error
require.Eventually(t, func() bool {
_, lastErr = userS3Client.ListObjects(&s3.ListObjectsInput{
Bucket: aws.String(bucketName),
})
return lastErr != nil
}, 10*time.Second, 500*time.Millisecond, "User in disabled group should be denied access")
awsErr, ok := lastErr.(awserr.Error)
require.True(t, ok, "Expected awserr.Error")
assert.Equal(t, "AccessDenied", awsErr.Code())
})
t.Run("re_enabled_group_restores_access", func(t *testing.T) {
// Re-enable the group
resp, err := callIAMAPIAuthenticated(t, framework, "UpdateGroup", url.Values{
"GroupName": {groupName},
"Disabled": {"false"},
})
require.NoError(t, err)
defer resp.Body.Close()
require.Equal(t, http.StatusOK, resp.StatusCode, "UpdateGroup (re-enable) should return 200")
// Wait for propagation — user should have access again
require.Eventually(t, func() bool {
_, err = userS3Client.ListObjects(&s3.ListObjectsInput{
Bucket: aws.String(bucketName),
})
return err == nil
}, 10*time.Second, 500*time.Millisecond, "User in re-enabled group should have access again")
})
}
// TestIAMGroupUserDeletionSideEffect tests that deleting a user removes them from all groups.
func TestIAMGroupUserDeletionSideEffect(t *testing.T) {
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
groupName := "test-deletion-group"
userName := "test-deletion-user"
// Create group and user
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{GroupName: aws.String(groupName)})
require.NoError(t, err)
defer iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(groupName)})
_, err = iamClient.CreateUser(&iam.CreateUserInput{UserName: aws.String(userName)})
require.NoError(t, err)
t.Cleanup(func() {
// Best-effort: user may already be deleted by the test
iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)})
})
// Add user to group
_, err = iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(groupName),
UserName: aws.String(userName),
})
require.NoError(t, err)
// Verify user is in group
getResp, err := iamClient.GetGroup(&iam.GetGroupInput{GroupName: aws.String(groupName)})
require.NoError(t, err)
assert.Len(t, getResp.Users, 1, "Group should have 1 member before deletion")
// Delete the user
_, err = iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)})
require.NoError(t, err)
// Verify user was removed from the group
getResp, err = iamClient.GetGroup(&iam.GetGroupInput{GroupName: aws.String(groupName)})
require.NoError(t, err)
assert.Empty(t, getResp.Users, "Group should have no members after user deletion")
}
// TestIAMGroupMultipleGroups tests that a user can belong to multiple groups
// and inherits policies from all of them.
func TestIAMGroupMultipleGroups(t *testing.T) {
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole")
require.NoError(t, err)
group1 := "test-multi-group-1"
group2 := "test-multi-group-2"
userName := "test-multi-group-user"
// Create two groups
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{GroupName: aws.String(group1)})
require.NoError(t, err)
defer iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(group1)})
_, err = iamClient.CreateGroup(&iam.CreateGroupInput{GroupName: aws.String(group2)})
require.NoError(t, err)
defer iamClient.DeleteGroup(&iam.DeleteGroupInput{GroupName: aws.String(group2)})
// Create user
_, err = iamClient.CreateUser(&iam.CreateUserInput{UserName: aws.String(userName)})
require.NoError(t, err)
defer func() {
iamClient.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: aws.String(group1), UserName: aws.String(userName),
})
iamClient.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: aws.String(group2), UserName: aws.String(userName),
})
iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)})
}()
// Add user to both groups
_, err = iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(group1), UserName: aws.String(userName),
})
require.NoError(t, err)
_, err = iamClient.AddUserToGroup(&iam.AddUserToGroupInput{
GroupName: aws.String(group2), UserName: aws.String(userName),
})
require.NoError(t, err)
// Verify user appears in both groups
resp, err := iamClient.ListGroupsForUser(&iam.ListGroupsForUserInput{
UserName: aws.String(userName),
})
require.NoError(t, err)
groupNames := make(map[string]bool)
for _, g := range resp.Groups {
groupNames[*g.GroupName] = true
}
assert.True(t, groupNames[group1], "User should be in group 1")
assert.True(t, groupNames[group2], "User should be in group 2")
}
// --- Response types for raw IAM API calls ---
type CreateGroupResponse struct {
XMLName xml.Name `xml:"CreateGroupResponse"`
CreateGroupResult struct {
Group struct {
GroupName string `xml:"GroupName"`
} `xml:"Group"`
} `xml:"CreateGroupResult"`
}
type ListGroupsResponse struct {
XMLName xml.Name `xml:"ListGroupsResponse"`
ListGroupsResult struct {
Groups []struct {
GroupName string `xml:"GroupName"`
} `xml:"Groups>member"`
} `xml:"ListGroupsResult"`
}
// callIAMAPIAuthenticated sends an authenticated raw IAM API request using the
// framework's JWT token. This is needed for custom extensions not in the AWS SDK
// (like UpdateGroup with Disabled parameter).
func callIAMAPIAuthenticated(_ *testing.T, framework *S3IAMTestFramework, action string, params url.Values) (*http.Response, error) {
params.Set("Action", action)
req, err := http.NewRequest(http.MethodPost, TestIAMEndpoint+"/",
strings.NewReader(params.Encode()))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
token, err := framework.generateSTSSessionToken("admin-user", "TestAdminRole", time.Hour, "", nil)
if err != nil {
return nil, err
}
client := &http.Client{
Timeout: 30 * time.Second,
Transport: &BearerTokenTransport{Token: token},
}
return client.Do(req)
}
// TestIAMGroupRawAPI tests group operations using raw HTTP IAM API calls,
// verifying XML response format for group operations.
func TestIAMGroupRawAPI(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSeaweedFSRunning(t) {
t.Skip("SeaweedFS is not running at", TestIAMEndpoint)
}
framework := NewS3IAMTestFramework(t)
defer framework.Cleanup()
groupName := "test-raw-api-group"
t.Run("create_group_raw", func(t *testing.T) {
resp, err := callIAMAPIAuthenticated(t, framework, "CreateGroup", url.Values{
"GroupName": {groupName},
})
require.NoError(t, err)
defer resp.Body.Close()
assert.Equal(t, http.StatusOK, resp.StatusCode)
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var createResp CreateGroupResponse
err = xml.Unmarshal(body, &createResp)
require.NoError(t, err)
assert.Equal(t, groupName, createResp.CreateGroupResult.Group.GroupName)
})
t.Run("list_groups_raw", func(t *testing.T) {
resp, err := callIAMAPIAuthenticated(t, framework, "ListGroups", url.Values{})
require.NoError(t, err)
defer resp.Body.Close()
assert.Equal(t, http.StatusOK, resp.StatusCode)
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var listResp ListGroupsResponse
err = xml.Unmarshal(body, &listResp)
require.NoError(t, err)
found := false
for _, g := range listResp.ListGroupsResult.Groups {
if g.GroupName == groupName {
found = true
break
}
}
assert.True(t, found, "Created group should appear in raw ListGroups")
})
t.Run("delete_group_raw", func(t *testing.T) {
resp, err := callIAMAPIAuthenticated(t, framework, "DeleteGroup", url.Values{
"GroupName": {groupName},
})
require.NoError(t, err)
defer resp.Body.Close()
assert.Equal(t, http.StatusOK, resp.StatusCode)
})
}
// createS3Client creates an S3 client with static credentials
func createS3Client(t *testing.T, accessKey, secretKey string) *s3.S3 {
sess, err := session.NewSession(&aws.Config{
Region: aws.String("us-east-1"),
Endpoint: aws.String(TestS3Endpoint),
Credentials: credentials.NewStaticCredentials(accessKey, secretKey, ""),
DisableSSL: aws.Bool(true),
S3ForcePathStyle: aws.Bool(true),
})
require.NoError(t, err)
return s3.New(sess)
}

1
weed/admin/dash/admin_data.go
View File

@ -90,6 +90,7 @@ type UserDetails struct {
Actions []string `json:"actions"`
PolicyNames []string `json:"policy_names"`
AccessKeys []AccessKeyInfo `json:"access_keys"`
Groups []string `json:"groups"`
}
type FilerNode struct {

250
weed/admin/dash/group_management.go
View File

@ -0,0 +1,250 @@
package dash
import (
"context"
"errors"
"fmt"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
// cloneGroup creates a deep copy of an iam_pb.Group to avoid mutating stored state.
func cloneGroup(g *iam_pb.Group) *iam_pb.Group {
clone := &iam_pb.Group{
Name: g.Name,
Disabled: g.Disabled,
}
if g.Members != nil {
clone.Members = make([]string, len(g.Members))
copy(clone.Members, g.Members)
}
if g.PolicyNames != nil {
clone.PolicyNames = make([]string, len(g.PolicyNames))
copy(clone.PolicyNames, g.PolicyNames)
}
return clone
}
func (s *AdminServer) GetGroups(ctx context.Context) ([]GroupData, error) {
if s.credentialManager == nil {
return nil, fmt.Errorf("credential manager not available")
}
groupNames, err := s.credentialManager.ListGroups(ctx)
if err != nil {
return nil, fmt.Errorf("failed to list groups: %w", err)
}
var groups []GroupData
for _, name := range groupNames {
g, err := s.credentialManager.GetGroup(ctx, name)
if err != nil {
if errors.Is(err, credential.ErrGroupNotFound) {
glog.V(1).Infof("Group %s listed but not found, skipping", name)
continue
}
return nil, fmt.Errorf("failed to get group %s: %w", name, err)
}
status := "enabled"
if g.Disabled {
status = "disabled"
}
groups = append(groups, GroupData{
Name: g.Name,
MemberCount: len(g.Members),
PolicyCount: len(g.PolicyNames),
Status: status,
Members: g.Members,
PolicyNames: g.PolicyNames,
})
}
return groups, nil
}
func (s *AdminServer) GetGroupDetails(ctx context.Context, name string) (*GroupData, error) {
if s.credentialManager == nil {
return nil, fmt.Errorf("credential manager not available")
}
g, err := s.credentialManager.GetGroup(ctx, name)
if err != nil {
return nil, fmt.Errorf("failed to get group: %w", err)
}
status := "enabled"
if g.Disabled {
status = "disabled"
}
return &GroupData{
Name: g.Name,
MemberCount: len(g.Members),
PolicyCount: len(g.PolicyNames),
Status: status,
Members: g.Members,
PolicyNames: g.PolicyNames,
}, nil
}
func (s *AdminServer) CreateGroup(ctx context.Context, name string) (*GroupData, error) {
if s.credentialManager == nil {
return nil, fmt.Errorf("credential manager not available")
}
group := &iam_pb.Group{Name: name}
if err := s.credentialManager.CreateGroup(ctx, group); err != nil {
return nil, fmt.Errorf("failed to create group: %w", err)
}
glog.V(1).Infof("Created group %s", group.Name)
return &GroupData{
Name: group.Name,
Status: "enabled",
}, nil
}
func (s *AdminServer) DeleteGroup(ctx context.Context, name string) error {
if s.credentialManager == nil {
return fmt.Errorf("credential manager not available")
}
// Check for members and attached policies before deleting (same guards as IAM handlers)
g, err := s.credentialManager.GetGroup(ctx, name)
if err != nil {
return fmt.Errorf("failed to get group: %w", err)
}
if len(g.Members) > 0 {
return fmt.Errorf("cannot delete group %s: group has %d member(s): %w", name, len(g.Members), credential.ErrGroupNotEmpty)
}
if len(g.PolicyNames) > 0 {
return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies): %w", name, len(g.PolicyNames), credential.ErrGroupNotEmpty)
}
if err := s.credentialManager.DeleteGroup(ctx, name); err != nil {
return fmt.Errorf("failed to delete group: %w", err)
}
glog.V(1).Infof("Deleted group %s", name)
return nil
}
func (s *AdminServer) AddGroupMember(ctx context.Context, groupName, username string) error {
if s.credentialManager == nil {
return fmt.Errorf("credential manager not available")
}
g, err := s.credentialManager.GetGroup(ctx, groupName)
if err != nil {
return fmt.Errorf("failed to get group: %w", err)
}
g = cloneGroup(g)
if _, err := s.credentialManager.GetUser(ctx, username); err != nil {
return fmt.Errorf("user %s not found: %w", username, err)
}
for _, m := range g.Members {
if m == username {
return nil // already a member
}
}
g.Members = append(g.Members, username)
if err := s.credentialManager.UpdateGroup(ctx, g); err != nil {
return fmt.Errorf("failed to update group: %w", err)
}
glog.V(1).Infof("Added user %s to group %s", username, groupName)
return nil
}
func (s *AdminServer) RemoveGroupMember(ctx context.Context, groupName, username string) error {
if s.credentialManager == nil {
return fmt.Errorf("credential manager not available")
}
g, err := s.credentialManager.GetGroup(ctx, groupName)
if err != nil {
return fmt.Errorf("failed to get group: %w", err)
}
g = cloneGroup(g)
found := false
var newMembers []string
for _, m := range g.Members {
if m == username {
found = true
} else {
newMembers = append(newMembers, m)
}
}
if !found {
return fmt.Errorf("user %s is not a member of group %s: %w", username, groupName, credential.ErrUserNotInGroup)
}
g.Members = newMembers
if err := s.credentialManager.UpdateGroup(ctx, g); err != nil {
return fmt.Errorf("failed to update group: %w", err)
}
glog.V(1).Infof("Removed user %s from group %s", username, groupName)
return nil
}
func (s *AdminServer) AttachGroupPolicy(ctx context.Context, groupName, policyName string) error {
if s.credentialManager == nil {
return fmt.Errorf("credential manager not available")
}
g, err := s.credentialManager.GetGroup(ctx, groupName)
if err != nil {
return fmt.Errorf("failed to get group: %w", err)
}
g = cloneGroup(g)
if _, err := s.credentialManager.GetPolicy(ctx, policyName); err != nil {
return fmt.Errorf("policy %s not found: %w", policyName, err)
}
for _, p := range g.PolicyNames {
if p == policyName {
return nil // already attached
}
}
g.PolicyNames = append(g.PolicyNames, policyName)
if err := s.credentialManager.UpdateGroup(ctx, g); err != nil {
return fmt.Errorf("failed to update group: %w", err)
}
glog.V(1).Infof("Attached policy %s to group %s", policyName, groupName)
return nil
}
func (s *AdminServer) DetachGroupPolicy(ctx context.Context, groupName, policyName string) error {
if s.credentialManager == nil {
return fmt.Errorf("credential manager not available")
}
g, err := s.credentialManager.GetGroup(ctx, groupName)
if err != nil {
return fmt.Errorf("failed to get group: %w", err)
}
g = cloneGroup(g)
found := false
var newPolicies []string
for _, p := range g.PolicyNames {
if p == policyName {
found = true
} else {
newPolicies = append(newPolicies, p)
}
}
if !found {
return fmt.Errorf("policy %s is not attached to group %s: %w", policyName, groupName, credential.ErrPolicyNotAttached)
}
g.PolicyNames = newPolicies
if err := s.credentialManager.UpdateGroup(ctx, g); err != nil {
return fmt.Errorf("failed to update group: %w", err)
}
glog.V(1).Infof("Detached policy %s from group %s", policyName, groupName)
return nil
}
func (s *AdminServer) SetGroupStatus(ctx context.Context, groupName string, enabled bool) error {
if s.credentialManager == nil {
return fmt.Errorf("credential manager not available")
}
g, err := s.credentialManager.GetGroup(ctx, groupName)
if err != nil {
return fmt.Errorf("failed to get group: %w", err)
}
g = cloneGroup(g)
g.Disabled = !enabled
if err := s.credentialManager.UpdateGroup(ctx, g); err != nil {
return fmt.Errorf("failed to update group: %w", err)
}
glog.V(1).Infof("Set group %s status to enabled=%v", groupName, enabled)
return nil
}

24
weed/admin/dash/types.go
View File

@ -589,6 +589,30 @@ type UpdateServiceAccountRequest struct {
Expiration string `json:"expiration,omitempty"`
}
// Group management structures
type GroupData struct {
Name string `json:"name"`
MemberCount int `json:"member_count"`
PolicyCount int `json:"policy_count"`
Status string `json:"status"` // "enabled" or "disabled"
Members []string `json:"members"`
PolicyNames []string `json:"policy_names"`
}
type GroupsPageData struct {
Username string `json:"username"`
Groups []GroupData `json:"groups"`
TotalGroups int `json:"total_groups"`
ActiveGroups int `json:"active_groups"`
AvailableUsers []string `json:"available_users"`
AvailablePolicies []string `json:"available_policies"`
LastUpdated time.Time `json:"last_updated"`
}
type CreateGroupRequest struct {
Name string `json:"name"`
}
// STS Configuration display types
type STSConfigData struct {
Enabled bool `json:"enabled"`

18
weed/admin/dash/user_management.go
View File

@ -187,6 +187,24 @@ func (s *AdminServer) GetObjectStoreUserDetails(username string) (*UserDetails,
details.Email = identity.Account.EmailAddress
}
// Look up groups the user belongs to
groupNames, err := s.credentialManager.ListGroups(ctx)
if err != nil {
return nil, fmt.Errorf("failed to list groups: %w", err)
}
for _, gName := range groupNames {
g, err := s.credentialManager.GetGroup(ctx, gName)
if err != nil {
return nil, fmt.Errorf("failed to get group %s: %w", gName, err)
}
for _, member := range g.Members {
if member == username {
details.Groups = append(details.Groups, gName)
break
}
}
}
// Convert credentials to access key info
for _, cred := range identity.Credentials {
details.AccessKeys = append(details.AccessKeys, AccessKeyInfo{

17
weed/admin/handlers/admin_handlers.go
View File

@ -28,6 +28,7 @@ type AdminHandlers struct {
pluginHandlers *PluginHandlers
mqHandlers *MessageQueueHandlers
serviceAccountHandlers *ServiceAccountHandlers
groupHandlers *GroupHandlers
}
// NewAdminHandlers creates a new instance of AdminHandlers
@ -40,6 +41,7 @@ func NewAdminHandlers(adminServer *dash.AdminServer, store sessions.Store) *Admi
pluginHandlers := NewPluginHandlers(adminServer)
mqHandlers := NewMessageQueueHandlers(adminServer)
serviceAccountHandlers := NewServiceAccountHandlers(adminServer)
groupHandlers := NewGroupHandlers(adminServer)
return &AdminHandlers{
adminServer: adminServer,
sessionStore: store,
@ -51,6 +53,7 @@ func NewAdminHandlers(adminServer *dash.AdminServer, store sessions.Store) *Admi
pluginHandlers: pluginHandlers,
mqHandlers: mqHandlers,
serviceAccountHandlers: serviceAccountHandlers,
groupHandlers: groupHandlers,
}
}
@ -104,6 +107,7 @@ func (h *AdminHandlers) registerUIRoutes(r *mux.Router) {
r.HandleFunc("/object-store/buckets/{bucket}", h.ShowBucketDetails).Methods(http.MethodGet)
r.HandleFunc("/object-store/users", h.userHandlers.ShowObjectStoreUsers).Methods(http.MethodGet)
r.HandleFunc("/object-store/policies", h.policyHandlers.ShowPolicies).Methods(http.MethodGet)
r.HandleFunc("/object-store/groups", h.groupHandlers.ShowGroups).Methods(http.MethodGet)
r.HandleFunc("/object-store/service-accounts", h.serviceAccountHandlers.ShowServiceAccounts).Methods(http.MethodGet)
r.HandleFunc("/object-store/s3tables/buckets", h.ShowS3TablesBuckets).Methods(http.MethodGet)
r.HandleFunc("/object-store/s3tables/buckets/{bucket}/namespaces", h.ShowS3TablesNamespaces).Methods(http.MethodGet)
@ -185,6 +189,19 @@ func (h *AdminHandlers) registerAPIRoutes(api *mux.Router, enforceWrite bool) {
saApi.Handle("/{id}", wrapWrite(h.serviceAccountHandlers.UpdateServiceAccount)).Methods(http.MethodPut)
saApi.Handle("/{id}", wrapWrite(h.serviceAccountHandlers.DeleteServiceAccount)).Methods(http.MethodDelete)
groupsApi := api.PathPrefix("/groups").Subrouter()
groupsApi.HandleFunc("", h.groupHandlers.GetGroups).Methods(http.MethodGet)
groupsApi.Handle("", wrapWrite(h.groupHandlers.CreateGroup)).Methods(http.MethodPost)
groupsApi.HandleFunc("/{name}", h.groupHandlers.GetGroupDetails).Methods(http.MethodGet)
groupsApi.Handle("/{name}", wrapWrite(h.groupHandlers.DeleteGroup)).Methods(http.MethodDelete)
groupsApi.Handle("/{name}/status", wrapWrite(h.groupHandlers.SetGroupStatus)).Methods(http.MethodPut)
groupsApi.HandleFunc("/{name}/members", h.groupHandlers.GetGroupMembers).Methods(http.MethodGet)
groupsApi.Handle("/{name}/members", wrapWrite(h.groupHandlers.AddGroupMember)).Methods(http.MethodPost)
groupsApi.Handle("/{name}/members/{username}", wrapWrite(h.groupHandlers.RemoveGroupMember)).Methods(http.MethodDelete)
groupsApi.HandleFunc("/{name}/policies", h.groupHandlers.GetGroupPolicies).Methods(http.MethodGet)
groupsApi.Handle("/{name}/policies", wrapWrite(h.groupHandlers.AttachGroupPolicy)).Methods(http.MethodPost)
groupsApi.Handle("/{name}/policies/{policyName}", wrapWrite(h.groupHandlers.DetachGroupPolicy)).Methods(http.MethodDelete)
policyApi := api.PathPrefix("/object-store/policies").Subrouter()
policyApi.HandleFunc("", h.policyHandlers.GetPolicies).Methods(http.MethodGet)
policyApi.Handle("", wrapWrite(h.policyHandlers.CreatePolicy)).Methods(http.MethodPost)

271
weed/admin/handlers/group_handlers.go
View File

@ -0,0 +1,271 @@
package handlers
import (
"bytes"
"errors"
"net/http"
"time"
"github.com/gorilla/mux"
"github.com/seaweedfs/seaweedfs/weed/admin/dash"
"github.com/seaweedfs/seaweedfs/weed/admin/view/app"
"github.com/seaweedfs/seaweedfs/weed/admin/view/layout"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/glog"
)
func groupErrorToHTTPStatus(err error) int {
if errors.Is(err, credential.ErrGroupNotFound) {
return http.StatusNotFound
}
if errors.Is(err, credential.ErrGroupAlreadyExists) {
return http.StatusConflict
}
if errors.Is(err, credential.ErrUserNotInGroup) {
return http.StatusBadRequest
}
if errors.Is(err, credential.ErrPolicyNotAttached) {
return http.StatusBadRequest
}
if errors.Is(err, credential.ErrUserNotFound) {
return http.StatusNotFound
}
if errors.Is(err, credential.ErrPolicyNotFound) {
return http.StatusNotFound
}
if errors.Is(err, credential.ErrGroupNotEmpty) {
return http.StatusConflict
}
return http.StatusInternalServerError
}
type GroupHandlers struct {
adminServer *dash.AdminServer
}
func NewGroupHandlers(adminServer *dash.AdminServer) *GroupHandlers {
return &GroupHandlers{adminServer: adminServer}
}
func (h *GroupHandlers) ShowGroups(w http.ResponseWriter, r *http.Request) {
data, err := h.getGroupsPageData(r)
if err != nil {
glog.Errorf("Failed to get groups data: %v", err)
writeJSONError(w, http.StatusInternalServerError, "Failed to load groups: "+err.Error())
return
}
var buf bytes.Buffer
component := app.Groups(data)
viewCtx := layout.NewViewContext(r, dash.UsernameFromContext(r.Context()), dash.CSRFTokenFromContext(r.Context()))
layoutComponent := layout.Layout(viewCtx, component)
if err := layoutComponent.Render(r.Context(), &buf); err != nil {
glog.Errorf("Failed to render groups template: %v", err)
w.WriteHeader(http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "text/html")
_, _ = w.Write(buf.Bytes())
}
func (h *GroupHandlers) GetGroups(w http.ResponseWriter, r *http.Request) {
groups, err := h.adminServer.GetGroups(r.Context())
if err != nil {
glog.Errorf("Failed to get groups: %v", err)
writeJSONError(w, http.StatusInternalServerError, "Failed to get groups")
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{"groups": groups})
}
func (h *GroupHandlers) CreateGroup(w http.ResponseWriter, r *http.Request) {
var req dash.CreateGroupRequest
if err := decodeJSONBody(newJSONMaxReader(w, r), &req); err != nil {
writeJSONError(w, http.StatusBadRequest, "Invalid request: "+err.Error())
return
}
if req.Name == "" {
writeJSONError(w, http.StatusBadRequest, "Group name is required")
return
}
group, err := h.adminServer.CreateGroup(r.Context(), req.Name)
if err != nil {
glog.Errorf("Failed to create group: %v", err)
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to create group: "+err.Error())
return
}
writeJSON(w, http.StatusOK, group)
}
func (h *GroupHandlers) GetGroupDetails(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
group, err := h.adminServer.GetGroupDetails(r.Context(), name)
if err != nil {
glog.Errorf("Failed to get group details: %v", err)
status := groupErrorToHTTPStatus(err)
msg := "Failed to retrieve group"
if status == http.StatusNotFound {
msg = "Group not found"
}
writeJSONError(w, status, msg)
return
}
writeJSON(w, http.StatusOK, group)
}
func (h *GroupHandlers) DeleteGroup(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
if err := h.adminServer.DeleteGroup(r.Context(), name); err != nil {
glog.Errorf("Failed to delete group: %v", err)
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to delete group: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "Group deleted successfully"})
}
func (h *GroupHandlers) GetGroupMembers(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
group, err := h.adminServer.GetGroupDetails(r.Context(), name)
if err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to get group: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{"members": group.Members})
}
func (h *GroupHandlers) AddGroupMember(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
var req struct {
Username string `json:"username"`
}
if err := decodeJSONBody(newJSONMaxReader(w, r), &req); err != nil {
writeJSONError(w, http.StatusBadRequest, "Invalid request: "+err.Error())
return
}
if req.Username == "" {
writeJSONError(w, http.StatusBadRequest, "Username is required")
return
}
if err := h.adminServer.AddGroupMember(r.Context(), name, req.Username); err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to add member: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "Member added successfully"})
}
func (h *GroupHandlers) RemoveGroupMember(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
username := mux.Vars(r)["username"]
if err := h.adminServer.RemoveGroupMember(r.Context(), name, username); err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to remove member: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "Member removed successfully"})
}
func (h *GroupHandlers) GetGroupPolicies(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
group, err := h.adminServer.GetGroupDetails(r.Context(), name)
if err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to get group: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{"policies": group.PolicyNames})
}
func (h *GroupHandlers) AttachGroupPolicy(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
var req struct {
PolicyName string `json:"policy_name"`
}
if err := decodeJSONBody(newJSONMaxReader(w, r), &req); err != nil {
writeJSONError(w, http.StatusBadRequest, "Invalid request: "+err.Error())
return
}
if req.PolicyName == "" {
writeJSONError(w, http.StatusBadRequest, "Policy name is required")
return
}
if err := h.adminServer.AttachGroupPolicy(r.Context(), name, req.PolicyName); err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to attach policy: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "Policy attached successfully"})
}
func (h *GroupHandlers) DetachGroupPolicy(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
policyName := mux.Vars(r)["policyName"]
if err := h.adminServer.DetachGroupPolicy(r.Context(), name, policyName); err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to detach policy: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "Policy detached successfully"})
}
func (h *GroupHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) {
name := mux.Vars(r)["name"]
var req struct {
Enabled *bool `json:"enabled"`
}
if err := decodeJSONBody(newJSONMaxReader(w, r), &req); err != nil {
writeJSONError(w, http.StatusBadRequest, "Invalid request: "+err.Error())
return
}
if req.Enabled == nil {
writeJSONError(w, http.StatusBadRequest, "enabled field is required")
return
}
if err := h.adminServer.SetGroupStatus(r.Context(), name, *req.Enabled); err != nil {
writeJSONError(w, groupErrorToHTTPStatus(err), "Failed to update group status: "+err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"message": "Group status updated"})
}
func (h *GroupHandlers) getGroupsPageData(r *http.Request) (dash.GroupsPageData, error) {
username := dash.UsernameFromContext(r.Context())
if username == "" {
username = "admin"
}
groups, err := h.adminServer.GetGroups(r.Context())
if err != nil {
return dash.GroupsPageData{}, err
}
activeCount := 0
for _, g := range groups {
if g.Status == "enabled" {
activeCount++
}
}
// Get available users for dropdown
var availableUsers []string
users, err := h.adminServer.GetObjectStoreUsers(r.Context())
if err == nil {
for _, user := range users {
availableUsers = append(availableUsers, user.Username)
}
}
// Get available policies for dropdown
var availablePolicies []string
policies, err := h.adminServer.GetPolicies()
if err == nil {
for _, p := range policies {
availablePolicies = append(availablePolicies, p.Name)
}
}
return dash.GroupsPageData{
Username: username,
Groups: groups,
TotalGroups: len(groups),
ActiveGroups: activeCount,
AvailableUsers: availableUsers,
AvailablePolicies: availablePolicies,
LastUpdated: time.Now(),
}, nil
}

107
weed/admin/static/js/admin.js
View File

@ -478,7 +478,7 @@ async function handleCreateBucket(event) {
if (response.ok) {
// Success
showAlert('success', `Bucket "${bucketData.name}" created successfully!`);
showAlert(`Bucket "${bucketData.name}" created successfully!`, 'success');
// Close modal
const modal = bootstrap.Modal.getInstance(document.getElementById('createBucketModal'));
@ -493,11 +493,11 @@ async function handleCreateBucket(event) {
}, 1500);
} else {
// Error
showAlert('danger', result.error || 'Failed to create bucket');
showAlert(result.error || 'Failed to create bucket', 'danger');
}
} catch (error) {
console.error('Error creating bucket:', error);
showAlert('danger', 'Network error occurred while creating bucket');
showAlert('Network error occurred while creating bucket', 'danger');
}
}
@ -538,7 +538,7 @@ async function deleteBucket() {
if (response.ok) {
// Success
showAlert('success', `Bucket "${bucketToDelete}" deleted successfully!`);
showAlert(`Bucket "${bucketToDelete}" deleted successfully!`, 'success');
// Close modal
const modal = bootstrap.Modal.getInstance(document.getElementById('deleteBucketModal'));
@ -550,11 +550,11 @@ async function deleteBucket() {
}, 1500);
} else {
// Error
showAlert('danger', result.error || 'Failed to delete bucket');
showAlert(result.error || 'Failed to delete bucket', 'danger');
}
} catch (error) {
console.error('Error deleting bucket:', error);
showAlert('danger', 'Network error occurred while deleting bucket');
showAlert('Network error occurred while deleting bucket', 'danger');
}
bucketToDelete = '';
@ -609,38 +609,7 @@ function exportBucketList() {
window.URL.revokeObjectURL(url);
}
// Show alert message
function showAlert(type, message) {
// Remove existing alerts
const existingAlerts = document.querySelectorAll('.alert-floating');
existingAlerts.forEach(alert => alert.remove());
// Create new alert
const alert = document.createElement('div');
alert.className = `alert alert-${type} alert-dismissible fade show alert-floating`;
alert.style.cssText = `
position: fixed;
top: 20px;
right: 20px;
z-index: 9999;
min-width: 300px;
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
`;
alert.innerHTML = `
${message}
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
`;
document.body.appendChild(alert);
// Auto-remove after 5 seconds
setTimeout(() => {
if (alert.parentNode) {
alert.remove();
}
}, 5000);
}
// showAlert is provided by modal-alerts.js with signature: showAlert(message, type)
// Format date for display
function formatDate(date) {
@ -651,7 +620,7 @@ function formatDate(date) {
function adminCopyToClipboard(text) {
if (navigator.clipboard && navigator.clipboard.writeText) {
navigator.clipboard.writeText(text).then(() => {
showAlert('success', 'Copied to clipboard!');
showAlert('Copied to clipboard!', 'success');
}).catch(err => {
console.error('Failed to copy text: ', err);
fallbackCopyText(text);
@ -677,13 +646,13 @@ function fallbackCopyText(text) {
try {
const successful = document.execCommand('copy');
if (successful) {
showAlert('success', 'Copied to clipboard!');
showAlert('Copied to clipboard!', 'success');
} else {
showAlert('danger', 'Failed to copy to clipboard');
showAlert('Failed to copy to clipboard', 'danger');
}
} catch (err) {
console.error('Fallback copy failed: ', err);
showAlert('danger', 'Failed to copy to clipboard');
showAlert('Failed to copy to clipboard', 'danger');
}
document.body.removeChild(textArea);
@ -764,7 +733,7 @@ function exportVolumes() {
function exportCollections() {
const table = document.getElementById('collectionsTable');
if (!table) {
showAlert('error', 'Collections table not found');
showAlert('Collections table not found', 'error');
return;
}
@ -800,7 +769,7 @@ function exportCollections() {
function exportMasters() {
const table = document.getElementById('mastersTable');
if (!table) {
showAlert('error', 'Masters table not found');
showAlert('Masters table not found', 'error');
return;
}
@ -834,7 +803,7 @@ function exportMasters() {
function exportFilers() {
const table = document.getElementById('filersTable');
if (!table) {
showAlert('error', 'Filers table not found');
showAlert('Filers table not found', 'error');
return;
}
@ -870,7 +839,7 @@ function exportFilers() {
function exportUsers() {
const table = document.getElementById('usersTable');
if (!table) {
showAlert('error', 'Users table not found');
showAlert('Users table not found', 'error');
return;
}
@ -1020,7 +989,7 @@ function confirmDeleteSelected() {
const selectedPaths = getSelectedFilePaths();
if (selectedPaths.length === 0) {
showAlert('warning', 'No files selected');
showAlert('No files selected', 'warning');
return;
}
@ -1041,7 +1010,7 @@ function confirmDeleteSelected() {
// Delete multiple selected files
async function deleteSelectedFiles(filePaths) {
if (!filePaths || filePaths.length === 0) {
showAlert('warning', 'No files selected');
showAlert('No files selected', 'warning');
return;
}
@ -1065,9 +1034,9 @@ async function deleteSelectedFiles(filePaths) {
if (result.deleted > 0) {
if (result.failed === 0) {
showAlert('success', `Successfully deleted ${result.deleted} item(s)`);
showAlert(`Successfully deleted ${result.deleted} item(s)`, 'success');
} else {
showAlert('warning', `Deleted ${result.deleted} item(s), failed to delete ${result.failed} item(s)`);
showAlert(`Deleted ${result.deleted} item(s), failed to delete ${result.failed} item(s)`, 'warning');
if (result.errors && result.errors.length > 0) {
console.warn('Deletion errors:', result.errors);
}
@ -1082,15 +1051,15 @@ async function deleteSelectedFiles(filePaths) {
if (result.errors && result.errors.length > 0) {
errorMessage += ': ' + result.errors.join(', ');
}
showAlert('error', errorMessage);
showAlert(errorMessage, 'error');
}
} else {
const error = await response.json();
showAlert('error', `Failed to delete files: ${error.error || 'Unknown error'}`);
showAlert(`Failed to delete files: ${error.error || 'Unknown error'}`, 'error');
}
} catch (error) {
console.error('Delete error:', error);
showAlert('error', 'Failed to delete files');
showAlert('Failed to delete files', 'error');
} finally {
// Re-enable the button
deleteBtn.disabled = false;
@ -1311,7 +1280,7 @@ async function submitUploadFile() {
function exportFileList() {
const table = document.getElementById('fileTable');
if (!table) {
showAlert('error', 'File table not found');
showAlert('File table not found', 'error');
return;
}
@ -1357,7 +1326,7 @@ async function viewFile(filePath) {
if (!response.ok) {
const error = await response.json();
showAlert('error', `Failed to view file: ${error.error || 'Unknown error'}`);
showAlert(`Failed to view file: ${error.error || 'Unknown error'}`, 'error');
return;
}
@ -1366,7 +1335,7 @@ async function viewFile(filePath) {
} catch (error) {
console.error('View file error:', error);
showAlert('error', 'Failed to view file');
showAlert('Failed to view file', 'error');
}
}
@ -1377,7 +1346,7 @@ async function showProperties(filePath) {
if (!response.ok) {
const error = await response.json();
showAlert('error', `Failed to get file properties: ${error.error || 'Unknown error'}`);
showAlert(`Failed to get file properties: ${error.error || 'Unknown error'}`, 'error');
return;
}
@ -1386,7 +1355,7 @@ async function showProperties(filePath) {
} catch (error) {
console.error('Properties error:', error);
showAlert('error', 'Failed to get file properties');
showAlert('Failed to get file properties', 'error');
}
}
@ -1413,16 +1382,16 @@ async function deleteFile(filePath) {
});
if (response.ok) {
showAlert('success', `Successfully deleted "${filePath}"`);
showAlert(`Successfully deleted "${filePath}"`, 'success');
// Reload the page to update the file list
window.location.reload();
} else {
const error = await response.json();
showAlert('error', `Failed to delete file: ${error.error || 'Unknown error'}`);
showAlert(`Failed to delete file: ${error.error || 'Unknown error'}`, 'error');
}
} catch (error) {
console.error('Delete error:', error);
showAlert('error', 'Failed to delete file');
showAlert('Failed to delete file', 'error');
}
}
@ -1737,7 +1706,7 @@ async function handleUpdateQuota(event) {
if (response.ok) {
// Success
showAlert('success', `Quota for bucket "${bucketName}" updated successfully!`);
showAlert(`Quota for bucket "${bucketName}" updated successfully!`, 'success');
// Close modal
const modal = bootstrap.Modal.getInstance(document.getElementById('manageQuotaModal'));
@ -1749,11 +1718,11 @@ async function handleUpdateQuota(event) {
}, 1500);
} else {
// Error
showAlert('danger', result.error || 'Failed to update bucket quota');
showAlert(result.error || 'Failed to update bucket quota', 'danger');
}
} catch (error) {
console.error('Error updating bucket quota:', error);
showAlert('danger', 'Network error occurred while updating bucket quota');
showAlert('Network error occurred while updating bucket quota', 'danger');
}
}
@ -2274,21 +2243,21 @@ function copyFromInput(inputId) {
try {
const successful = document.execCommand('copy');
if (successful) {
showAlert('success', 'Copied to clipboard!');
showAlert('Copied to clipboard!', 'success');
} else {
// Try modern clipboard API as fallback
navigator.clipboard.writeText(input.value).then(() => {
showAlert('success', 'Copied to clipboard!');
showAlert('Copied to clipboard!', 'success');
}).catch(() => {
showAlert('danger', 'Failed to copy');
showAlert('Failed to copy', 'danger');
});
}
} catch (err) {
// Try modern clipboard API as fallback
navigator.clipboard.writeText(input.value).then(() => {
showAlert('success', 'Copied to clipboard!');
showAlert('Copied to clipboard!', 'success');
}).catch(() => {
showAlert('danger', 'Failed to copy');
showAlert('Failed to copy', 'danger');
});
}
}

23
weed/admin/static/js/iam-utils.js
View File

@ -25,6 +25,29 @@ async function deleteUser(username) {
}, 'Are you sure you want to delete this user? This action cannot be undone.');
}
// Delete group function
async function deleteGroup(name) {
showDeleteConfirm(name, async function () {
try {
const encodedName = encodeURIComponent(name);
const response = await fetch(`/api/groups/${encodedName}`, {
method: 'DELETE'
});
if (response.ok) {
showAlert('Group deleted successfully', 'success');
setTimeout(() => window.location.reload(), 1000);
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to delete group: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
console.error('Error deleting group:', error);
showAlert('Failed to delete group: ' + error.message, 'error');
}
}, 'Are you sure you want to delete this group? This action cannot be undone.');
}
// Delete access key function
async function deleteAccessKey(username, accessKey) {
showDeleteConfirm(accessKey, async function () {

443
weed/admin/view/app/groups.templ
View File

@ -0,0 +1,443 @@
package app
import (
"fmt"
"github.com/seaweedfs/seaweedfs/weed/admin/dash"
)
templ Groups(data dash.GroupsPageData) {
<div class="container-fluid">
<!-- Page Header -->
<div class="d-sm-flex align-items-center justify-content-between mb-4">
<div>
<h1 class="h3 mb-0 text-gray-800">
<i class="fas fa-users-cog me-2"></i>Groups
</h1>
<p class="mb-0 text-muted">Manage IAM groups for organizing users and policies</p>
</div>
<div class="d-flex gap-2">
<button type="button" class="btn btn-primary"
data-bs-toggle="modal"
data-bs-target="#createGroupModal">
<i class="fas fa-plus me-1"></i>Create Group
</button>
</div>
</div>
<!-- Summary Cards -->
<div class="row mb-4">
<div class="col-xl-3 col-md-6 mb-4">
<div class="card border-left-primary shadow h-100 py-2">
<div class="card-body">
<div class="row no-gutters align-items-center">
<div class="col mr-2">
<div class="text-xs font-weight-bold text-primary text-uppercase mb-1">
Total Groups
</div>
<div class="h5 mb-0 font-weight-bold text-gray-800">
{fmt.Sprintf("%d", data.TotalGroups)}
</div>
</div>
<div class="col-auto">
<i class="fas fa-users-cog fa-2x text-gray-300"></i>
</div>
</div>
</div>
</div>
</div>
<div class="col-xl-3 col-md-6 mb-4">
<div class="card border-left-success shadow h-100 py-2">
<div class="card-body">
<div class="row no-gutters align-items-center">
<div class="col mr-2">
<div class="text-xs font-weight-bold text-success text-uppercase mb-1">
Active Groups
</div>
<div class="h5 mb-0 font-weight-bold text-gray-800">
{fmt.Sprintf("%d", data.ActiveGroups)}
</div>
</div>
<div class="col-auto">
<i class="fas fa-check-circle fa-2x text-gray-300"></i>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Groups Table -->
<div class="card shadow mb-4">
<div class="card-header py-3">
<h6 class="m-0 font-weight-bold text-primary">Groups</h6>
</div>
<div class="card-body">
if len(data.Groups) == 0 {
<div class="text-center py-5 text-muted">
<i class="fas fa-users-cog fa-3x mb-3"></i>
<p>No groups found. Create a group to get started.</p>
</div>
} else {
<div class="table-responsive">
<table class="table table-bordered table-hover" id="groupsTable" width="100%" cellspacing="0">
<thead>
<tr>
<th>Name</th>
<th>Members</th>
<th>Policies</th>
<th>Status</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
for _, group := range data.Groups {
<tr>
<td>
<strong>{group.Name}</strong>
</td>
<td>
<span class="badge bg-info">{fmt.Sprintf("%d", group.MemberCount)}</span>
</td>
<td>
<span class="badge bg-secondary">{fmt.Sprintf("%d", group.PolicyCount)}</span>
</td>
<td>
if group.Status == "enabled" {
<span class="badge bg-success">Enabled</span>
} else {
<span class="badge bg-danger">Disabled</span>
}
</td>
<td>
<button class="btn btn-sm btn-outline-primary me-1"
data-group-name={group.Name}
data-action="view"
aria-label={"View group " + group.Name}
title={"View " + group.Name}>
<i class="fas fa-eye"></i>
</button>
<button class="btn btn-sm btn-outline-danger"
data-group-name={group.Name}
data-action="delete"
aria-label={"Delete group " + group.Name}
title={"Delete " + group.Name}>
<i class="fas fa-trash"></i>
</button>
</td>
</tr>
}
</tbody>
</table>
</div>
}
</div>
</div>
<!-- Create Group Modal -->
<div class="modal fade" id="createGroupModal" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title">Create Group</h5>
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
</div>
<div class="modal-body">
<form id="createGroupForm">
<div class="mb-3">
<label for="groupName" class="form-label">Group Name</label>
<input type="text" class="form-control" id="groupName" name="name" required
placeholder="Enter group name"/>
</div>
</form>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
<button type="button" class="btn btn-primary" onclick="createGroup()">Create</button>
</div>
</div>
</div>
</div>
<!-- View Group Modal -->
<div class="modal fade" id="viewGroupModal" tabindex="-1">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="viewGroupTitle">Group Details</h5>
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
</div>
<div class="modal-body">
<ul class="nav nav-tabs" id="groupTabs" role="tablist">
<li class="nav-item">
<a class="nav-link active" id="members-tab" data-bs-toggle="tab" href="#membersPane" role="tab">Members</a>
</li>
<li class="nav-item">
<a class="nav-link" id="policies-tab" data-bs-toggle="tab" href="#policiesPane" role="tab">Policies</a>
</li>
<li class="nav-item">
<a class="nav-link" id="settings-tab" data-bs-toggle="tab" href="#settingsPane" role="tab">Settings</a>
</li>
</ul>
<div class="tab-content mt-3" id="groupTabContent">
<!-- Members Tab -->
<div class="tab-pane fade show active" id="membersPane" role="tabpanel">
<div class="mb-3">
<div class="input-group">
<select class="form-select" id="addMemberSelect">
<option value="">Select user to add...</option>
for _, user := range data.AvailableUsers {
<option value={user}>{user}</option>
}
</select>
<button class="btn btn-outline-primary" type="button" onclick="addMemberToGroup()">
<i class="fas fa-plus"></i> Add
</button>
</div>
</div>
<div id="membersList"></div>
</div>
<!-- Policies Tab -->
<div class="tab-pane fade" id="policiesPane" role="tabpanel">
<div class="mb-3">
<div class="input-group">
<select class="form-select" id="attachPolicySelect">
<option value="">Select policy to attach...</option>
for _, policy := range data.AvailablePolicies {
<option value={policy}>{policy}</option>
}
</select>
<button class="btn btn-outline-primary" type="button" onclick="attachPolicyToGroup()">
<i class="fas fa-plus"></i> Attach
</button>
</div>
</div>
<div id="policiesList"></div>
</div>
<!-- Settings Tab -->
<div class="tab-pane fade" id="settingsPane" role="tabpanel">
<div class="form-check form-switch mb-3">
<input class="form-check-input" type="checkbox" id="groupEnabledSwitch" checked
onchange="toggleGroupStatus()"/>
<label class="form-check-label" for="groupEnabledSwitch">Group Enabled</label>
</div>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
</div>
</div>
</div>
</div>
</div>
<script src="/static/js/iam-utils.js"></script>
<script>
// Groups page JavaScript
let currentGroupName = '';
async function createGroup() {
const name = document.getElementById('groupName').value.trim();
if (!name) {
showAlert('Group name is required', 'error');
return;
}
try {
const response = await fetch('/api/groups', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ name: name })
});
if (response.ok) {
showAlert('Group created successfully', 'success');
setTimeout(() => window.location.reload(), 1000);
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to create group: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to create group: ' + error.message, 'error');
}
}
async function viewGroup(name) {
currentGroupName = name;
document.getElementById('viewGroupTitle').textContent = 'Group: ' + name;
await refreshGroupDetails(name);
new bootstrap.Modal(document.getElementById('viewGroupModal')).show();
}
async function refreshGroupDetails(requestedName) {
try {
const response = await fetch('/api/groups/' + encodeURIComponent(requestedName));
if (!response.ok) throw new Error('Failed to fetch group');
if (requestedName !== currentGroupName) return; // stale response
const group = await response.json();
// Render members using DOM APIs to prevent XSS
const membersList = document.getElementById('membersList');
membersList.innerHTML = '';
const membersTable = document.createElement('table');
membersTable.className = 'table table-sm';
const membersTbody = document.createElement('tbody');
if (group.members && group.members.length > 0) {
for (const member of group.members) {
const tr = membersTbody.insertRow();
const td1 = tr.insertCell();
td1.textContent = member;
const td2 = tr.insertCell();
const btn = document.createElement('button');
btn.className = 'btn btn-sm btn-outline-danger';
btn.onclick = () => removeMember(member);
btn.innerHTML = '<i class="fas fa-times"></i>';
td2.appendChild(btn);
}
} else {
const tr = membersTbody.insertRow();
const td = tr.insertCell();
td.className = 'text-muted';
td.textContent = 'No members';
}
membersTable.appendChild(membersTbody);
membersList.appendChild(membersTable);
// Render policies using DOM APIs to prevent XSS
const policiesList = document.getElementById('policiesList');
policiesList.innerHTML = '';
const policiesTable = document.createElement('table');
policiesTable.className = 'table table-sm';
const policiesTbody = document.createElement('tbody');
if (group.policy_names && group.policy_names.length > 0) {
for (const policy of group.policy_names) {
const tr = policiesTbody.insertRow();
const td1 = tr.insertCell();
td1.textContent = policy;
const td2 = tr.insertCell();
const btn = document.createElement('button');
btn.className = 'btn btn-sm btn-outline-danger';
btn.onclick = () => detachPolicy(policy);
btn.innerHTML = '<i class="fas fa-times"></i>';
td2.appendChild(btn);
}
} else {
const tr = policiesTbody.insertRow();
const td = tr.insertCell();
td.className = 'text-muted';
td.textContent = 'No policies attached';
}
policiesTable.appendChild(policiesTbody);
policiesList.appendChild(policiesTable);
// Update status toggle
document.getElementById('groupEnabledSwitch').checked = (group.status === 'enabled');
} catch (error) {
console.error('Error fetching group details:', error);
}
}
async function addMemberToGroup() {
const username = document.getElementById('addMemberSelect').value;
if (!username) return;
try {
const response = await fetch('/api/groups/' + encodeURIComponent(currentGroupName) + '/members', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ username: username })
});
if (response.ok) {
await refreshGroupDetails(currentGroupName);
showAlert('Member added', 'success');
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to add member: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to add member: ' + error.message, 'error');
}
}
async function removeMember(username) {
try {
const response = await fetch('/api/groups/' + encodeURIComponent(currentGroupName) + '/members/' + encodeURIComponent(username), {
method: 'DELETE'
});
if (response.ok) {
await refreshGroupDetails(currentGroupName);
showAlert('Member removed', 'success');
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to remove member: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to remove member: ' + error.message, 'error');
}
}
async function attachPolicyToGroup() {
const policyName = document.getElementById('attachPolicySelect').value;
if (!policyName) return;
try {
const response = await fetch('/api/groups/' + encodeURIComponent(currentGroupName) + '/policies', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ policy_name: policyName })
});
if (response.ok) {
await refreshGroupDetails(currentGroupName);
showAlert('Policy attached', 'success');
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to attach policy: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to attach policy: ' + error.message, 'error');
}
}
async function detachPolicy(policyName) {
try {
const response = await fetch('/api/groups/' + encodeURIComponent(currentGroupName) + '/policies/' + encodeURIComponent(policyName), {
method: 'DELETE'
});
if (response.ok) {
await refreshGroupDetails(currentGroupName);
showAlert('Policy detached', 'success');
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to detach policy: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to detach policy: ' + error.message, 'error');
}
}
async function toggleGroupStatus() {
const enabled = document.getElementById('groupEnabledSwitch').checked;
try {
const response = await fetch('/api/groups/' + encodeURIComponent(currentGroupName) + '/status', {
method: 'PUT',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ enabled: enabled })
});
if (response.ok) {
showAlert('Group status updated', 'success');
} else {
const error = await response.json().catch(() => ({}));
showAlert('Failed to update status: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to update status: ' + error.message, 'error');
}
}
// Event delegation for group action buttons
document.addEventListener('click', function(e) {
const btn = e.target.closest('[data-action]');
if (!btn) return;
const name = btn.dataset.groupName;
if (!name) return;
if (btn.dataset.action === 'view') viewGroup(name);
else if (btn.dataset.action === 'delete') deleteGroup(name);
});
</script>
}

300
weed/admin/view/app/groups_templ.go
File diff suppressed because it is too large
View File

125
weed/admin/view/app/object_store_users.templ
View File

@ -384,6 +384,21 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
<!-- Options loaded dynamically -->
</select>
</div>
<div class="mb-3">
<label class="form-label">Groups</label>
<div id="editUserGroups">
<!-- Groups loaded dynamically -->
</div>
<div class="input-group mt-2">
<select class="form-select" id="editGroupSelect">
<option value="">Add to group...</option>
</select>
<button class="btn btn-outline-primary" type="button" onclick="addUserToGroupFromEdit()"
aria-label="Add user to group" title="Add user to group">
<i class="fas fa-plus"></i>
</button>
</div>
</div>
</form>
</div>
<div class="modal-footer">
@ -912,6 +927,9 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
}
}
// Populate groups
await populateEditUserGroups(username);
// Show modal
const modal = new bootstrap.Modal(document.getElementById('editUserModal'));
modal.show();
@ -1027,6 +1045,103 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
}
// Populate groups in the edit user modal
async function populateEditUserGroups(username) {
const container = document.getElementById('editUserGroups');
const groupSelect = document.getElementById('editGroupSelect');
container.innerHTML = '';
groupSelect.innerHTML = '<option value="">Add to group...</option>';
try {
// Fetch all groups
const groupsResp = await fetch('/api/groups');
if (!groupsResp.ok) return;
const groupsData = await groupsResp.json();
const allGroups = groupsData.groups || [];
// Fetch user details to get current groups
const userResp = await fetch(`/api/users/${encodeURIComponent(username)}`);
if (!userResp.ok) return;
const user = await userResp.json();
const userGroups = user.groups || [];
// Show current group badges with remove button
if (userGroups.length > 0) {
userGroups.forEach(function(group) {
const badge = document.createElement('span');
badge.className = 'badge bg-primary me-1 mb-1';
badge.textContent = group + ' ';
const removeIcon = document.createElement('i');
removeIcon.className = 'fas fa-times ms-1';
removeIcon.style.cursor = 'pointer';
removeIcon.setAttribute('aria-label', 'Remove from group ' + group);
removeIcon.setAttribute('title', 'Remove from group');
removeIcon.addEventListener('click', function() {
removeUserFromGroupInEdit(group);
});
badge.appendChild(removeIcon);
container.appendChild(badge);
});
} else {
container.innerHTML = '<span class="text-muted">No groups</span>';
}
// Populate dropdown with groups the user is NOT in
allGroups.forEach(function(g) {
if (!userGroups.includes(g.name)) {
const opt = document.createElement('option');
opt.value = g.name;
opt.textContent = g.name;
groupSelect.appendChild(opt);
}
});
} catch (error) {
console.error('Error loading groups:', error);
}
}
// Add user to group from edit modal
async function addUserToGroupFromEdit() {
const username = document.getElementById('editUsername').value;
const groupSelect = document.getElementById('editGroupSelect');
const groupName = groupSelect.value;
if (!groupName) return;
try {
const response = await fetch(`/api/groups/${encodeURIComponent(groupName)}/members`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ username: username })
});
if (response.ok) {
await populateEditUserGroups(username);
} else {
const error = await response.json();
showAlert('Failed to add to group: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to add to group: ' + error.message, 'error');
}
}
// Remove user from group in edit modal
async function removeUserFromGroupInEdit(groupName) {
const username = document.getElementById('editUsername').value;
try {
const response = await fetch(`/api/groups/${encodeURIComponent(groupName)}/members/${encodeURIComponent(username)}`, {
method: 'DELETE'
});
if (response.ok) {
await populateEditUserGroups(username);
} else {
const error = await response.json();
showAlert('Failed to remove from group: ' + (error.error || 'Unknown error'), 'error');
}
} catch (error) {
showAlert('Failed to remove from group: ' + error.message, 'error');
}
}
// Handle update user form submission
async function handleUpdateUser() {
const username = document.getElementById('editUsername').value;
@ -1115,6 +1230,16 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
detailsHtml += '<span class="text-muted">No policies attached</span>';
}
detailsHtml += '</div>';
detailsHtml += '<h6 class="text-muted">Groups</h6>';
detailsHtml += '<div class="mb-3">';
if (user.groups && user.groups.length > 0) {
detailsHtml += user.groups.map(function(group) {
return '<span class="badge bg-primary me-1">' + escapeHtml(group) + '</span>';
}).join('');
} else {
detailsHtml += '<span class="text-muted">No groups</span>';
}
detailsHtml += '</div>';
detailsHtml += '<h6 class="text-muted">Access Keys</h6>';
if (user.access_keys && user.access_keys.length > 0) {
detailsHtml += '<div class="mb-2">';

2
weed/admin/view/app/object_store_users_templ.go
File diff suppressed because it is too large
View File

5
weed/admin/view/layout/layout.templ
View File

@ -168,6 +168,11 @@ templ Layout(view ViewContext, content templ.Component) {
<i class="fas fa-users me-2"></i>Users
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/object-store/groups">
<i class="fas fa-users-cog me-2"></i>Groups
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/object-store/service-accounts">
<i class="fas fa-robot me-2"></i>Service Accounts

14
weed/admin/view/layout/layout_templ.go
View File

@ -198,7 +198,7 @@ func Layout(view ViewContext, content templ.Component) templ.Component {
if templ_7745c5c3_Err != nil {
return templ_7745c5c3_Err
}
templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 13, "\" id=\"storageSubmenu\"><ul class=\"nav flex-column ms-3\"><li class=\"nav-item\"><a class=\"nav-link py-2\" href=\"/storage/volumes\"><i class=\"fas fa-database me-2\"></i>Volumes</a></li><li class=\"nav-item\"><a class=\"nav-link py-2\" href=\"/storage/ec-shards\"><i class=\"fas fa-th-large me-2\"></i>EC Volumes</a></li><li class=\"nav-item\"><a class=\"nav-link py-2\" href=\"/storage/collections\"><i class=\"fas fa-layer-group me-2\"></i>Collections</a></li></ul></div></li></ul><h6 class=\"sidebar-heading px-3 mt-4 mb-1 text-muted\"><span>OBJECT STORE</span></h6><ul class=\"nav flex-column\"><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/buckets\"><i class=\"fas fa-cube me-2\"></i>Buckets</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/s3tables/buckets\"><i class=\"fas fa-table me-2\"></i>Table Buckets</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/users\"><i class=\"fas fa-users me-2\"></i>Users</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/service-accounts\"><i class=\"fas fa-robot me-2\"></i>Service Accounts</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/policies\"><i class=\"fas fa-shield-alt me-2\"></i>Policies</a></li></ul><h6 class=\"sidebar-heading px-3 mt-4 mb-1 text-muted\"><span>MANAGEMENT</span></h6><ul class=\"nav flex-column\"><li class=\"nav-item\"><a class=\"nav-link\" href=\"/files\"><i class=\"fas fa-folder me-2\"></i>File Browser</a></li><li class=\"nav-item\">")
templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 13, "\" id=\"storageSubmenu\"><ul class=\"nav flex-column ms-3\"><li class=\"nav-item\"><a class=\"nav-link py-2\" href=\"/storage/volumes\"><i class=\"fas fa-database me-2\"></i>Volumes</a></li><li class=\"nav-item\"><a class=\"nav-link py-2\" href=\"/storage/ec-shards\"><i class=\"fas fa-th-large me-2\"></i>EC Volumes</a></li><li class=\"nav-item\"><a class=\"nav-link py-2\" href=\"/storage/collections\"><i class=\"fas fa-layer-group me-2\"></i>Collections</a></li></ul></div></li></ul><h6 class=\"sidebar-heading px-3 mt-4 mb-1 text-muted\"><span>OBJECT STORE</span></h6><ul class=\"nav flex-column\"><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/buckets\"><i class=\"fas fa-cube me-2\"></i>Buckets</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/s3tables/buckets\"><i class=\"fas fa-table me-2\"></i>Table Buckets</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/users\"><i class=\"fas fa-users me-2\"></i>Users</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/groups\"><i class=\"fas fa-users-cog me-2\"></i>Groups</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/service-accounts\"><i class=\"fas fa-robot me-2\"></i>Service Accounts</a></li><li class=\"nav-item\"><a class=\"nav-link\" href=\"/object-store/policies\"><i class=\"fas fa-shield-alt me-2\"></i>Policies</a></li></ul><h6 class=\"sidebar-heading px-3 mt-4 mb-1 text-muted\"><span>MANAGEMENT</span></h6><ul class=\"nav flex-column\"><li class=\"nav-item\"><a class=\"nav-link\" href=\"/files\"><i class=\"fas fa-folder me-2\"></i>File Browser</a></li><li class=\"nav-item\">")
if templ_7745c5c3_Err != nil {
return templ_7745c5c3_Err
}
@ -344,7 +344,7 @@ func Layout(view ViewContext, content templ.Component) templ.Component {
var templ_7745c5c3_Var14 string
templ_7745c5c3_Var14, templ_7745c5c3_Err = templ.JoinStringErrs(fmt.Sprintf("%d", time.Now().Year()))
if templ_7745c5c3_Err != nil {
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 331, Col: 60}
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 336, Col: 60}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var14))
if templ_7745c5c3_Err != nil {
@ -357,7 +357,7 @@ func Layout(view ViewContext, content templ.Component) templ.Component {
var templ_7745c5c3_Var15 string
templ_7745c5c3_Var15, templ_7745c5c3_Err = templ.JoinStringErrs(version.VERSION_NUMBER)
if templ_7745c5c3_Err != nil {
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 331, Col: 102}
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 336, Col: 102}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var15))
if templ_7745c5c3_Err != nil {
@ -409,7 +409,7 @@ func LoginForm(title string, errorMessage string, csrfToken string) templ.Compon
var templ_7745c5c3_Var17 string
templ_7745c5c3_Var17, templ_7745c5c3_Err = templ.JoinStringErrs(title)
if templ_7745c5c3_Err != nil {
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 359, Col: 17}
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 364, Col: 17}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var17))
if templ_7745c5c3_Err != nil {
@ -422,7 +422,7 @@ func LoginForm(title string, errorMessage string, csrfToken string) templ.Compon
var templ_7745c5c3_Var18 string
templ_7745c5c3_Var18, templ_7745c5c3_Err = templ.JoinStringErrs(title)
if templ_7745c5c3_Err != nil {
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 373, Col: 57}
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 378, Col: 57}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var18))
if templ_7745c5c3_Err != nil {
@ -440,7 +440,7 @@ func LoginForm(title string, errorMessage string, csrfToken string) templ.Compon
var templ_7745c5c3_Var19 string
templ_7745c5c3_Var19, templ_7745c5c3_Err = templ.JoinStringErrs(errorMessage)
if templ_7745c5c3_Err != nil {
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 380, Col: 45}
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 385, Col: 45}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var19))
if templ_7745c5c3_Err != nil {
@ -458,7 +458,7 @@ func LoginForm(title string, errorMessage string, csrfToken string) templ.Compon
var templ_7745c5c3_Var20 string
templ_7745c5c3_Var20, templ_7745c5c3_Err = templ.JoinStringErrs(csrfToken)
if templ_7745c5c3_Err != nil {
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 385, Col: 84}
return templ.Error{Err: templ_7745c5c3_Err, FileName: `view/layout/layout.templ`, Line: 390, Col: 84}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var20))
if templ_7745c5c3_Err != nil {

22
weed/credential/credential_manager.go
View File

@ -236,3 +236,25 @@ func (cm *CredentialManager) DetachUserPolicy(ctx context.Context, username stri
func (cm *CredentialManager) ListAttachedUserPolicies(ctx context.Context, username string) ([]string, error) {
return cm.Store.ListAttachedUserPolicies(ctx, username)
}
// Group Management
func (cm *CredentialManager) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
return cm.Store.CreateGroup(ctx, group)
}
func (cm *CredentialManager) GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error) {
return cm.Store.GetGroup(ctx, groupName)
}
func (cm *CredentialManager) DeleteGroup(ctx context.Context, groupName string) error {
return cm.Store.DeleteGroup(ctx, groupName)
}
func (cm *CredentialManager) ListGroups(ctx context.Context) ([]string, error) {
return cm.Store.ListGroups(ctx)
}
func (cm *CredentialManager) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
return cm.Store.UpdateGroup(ctx, group)
}

11
weed/credential/credential_store.go
View File

@ -18,6 +18,10 @@ var (
ErrPolicyNotFound = errors.New("policy not found")
ErrPolicyAlreadyAttached = errors.New("policy already attached")
ErrPolicyNotAttached = errors.New("policy not attached to user")
ErrGroupNotFound = errors.New("group not found")
ErrGroupAlreadyExists = errors.New("group already exists")
ErrGroupNotEmpty = errors.New("group is not empty")
ErrUserNotInGroup = errors.New("user is not a member of the group")
)
// CredentialStoreTypeName represents the type name of a credential store
@ -94,6 +98,13 @@ type CredentialStore interface {
// ListAttachedUserPolicies returns the list of policy names attached to a user
ListAttachedUserPolicies(ctx context.Context, username string) ([]string, error)
// Group Management
CreateGroup(ctx context.Context, group *iam_pb.Group) error
GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error)
DeleteGroup(ctx context.Context, groupName string) error
ListGroups(ctx context.Context) ([]string, error)
UpdateGroup(ctx context.Context, group *iam_pb.Group) error
// Shutdown performs cleanup when the store is being shut down
Shutdown()
}

182
weed/credential/filer_etc/filer_etc_group.go
View File

@ -0,0 +1,182 @@
package filer_etc
import (
"context"
"encoding/json"
"errors"
"fmt"
"strings"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
const IamGroupsDirectory = "groups"
func (store *FilerEtcStore) loadGroupsFromMultiFile(ctx context.Context, s3cfg *iam_pb.S3ApiConfiguration) error {
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
dir := filer.IamConfigDirectory + "/" + IamGroupsDirectory
entries, err := listEntries(ctx, client, dir)
if err != nil {
if errors.Is(err, filer_pb.ErrNotFound) {
return nil
}
return err
}
for _, entry := range entries {
if entry.IsDirectory {
continue
}
var content []byte
if len(entry.Content) > 0 {
content = entry.Content
} else {
c, err := filer.ReadInsideFiler(ctx, client, dir, entry.Name)
if err != nil {
return fmt.Errorf("failed to read group file %s: %w", entry.Name, err)
}
content = c
}
if len(content) > 0 {
g := &iam_pb.Group{}
if err := json.Unmarshal(content, g); err != nil {
return fmt.Errorf("failed to unmarshal group %s: %w", entry.Name, err)
}
// Merge: overwrite existing group with same name or append
found := false
for i, existing := range s3cfg.Groups {
if existing.Name == g.Name {
s3cfg.Groups[i] = g
found = true
break
}
}
if !found {
s3cfg.Groups = append(s3cfg.Groups, g)
}
}
}
return nil
})
}
func (store *FilerEtcStore) saveGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil {
return fmt.Errorf("group is nil")
}
group.Name = strings.TrimSpace(group.Name)
if group.Name == "" {
return fmt.Errorf("group name is required")
}
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
data, err := json.MarshalIndent(group, "", " ")
if err != nil {
return err
}
return filer.SaveInsideFiler(client, filer.IamConfigDirectory+"/"+IamGroupsDirectory, group.Name+".json", data)
})
}
func (store *FilerEtcStore) deleteGroupFile(ctx context.Context, groupName string) error {
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
resp, err := client.DeleteEntry(ctx, &filer_pb.DeleteEntryRequest{
Directory: filer.IamConfigDirectory + "/" + IamGroupsDirectory,
Name: groupName + ".json",
})
if err != nil {
if strings.Contains(err.Error(), filer_pb.ErrNotFound.Error()) {
return credential.ErrGroupNotFound
}
return err
}
if resp != nil && resp.Error != "" {
if strings.Contains(resp.Error, filer_pb.ErrNotFound.Error()) {
return credential.ErrGroupNotFound
}
return fmt.Errorf("delete group %s: %s", groupName, resp.Error)
}
return nil
})
}
func (store *FilerEtcStore) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
if group != nil {
group.Name = strings.TrimSpace(group.Name)
}
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
existing, err := store.GetGroup(ctx, group.Name)
if err != nil {
if !errors.Is(err, credential.ErrGroupNotFound) {
return err
}
} else if existing != nil {
return credential.ErrGroupAlreadyExists
}
return store.saveGroup(ctx, group)
}
func (store *FilerEtcStore) GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error) {
var group *iam_pb.Group
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
data, err := filer.ReadInsideFiler(ctx, client, filer.IamConfigDirectory+"/"+IamGroupsDirectory, groupName+".json")
if err != nil {
if errors.Is(err, filer_pb.ErrNotFound) {
return credential.ErrGroupNotFound
}
return err
}
if len(data) == 0 {
return credential.ErrGroupNotFound
}
group = &iam_pb.Group{}
return json.Unmarshal(data, group)
})
return group, err
}
func (store *FilerEtcStore) DeleteGroup(ctx context.Context, groupName string) error {
if _, err := store.GetGroup(ctx, groupName); err != nil {
return err
}
return store.deleteGroupFile(ctx, groupName)
}
func (store *FilerEtcStore) ListGroups(ctx context.Context) ([]string, error) {
var names []string
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
entries, err := listEntries(ctx, client, filer.IamConfigDirectory+"/"+IamGroupsDirectory)
if err != nil {
if errors.Is(err, filer_pb.ErrNotFound) {
return nil
}
return err
}
for _, entry := range entries {
if !entry.IsDirectory && strings.HasSuffix(entry.Name, ".json") {
names = append(names, strings.TrimSuffix(entry.Name, ".json"))
}
}
return nil
})
return names, err
}
func (store *FilerEtcStore) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
if group != nil {
group.Name = strings.TrimSpace(group.Name)
}
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
if _, err := store.GetGroup(ctx, group.Name); err != nil {
return err
}
return store.saveGroup(ctx, group)
}

55
weed/credential/filer_etc/filer_etc_identity.go
View File

@ -45,6 +45,11 @@ func (store *FilerEtcStore) LoadConfiguration(ctx context.Context) (*iam_pb.S3Ap
return s3cfg, fmt.Errorf("failed to load service accounts: %w", err)
}
// 3b. Load groups
if err := store.loadGroupsFromMultiFile(ctx, s3cfg); err != nil {
return s3cfg, fmt.Errorf("failed to load groups: %w", err)
}
// 4. Perform migration if we loaded legacy config
// This ensures that all identities (including legacy ones) are written to individual files
// and the legacy file is renamed.
@ -144,7 +149,14 @@ func (store *FilerEtcStore) migrateToMultiFile(ctx context.Context, s3cfg *iam_p
}
}
// 3. Rename legacy file
// 3. Save all groups
for _, g := range s3cfg.Groups {
if err := store.saveGroup(ctx, g); err != nil {
return err
}
}
// 4. Rename legacy file
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
_, err := client.AtomicRenameEntry(ctx, &filer_pb.AtomicRenameEntryRequest{
OldDirectory: filer.IamConfigDirectory,
@ -171,6 +183,13 @@ func (store *FilerEtcStore) SaveConfiguration(ctx context.Context, config *iam_p
}
}
// 2b. Save all groups
for _, g := range config.Groups {
if err := store.saveGroup(ctx, g); err != nil {
return err
}
}
// 3. Cleanup removed identities (Full Sync)
if err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
dir := filer.IamConfigDirectory + "/" + IamIdentitiesDirectory
@ -234,6 +253,40 @@ func (store *FilerEtcStore) SaveConfiguration(ctx context.Context, config *iam_p
return err
}
// 5. Cleanup removed groups (Full Sync)
if err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
dir := filer.IamConfigDirectory + "/" + IamGroupsDirectory
entries, err := listEntries(ctx, client, dir)
if err != nil {
if err == filer_pb.ErrNotFound {
return nil
}
return err
}
validNames := make(map[string]bool)
for _, g := range config.Groups {
validNames[g.Name+".json"] = true
}
for _, entry := range entries {
if !entry.IsDirectory && !validNames[entry.Name] {
resp, err := client.DeleteEntry(ctx, &filer_pb.DeleteEntryRequest{
Directory: dir,
Name: entry.Name,
})
if err != nil {
glog.Warningf("Failed to delete obsolete group file %s: %v", entry.Name, err)
} else if resp != nil && resp.Error != "" {
glog.Warningf("Failed to delete obsolete group file %s: %s", entry.Name, resp.Error)
}
}
}
return nil
}); err != nil {
return err
}
return nil
}

87
weed/credential/grpc/grpc_group.go
View File

@ -0,0 +1,87 @@
package grpc
import (
"context"
"fmt"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
// NOTE: The gRPC store uses a load-modify-save pattern for all operations,
// which is inherently subject to race conditions under concurrent access.
// This matches the existing pattern used for identities and policies.
// A future improvement would add dedicated gRPC RPCs for atomic group operations.
func (store *IamGrpcStore) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
config, err := store.LoadConfiguration(ctx)
if err != nil {
return err
}
for _, g := range config.Groups {
if g.Name == group.Name {
return credential.ErrGroupAlreadyExists
}
}
config.Groups = append(config.Groups, group)
return store.SaveConfiguration(ctx, config)
}
func (store *IamGrpcStore) GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error) {
config, err := store.LoadConfiguration(ctx)
if err != nil {
return nil, err
}
for _, g := range config.Groups {
if g.Name == groupName {
return g, nil
}
}
return nil, credential.ErrGroupNotFound
}
func (store *IamGrpcStore) DeleteGroup(ctx context.Context, groupName string) error {
config, err := store.LoadConfiguration(ctx)
if err != nil {
return err
}
for i, g := range config.Groups {
if g.Name == groupName {
config.Groups = append(config.Groups[:i], config.Groups[i+1:]...)
return store.SaveConfiguration(ctx, config)
}
}
return credential.ErrGroupNotFound
}
func (store *IamGrpcStore) ListGroups(ctx context.Context) ([]string, error) {
config, err := store.LoadConfiguration(ctx)
if err != nil {
return nil, err
}
var names []string
for _, g := range config.Groups {
names = append(names, g.Name)
}
return names, nil
}
func (store *IamGrpcStore) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
config, err := store.LoadConfiguration(ctx)
if err != nil {
return err
}
for i, g := range config.Groups {
if g.Name == group.Name {
config.Groups[i] = group
return store.SaveConfiguration(ctx, config)
}
}
return credential.ErrGroupNotFound
}

89
weed/credential/memory/memory_group.go
View File

@ -0,0 +1,89 @@
package memory
import (
"context"
"fmt"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
// cloneGroup creates a deep copy of an iam_pb.Group.
func cloneGroup(g *iam_pb.Group) *iam_pb.Group {
if g == nil {
return nil
}
clone := &iam_pb.Group{
Name: g.Name,
Disabled: g.Disabled,
}
if g.Members != nil {
clone.Members = make([]string, len(g.Members))
copy(clone.Members, g.Members)
}
if g.PolicyNames != nil {
clone.PolicyNames = make([]string, len(g.PolicyNames))
copy(clone.PolicyNames, g.PolicyNames)
}
return clone
}
func (store *MemoryStore) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
store.mu.Lock()
defer store.mu.Unlock()
if _, exists := store.groups[group.Name]; exists {
return credential.ErrGroupAlreadyExists
}
store.groups[group.Name] = cloneGroup(group)
return nil
}
func (store *MemoryStore) GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error) {
store.mu.RLock()
defer store.mu.RUnlock()
if g, exists := store.groups[groupName]; exists {
return cloneGroup(g), nil
}
return nil, credential.ErrGroupNotFound
}
func (store *MemoryStore) DeleteGroup(ctx context.Context, groupName string) error {
store.mu.Lock()
defer store.mu.Unlock()
if _, exists := store.groups[groupName]; !exists {
return credential.ErrGroupNotFound
}
delete(store.groups, groupName)
return nil
}
func (store *MemoryStore) ListGroups(ctx context.Context) ([]string, error) {
store.mu.RLock()
defer store.mu.RUnlock()
var names []string
for name := range store.groups {
names = append(names, name)
}
return names, nil
}
func (store *MemoryStore) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
store.mu.Lock()
defer store.mu.Unlock()
if _, exists := store.groups[group.Name]; !exists {
return credential.ErrGroupNotFound
}
store.groups[group.Name] = cloneGroup(group)
return nil
}

4
weed/credential/memory/memory_store.go
View File

@ -23,6 +23,7 @@ type MemoryStore struct {
serviceAccounts map[string]*iam_pb.ServiceAccount // id -> service_account
serviceAccountAccessKeys map[string]string // access_key -> id
policies map[string]policy_engine.PolicyDocument // policy_name -> policy_document
groups map[string]*iam_pb.Group // group_name -> group
initialized bool
}
@ -43,6 +44,7 @@ func (store *MemoryStore) Initialize(configuration util.Configuration, prefix st
store.serviceAccounts = make(map[string]*iam_pb.ServiceAccount)
store.serviceAccountAccessKeys = make(map[string]string)
store.policies = make(map[string]policy_engine.PolicyDocument)
store.groups = make(map[string]*iam_pb.Group)
store.initialized = true
return nil
@ -57,6 +59,7 @@ func (store *MemoryStore) Shutdown() {
store.serviceAccounts = nil
store.serviceAccountAccessKeys = nil
store.policies = nil
store.groups = nil
store.initialized = false
}
@ -71,6 +74,7 @@ func (store *MemoryStore) Reset() {
store.serviceAccounts = make(map[string]*iam_pb.ServiceAccount)
store.serviceAccountAccessKeys = make(map[string]string)
store.policies = make(map[string]policy_engine.PolicyDocument)
store.groups = make(map[string]*iam_pb.Group)
}
}

127
weed/credential/postgres/postgres_group.go
View File

@ -0,0 +1,127 @@
package postgres
import (
"context"
"database/sql"
"encoding/json"
"errors"
"fmt"
"github.com/jackc/pgx/v5/pgconn"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
func (store *PostgresStore) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
membersJSON, err := json.Marshal(group.Members)
if err != nil {
return fmt.Errorf("failed to marshal members: %w", err)
}
policyNamesJSON, err := json.Marshal(group.PolicyNames)
if err != nil {
return fmt.Errorf("failed to marshal policy_names: %w", err)
}
_, err = store.db.ExecContext(ctx,
`INSERT INTO groups (name, members, policy_names, disabled) VALUES ($1, $2, $3, $4)`,
group.Name, membersJSON, policyNamesJSON, group.Disabled)
if err != nil {
var pgErr *pgconn.PgError
if errors.As(err, &pgErr) && pgErr.Code == "23505" {
return credential.ErrGroupAlreadyExists
}
return fmt.Errorf("failed to create group: %w", err)
}
return nil
}
func (store *PostgresStore) GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error) {
var membersJSON, policyNamesJSON []byte
var disabled bool
err := store.db.QueryRowContext(ctx,
`SELECT members, policy_names, disabled FROM groups WHERE name = $1`, groupName).
Scan(&membersJSON, &policyNamesJSON, &disabled)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, credential.ErrGroupNotFound
}
return nil, fmt.Errorf("failed to get group: %w", err)
}
group := &iam_pb.Group{
Name: groupName,
Disabled: disabled,
}
if err := json.Unmarshal(membersJSON, &group.Members); err != nil {
return nil, fmt.Errorf("failed to unmarshal members: %w", err)
}
if err := json.Unmarshal(policyNamesJSON, &group.PolicyNames); err != nil {
return nil, fmt.Errorf("failed to unmarshal policy_names: %w", err)
}
return group, nil
}
func (store *PostgresStore) DeleteGroup(ctx context.Context, groupName string) error {
result, err := store.db.ExecContext(ctx, `DELETE FROM groups WHERE name = $1`, groupName)
if err != nil {
return fmt.Errorf("failed to delete group: %w", err)
}
rows, err := result.RowsAffected()
if err != nil {
return fmt.Errorf("failed to get rows affected: %w", err)
}
if rows == 0 {
return credential.ErrGroupNotFound
}
return nil
}
func (store *PostgresStore) ListGroups(ctx context.Context) ([]string, error) {
rows, err := store.db.QueryContext(ctx, `SELECT name FROM groups ORDER BY name`)
if err != nil {
return nil, fmt.Errorf("failed to list groups: %w", err)
}
defer rows.Close()
var names []string
for rows.Next() {
var name string
if err := rows.Scan(&name); err != nil {
return nil, fmt.Errorf("failed to scan group name: %w", err)
}
names = append(names, name)
}
return names, rows.Err()
}
func (store *PostgresStore) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
if group == nil || group.Name == "" {
return fmt.Errorf("group name is required")
}
membersJSON, err := json.Marshal(group.Members)
if err != nil {
return fmt.Errorf("failed to marshal members: %w", err)
}
policyNamesJSON, err := json.Marshal(group.PolicyNames)
if err != nil {
return fmt.Errorf("failed to marshal policy_names: %w", err)
}
result, err := store.db.ExecContext(ctx,
`UPDATE groups SET members = $1, policy_names = $2, disabled = $3, updated_at = CURRENT_TIMESTAMP WHERE name = $4`,
membersJSON, policyNamesJSON, group.Disabled, group.Name)
if err != nil {
return fmt.Errorf("failed to update group: %w", err)
}
rows, err := result.RowsAffected()
if err != nil {
return fmt.Errorf("failed to get rows affected: %w", err)
}
if rows == 0 {
return credential.ErrGroupNotFound
}
return nil
}

28
weed/credential/postgres/postgres_store.go
View File

@ -140,6 +140,18 @@ func (store *PostgresStore) createTables() error {
);
`
// Create groups table
groupsTable := `
CREATE TABLE IF NOT EXISTS groups (
name VARCHAR(255) PRIMARY KEY,
members JSONB DEFAULT '[]',
policy_names JSONB DEFAULT '[]',
disabled BOOLEAN DEFAULT FALSE,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
`
// Execute table creation
if _, err := store.db.Exec(usersTable); err != nil {
return fmt.Errorf("failed to create users table: %w", err)
@ -162,6 +174,22 @@ func (store *PostgresStore) createTables() error {
return fmt.Errorf("failed to create service_accounts table: %w", err)
}
if _, err := store.db.Exec(groupsTable); err != nil {
return fmt.Errorf("failed to create groups table: %w", err)
}
// Create index on groups disabled column for filtering
groupsDisabledIndex := `CREATE INDEX IF NOT EXISTS idx_groups_disabled ON groups (disabled);`
if _, err := store.db.Exec(groupsDisabledIndex); err != nil {
return fmt.Errorf("failed to create groups disabled index: %w", err)
}
// Create GIN index on groups members JSONB for membership lookups
groupsMembersIndex := `CREATE INDEX IF NOT EXISTS idx_groups_members_gin ON groups USING GIN (members);`
if _, err := store.db.Exec(groupsMembersIndex); err != nil {
return fmt.Errorf("failed to create groups members index: %w", err)
}
return nil
}

48
weed/credential/propagating_store.go
View File

@ -385,3 +385,51 @@ func (s *PropagatingCredentialStore) DeleteServiceAccount(ctx context.Context, i
})
return nil
}
func (s *PropagatingCredentialStore) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
if group != nil {
glog.V(4).Infof("IAM: PropagatingCredentialStore.CreateGroup %s", group.Name)
}
if err := s.CredentialStore.CreateGroup(ctx, group); err != nil {
return err
}
s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error {
_, err := client.PutGroup(tx, &iam_pb.PutGroupRequest{Group: group})
return err
})
return nil
}
func (s *PropagatingCredentialStore) GetGroup(ctx context.Context, groupName string) (*iam_pb.Group, error) {
return s.CredentialStore.GetGroup(ctx, groupName)
}
func (s *PropagatingCredentialStore) DeleteGroup(ctx context.Context, groupName string) error {
glog.V(4).Infof("IAM: PropagatingCredentialStore.DeleteGroup %s", groupName)
if err := s.CredentialStore.DeleteGroup(ctx, groupName); err != nil {
return err
}
s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error {
_, err := client.RemoveGroup(tx, &iam_pb.RemoveGroupRequest{GroupName: groupName})
return err
})
return nil
}
func (s *PropagatingCredentialStore) ListGroups(ctx context.Context) ([]string, error) {
return s.CredentialStore.ListGroups(ctx)
}
func (s *PropagatingCredentialStore) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
if group != nil {
glog.V(4).Infof("IAM: PropagatingCredentialStore.UpdateGroup %s", group.Name)
}
if err := s.CredentialStore.UpdateGroup(ctx, group); err != nil {
return err
}
s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error {
_, err := client.PutGroup(tx, &iam_pb.PutGroupRequest{Group: group})
return err
})
return nil
}

90
weed/iam/responses.go
View File

@ -280,3 +280,93 @@ type UpdateServiceAccountResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ UpdateServiceAccountResponse"`
CommonResponse
}
// CreateGroupResponse is the response for CreateGroup action.
type CreateGroupResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreateGroupResponse"`
CreateGroupResult struct {
Group iam.Group `xml:"Group"`
} `xml:"CreateGroupResult"`
CommonResponse
}
// DeleteGroupResponse is the response for DeleteGroup action.
type DeleteGroupResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DeleteGroupResponse"`
CommonResponse
}
// UpdateGroupResponse is the response for UpdateGroup action.
type UpdateGroupResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ UpdateGroupResponse"`
CommonResponse
}
// GetGroupResponse is the response for GetGroup action.
type GetGroupResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ GetGroupResponse"`
GetGroupResult struct {
Group iam.Group `xml:"Group"`
Users []*iam.User `xml:"Users>member"`
IsTruncated bool `xml:"IsTruncated"`
Marker string `xml:"Marker,omitempty"`
} `xml:"GetGroupResult"`
CommonResponse
}
// ListGroupsResponse is the response for ListGroups action.
type ListGroupsResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListGroupsResponse"`
ListGroupsResult struct {
Groups []*iam.Group `xml:"Groups>member"`
IsTruncated bool `xml:"IsTruncated"`
Marker string `xml:"Marker,omitempty"`
} `xml:"ListGroupsResult"`
CommonResponse
}
// AddUserToGroupResponse is the response for AddUserToGroup action.
type AddUserToGroupResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ AddUserToGroupResponse"`
CommonResponse
}
// RemoveUserFromGroupResponse is the response for RemoveUserFromGroup action.
type RemoveUserFromGroupResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ RemoveUserFromGroupResponse"`
CommonResponse
}
// AttachGroupPolicyResponse is the response for AttachGroupPolicy action.
type AttachGroupPolicyResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ AttachGroupPolicyResponse"`
CommonResponse
}
// DetachGroupPolicyResponse is the response for DetachGroupPolicy action.
type DetachGroupPolicyResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DetachGroupPolicyResponse"`
CommonResponse
}
// ListAttachedGroupPoliciesResponse is the response for ListAttachedGroupPolicies action.
type ListAttachedGroupPoliciesResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListAttachedGroupPoliciesResponse"`
ListAttachedGroupPoliciesResult struct {
AttachedPolicies []*iam.AttachedPolicy `xml:"AttachedPolicies>member"`
IsTruncated bool `xml:"IsTruncated"`
Marker string `xml:"Marker,omitempty"`
} `xml:"ListAttachedGroupPoliciesResult"`
CommonResponse
}
// ListGroupsForUserResponse is the response for ListGroupsForUser action.
type ListGroupsForUserResponse struct {
XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListGroupsForUserResponse"`
ListGroupsForUserResult struct {
Groups []*iam.Group `xml:"Groups>member"`
IsTruncated bool `xml:"IsTruncated"`
Marker string `xml:"Marker,omitempty"`
} `xml:"ListGroupsForUserResult"`
CommonResponse
}

329
weed/iamapi/iamapi_group_handlers.go
View File

@ -0,0 +1,329 @@
package iamapi
import (
"errors"
"fmt"
"net/url"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
func (iama *IamApiServer) CreateGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*CreateGroupResponse, *IamError) {
resp := &CreateGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
return resp, &IamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("group %s already exists", groupName)}
}
}
s3cfg.Groups = append(s3cfg.Groups, &iam_pb.Group{Name: groupName})
resp.CreateGroupResult.Group.GroupName = &groupName
return resp, nil
}
func (iama *IamApiServer) DeleteGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*DeleteGroupResponse, *IamError) {
resp := &DeleteGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for i, g := range s3cfg.Groups {
if g.Name == groupName {
if len(g.Members) > 0 {
return resp, &IamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d member(s)", groupName, len(g.Members))}
}
if len(g.PolicyNames) > 0 {
return resp, &IamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d attached policy(ies)", groupName, len(g.PolicyNames))}
}
s3cfg.Groups = append(s3cfg.Groups[:i], s3cfg.Groups[i+1:]...)
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) UpdateGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*UpdateGroupResponse, *IamError) {
resp := &UpdateGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
if disabled := values.Get("Disabled"); disabled != "" {
if disabled != "true" && disabled != "false" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("Disabled must be 'true' or 'false'")}
}
g.Disabled = disabled == "true"
}
if newName := values.Get("NewGroupName"); newName != "" && newName != g.Name {
for _, other := range s3cfg.Groups {
if other.Name == newName {
return resp, &IamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("group %s already exists", newName)}
}
}
g.Name = newName
}
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) GetGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*GetGroupResponse, *IamError) {
resp := &GetGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
resp.GetGroupResult.Group.GroupName = &g.Name
for _, member := range g.Members {
m := member
resp.GetGroupResult.Users = append(resp.GetGroupResult.Users, &iam.User{UserName: &m})
}
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) ListGroups(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) *ListGroupsResponse {
resp := &ListGroupsResponse{}
for _, g := range s3cfg.Groups {
name := g.Name
resp.ListGroupsResult.Groups = append(resp.ListGroupsResult.Groups, &iam.Group{GroupName: &name})
}
return resp
}
func (iama *IamApiServer) AddUserToGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*AddUserToGroupResponse, *IamError) {
resp := &AddUserToGroupResponse{}
groupName := values.Get("GroupName")
userName := values.Get("UserName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
if userName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
}
userFound := false
for _, ident := range s3cfg.Identities {
if ident.Name == userName {
userFound = true
break
}
}
if !userFound {
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("user %s does not exist", userName)}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for _, m := range g.Members {
if m == userName {
return resp, nil
}
}
g.Members = append(g.Members, userName)
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) RemoveUserFromGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*RemoveUserFromGroupResponse, *IamError) {
resp := &RemoveUserFromGroupResponse{}
groupName := values.Get("GroupName")
userName := values.Get("UserName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
if userName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for i, m := range g.Members {
if m == userName {
g.Members = append(g.Members[:i], g.Members[i+1:]...)
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("user %s is not a member of group %s", userName, groupName)}
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) AttachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*AttachGroupPolicyResponse, *IamError) {
resp := &AttachGroupPolicyResponse{}
groupName := values.Get("GroupName")
policyArn := values.Get("PolicyArn")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
policyName, iamErr := parsePolicyArn(policyArn)
if iamErr != nil {
return resp, iamErr
}
// Verify policy exists in the persisted policies store
policies := Policies{}
if pErr := iama.s3ApiConfig.GetPolicies(&policies); pErr != nil && !errors.Is(pErr, filer_pb.ErrNotFound) {
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
}
if _, exists := policies.Policies[policyName]; !exists {
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for _, p := range g.PolicyNames {
if p == policyName {
return resp, nil
}
}
g.PolicyNames = append(g.PolicyNames, policyName)
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) DetachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*DetachGroupPolicyResponse, *IamError) {
resp := &DetachGroupPolicyResponse{}
groupName := values.Get("GroupName")
policyArn := values.Get("PolicyArn")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
policyName, iamErr := parsePolicyArn(policyArn)
if iamErr != nil {
return resp, iamErr
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for i, p := range g.PolicyNames {
if p == policyName {
g.PolicyNames = append(g.PolicyNames[:i], g.PolicyNames[i+1:]...)
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s is not attached to group %s", policyName, groupName)}
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) ListAttachedGroupPolicies(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*ListAttachedGroupPoliciesResponse, *IamError) {
resp := &ListAttachedGroupPoliciesResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for _, policyName := range g.PolicyNames {
pn := policyName
policyArn := policyArnPrefix + pn
resp.ListAttachedGroupPoliciesResult.AttachedPolicies = append(resp.ListAttachedGroupPoliciesResult.AttachedPolicies, &iam.AttachedPolicy{
PolicyName: &pn,
PolicyArn: &policyArn,
})
}
return resp, nil
}
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (iama *IamApiServer) ListGroupsForUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*ListGroupsForUserResponse, *IamError) {
resp := &ListGroupsForUserResponse{}
userName := values.Get("UserName")
if userName == "" {
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
}
userFound := false
for _, ident := range s3cfg.Identities {
if ident.Name == userName {
userFound = true
break
}
}
if !userFound {
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("user %s does not exist", userName)}
}
// Build reverse index for efficient lookup
userGroupsIndex := buildUserGroupsIndex(s3cfg)
for _, gName := range userGroupsIndex[userName] {
name := gName
resp.ListGroupsForUserResult.Groups = append(resp.ListGroupsForUserResult.Groups, &iam.Group{GroupName: &name})
}
return resp, nil
}
// removeUserFromAllGroups removes a user from all groups they belong to.
// Uses a reverse index for efficient lookup of which groups to modify.
func removeUserFromAllGroups(s3cfg *iam_pb.S3ApiConfiguration, userName string) {
userGroupsIndex := buildUserGroupsIndex(s3cfg)
groupNames, found := userGroupsIndex[userName]
if !found {
return
}
// Build a set for fast group name lookup
targetGroups := make(map[string]bool, len(groupNames))
for _, gn := range groupNames {
targetGroups[gn] = true
}
for _, g := range s3cfg.Groups {
if !targetGroups[g.Name] {
continue
}
for i, m := range g.Members {
if m == userName {
g.Members = append(g.Members[:i], g.Members[i+1:]...)
break
}
}
}
}
// updateUserInGroups updates group membership references when a user is renamed.
func updateUserInGroups(s3cfg *iam_pb.S3ApiConfiguration, oldUserName, newUserName string) {
for _, g := range s3cfg.Groups {
for i, m := range g.Members {
if m == oldUserName {
g.Members[i] = newUserName
break
}
}
}
}
// isPolicyAttachedToAnyGroup checks if a policy is attached to any group.
func isPolicyAttachedToAnyGroup(s3cfg *iam_pb.S3ApiConfiguration, policyName string) (string, bool) {
for _, g := range s3cfg.Groups {
for _, p := range g.PolicyNames {
if p == policyName {
return g.Name, true
}
}
}
return "", false
}
// buildUserGroupsIndex builds a reverse index mapping usernames to group names.
func buildUserGroupsIndex(s3cfg *iam_pb.S3ApiConfiguration) map[string][]string {
index := make(map[string][]string)
for _, g := range s3cfg.Groups {
for _, m := range g.Members {
index[m] = append(index[m], g.Name)
}
}
return index
}

174
weed/iamapi/iamapi_management_handlers.go
View File

@ -219,6 +219,8 @@ func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName
}
}
s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
// Remove user from all groups
removeUserFromAllGroups(s3cfg, userName)
return resp, nil
}
}
@ -240,31 +242,74 @@ func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values ur
resp = &UpdateUserResponse{}
userName := values.Get("UserName")
newUserName := values.Get("NewUserName")
if newUserName != "" {
for _, ident := range s3cfg.Identities {
if userName == ident.Name {
ident.Name = newUserName
// Move any inline policies from old username to new username
policies := Policies{}
if pErr := iama.s3ApiConfig.GetPolicies(&policies); pErr != nil && !errors.Is(pErr, filer_pb.ErrNotFound) {
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
}
if policies.InlinePolicies != nil {
if userPolicies, exists := policies.InlinePolicies[userName]; exists {
delete(policies.InlinePolicies, userName)
policies.InlinePolicies[newUserName] = userPolicies
if pErr := iama.s3ApiConfig.PutPolicies(&policies); pErr != nil {
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
}
}
}
return resp, nil
}
if newUserName == "" {
return resp, nil
}
// Find the source identity first
var sourceIdent *iam_pb.Identity
for _, ident := range s3cfg.Identities {
if ident.Name == userName {
sourceIdent = ident
break
}
} else {
}
if sourceIdent == nil {
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
}
// No-op if renaming to the same name
if newUserName == userName {
return resp, nil
}
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
// Check for name collision before renaming
for _, ident := range s3cfg.Identities {
if ident.Name == newUserName {
return resp, &IamError{
Code: iam.ErrCodeEntityAlreadyExistsException,
Error: fmt.Errorf("user %s already exists", newUserName),
}
}
}
// Check for inline policy collision
policies := Policies{}
if pErr := iama.s3ApiConfig.GetPolicies(&policies); pErr != nil && !errors.Is(pErr, filer_pb.ErrNotFound) {
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
}
if policies.InlinePolicies != nil {
if _, exists := policies.InlinePolicies[newUserName]; exists {
return resp, &IamError{
Code: iam.ErrCodeEntityAlreadyExistsException,
Error: fmt.Errorf("inline policies already exist for user %s", newUserName),
}
}
}
sourceIdent.Name = newUserName
// Move any inline policies from old username to new username
if policies.InlinePolicies != nil {
if userPolicies, exists := policies.InlinePolicies[userName]; exists {
delete(policies.InlinePolicies, userName)
policies.InlinePolicies[newUserName] = userPolicies
if pErr := iama.s3ApiConfig.PutPolicies(&policies); pErr != nil {
// Rollback: restore identity name and inline policies
sourceIdent.Name = userName
delete(policies.InlinePolicies, newUserName)
policies.InlinePolicies[userName] = userPolicies
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
}
}
}
// Update group membership references
updateUserInGroups(s3cfg, userName, newUserName)
// Update service account parent references
for _, sa := range s3cfg.ServiceAccounts {
if sa.ParentUser == userName {
sa.ParentUser = newUserName
}
}
return resp, nil
}
func GetPolicyDocument(policy *string) (policy_engine.PolicyDocument, error) {
@ -540,6 +585,14 @@ func (iama *IamApiServer) DeletePolicy(s3cfg *iam_pb.S3ApiConfiguration, values
}
}
// Reject deletion if the policy is attached to any group
if groupName, attached := isPolicyAttachedToAnyGroup(s3cfg, policyName); attached {
return resp, &IamError{
Code: iam.ErrCodeDeleteConflictException,
Error: fmt.Errorf("policy %s is still attached to group %s", policyName, groupName),
}
}
delete(policies.Policies, policyName)
if err := iama.s3ApiConfig.PutPolicies(&policies); err != nil {
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
@ -1055,6 +1108,83 @@ func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
return
}
changed = false
// Group actions
case "CreateGroup":
var err *IamError
response, err = iama.CreateGroup(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "DeleteGroup":
var err *IamError
response, err = iama.DeleteGroup(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "UpdateGroup":
var err *IamError
response, err = iama.UpdateGroup(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "GetGroup":
var err *IamError
response, err = iama.GetGroup(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
changed = false
case "ListGroups":
response = iama.ListGroups(s3cfg, values)
changed = false
case "AddUserToGroup":
var err *IamError
response, err = iama.AddUserToGroup(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "RemoveUserFromGroup":
var err *IamError
response, err = iama.RemoveUserFromGroup(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "AttachGroupPolicy":
var err *IamError
response, err = iama.AttachGroupPolicy(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "DetachGroupPolicy":
var err *IamError
response, err = iama.DetachGroupPolicy(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
case "ListAttachedGroupPolicies":
var err *IamError
response, err = iama.ListAttachedGroupPolicies(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
changed = false
case "ListGroupsForUser":
var err *IamError
response, err = iama.ListGroupsForUser(s3cfg, values)
if err != nil {
writeIamErrorResponse(w, r, reqID, err)
return
}
changed = false
default:
errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
errorResponse := newErrorResponse(errNotImplemented.Code, errNotImplemented.Description, reqID)

12
weed/iamapi/iamapi_response.go
View File

@ -36,4 +36,16 @@ type (
ListServiceAccountsResponse = iamlib.ListServiceAccountsResponse
GetServiceAccountResponse = iamlib.GetServiceAccountResponse
UpdateServiceAccountResponse = iamlib.UpdateServiceAccountResponse
// Group response types
CreateGroupResponse = iamlib.CreateGroupResponse
DeleteGroupResponse = iamlib.DeleteGroupResponse
UpdateGroupResponse = iamlib.UpdateGroupResponse
GetGroupResponse = iamlib.GetGroupResponse
ListGroupsResponse = iamlib.ListGroupsResponse
AddUserToGroupResponse = iamlib.AddUserToGroupResponse
RemoveUserFromGroupResponse = iamlib.RemoveUserFromGroupResponse
AttachGroupPolicyResponse = iamlib.AttachGroupPolicyResponse
DetachGroupPolicyResponse = iamlib.DetachGroupPolicyResponse
ListAttachedGroupPoliciesResponse = iamlib.ListAttachedGroupPoliciesResponse
ListGroupsForUserResponse = iamlib.ListGroupsForUserResponse
)

22
weed/pb/iam.proto
View File

@ -168,6 +168,14 @@ message S3ApiConfiguration {
repeated Account accounts = 2;
repeated ServiceAccount service_accounts = 3;
repeated Policy policies = 4;
repeated Group groups = 5;
}
message Group {
string name = 1;
repeated string members = 2; // usernames
repeated string policy_names = 3; // attached managed policy names
bool disabled = 4;
}
message Identity {
@ -309,3 +317,17 @@ message RemoveIdentityRequest {
message RemoveIdentityResponse {
}
message PutGroupRequest {
Group group = 1;
}
message PutGroupResponse {
}
message RemoveGroupRequest {
string group_name = 1;
}
message RemoveGroupResponse {
}

628
weed/pb/iam_pb/iam.pb.go
File diff suppressed because it is too large
View File

2
weed/pb/s3.proto
View File

@ -18,6 +18,8 @@ service SeaweedS3IamCache {
rpc GetPolicy (iam_pb.GetPolicyRequest) returns (iam_pb.GetPolicyResponse);
rpc ListPolicies (iam_pb.ListPoliciesRequest) returns (iam_pb.ListPoliciesResponse);
rpc DeletePolicy (iam_pb.DeletePolicyRequest) returns (iam_pb.DeletePolicyResponse);
rpc PutGroup (iam_pb.PutGroupRequest) returns (iam_pb.PutGroupResponse);
rpc RemoveGroup (iam_pb.RemoveGroupRequest) returns (iam_pb.RemoveGroupResponse);
}
//////////////////////////////////////////////////

42
weed/pb/s3_pb/s3.pb.go
View File

@ -414,14 +414,16 @@ const file_s3_proto_rawDesc = "" +
"\rsse_algorithm\x18\x01 \x01(\tR\fsseAlgorithm\x12\x1c\n" +
"\n" +
"kms_key_id\x18\x02 \x01(\tR\bkmsKeyId\x12,\n" +
"\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xc6\x03\n" +
"\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xcd\x04\n" +
"\x11SeaweedS3IamCache\x12F\n" +
"\vPutIdentity\x12\x1a.iam_pb.PutIdentityRequest\x1a\x1b.iam_pb.PutIdentityResponse\x12O\n" +
"\x0eRemoveIdentity\x12\x1d.iam_pb.RemoveIdentityRequest\x1a\x1e.iam_pb.RemoveIdentityResponse\x12@\n" +
"\tPutPolicy\x12\x18.iam_pb.PutPolicyRequest\x1a\x19.iam_pb.PutPolicyResponse\x12@\n" +
"\tGetPolicy\x12\x18.iam_pb.GetPolicyRequest\x1a\x19.iam_pb.GetPolicyResponse\x12I\n" +
"\fListPolicies\x12\x1b.iam_pb.ListPoliciesRequest\x1a\x1c.iam_pb.ListPoliciesResponse\x12I\n" +
"\fDeletePolicy\x12\x1b.iam_pb.DeletePolicyRequest\x1a\x1c.iam_pb.DeletePolicyResponseBI\n" +
"\fDeletePolicy\x12\x1b.iam_pb.DeletePolicyRequest\x1a\x1c.iam_pb.DeletePolicyResponse\x12=\n" +
"\bPutGroup\x12\x17.iam_pb.PutGroupRequest\x1a\x18.iam_pb.PutGroupResponse\x12F\n" +
"\vRemoveGroup\x12\x1a.iam_pb.RemoveGroupRequest\x1a\x1b.iam_pb.RemoveGroupResponseBI\n" +
"\x10seaweedfs.clientB\aS3ProtoZ,github.com/seaweedfs/seaweedfs/weed/pb/s3_pbb\x06proto3"
var (
@ -453,12 +455,16 @@ var file_s3_proto_goTypes = []any{
(*iam_pb.GetPolicyRequest)(nil), // 12: iam_pb.GetPolicyRequest
(*iam_pb.ListPoliciesRequest)(nil), // 13: iam_pb.ListPoliciesRequest
(*iam_pb.DeletePolicyRequest)(nil), // 14: iam_pb.DeletePolicyRequest
(*iam_pb.PutIdentityResponse)(nil), // 15: iam_pb.PutIdentityResponse
(*iam_pb.RemoveIdentityResponse)(nil), // 16: iam_pb.RemoveIdentityResponse
(*iam_pb.PutPolicyResponse)(nil), // 17: iam_pb.PutPolicyResponse
(*iam_pb.GetPolicyResponse)(nil), // 18: iam_pb.GetPolicyResponse
(*iam_pb.ListPoliciesResponse)(nil), // 19: iam_pb.ListPoliciesResponse
(*iam_pb.DeletePolicyResponse)(nil), // 20: iam_pb.DeletePolicyResponse
(*iam_pb.PutGroupRequest)(nil), // 15: iam_pb.PutGroupRequest
(*iam_pb.RemoveGroupRequest)(nil), // 16: iam_pb.RemoveGroupRequest
(*iam_pb.PutIdentityResponse)(nil), // 17: iam_pb.PutIdentityResponse
(*iam_pb.RemoveIdentityResponse)(nil), // 18: iam_pb.RemoveIdentityResponse
(*iam_pb.PutPolicyResponse)(nil), // 19: iam_pb.PutPolicyResponse
(*iam_pb.GetPolicyResponse)(nil), // 20: iam_pb.GetPolicyResponse
(*iam_pb.ListPoliciesResponse)(nil), // 21: iam_pb.ListPoliciesResponse
(*iam_pb.DeletePolicyResponse)(nil), // 22: iam_pb.DeletePolicyResponse
(*iam_pb.PutGroupResponse)(nil), // 23: iam_pb.PutGroupResponse
(*iam_pb.RemoveGroupResponse)(nil), // 24: iam_pb.RemoveGroupResponse
}
var file_s3_proto_depIdxs = []int32{
1, // 0: messaging_pb.S3CircuitBreakerConfig.global:type_name -> messaging_pb.S3CircuitBreakerOptions
@ -475,14 +481,18 @@ var file_s3_proto_depIdxs = []int32{
12, // 11: messaging_pb.SeaweedS3IamCache.GetPolicy:input_type -> iam_pb.GetPolicyRequest
13, // 12: messaging_pb.SeaweedS3IamCache.ListPolicies:input_type -> iam_pb.ListPoliciesRequest
14, // 13: messaging_pb.SeaweedS3IamCache.DeletePolicy:input_type -> iam_pb.DeletePolicyRequest
15, // 14: messaging_pb.SeaweedS3IamCache.PutIdentity:output_type -> iam_pb.PutIdentityResponse
16, // 15: messaging_pb.SeaweedS3IamCache.RemoveIdentity:output_type -> iam_pb.RemoveIdentityResponse
17, // 16: messaging_pb.SeaweedS3IamCache.PutPolicy:output_type -> iam_pb.PutPolicyResponse
18, // 17: messaging_pb.SeaweedS3IamCache.GetPolicy:output_type -> iam_pb.GetPolicyResponse
19, // 18: messaging_pb.SeaweedS3IamCache.ListPolicies:output_type -> iam_pb.ListPoliciesResponse
20, // 19: messaging_pb.SeaweedS3IamCache.DeletePolicy:output_type -> iam_pb.DeletePolicyResponse
14, // [14:20] is the sub-list for method output_type
8, // [8:14] is the sub-list for method input_type
15, // 14: messaging_pb.SeaweedS3IamCache.PutGroup:input_type -> iam_pb.PutGroupRequest
16, // 15: messaging_pb.SeaweedS3IamCache.RemoveGroup:input_type -> iam_pb.RemoveGroupRequest
17, // 16: messaging_pb.SeaweedS3IamCache.PutIdentity:output_type -> iam_pb.PutIdentityResponse
18, // 17: messaging_pb.SeaweedS3IamCache.RemoveIdentity:output_type -> iam_pb.RemoveIdentityResponse
19, // 18: messaging_pb.SeaweedS3IamCache.PutPolicy:output_type -> iam_pb.PutPolicyResponse
20, // 19: messaging_pb.SeaweedS3IamCache.GetPolicy:output_type -> iam_pb.GetPolicyResponse
21, // 20: messaging_pb.SeaweedS3IamCache.ListPolicies:output_type -> iam_pb.ListPoliciesResponse
22, // 21: messaging_pb.SeaweedS3IamCache.DeletePolicy:output_type -> iam_pb.DeletePolicyResponse
23, // 22: messaging_pb.SeaweedS3IamCache.PutGroup:output_type -> iam_pb.PutGroupResponse
24, // 23: messaging_pb.SeaweedS3IamCache.RemoveGroup:output_type -> iam_pb.RemoveGroupResponse
16, // [16:24] is the sub-list for method output_type
8, // [8:16] is the sub-list for method input_type
8, // [8:8] is the sub-list for extension type_name
8, // [8:8] is the sub-list for extension extendee
0, // [0:8] is the sub-list for field type_name

76
weed/pb/s3_pb/s3_grpc.pb.go
View File

@ -26,6 +26,8 @@ const (
SeaweedS3IamCache_GetPolicy_FullMethodName = "/messaging_pb.SeaweedS3IamCache/GetPolicy"
SeaweedS3IamCache_ListPolicies_FullMethodName = "/messaging_pb.SeaweedS3IamCache/ListPolicies"
SeaweedS3IamCache_DeletePolicy_FullMethodName = "/messaging_pb.SeaweedS3IamCache/DeletePolicy"
SeaweedS3IamCache_PutGroup_FullMethodName = "/messaging_pb.SeaweedS3IamCache/PutGroup"
SeaweedS3IamCache_RemoveGroup_FullMethodName = "/messaging_pb.SeaweedS3IamCache/RemoveGroup"
)
// SeaweedS3IamCacheClient is the client API for SeaweedS3IamCache service.
@ -40,6 +42,8 @@ type SeaweedS3IamCacheClient interface {
GetPolicy(ctx context.Context, in *iam_pb.GetPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetPolicyResponse, error)
ListPolicies(ctx context.Context, in *iam_pb.ListPoliciesRequest, opts ...grpc.CallOption) (*iam_pb.ListPoliciesResponse, error)
DeletePolicy(ctx context.Context, in *iam_pb.DeletePolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeletePolicyResponse, error)
PutGroup(ctx context.Context, in *iam_pb.PutGroupRequest, opts ...grpc.CallOption) (*iam_pb.PutGroupResponse, error)
RemoveGroup(ctx context.Context, in *iam_pb.RemoveGroupRequest, opts ...grpc.CallOption) (*iam_pb.RemoveGroupResponse, error)
}
type seaweedS3IamCacheClient struct {
@ -110,6 +114,26 @@ func (c *seaweedS3IamCacheClient) DeletePolicy(ctx context.Context, in *iam_pb.D
return out, nil
}
func (c *seaweedS3IamCacheClient) PutGroup(ctx context.Context, in *iam_pb.PutGroupRequest, opts ...grpc.CallOption) (*iam_pb.PutGroupResponse, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(iam_pb.PutGroupResponse)
err := c.cc.Invoke(ctx, SeaweedS3IamCache_PutGroup_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *seaweedS3IamCacheClient) RemoveGroup(ctx context.Context, in *iam_pb.RemoveGroupRequest, opts ...grpc.CallOption) (*iam_pb.RemoveGroupResponse, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(iam_pb.RemoveGroupResponse)
err := c.cc.Invoke(ctx, SeaweedS3IamCache_RemoveGroup_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
// SeaweedS3IamCacheServer is the server API for SeaweedS3IamCache service.
// All implementations must embed UnimplementedSeaweedS3IamCacheServer
// for forward compatibility.
@ -122,6 +146,8 @@ type SeaweedS3IamCacheServer interface {
GetPolicy(context.Context, *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error)
ListPolicies(context.Context, *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error)
DeletePolicy(context.Context, *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error)
PutGroup(context.Context, *iam_pb.PutGroupRequest) (*iam_pb.PutGroupResponse, error)
RemoveGroup(context.Context, *iam_pb.RemoveGroupRequest) (*iam_pb.RemoveGroupResponse, error)
mustEmbedUnimplementedSeaweedS3IamCacheServer()
}
@ -150,6 +176,12 @@ func (UnimplementedSeaweedS3IamCacheServer) ListPolicies(context.Context, *iam_p
func (UnimplementedSeaweedS3IamCacheServer) DeletePolicy(context.Context, *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method DeletePolicy not implemented")
}
func (UnimplementedSeaweedS3IamCacheServer) PutGroup(context.Context, *iam_pb.PutGroupRequest) (*iam_pb.PutGroupResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method PutGroup not implemented")
}
func (UnimplementedSeaweedS3IamCacheServer) RemoveGroup(context.Context, *iam_pb.RemoveGroupRequest) (*iam_pb.RemoveGroupResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method RemoveGroup not implemented")
}
func (UnimplementedSeaweedS3IamCacheServer) mustEmbedUnimplementedSeaweedS3IamCacheServer() {}
func (UnimplementedSeaweedS3IamCacheServer) testEmbeddedByValue() {}
@ -279,6 +311,42 @@ func _SeaweedS3IamCache_DeletePolicy_Handler(srv interface{}, ctx context.Contex
return interceptor(ctx, in, info, handler)
}
func _SeaweedS3IamCache_PutGroup_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(iam_pb.PutGroupRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(SeaweedS3IamCacheServer).PutGroup(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: SeaweedS3IamCache_PutGroup_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(SeaweedS3IamCacheServer).PutGroup(ctx, req.(*iam_pb.PutGroupRequest))
}
return interceptor(ctx, in, info, handler)
}
func _SeaweedS3IamCache_RemoveGroup_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(iam_pb.RemoveGroupRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(SeaweedS3IamCacheServer).RemoveGroup(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: SeaweedS3IamCache_RemoveGroup_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(SeaweedS3IamCacheServer).RemoveGroup(ctx, req.(*iam_pb.RemoveGroupRequest))
}
return interceptor(ctx, in, info, handler)
}
// SeaweedS3IamCache_ServiceDesc is the grpc.ServiceDesc for SeaweedS3IamCache service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
@ -310,6 +378,14 @@ var SeaweedS3IamCache_ServiceDesc = grpc.ServiceDesc{
MethodName: "DeletePolicy",
Handler: _SeaweedS3IamCache_DeletePolicy_Handler,
},
{
MethodName: "PutGroup",
Handler: _SeaweedS3IamCache_PutGroup_Handler,
},
{
MethodName: "RemoveGroup",
Handler: _SeaweedS3IamCache_RemoveGroup_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "s3.proto",

174
weed/s3api/auth_credentials.go
View File

@ -49,6 +49,8 @@ type IdentityAccessManagement struct {
accessKeyIdent map[string]*Identity
nameToIdentity map[string]*Identity // O(1) lookup by identity name
policies map[string]*iam_pb.Policy
groups map[string]*iam_pb.Group // group name -> group
userGroups map[string][]string // user name -> group names (reverse index)
accounts map[string]*Account
emailAccount map[string]*Account
hashes map[string]*sync.Pool
@ -563,6 +565,16 @@ func (iam *IdentityAccessManagement) ReplaceS3ApiConfiguration(config *iam_pb.S3
for _, policy := range config.Policies {
policies[policy.Name] = policy
}
groups := make(map[string]*iam_pb.Group)
userGroupsMap := make(map[string][]string)
for _, g := range config.Groups {
groups[g.Name] = g
if !g.Disabled {
for _, member := range g.Members {
userGroupsMap[member] = append(userGroupsMap[member], g.Name)
}
}
}
for _, ident := range config.Identities {
glog.V(3).Infof("loading identity %s (disabled=%v)", ident.Name, ident.Disabled)
t := &Identity{
@ -663,6 +675,8 @@ func (iam *IdentityAccessManagement) ReplaceS3ApiConfiguration(config *iam_pb.S3
iam.nameToIdentity = nameToIdentity
iam.accessKeyIdent = accessKeyIdent
iam.policies = policies
iam.groups = groups
iam.userGroups = userGroupsMap
iam.rebuildIAMPolicyEngineLocked()
// Re-add environment-based identities that were preserved
@ -699,7 +713,7 @@ func (iam *IdentityAccessManagement) ReplaceS3ApiConfiguration(config *iam_pb.S3
iam.loadEnvironmentVariableCredentials()
// Log configuration summary - always log to help debugging
glog.Infof("Loaded %d identities, %d accounts, %d access keys. Auth enabled: %v",
glog.V(1).Infof("Loaded %d identities, %d accounts, %d access keys. Auth enabled: %v",
len(iam.identities), len(iam.accounts), len(iam.accessKeyIdent), iam.isAuthEnabled)
if glog.V(2) {
@ -920,6 +934,23 @@ func (iam *IdentityAccessManagement) MergeS3ApiConfiguration(config *iam_pb.S3Ap
iam.nameToIdentity = nameToIdentity
iam.accessKeyIdent = accessKeyIdent
iam.policies = policies
// Process groups: only replace if config.Groups is non-nil (full config reload).
// Partial updates (e.g., UpsertIdentity) pass nil Groups and should preserve existing state.
if config.Groups != nil {
mergedGroups := make(map[string]*iam_pb.Group)
mergedUserGroups := make(map[string][]string)
for _, g := range config.Groups {
mergedGroups[g.Name] = g
if !g.Disabled {
for _, member := range g.Members {
mergedUserGroups[member] = append(mergedUserGroups[member], g.Name)
}
}
}
iam.groups = mergedGroups
iam.userGroups = mergedUserGroups
}
iam.rebuildIAMPolicyEngineLocked()
// Update authentication state based on whether identities exist
// Once enabled, keep it enabled (one-way toggle)
@ -1837,14 +1868,32 @@ func determineIAMAuthPath(sessionToken, principal, principalArn string) iamAuthP
// Returns true if any matching statement explicitly allows the action.
// Uses the cached iamPolicyEngine to avoid re-parsing policy JSON on every request.
func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identity *Identity, action Action, bucket, object string) bool {
if identity == nil || len(identity.PolicyNames) == 0 {
if identity == nil {
return false
}
iam.m.RLock()
engine := iam.iamPolicyEngine
groupNames := iam.userGroups[identity.Name]
// Snapshot group policy names to avoid holding the lock during evaluation.
// We copy the needed data since PutGroup/RemoveGroup mutate iam.groups in-place.
var groupPolicies [][]string
for _, gName := range groupNames {
g, ok := iam.groups[gName]
if !ok || g.Disabled {
continue
}
policyNames := make([]string, len(g.PolicyNames))
copy(policyNames, g.PolicyNames)
groupPolicies = append(groupPolicies, policyNames)
}
iam.m.RUnlock()
// Collect all policy names: user policies + group policies
if len(identity.PolicyNames) == 0 && len(groupPolicies) == 0 {
return false
}
if engine == nil {
return false
}
@ -1858,15 +1907,17 @@ func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identi
conditions[k] = v
}
for _, policyName := range identity.PolicyNames {
result := engine.EvaluatePolicy(policyName, &policy_engine.PolicyEvaluationArgs{
Action: s3Action,
Resource: resource,
Principal: principal,
Conditions: conditions,
Claims: identity.Claims,
})
evalArgs := &policy_engine.PolicyEvaluationArgs{
Action: s3Action,
Resource: resource,
Principal: principal,
Conditions: conditions,
Claims: identity.Claims,
}
// Evaluate user's own policies
for _, policyName := range identity.PolicyNames {
result := engine.EvaluatePolicy(policyName, evalArgs)
if result == policy_engine.PolicyResultDeny {
return false
}
@ -1875,6 +1926,19 @@ func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identi
}
}
// Evaluate policies from user's groups
for _, policyNames := range groupPolicies {
for _, policyName := range policyNames {
result := engine.EvaluatePolicy(policyName, evalArgs)
if result == policy_engine.PolicyResultDeny {
return false
}
if result == policy_engine.PolicyResultAllow {
explicitAllow = true
}
}
}
return explicitAllow
}
@ -1894,7 +1958,17 @@ func (iam *IdentityAccessManagement) VerifyActionPermission(r *http.Request, ide
hasSessionToken := r.Header.Get("X-SeaweedFS-Session-Token") != "" ||
r.Header.Get("X-Amz-Security-Token") != "" ||
r.URL.Query().Get("X-Amz-Security-Token") != ""
hasAttachedPolicies := len(identity.PolicyNames) > 0
iam.m.RLock()
userGroupNames := iam.userGroups[identity.Name]
groupsHavePolicies := false
for _, gn := range userGroupNames {
if g, ok := iam.groups[gn]; ok && !g.Disabled && len(g.PolicyNames) > 0 {
groupsHavePolicies = true
break
}
}
iam.m.RUnlock()
hasAttachedPolicies := len(identity.PolicyNames) > 0 || groupsHavePolicies
if (len(identity.Actions) == 0 || hasSessionToken || hasAttachedPolicies) && iam.iamIntegration != nil {
return iam.authorizeWithIAM(r, identity, action, bucket, object)
@ -1942,11 +2016,25 @@ func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity
}
}
// Create IAMIdentity for authorization
// Create IAMIdentity for authorization — copy PolicyNames to avoid mutating shared identity
policyNames := make([]string, len(identity.PolicyNames))
copy(policyNames, identity.PolicyNames)
// Include policies inherited from user's groups
iam.m.RLock()
if groupNames, ok := iam.userGroups[identity.Name]; ok {
for _, gn := range groupNames {
if g, exists := iam.groups[gn]; exists && !g.Disabled {
policyNames = append(policyNames, g.PolicyNames...)
}
}
}
iam.m.RUnlock()
iamIdentity := &IAMIdentity{
Name: identity.Name,
Account: identity.Account,
PolicyNames: identity.PolicyNames,
PolicyNames: policyNames,
Claims: identity.Claims, // Copy claims for policy variable substitution
}
@ -2015,6 +2103,66 @@ func (iam *IdentityAccessManagement) DeletePolicy(name string) error {
return nil
}
func (iam *IdentityAccessManagement) PutGroup(group *iam_pb.Group) error {
if group == nil {
return fmt.Errorf("put group failed: nil group")
}
if group.Name == "" {
return fmt.Errorf("put group failed: empty group name")
}
glog.V(1).Infof("IAM: put group %s", group.Name)
iam.m.Lock()
defer iam.m.Unlock()
// Remove old reverse index entries for this group
if old, ok := iam.groups[group.Name]; ok && !old.Disabled {
for _, member := range old.Members {
iam.removeUserGroupLocked(member, group.Name)
}
}
iam.groups[group.Name] = group
// Add new reverse index entries if group is enabled
if !group.Disabled {
for _, member := range group.Members {
iam.userGroups[member] = append(iam.userGroups[member], group.Name)
}
}
return nil
}
func (iam *IdentityAccessManagement) RemoveGroup(groupName string) {
glog.V(1).Infof("IAM: remove group %s", groupName)
iam.m.Lock()
defer iam.m.Unlock()
if g, ok := iam.groups[groupName]; ok && !g.Disabled {
for _, member := range g.Members {
iam.removeUserGroupLocked(member, groupName)
}
}
delete(iam.groups, groupName)
}
// removeUserGroupLocked removes a group from a user's group list.
// Must be called with iam.m held.
func (iam *IdentityAccessManagement) removeUserGroupLocked(username, groupName string) {
groups := iam.userGroups[username]
for i, g := range groups {
if g == groupName {
iam.userGroups[username] = append(groups[:i], groups[i+1:]...)
if len(iam.userGroups[username]) == 0 {
delete(iam.userGroups, username)
}
return
}
}
}
// ensureIAMPolicyEngine lazily initializes the shared IAM policy engine.
// Must be called with iam.m held.
func (iam *IdentityAccessManagement) ensureIAMPolicyEngine() {

23
weed/s3api/auth_credentials_subscribe.go
View File

@ -19,7 +19,9 @@ func (s3a *S3ApiServer) subscribeMetaEvents(clientName string, lastTsNs int64, p
message := resp.EventNotification
// For rename/move operations, NewParentPath contains the destination directory
// For rename/move operations, NewParentPath contains the destination directory.
// We process both source and destination dirs so moves out of watched
// directories (e.g., IAM config dirs) are not missed.
dir := resp.Directory
if message.NewParentPath != "" {
dir = message.NewParentPath
@ -31,6 +33,22 @@ func (s3a *S3ApiServer) subscribeMetaEvents(clientName string, lastTsNs int64, p
_ = s3a.onIamConfigChange(dir, message.OldEntry, message.NewEntry)
_ = s3a.onCircuitBreakerConfigChange(dir, message.OldEntry, message.NewEntry)
// For moves across directories, replay a delete event for the source directory
if message.NewParentPath != "" && resp.Directory != message.NewParentPath {
_ = s3a.onBucketMetadataChange(resp.Directory, message.OldEntry, nil)
_ = s3a.onIamConfigChange(resp.Directory, message.OldEntry, nil)
_ = s3a.onCircuitBreakerConfigChange(resp.Directory, message.OldEntry, nil)
}
// For same-directory renames, replay a delete event for the old name
// so handlers can clean up stale state (e.g., old bucket names)
if message.OldEntry != nil && message.NewEntry != nil &&
(message.NewParentPath == "" || message.NewParentPath == resp.Directory) &&
message.OldEntry.Name != message.NewEntry.Name {
_ = s3a.onBucketMetadataChange(dir, message.OldEntry, nil)
_ = s3a.onCircuitBreakerConfigChange(dir, message.OldEntry, nil)
}
return nil
}
@ -93,8 +111,9 @@ func (s3a *S3ApiServer) onIamConfigChange(dir string, oldEntry *filer_pb.Entry,
isIdentityDir := dir == filer.IamConfigDirectory+"/identities" || strings.HasPrefix(dir, filer.IamConfigDirectory+"/identities/")
isPolicyDir := dir == filer.IamConfigDirectory+"/policies" || strings.HasPrefix(dir, filer.IamConfigDirectory+"/policies/")
isServiceAccountDir := dir == filer.IamConfigDirectory+"/service_accounts" || strings.HasPrefix(dir, filer.IamConfigDirectory+"/service_accounts/")
isGroupDir := dir == filer.IamConfigDirectory+"/groups" || strings.HasPrefix(dir, filer.IamConfigDirectory+"/groups/")
if isIdentityDir || isPolicyDir || isServiceAccountDir {
if isIdentityDir || isPolicyDir || isServiceAccountDir || isGroupDir {
// For multiple-file mode, any change in these directories should trigger a full reload
// from the credential manager (which handles the details of loading from multiple files).
if err := reloadIamConfig(dir); err != nil {

432
weed/s3api/s3api_embedded_iam.go
View File

@ -113,6 +113,18 @@ type (
iamListServiceAccountsResponse = iamlib.ListServiceAccountsResponse
iamGetServiceAccountResponse = iamlib.GetServiceAccountResponse
iamUpdateServiceAccountResponse = iamlib.UpdateServiceAccountResponse
// Group response types
iamCreateGroupResponse = iamlib.CreateGroupResponse
iamDeleteGroupResponse = iamlib.DeleteGroupResponse
iamUpdateGroupResponse = iamlib.UpdateGroupResponse
iamGetGroupResponse = iamlib.GetGroupResponse
iamListGroupsResponse = iamlib.ListGroupsResponse
iamAddUserToGroupResponse = iamlib.AddUserToGroupResponse
iamRemoveUserFromGroupResponse = iamlib.RemoveUserFromGroupResponse
iamAttachGroupPolicyResponse = iamlib.AttachGroupPolicyResponse
iamDetachGroupPolicyResponse = iamlib.DetachGroupPolicyResponse
iamListAttachedGroupPoliciesResponse = iamlib.ListAttachedGroupPoliciesResponse
iamListGroupsForUserResponse = iamlib.ListGroupsForUserResponse
)
// Helper function wrappers using shared package
@ -304,6 +316,15 @@ func (e *EmbeddedIamApi) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName s
}
}
s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
// Remove user from all groups
for _, g := range s3cfg.Groups {
for j, m := range g.Members {
if m == userName {
g.Members = append(g.Members[:j], g.Members[j+1:]...)
break
}
}
}
return resp, nil
}
}
@ -327,17 +348,51 @@ func (e *EmbeddedIamApi) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url
resp := &iamUpdateUserResponse{}
userName := values.Get("UserName")
newUserName := values.Get("NewUserName")
if newUserName != "" {
for _, ident := range s3cfg.Identities {
if userName == ident.Name {
ident.Name = newUserName
return resp, nil
}
if newUserName == "" {
return resp, nil
}
// Find the source identity first
var sourceIdent *iam_pb.Identity
for _, ident := range s3cfg.Identities {
if ident.Name == userName {
sourceIdent = ident
break
}
} else {
}
if sourceIdent == nil {
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
}
// No-op if renaming to the same name
if newUserName == userName {
return resp, nil
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
// Check for name collision before renaming
for _, ident := range s3cfg.Identities {
if ident.Name == newUserName {
return resp, &iamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("user %s already exists", newUserName)}
}
}
sourceIdent.Name = newUserName
// Update group membership references
for _, g := range s3cfg.Groups {
for j, m := range g.Members {
if m == userName {
g.Members[j] = newUserName
break
}
}
}
// Update service account parent references
for _, sa := range s3cfg.ServiceAccounts {
if sa.ParentUser == userName {
sa.ParentUser = newUserName
}
}
return resp, nil
}
// CreateAccessKey creates an access key for a user.
@ -481,6 +536,28 @@ func (e *EmbeddedIamApi) DeletePolicy(ctx context.Context, values url.Values) (*
}
}
}
// Check if policy is attached to any group
groupNames, err := e.credentialManager.ListGroups(ctx)
if err != nil {
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
}
for _, gn := range groupNames {
g, err := e.credentialManager.GetGroup(ctx, gn)
if err != nil {
if errors.Is(err, credential.ErrGroupNotFound) {
continue
}
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to get group %s: %w", gn, err)}
}
for _, pn := range g.PolicyNames {
if pn == policyName {
return resp, &iamError{
Code: iam.ErrCodeDeleteConflictException,
Error: fmt.Errorf("policy %s is attached to group %s", policyName, gn),
}
}
}
}
if err := e.credentialManager.DeletePolicy(ctx, policyName); err != nil {
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
}
@ -1405,6 +1482,275 @@ func (e *EmbeddedIamApi) UpdateServiceAccount(s3cfg *iam_pb.S3ApiConfiguration,
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("service account %s not found", saId)}
}
// Group Management Handlers
func (e *EmbeddedIamApi) CreateGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamCreateGroupResponse, *iamError) {
resp := &iamCreateGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
return resp, &iamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("group %s already exists", groupName)}
}
}
s3cfg.Groups = append(s3cfg.Groups, &iam_pb.Group{Name: groupName})
resp.CreateGroupResult.Group.GroupName = &groupName
return resp, nil
}
func (e *EmbeddedIamApi) DeleteGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamDeleteGroupResponse, *iamError) {
resp := &iamDeleteGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for i, g := range s3cfg.Groups {
if g.Name == groupName {
if len(g.Members) > 0 {
return resp, &iamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d member(s). Remove all members first", groupName, len(g.Members))}
}
if len(g.PolicyNames) > 0 {
return resp, &iamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d attached policy(ies). Detach all policies first", groupName, len(g.PolicyNames))}
}
s3cfg.Groups = append(s3cfg.Groups[:i], s3cfg.Groups[i+1:]...)
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) UpdateGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamUpdateGroupResponse, *iamError) {
resp := &iamUpdateGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
if disabled := values.Get("Disabled"); disabled != "" {
if disabled != "true" && disabled != "false" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("Disabled must be 'true' or 'false'")}
}
g.Disabled = disabled == "true"
}
if newName := values.Get("NewGroupName"); newName != "" && newName != g.Name {
for _, other := range s3cfg.Groups {
if other.Name == newName {
return resp, &iamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("group %s already exists", newName)}
}
}
g.Name = newName
}
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) GetGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamGetGroupResponse, *iamError) {
resp := &iamGetGroupResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
resp.GetGroupResult.Group.GroupName = &g.Name
for _, member := range g.Members {
memberName := member
resp.GetGroupResult.Users = append(resp.GetGroupResult.Users, &iam.User{UserName: &memberName})
}
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) ListGroups(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) *iamListGroupsResponse {
resp := &iamListGroupsResponse{}
for _, g := range s3cfg.Groups {
name := g.Name
resp.ListGroupsResult.Groups = append(resp.ListGroupsResult.Groups, &iam.Group{GroupName: &name})
}
return resp
}
func (e *EmbeddedIamApi) AddUserToGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamAddUserToGroupResponse, *iamError) {
resp := &iamAddUserToGroupResponse{}
groupName := values.Get("GroupName")
userName := values.Get("UserName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
if userName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
}
// Verify user exists
userFound := false
for _, ident := range s3cfg.Identities {
if ident.Name == userName {
userFound = true
break
}
}
if !userFound {
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("user %s does not exist", userName)}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
// Check if already a member (idempotent)
for _, m := range g.Members {
if m == userName {
return resp, nil
}
}
g.Members = append(g.Members, userName)
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) RemoveUserFromGroup(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamRemoveUserFromGroupResponse, *iamError) {
resp := &iamRemoveUserFromGroupResponse{}
groupName := values.Get("GroupName")
userName := values.Get("UserName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
if userName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for i, m := range g.Members {
if m == userName {
g.Members = append(g.Members[:i], g.Members[i+1:]...)
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("user %s is not a member of group %s", userName, groupName)}
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) AttachGroupPolicy(ctx context.Context, s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamAttachGroupPolicyResponse, *iamError) {
resp := &iamAttachGroupPolicyResponse{}
groupName := values.Get("GroupName")
policyArn := values.Get("PolicyArn")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
policyName, err := iamPolicyNameFromArn(policyArn)
if err != nil {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
}
// Verify policy exists via credential manager
if e.credentialManager == nil {
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not available to validate policy %s", policyName)}
}
policy, pErr := e.credentialManager.GetPolicy(ctx, policyName)
if pErr != nil {
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to look up policy %s: %w", policyName, pErr)}
}
if policy == nil {
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
// Check if already attached (idempotent)
for _, p := range g.PolicyNames {
if p == policyName {
return resp, nil
}
}
g.PolicyNames = append(g.PolicyNames, policyName)
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) DetachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamDetachGroupPolicyResponse, *iamError) {
resp := &iamDetachGroupPolicyResponse{}
groupName := values.Get("GroupName")
policyArn := values.Get("PolicyArn")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
policyName, err := iamPolicyNameFromArn(policyArn)
if err != nil {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for i, p := range g.PolicyNames {
if p == policyName {
g.PolicyNames = append(g.PolicyNames[:i], g.PolicyNames[i+1:]...)
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s is not attached to group %s", policyName, groupName)}
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) ListAttachedGroupPolicies(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamListAttachedGroupPoliciesResponse, *iamError) {
resp := &iamListAttachedGroupPoliciesResponse{}
groupName := values.Get("GroupName")
if groupName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("GroupName is required")}
}
for _, g := range s3cfg.Groups {
if g.Name == groupName {
for _, policyName := range g.PolicyNames {
pn := policyName
policyArn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
resp.ListAttachedGroupPoliciesResult.AttachedPolicies = append(resp.ListAttachedGroupPoliciesResult.AttachedPolicies, &iam.AttachedPolicy{
PolicyName: &pn,
PolicyArn: &policyArn,
})
}
return resp, nil
}
}
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
}
func (e *EmbeddedIamApi) ListGroupsForUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamListGroupsForUserResponse, *iamError) {
resp := &iamListGroupsForUserResponse{}
userName := values.Get("UserName")
if userName == "" {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
}
// Verify user exists
userFound := false
for _, ident := range s3cfg.Identities {
if ident.Name == userName {
userFound = true
break
}
}
if !userFound {
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("user %s does not exist", userName)}
}
// Build from s3cfg.Groups for consistency with freshly loaded config
for _, g := range s3cfg.Groups {
for _, m := range g.Members {
if m == userName {
name := g.Name
resp.ListGroupsForUserResult.Groups = append(resp.ListGroupsForUserResult.Groups, &iam.Group{GroupName: &name})
break
}
}
}
return resp, nil
}
// handleImplicitUsername adds username who signs the request to values if 'username' is not specified.
// According to AWS documentation: "If you do not specify a user name, IAM determines the user name
// implicitly based on the Amazon Web Services access key ID signing the request."
@ -1558,7 +1904,8 @@ func (e *EmbeddedIamApi) ExecuteAction(ctx context.Context, values url.Values, s
action := values.Get("Action")
if e.readOnly {
switch action {
case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListAttachedUserPolicies", "ListPolicies", "GetPolicy", "ListPolicyVersions", "GetPolicyVersion", "ListServiceAccounts", "GetServiceAccount":
case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListAttachedUserPolicies", "ListPolicies", "GetPolicy", "ListPolicyVersions", "GetPolicyVersion", "ListServiceAccounts", "GetServiceAccount",
"GetGroup", "ListGroups", "ListAttachedGroupPolicies", "ListGroupsForUser":
// Allowed read-only actions
default:
return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrAccessDenied).Code, Error: fmt.Errorf("IAM write operations are disabled on this server")}
@ -1745,6 +2092,73 @@ func (e *EmbeddedIamApi) ExecuteAction(ctx context.Context, values url.Values, s
if iamErr != nil {
return nil, iamErr
}
// Group actions
case "CreateGroup":
var iamErr *iamError
response, iamErr = e.CreateGroup(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "DeleteGroup":
var iamErr *iamError
response, iamErr = e.DeleteGroup(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "UpdateGroup":
var iamErr *iamError
response, iamErr = e.UpdateGroup(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "GetGroup":
var iamErr *iamError
response, iamErr = e.GetGroup(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
changed = false
case "ListGroups":
response = e.ListGroups(s3cfg, values)
changed = false
case "AddUserToGroup":
var iamErr *iamError
response, iamErr = e.AddUserToGroup(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "RemoveUserFromGroup":
var iamErr *iamError
response, iamErr = e.RemoveUserFromGroup(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "AttachGroupPolicy":
var iamErr *iamError
response, iamErr = e.AttachGroupPolicy(ctx, s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "DetachGroupPolicy":
var iamErr *iamError
response, iamErr = e.DetachGroupPolicy(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
case "ListAttachedGroupPolicies":
var iamErr *iamError
response, iamErr = e.ListAttachedGroupPolicies(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
changed = false
case "ListGroupsForUser":
var iamErr *iamError
response, iamErr = e.ListGroupsForUser(s3cfg, values)
if iamErr != nil {
return nil, iamErr
}
changed = false
default:
return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrNotImplemented).Code, Error: errors.New(s3err.GetAPIError(s3err.ErrNotImplemented).Description)}
}

1
weed/s3api/s3api_server.go
View File

@ -276,6 +276,7 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
filer.IamConfigDirectory + "/identities",
filer.IamConfigDirectory + "/policies",
filer.IamConfigDirectory + "/service_accounts",
filer.IamConfigDirectory + "/groups",
})
// Start bucket size metrics collection in background

27
weed/s3api/s3api_server_grpc.go
View File

@ -92,6 +92,33 @@ func (s3a *S3ApiServer) GetPolicy(ctx context.Context, req *iam_pb.GetPolicyRequ
}, nil
}
func (s3a *S3ApiServer) PutGroup(ctx context.Context, req *iam_pb.PutGroupRequest) (*iam_pb.PutGroupResponse, error) {
if req.Group == nil {
return nil, status.Errorf(codes.InvalidArgument, "group is required")
}
glog.V(1).Infof("IAM: received group update for %s", req.Group.Name)
if s3a.iam == nil {
return nil, status.Errorf(codes.Internal, "IAM not initialized")
}
if err := s3a.iam.PutGroup(req.Group); err != nil {
glog.Errorf("failed to update group cache for %s: %v", req.Group.Name, err)
return nil, status.Errorf(codes.Internal, "failed to update group cache: %v", err)
}
return &iam_pb.PutGroupResponse{}, nil
}
func (s3a *S3ApiServer) RemoveGroup(ctx context.Context, req *iam_pb.RemoveGroupRequest) (*iam_pb.RemoveGroupResponse, error) {
if req.GroupName == "" {
return nil, status.Errorf(codes.InvalidArgument, "group name is required")
}
glog.V(1).Infof("IAM: received group removal for %s", req.GroupName)
if s3a.iam == nil {
return nil, status.Errorf(codes.Internal, "IAM not initialized")
}
s3a.iam.RemoveGroup(req.GroupName)
return &iam_pb.RemoveGroupResponse{}, nil
}
func (s3a *S3ApiServer) ListPolicies(ctx context.Context, req *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error) {
resp := &iam_pb.ListPoliciesResponse{}
if s3a.iam == nil {

Write Preview
Loading…
Cancel
Save