
chore(iam): cleanup debug prints and fix test config port

pull/8003/head
Chris Lu 1 day ago
parent
commit
b963b31a19
  1. 114
      test/s3/iam/iam_config.json
  2. 2
      test/s3/iam/iam_config.local.json
  3. 6
      weed/iam/integration/iam_manager.go

114
test/s3/iam/iam_config.json

@ -1,7 +1,7 @@
{
"sts": {
"tokenDuration": "1h",
"maxSessionLength": "12h",
"maxSessionLength": "12h",
"issuer": "seaweedfs-sts",
"signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
},
@ -24,7 +24,11 @@
"clientSecret": "seaweedfs-s3-secret",
"jwksUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/certs",
"userInfoUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/userinfo",
"scopes": ["openid", "profile", "email"],
"scopes": [
"openid",
"profile",
"email"
],
"claimsMapping": {
"username": "preferred_username",
"email": "email",
@ -38,13 +42,13 @@
"role": "arn:aws:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"claim": "roles",
"value": "s3-read-only",
"role": "arn:aws:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
"value": "s3-write-only",
"role": "arn:aws:iam::role/KeycloakWriteOnlyRole"
},
{
@ -73,15 +77,19 @@
"Principal": {
"Federated": "test-oidc"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3AdminPolicy"],
"attachedPolicies": [
"S3AdminPolicy"
],
"description": "Admin role for testing"
},
{
"roleName": "TestReadOnlyRole",
"roleName": "TestReadOnlyRole",
"roleArn": "arn:aws:iam::role/TestReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
@ -91,15 +99,19 @@
"Principal": {
"Federated": "test-oidc"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3ReadOnlyPolicy"],
"attachedPolicies": [
"S3ReadOnlyPolicy"
],
"description": "Read-only role for testing"
},
{
"roleName": "TestWriteOnlyRole",
"roleName": "TestWriteOnlyRole",
"roleArn": "arn:aws:iam::role/TestWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
@ -109,11 +121,15 @@
"Principal": {
"Federated": "test-oidc"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3WriteOnlyPolicy"],
"attachedPolicies": [
"S3WriteOnlyPolicy"
],
"description": "Write-only role for testing"
},
{
@ -127,11 +143,15 @@
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3AdminPolicy"],
"attachedPolicies": [
"S3AdminPolicy"
],
"description": "Admin role for Keycloak users"
},
{
@ -145,11 +165,15 @@
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3ReadOnlyPolicy"],
"attachedPolicies": [
"S3ReadOnlyPolicy"
],
"description": "Read-only role for Keycloak users"
},
{
@ -163,11 +187,15 @@
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3WriteOnlyPolicy"],
"attachedPolicies": [
"S3WriteOnlyPolicy"
],
"description": "Write-only role for Keycloak users"
},
{
@ -181,11 +209,15 @@
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": ["S3ReadWritePolicy"],
"attachedPolicies": [
"S3ReadWritePolicy"
],
"description": "Read-write role for Keycloak users"
}
],
@ -197,13 +229,21 @@
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["*"]
"Action": [
"s3:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
@ -211,7 +251,7 @@
{
"name": "S3ReadOnlyPolicy",
"document": {
"Version": "2012-10-17",
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
@ -226,8 +266,12 @@
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
@ -260,8 +304,12 @@
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
@ -283,8 +331,12 @@
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}

2
test/s3/iam/iam_config.local.json

@ -342,4 +342,4 @@
}
}
]
}
}

6
weed/iam/integration/iam_manager.go

@ -395,26 +395,20 @@ func (m *IAMManager) validateTrustPolicyForWebIdentity(ctx context.Context, role
requestContext["aws:FederatedProvider"] = iss
requestContext["oidc:iss"] = iss
fmt.Printf("DEBUG: validateTrustPolicyForWebIdentity - Issuer: %s\n", iss)
// Try to resolve provider name from issuer for better policy matching
// This allows policies to reference the provider name (e.g. "keycloak") instead of the full issuer URL
if m.stsService != nil {
for name, provider := range m.stsService.GetProviders() {
if oidcProvider, ok := provider.(interface{ GetIssuer() string }); ok {
confIssuer := oidcProvider.GetIssuer()
fmt.Printf("DEBUG: Checking provider %s: config_issuer='%s' vs token_issuer='%s'\n", name, confIssuer, iss)
if confIssuer == iss {
requestContext["aws:FederatedProvider"] = name
fmt.Printf("DEBUG: MATCH FOUND! aws:FederatedProvider set to: %s\n", name)
break
}
}
}
}
fmt.Printf("DEBUG: Final aws:FederatedProvider: %v\n", requestContext["aws:FederatedProvider"])
}
if sub, ok := tokenClaims["sub"].(string); ok {
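Review bot: The provider-name resolution that survives this hunk takes the first provider whose `GetIssuer()` equals the token issuer and then `break`s, but if `GetProviders()` returns a map (as the `for name, provider := range` form suggests) iteration order is random, so two providers configured with the same issuer would make the resolved `aws:FederatedProvider` value — and therefore which trust policy `"Federated"` principal matches — nondeterministic between requests. Removing the debug prints leaves no trace of which provider won, which makes that harder to spot. At minimum document the assumption above the loop, e.g. `// Assumes issuers are unique across providers: map iteration is unordered, so a duplicate issuer would make the resolved provider name nondeterministic.`, and consider rejecting duplicate issuers when providers are registered rather than at match time. Note that when no provider matches, `aws:FederatedProvider` keeps the raw issuer URL assigned at the top of the hunk, which a trust policy naming a short provider name will not match; a short comment stating that fallback is intentional would help. validateTrustPolicyForWebIdentity starts and ends outside this hunk.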
