Get LDAP identity for console access/secret keys (#398)

- If MinIO is configured with LDAP then users and groups are external, and the credentials provided in the CONSOLE_ACCESS_KEY and CONSOLE_SECRET_KEY env vars will belong to an existing user in the active directory, therefore we need to authenticate first with `credentials.NewLDAPIdentity` - Fixed race condition bug in which TLS RootCAs certs were not loading correctly (certPool was always null) - Fixed TLS bug in which if Console was deployed without TLS enabled RootCAs certs were not loading - Initialize LDAP Admin credentials once - Initialize stsClient once
minio · Nov 20, 2020 · 7a23582 · 7a23582
1 parent 8a6a75b
commit 7a23582
Show file tree

Hide file tree

Showing 12 changed files with 136 additions and 233 deletions.
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -11,40 +11,7 @@ $ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container --detach os
 Run the `billy.ldif` file using `ldapadd` command to create a new user and assign it to a group.
 
 ```
-$ cat > billy.ldif << EOF
-# LDIF fragment to create group branch under root
-dn: uid=billy,dc=example,dc=org
-uid: billy
-cn: billy
-sn: 3
-objectClass: top
-objectClass: posixAccount
-objectClass: inetOrgPerson
-loginShell: /bin/bash
-homeDirectory: /home/billy
-uidNumber: 14583102
-gidNumber: 14564100
-userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
-mail: billy@example.org
-gecos: Billy User
-# Create base group
-dn: ou=groups,dc=example,dc=org
-objectclass:organizationalunit
-ou: groups
-description: generic groups branch
-# create consoleAdmin group (this already exists on minio and have a policy of s3::*)
-dn: cn=consoleAdmin,ou=groups,dc=example,dc=org
-objectClass: top
-objectClass: posixGroup
-gidNumber: 678
-# Assing group to new user
-dn: cn=consoleAdmin,ou=groups,dc=example,dc=org
-changetype: modify
-add: memberuid
-memberuid: billy
-EOF
-
-$ docker cp billy.ldif my-openldap-container:/container/service/slapd/assets/test/billy.ldif
+$ docker cp console/docs/ldap/billy.ldif my-openldap-container:/container/service/slapd/assets/test/billy.ldif
 $ docker exec my-openldap-container ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
 ```
 

diff --git a/cmd/console/server.go b/cmd/console/server.go
@@ -28,8 +28,6 @@ import (
 	"github.com/minio/console/pkg/certs"
 	"github.com/minio/console/restapi"
 	"github.com/minio/console/restapi/operations"
-	"github.com/minio/minio/cmd/logger"
-	certsx "github.com/minio/minio/pkg/certs"
 )
 
 // starts the server
@@ -107,22 +105,18 @@ func startServer(ctx *cli.Context) error {
 	restapi.Hostname = ctx.String("host")
 	restapi.Port = fmt.Sprintf("%v", ctx.Int("port"))
 
-	// Set all certs and CAs directories.
+	// Set all certs and CAs directories path
 	certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
 	certs.GlobalCertsCADir = &certs.ConfigDir{Path: filepath.Join(certs.GlobalCertsDir.Get(), certs.CertsCADir)}
 
+	// check if certs and CAs directories exists or can be created
 	if err := certs.MkdirAllIgnorePerm(certs.GlobalCertsCADir.Get()); err != nil {
 		log.Println(fmt.Sprintf("Unable to create certs CA directory at %s", certs.GlobalCertsCADir.Get()))
 	}
+	// load the certificates and the CAs
+	restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()
 
-	// load all CAs from ~/.console/certs/CAs
-	restapi.GlobalRootCAs, err = certsx.GetRootCAs(certs.GlobalCertsCADir.Get())
-	logger.FatalIf(err, "Failed to read root CAs (%v)", err)
-	// load all certs from ~/.console/certs
-	restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager, err = certs.GetTLSConfig()
-	logger.FatalIf(err, "Unable to load the TLS configuration")
-
-	if len(restapi.GlobalPublicCerts) > 0 && restapi.GlobalRootCAs != nil {
+	if len(restapi.GlobalPublicCerts) > 0 {
 		// If TLS certificates are provided enforce the HTTPS schema, meaning console will redirect
 		// plain HTTP connections to HTTPS server
 		server.EnabledListeners = []string{"http", "https"}

diff --git a/docs/ldap/billy.ldif b/docs/ldap/billy.ldif
@@ -0,0 +1,35 @@
+# LDIF fragment to create group branch under root
+dn: uid=billy,dc=example,dc=org
+uid: billy
+cn: billy
+sn: 3
+objectClass: top
+objectClass: posixAccount
+objectClass: inetOrgPerson
+loginShell: /bin/bash
+homeDirectory: /home/billy
+uidNumber: 14583102
+gidNumber: 14564100
+userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
+mail: billy@example.org
+gecos: Billy User
+
+# Create base group
+dn: ou=groups,dc=example,dc=org
+objectclass:organizationalunit
+ou: groups
+description: generic groups branch
+
+# create consoleAdmin group (this already exists on minio and have a policy of s3::*)
+dn: cn=consoleAdmin,ou=groups,dc=example,dc=org
+objectClass: top
+objectClass: posixGroup
+gidNumber: 678
+
+# Assing group to new user
+dn: cn=consoleAdmin,ou=groups,dc=example,dc=org
+changetype: modify
+add: memberuid
+memberuid: billy
+
+
diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/minio/kes v0.11.0
 	github.com/minio/mc v0.0.0-20201119214335-d4f9ea859d6c
 	github.com/minio/minio v0.0.0-20201102034248-d8e07f2c41c8
-	github.com/minio/minio-go/v7 v7.0.6-0.20200929220449-755b5633803a
+	github.com/minio/minio-go/v7 v7.0.6-0.20201119032702-6914cb678dde
 	github.com/minio/operator v0.0.0-20201022162018-527e5c32132b
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect