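--- a/cmd/minio-cosi-driver/internal/minio/bucket.go
+++ b/cmd/minio-cosi-driver/internal/minio/bucket.go
@@ -15,6 +15,11 @@ package minio
 
 import (
 "context"
+"github.com/minio/minio/pkg/auth"
+"github.com/minio/minio/pkg/bucket/policy"
+"github.com/minio/minio/pkg/bucket/policy/condition"
+iampolicy "github.com/minio/minio/pkg/iam/policy"
+"k8s.io/klog/v2"
 
 "github.com/minio/minio-go/v7"
 "github.com/pkg/errors"
@@ -25,7 +30,7 @@ var ErrBucketAlreadyExists = errors.New("Bucket Already Exists")
 type MakeBucketOptions minio.MakeBucketOptions
 
 func (x *C) CreateBucket(ctx context.Context, bucketName string, options MakeBucketOptions) (string, error) {
-if err := x.client.MakeBucket(ctx, bucketName, minio.MakeBucketOptions(options)); err != nil {
+if err := x.minioClients.client.MakeBucket(ctx, bucketName, minio.MakeBucketOptions(options)); err != nil {
 errCode := minio.ToErrorResponse(err).Code
 if errCode == "BucketAlreadyExists" || errCode == "BucketAlreadyOwnedByYou" {
 return bucketName, ErrBucketAlreadyExists
@@ -34,3 +39,39 @@ func (x *C) CreateBucket(ctx context.Context, bucketName string, options MakeBuc
 }
 return bucketName, nil
 }
+
+func (x *C) AddUser(ctx context.Context, bucket string) (*auth.Credentials, error){
+creds, err := auth.GetNewCredentials()
+if err != nil {
+klog.Error("failed to generate new credentails")
+return nil, err
+}
+
+if err := x.minioClients.adminClient.AddUser(ctx, creds.AccessKey, creds.SecretKey); err != nil {
+klog.Error("failed to create user", err)
+return nil, err
+}
+
+// Create policy
+p := iampolicy.Policy{
+Version: iampolicy.DefaultVersion,
+Statements: []iampolicy.Statement{
+iampolicy.NewStatement(
+policy.Allow,
+iampolicy.NewActionSet("s3:*"),
+iampolicy.NewResourceSet(iampolicy.NewResource(bucket+"/*", "")),
+condition.NewFunctions(),
+)},
+}
+
+if err := x.minioClients.adminClient.AddCannedPolicy(context.Background(), "s3:*", &p); err != nil {
+klog.Error("failed to add canned policy", err)
+return nil, err
+}
+
+if err := x.minioClients.adminClient.SetPolicy(context.Background(), "s3:*", creds.AccessKey, false); err != nil {
+klog.Error("failed to set policy", err)
+return nil, err
+}
+return &creds,nil
+}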
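Review bot: The canned policy in `AddUser` is always written under the fixed name `"s3:*"`, so each call overwrites the same policy with a resource set for the newest bucket; any user attached earlier through `SetPolicy` would presumably gain access to that bucket and lose access to its own. Derive the name from the bucket, e.g. `policyName := "cosi-" + bucket`, and pass it to both `AddCannedPolicy` and `SetPolicy`. Both calls also use `context.Background()` instead of the `ctx` parameter, so cancellation is ignored, and a failure after `adminClient.AddUser` leaves the new user behind with no policy and no cleanup. The statement allows every `s3:*` action on `bucket+"/*"`, which is broader than a bucket grant usually needs while not covering the bucket resource itself.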
33 changes: 26 additions & 7 deletions cmd/minio-cosi-driver/internal/minio/client.go
Expand Up @@ -22,16 +22,22 @@ import (

min "github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/minio/minio/pkg/madmin"

"k8s.io/klog/v2"
)

type MinioClients struct {
client *min.Client
adminClient *madmin.AdminClient
}

type C struct {
accessKey string
secretKey string
host *url.URL

client *min.Client
minioClients MinioClients
}

func NewClient(ctx context.Context, minioHost, accessKey, secretKey string) (*C, error) {
Expand All @@ -52,23 +58,26 @@ func NewClient(ctx context.Context, minioHost, accessKey, secretKey string) (*C,
return nil, errors.New("invalid url scheme for minio endpoint")
}

clChan := make(chan *min.Client)
clChan := make(chan MinioClients)
errChan := make(chan error)
go func() {
klog.V(3).InfoS("Connecting to MinIO", "endpoint", host.Host)

cl, err := min.New(host.Host, &min.Options{
client, err := min.New(host.Host, &min.Options{
Creds: credentials.NewStaticV4(accessKey, secretKey, ""),
Secure: secure,
})
if err != nil {
errChan <- err
@wlan0 wlan0 Apr 16, 2021

errChan <- errors.Wrap(err, "Creating an MinIO client failed")
return

}
_, err = cl.BucketExists(ctx, uuid.New().String())
@wlan0 wlan0 Apr 16, 2021

		adminClient, err := madmin.New(host.Host, accessKey, secretKey, secure)
		if err != nil {
			errChan <- errors.Wrap(err, "Creating an admin client failed")
			return
		}

_, err = client.BucketExists(ctx, uuid.New().String())
@wlan0 wlan0 Apr 16, 2021

check both regular client and admin client here

for the admin client, call ServerInfo and check that err is nil

if err != nil {
if errResp, ok := err.(min.ErrorResponse); ok {
if errResp.Code == "NoSuchBucket" {
clChan <- cl
clChan <- MinioClients{
client: client,
adminClient: nil,
}
return
}
if errResp.StatusCode == 403 {
Expand All @@ -80,8 +89,18 @@ func NewClient(ctx context.Context, minioHost, accessKey, secretKey string) (*C,
return
}

clChan <- cl
klog.InfoS("Successfully connected to MinIO")

adminClient, err := madmin.New(host.Host, accessKey, secretKey, secure)
if err != nil {
errChan <- errors.Wrap(err, "Connection to MinIO as admin Failed")
return
}
klog.InfoS("Successfully connected to MinIO")
clChan <- MinioClients{
client: client,
adminClient: adminClient,
}
}()

select {
Expand All @@ -93,7 +112,7 @@ func NewClient(ctx context.Context, minioHost, accessKey, secretKey string) (*C,
secretKey: secretKey,
host: host,

client: cl,
minioClients: cl,
}, nil
case err := <-errChan:
return nil, err
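Review bot: In the `NoSuchBucket` branch of the connection probe the goroutine sends `MinioClients{client: client, adminClient: nil}`, and `NewClient` stores that value unchecked, so a later `x.minioClients.adminClient.AddUser(...)` would be called on a nil admin client. That branch should carry a real admin client as well, `clChan <- MinioClients{client: client, adminClient: adminClient}`, or `NewClient` should return an error when `adminClient` is nil. The new success path also logs "Successfully connected to MinIO" twice, once before and once after `madmin.New`. `NewClient` begins and ends outside the visible hunks.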
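--- a/cmd/minio-cosi-driver/internal/provisioner.go
+++ b/cmd/minio-cosi-driver/internal/provisioner.go
@@ -15,7 +15,7 @@ package internal
 
 import (
 "context"
-
+"fmt"
 "k8s.io/klog/v2"
 "sigs.k8s.io/container-object-storage-interface-provisioner-sidecar/cmd/minio-cosi-driver/internal/minio"
 cosi "sigs.k8s.io/container-object-storage-interface-spec"
@@ -111,7 +111,16 @@ func (s *ProvisionerServer) ProvisionerDeleteBucket(ctx context.Context,
 func (s *ProvisionerServer) ProvisionerGrantBucketAccess(ctx context.Context,
 req *cosi.ProvisionerGrantBucketAccessRequest) (*cosi.ProvisionerGrantBucketAccessResponse, error) {
 
-return &cosi.ProvisionerGrantBucketAccessResponse{}, nil
+//TODO bucketID? how do we get the name
+creds, err := s.mc.AddUser(ctx, req.GetBucketId())
+if (err!=nil){
+return nil, err
+}
+
+return &cosi.ProvisionerGrantBucketAccessResponse{
+CredentialsFileContents: fmt.Sprintf("[default]\naws_access_key %s\naws_secret_key %s", creds.AccessKey, creds.SecretKey),
+CredentialsFilePath: ".aws/credentials",
+}, nil
 }
 
 func (s *ProvisionerServer) ProvisionerRevokeBucketAccess(ctx context.Context,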
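Review bot: The credentials file built in `ProvisionerGrantBucketAccess` uses the keys `aws_access_key` and `aws_secret_key` with no `=`, which is not the AWS shared-credentials format, so a standard SDK reading `.aws/credentials` would presumably not find the keys. Use `fmt.Sprintf("[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n", creds.AccessKey, creds.SecretKey)`. Each call also creates a fresh MinIO user, so a retried request mints a second long-lived credential, and the `//TODO` leaves open whether `req.GetBucketId()` is the bucket name that `AddUser` places in the policy resource. The `if (err!=nil){` line is not gofmt-formatted.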
14 changes: 2 additions & 12 deletions go.mod
Expand Up @@ -3,25 +3,15 @@ module sigs.k8s.io/container-object-storage-interface-provisioner-sidecar
go 1.15

require (
github.com/google/go-cmp v0.5.2 // indirect
github.com/google/uuid v1.2.0
github.com/kr/text v0.2.0 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/minio/minio-go/v7 v7.0.10
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
github.com/minio/minio v0.0.0-20210415233244-ca9b48b3b423
github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78
github.com/pkg/errors v0.9.1
github.com/smartystreets/assertions v1.1.1 // indirect
github.com/spf13/cobra v1.1.3
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.7.0
github.com/stretchr/testify v1.6.1 // indirect
golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 // indirect
golang.org/x/net v0.0.0-20201216054612-986b41b23924 // indirect
golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/grpc v1.35.0
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
k8s.io/api v0.19.4
k8s.io/apimachinery v0.19.4
k8s.io/client-go v0.19.4
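Review bot: The new `github.com/minio/minio` requirement pulls the whole MinIO server module into the driver, as far as this diff shows only for the `auth`, policy and `madmin` packages, and `minio-go` is now required at the untagged pseudo-version `v7.0.11-0.20210302210017-6ae69c73ce78`. The commit message should say why an untagged minio-go commit is needed, and the resulting go.sum change (not visible here) deserves review alongside this hunk, since the driver's transitive dependency set grows considerably.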