authorchrislu <chris.lu@gmail.com>2025-12-14 16:31:06 -0800
committerchrislu <chris.lu@gmail.com>2025-12-14 17:43:57 -0800
commite03b2ee8bbeb6e23bf46bcc26cb72ada615a24c2 (patch)
tree2688ad5cb600bbeef7f760184cfa5044711930a6 /weed/pb/iam_pb/iam.pb.go
parent8bdc4390a04604af79f91c7dce94e3b2b58442f7 (diff)
feat(iam): add SetUserStatus and UpdateAccessKey actions (#7745)origin/feature/iam-user-status-management-7745
Add ability to enable/disable users and access keys without deleting them. ## Changes ### Protocol Buffer Updates - Add `disabled` field (bool) to Identity message for user status - false (default) = enabled, true = disabled - No backward compatibility hack needed since zero value is correct - Add `status` field (string: Active/Inactive) to Credential message ### New IAM Actions - SetUserStatus: Enable or disable a user (requires admin) - UpdateAccessKey: Change access key status (self-service or admin) ### Behavior - Disabled users: All API requests return AccessDenied - Inactive access keys: Signature validation fails - Status check happens early in auth flow for performance - Backward compatible: existing configs default to enabled (disabled=false) ### Use Cases 1. Temporary suspension: Disable user access during investigation 2. Key rotation: Deactivate old key before deletion 3. Offboarding: Disable rather than delete for audit purposes 4. Emergency response: Quickly disable compromised credentials Fixes #7745
Diffstat (limited to 'weed/pb/iam_pb/iam.pb.go')
-rw-r--r--weed/pb/iam_pb/iam.pb.go24
1 files changed, 21 insertions, 3 deletions
diff --git a/weed/pb/iam_pb/iam.pb.go b/weed/pb/iam_pb/iam.pb.go
index 4eabf8dc3..8eeaf8488 100644
--- a/weed/pb/iam_pb/iam.pb.go
+++ b/weed/pb/iam_pb/iam.pb.go
@@ -79,6 +79,7 @@ type Identity struct {
Credentials []*Credential `protobuf:"bytes,2,rep,name=credentials,proto3" json:"credentials,omitempty"`
Actions []string `protobuf:"bytes,3,rep,name=actions,proto3" json:"actions,omitempty"`
Account *Account `protobuf:"bytes,4,opt,name=account,proto3" json:"account,omitempty"`
+ Disabled bool `protobuf:"varint,5,opt,name=disabled,proto3" json:"disabled,omitempty"` // User status: false = enabled (default), true = disabled
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -141,10 +142,18 @@ func (x *Identity) GetAccount() *Account {
return nil
}
+func (x *Identity) GetDisabled() bool {
+ if x != nil {
+ return x.Disabled
+ }
+ return false
+}
+
type Credential struct {
state protoimpl.MessageState `protogen:"open.v1"`
AccessKey string `protobuf:"bytes,1,opt,name=access_key,json=accessKey,proto3" json:"access_key,omitempty"`
SecretKey string `protobuf:"bytes,2,opt,name=secret_key,json=secretKey,proto3" json:"secret_key,omitempty"`
+ Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"` // Access key status: "Active" or "Inactive"
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -193,6 +202,13 @@ func (x *Credential) GetSecretKey() string {
return ""
}
+func (x *Credential) GetStatus() string {
+ if x != nil {
+ return x.Status
+ }
+ return ""
+}
+
type Account struct {
state protoimpl.MessageState `protogen:"open.v1"`
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
@@ -262,18 +278,20 @@ const file_iam_proto_rawDesc = "" +
"\n" +
"identities\x18\x01 \x03(\v2\x10.iam_pb.IdentityR\n" +
"identities\x12+\n" +
- "\baccounts\x18\x02 \x03(\v2\x0f.iam_pb.AccountR\baccounts\"\x99\x01\n" +
+ "\baccounts\x18\x02 \x03(\v2\x0f.iam_pb.AccountR\baccounts\"\xb5\x01\n" +
"\bIdentity\x12\x12\n" +
"\x04name\x18\x01 \x01(\tR\x04name\x124\n" +
"\vcredentials\x18\x02 \x03(\v2\x12.iam_pb.CredentialR\vcredentials\x12\x18\n" +
"\aactions\x18\x03 \x03(\tR\aactions\x12)\n" +
- "\aaccount\x18\x04 \x01(\v2\x0f.iam_pb.AccountR\aaccount\"J\n" +
+ "\aaccount\x18\x04 \x01(\v2\x0f.iam_pb.AccountR\aaccount\x12\x1a\n" +
+ "\bdisabled\x18\x05 \x01(\bR\bdisabled\"b\n" +
"\n" +
"Credential\x12\x1d\n" +
"\n" +
"access_key\x18\x01 \x01(\tR\taccessKey\x12\x1d\n" +
"\n" +
- "secret_key\x18\x02 \x01(\tR\tsecretKey\"a\n" +
+ "secret_key\x18\x02 \x01(\tR\tsecretKey\x12\x16\n" +
+ "\x06status\x18\x03 \x01(\tR\x06status\"a\n" +
"\aAccount\x12\x0e\n" +
"\x02id\x18\x01 \x01(\tR\x02id\x12!\n" +
"\fdisplay_name\x18\x02 \x01(\tR\vdisplayName\x12#\n" +