diff options
| author | chrislu <chris.lu@gmail.com> | 2025-12-14 16:31:06 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-14 17:43:57 -0800 |
| commit | e03b2ee8bbeb6e23bf46bcc26cb72ada615a24c2 (patch) | |
| tree | 2688ad5cb600bbeef7f760184cfa5044711930a6 /weed/s3api/s3api_bucket_handlers_test.go | |
| parent | 8bdc4390a04604af79f91c7dce94e3b2b58442f7 (diff) | |
| download | seaweedfs-e03b2ee8bbeb6e23bf46bcc26cb72ada615a24c2.tar.xz seaweedfs-e03b2ee8bbeb6e23bf46bcc26cb72ada615a24c2.zip | |
feat(iam): add SetUserStatus and UpdateAccessKey actions (#7745)origin/feature/iam-user-status-management-7745
Add ability to enable/disable users and access keys without deleting them.
## Changes
### Protocol Buffer Updates
- Add `disabled` field (bool) to Identity message for user status
- false (default) = enabled, true = disabled
- No backward compatibility hack needed since zero value is correct
- Add `status` field (string: Active/Inactive) to Credential message
### New IAM Actions
- SetUserStatus: Enable or disable a user (requires admin)
- UpdateAccessKey: Change access key status (self-service or admin)
### Behavior
- Disabled users: All API requests return AccessDenied
- Inactive access keys: Signature validation fails
- Status check happens early in auth flow for performance
- Backward compatible: existing configs default to enabled (disabled=false)
### Use Cases
1. Temporary suspension: Disable user access during investigation
2. Key rotation: Deactivate old key before deletion
3. Offboarding: Disable rather than delete for audit purposes
4. Emergency response: Quickly disable compromised credentials
Fixes #7745
Diffstat (limited to 'weed/s3api/s3api_bucket_handlers_test.go')
| -rw-r--r-- | weed/s3api/s3api_bucket_handlers_test.go | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/weed/s3api/s3api_bucket_handlers_test.go b/weed/s3api/s3api_bucket_handlers_test.go index 40357a2b7..c2870b15e 100644 --- a/weed/s3api/s3api_bucket_handlers_test.go +++ b/weed/s3api/s3api_bucket_handlers_test.go @@ -670,7 +670,7 @@ func TestListBucketsIssue7647(t *testing.T) { t.Run("admin user can see their created buckets", func(t *testing.T) { // Simulate the exact scenario from issue #7647: // User "root" with ["Admin", "Read", "Write", "Tagging", "List"] permissions - + // Create identity for root user with Admin action rootIdentity := &Identity{ Name: "root", @@ -730,7 +730,7 @@ func TestListBucketsIssue7647(t *testing.T) { t.Run("admin user sees buckets without owner metadata", func(t *testing.T) { // Admin users should see buckets even if they don't have owner metadata // (this can happen with legacy buckets or manual creation) - + rootIdentity := &Identity{ Name: "root", Actions: []Action{ @@ -754,7 +754,7 @@ func TestListBucketsIssue7647(t *testing.T) { t.Run("non-admin user cannot see buckets without owner", func(t *testing.T) { // Non-admin users should not see buckets without owner metadata - + regularUser := &Identity{ Name: "user1", Actions: []Action{ |