From e03b2ee8bbeb6e23bf46bcc26cb72ada615a24c2 Mon Sep 17 00:00:00 2001 From: chrislu Date: Sun, 14 Dec 2025 16:31:06 -0800 Subject: feat(iam): add SetUserStatus and UpdateAccessKey actions (#7745) Add ability to enable/disable users and access keys without deleting them. ## Changes ### Protocol Buffer Updates - Add `disabled` field (bool) to Identity message for user status - false (default) = enabled, true = disabled - No backward compatibility hack needed since zero value is correct - Add `status` field (string: Active/Inactive) to Credential message ### New IAM Actions - SetUserStatus: Enable or disable a user (requires admin) - UpdateAccessKey: Change access key status (self-service or admin) ### Behavior - Disabled users: All API requests return AccessDenied - Inactive access keys: Signature validation fails - Status check happens early in auth flow for performance - Backward compatible: existing configs default to enabled (disabled=false) ### Use Cases 1. Temporary suspension: Disable user access during investigation 2. Key rotation: Deactivate old key before deletion 3. Offboarding: Disable rather than delete for audit purposes 4. Emergency response: Quickly disable compromised credentials Fixes #7745 --- weed/iam/constants.go | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'weed/iam/constants.go') diff --git a/weed/iam/constants.go b/weed/iam/constants.go index 206132201..7dea524e8 100644 --- a/weed/iam/constants.go +++ b/weed/iam/constants.go @@ -29,3 +29,9 @@ const ( AccessKeyIdLength = 21 SecretAccessKeyLength = 42 ) + +// Access key status values (AWS IAM compatible) +const ( + AccessKeyStatusActive = "Active" + AccessKeyStatusInactive = "Inactive" +) -- cgit v1.2.3
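Review bot: In the new const block in weed/iam/constants.go, neither `AccessKeyStatusActive` nor `AccessKeyStatusInactive` matches the empty string, which is the zero value of the string `status` field the commit message adds to Credential. The message says existing configs default to enabled, but unlike the `disabled` bool, that does not follow from the zero value here. The comment above the block should state that an empty status is treated as Active, and status checks should go through one shared helper rather than comparing against the literals at each call site. Please also document how a value other than "Active" or "Inactive" is handled. One option is for UpdateAccessKey to reject it on write and for signature validation to treat it as inactive, so that a case mismatch such as "inactive" cannot leave a key usable. Only constants.go is shown here, so if that handling already exists elsewhere in the commit, a pointer to it in the comment is enough.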