Remove applying custom policies with STS access keys (#6626)
Move away from allowing custom policies, all policies in STS come from OPA otherwise they fail.
This commit is contained in:
Harshavardhana
Dee Koder
parent
81a481e098
commit
23b166b318
16
cmd/iam.go
16
cmd/iam.go
|
|
@ -326,20 +326,16 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
|
|||
sys.RLock()
|
||||
defer sys.RUnlock()
|
||||
|
||||
// If policy is available for given user, check the policy.
|
||||
if p, found := sys.iamPolicyMap[args.AccountName]; found {
|
||||
// If opa is configured, use OPA in conjunction with IAM policies.
|
||||
if globalPolicyOPA != nil {
|
||||
return p.IsAllowed(args) && globalPolicyOPA.IsAllowed(args)
|
||||
}
|
||||
return p.IsAllowed(args)
|
||||
}
|
||||
|
||||
// If no policies are set, let the policy arrive from OPA if any.
|
||||
// If opa is configured, use OPA always.
|
||||
if globalPolicyOPA != nil {
|
||||
return globalPolicyOPA.IsAllowed(args)
|
||||
}
|
||||
|
||||
// If policy is available for given user, check the policy.
|
||||
if p, found := sys.iamPolicyMap[args.AccountName]; found {
|
||||
return p.IsAllowed(args)
|
||||
}
|
||||
|
||||
// As policy is not available and OPA is not configured, return the owner value.
|
||||
return args.IsOwner
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,15 +17,12 @@
|
|||
package cmd
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/base64"
|
||||
"encoding/xml"
|
||||
"net/http"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/minio/minio/cmd/logger"
|
||||
"github.com/minio/minio/pkg/auth"
|
||||
"github.com/minio/minio/pkg/iam/policy"
|
||||
"github.com/minio/minio/pkg/iam/validator"
|
||||
)
|
||||
|
||||
|
|
@ -142,22 +139,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
|
|||
return
|
||||
}
|
||||
|
||||
policyStr := r.URL.Query().Get("Policy")
|
||||
var p *iampolicy.Policy
|
||||
if policyStr != "" {
|
||||
var data []byte
|
||||
data, err = base64.URLEncoding.DecodeString(policyStr)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
|
||||
return
|
||||
}
|
||||
p, err = iampolicy.ParseConfig(bytes.NewReader(data))
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
vars := mux.Vars(r)
|
||||
m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
|
||||
if err != nil {
|
||||
|
|
@ -187,13 +168,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
|
|||
writeSTSErrorResponse(w, ErrSTSInternalError)
|
||||
return
|
||||
}
|
||||
if p != nil {
|
||||
if err = globalIAMSys.SetPolicy(cred.AccessKey, *p); err != nil {
|
||||
logger.LogIf(ctx, err)
|
||||
writeSTSErrorResponse(w, ErrSTSInternalError)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{
|
||||
Result: ClientGrantsResult{Credentials: cred},
|
||||
|
|
|
|||
Loading…
Reference in a new issue