fix: allow root credentials to generate STS, service accounts (#12210)
This commit is contained in:
Harshavardhana
GitHub
parent
804a23a06d
commit
67001e3ce9
|
|
@ -490,12 +490,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
|||
return
|
||||
}
|
||||
|
||||
// Disallow creating service accounts by root user.
|
||||
if createReq.TargetUser == globalActiveCred.AccessKey {
|
||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminAccountNotEligible), r.URL)
|
||||
return
|
||||
}
|
||||
|
||||
var (
|
||||
targetUser string
|
||||
targetGroups []string
|
||||
|
|
|
|||
23
cmd/iam.go
23
cmd/iam.go
|
|
@ -880,7 +880,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
|
|||
// This mapping is necessary to ensure that valid credentials
|
||||
// have necessary ParentUser present - this is mainly for only
|
||||
// webIdentity based STS tokens.
|
||||
if cred.IsTemp() && cred.ParentUser != "" {
|
||||
if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
|
||||
if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
|
||||
if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp, options{ttl: ttl}); err != nil {
|
||||
sys.store.unlock()
|
||||
|
|
@ -1114,14 +1114,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
|
|||
sys.store.lock()
|
||||
defer sys.store.unlock()
|
||||
|
||||
if parentUser == globalActiveCred.AccessKey {
|
||||
return auth.Credentials{}, errIAMActionNotAllowed
|
||||
}
|
||||
|
||||
cr, ok := sys.iamUsersMap[parentUser]
|
||||
if !ok {
|
||||
// For LDAP users we would need this fallback
|
||||
if sys.usersSysType != MinIOUsersSysType {
|
||||
// For LDAP/OpenID users we would need this fallback
|
||||
if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser {
|
||||
_, ok = sys.iamUserPolicyMap[parentUser]
|
||||
if !ok {
|
||||
var found bool
|
||||
|
|
@ -1479,7 +1475,12 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
|||
if cred.IsServiceAccount() || cred.IsTemp() {
|
||||
// temporary credentials or service accounts
|
||||
// must have their parent in UsersMap
|
||||
_, ok = sys.iamUserPolicyMap[cred.ParentUser]
|
||||
if cred.ParentUser == globalActiveCred.AccessKey {
|
||||
// parent exists, so allow temporary and service accounts.
|
||||
ok = true
|
||||
} else {
|
||||
_, ok = sys.iamUserPolicyMap[cred.ParentUser]
|
||||
}
|
||||
}
|
||||
// for LDAP service accounts with ParentUser set
|
||||
// we have no way to validate, either because user
|
||||
|
|
@ -1865,13 +1866,17 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, er
|
|||
var u auth.Credentials
|
||||
var ok bool
|
||||
if sys.usersSysType == MinIOUsersSysType {
|
||||
if name == globalActiveCred.AccessKey {
|
||||
return []string{"consoleAdmin"}, nil
|
||||
}
|
||||
|
||||
// When looking for a user's policies, we also check if the user
|
||||
// and the groups they are member of are enabled.
|
||||
|
||||
u, ok = sys.iamUsersMap[name]
|
||||
if !ok {
|
||||
return nil, errNoSuchUser
|
||||
}
|
||||
|
||||
if !u.IsValid() {
|
||||
return nil, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -122,13 +122,14 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
|
|||
if APIErrorCode(s3Err) != ErrNone {
|
||||
return user, false, STSErrorCode(s3Err)
|
||||
}
|
||||
var owner bool
|
||||
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
|
||||
|
||||
user, _, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
|
||||
if APIErrorCode(s3Err) != ErrNone {
|
||||
return user, false, STSErrorCode(s3Err)
|
||||
}
|
||||
// Root credentials are not allowed to use STS API
|
||||
if owner {
|
||||
|
||||
// Temporary credentials or Service accounts cannot generate further temporary credentials.
|
||||
if user.IsTemp() || user.IsServiceAccount() {
|
||||
return user, true, ErrSTSAccessDenied
|
||||
}
|
||||
}
|
||||
|
|
@ -138,11 +139,6 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
|
|||
return user, true, ErrSTSAccessDenied
|
||||
}
|
||||
|
||||
// Temporary credentials or Service accounts cannot generate further temporary credentials.
|
||||
if user.IsTemp() || user.IsServiceAccount() {
|
||||
return user, true, ErrSTSAccessDenied
|
||||
}
|
||||
|
||||
return user, true, ErrSTSNone
|
||||
}
|
||||
|
||||
|
|
@ -157,6 +153,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
|||
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.ParseForm(); err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
|
||||
return
|
||||
|
|
|
|||
Loading…
Reference in a new issue