From 67001e3ce9c9003fddfd54bc868386c1b68de792 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Tue, 4 May 2021 11:58:19 -0700
Subject: [PATCH] fix: allow root credentials to generate STS, service accounts (#12210)
---
 cmd/admin-handlers-users.go | 6 ------
 cmd/iam.go | 23 ++++++++++++++---------
 cmd/sts-handlers.go | 15 ++++++--------
 3 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index cdfcdd209..37c3907ad 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -490,12 +490,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 return
 }
- // Disallow creating service accounts by root user.
- if createReq.TargetUser == globalActiveCred.AccessKey {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminAccountNotEligible), r.URL)
- return
- }
-
 var (
 targetUser string
 targetGroups []string
diff --git a/cmd/iam.go b/cmd/iam.go
index 3557ff93e..2bcd6e766 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -880,7 +880,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
 // This mapping is necessary to ensure that valid credentials
 // have necessary ParentUser present - this is mainly for only
 // webIdentity based STS tokens.
- if cred.IsTemp() && cred.ParentUser != "" {
+ if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
 if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
 if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp, options{ttl: ttl}); err != nil {
 sys.store.unlock()
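Review bot: With the root check gone, a request whose TargetUser is the root access key now reaches the service-account creation path with nothing in this hunk bounding the permissions of the resulting credential; together with the cmd/iam.go change that resolves the root access key to consoleAdmin, a request that omits a session policy would presumably produce a long-lived credential with full administrative rights. If that is the intended contract, it deserves a comment at the point where the check was removed, e.g. `// Root may create service accounts; without a session policy they inherit root's consoleAdmin permissions.` AddServiceAccount begins and ends outside the hunk, so whether a policy is mandatory for root-parented accounts cannot be confirmed here.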
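Review bot: The comment above the changed condition in SetTempUser explains why the policy mapping is written but not why the root access key is now excluded from it, so a reader of the new line cannot tell whether the skip is deliberate or a gap. A one-line extension of that comment would close it, e.g. `// Root credentials have no entry in iamUserPolicyMap; GetUser and policyDBGet special-case them, so no mapping is saved for root-parented tokens.` SetTempUser begins outside the hunk.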
@@ -1114,14 +1114,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 sys.store.lock()
 defer sys.store.unlock()
- if parentUser == globalActiveCred.AccessKey {
- return auth.Credentials{}, errIAMActionNotAllowed
- }
-
 cr, ok := sys.iamUsersMap[parentUser]
 if !ok {
- // For LDAP users we would need this fallback
- if sys.usersSysType != MinIOUsersSysType {
+ // For LDAP/OpenID users we would need this fallback
+ if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser {
 _, ok = sys.iamUserPolicyMap[parentUser]
 if !ok {
 var found bool
@@ -1479,7 +1475,12 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 if cred.IsServiceAccount() || cred.IsTemp() {
 // temporary credentials or service accounts
 // must have their parent in UsersMap
- _, ok = sys.iamUserPolicyMap[cred.ParentUser]
+ if cred.ParentUser == globalActiveCred.AccessKey {
+ // parent exists, so allow temporary and service accounts.
+ ok = true
+ } else {
+ _, ok = sys.iamUserPolicyMap[cred.ParentUser]
+ }
 }
 // for LDAP service accounts with ParentUser set
 // we have no way to validate, either because user
@@ -1865,13 +1866,17 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, er
 var u auth.Credentials
 var ok bool
 if sys.usersSysType == MinIOUsersSysType {
+ if name == globalActiveCred.AccessKey {
+ return []string{"consoleAdmin"}, nil
+ }
+
 // When looking for a user's policies, we also check if the user
 // and the groups they are member of are enabled.
-
 u, ok = sys.iamUsersMap[name]
 if !ok {
 return nil, errNoSuchUser
 }
+
 if !u.IsValid() {
 return nil, nil
 }
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 7e3bbf99a..797332db3 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
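Review bot: The new fallback condition in NewServiceAccount compares parentUser with globalActiveCred.ParentUser, whereas every other root check in this commit (SetTempUser, GetUser, policyDBGet) compares with globalActiveCred.AccessKey. If the ParentUser field of the configured root credential is empty, as it presumably is, the added clause is always true for a non-empty parentUser and root is not excluded from the LDAP/OpenID fallback at all. The intended line is most likely `if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.AccessKey {`. NewServiceAccount continues past the hunk, so what happens when ok stays false for root in non-MinIO mode cannot be seen here.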
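Review bot: The root short-circuit in GetUser makes a service account's or STS credential's validity depend on a string comparison with the current globalActiveCred.AccessKey, so credentials whose persisted ParentUser is an earlier root access key would stop validating after the root credential is rotated; nothing in the hunk says whether that is intended. A comment on the new branch would make the behaviour explicit, e.g. `// Root-parented credentials stay valid only while the root access key is unchanged; rotating it invalidates them.` GetUser begins before the hunk.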
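Review bot: The new root short-circuit in policyDBGet tests only name, not isGroup, and sits at the top of the MinIOUsersSysType branch; if that branch can be reached with isGroup set (the function's head is outside the hunk), a group whose name equals the root access key would be granted consoleAdmin. Guarding it with `if !isGroup && name == globalActiveCred.AccessKey {` removes that possibility at no cost. The policy name is also a bare string literal; if the project has a named constant for the built-in consoleAdmin policy it should be used here so a rename does not silently break root's policy lookup. Note too that the short-circuit applies only in MinIO users mode, while GetUser in this same commit accepts root-parented credentials in every mode, so the LDAP/OpenID path may resolve root to no policy; worth confirming.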
@@ -122,13 +122,14 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
 if APIErrorCode(s3Err) != ErrNone {
 return user, false, STSErrorCode(s3Err)
 }
- var owner bool
- user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
+
+ user, _, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
 if APIErrorCode(s3Err) != ErrNone {
 return user, false, STSErrorCode(s3Err)
 }
- // Root credentials are not allowed to use STS API
- if owner {
+
+ // Temporary credentials or Service accounts cannot generate further temporary credentials.
+ if user.IsTemp() || user.IsServiceAccount() {
 return user, true, ErrSTSAccessDenied
 }
 }
@@ -138,11 +139,6 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
 return user, true, ErrSTSAccessDenied
 }
- // Temporary credentials or Service accounts cannot generate further temporary credentials.
- if user.IsTemp() || user.IsServiceAccount() {
- return user, true, ErrSTSAccessDenied
- }
-
 return user, true, ErrSTSNone
 }
@@ -157,6 +153,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
 return
 }
+
 if err := r.ParseForm(); err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
 return
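Review bot: The temp/service-account guard now lives inside this case of the enclosing switch in checkAssumeRoleAuth (whose head is outside the hunk) rather than after it, where the -138 hunk deletes it, so any other case that assigns user would no longer be covered. If the signed-request case is the only one that yields a populated user the move is equivalent, but a short comment would make that invariant explicit, e.g. `// user is only populated on this path, so temp/service-account rejection happens here.` Discarding owner with `_` is fine now that root is permitted, but the removed `// Root credentials are not allowed to use STS API` comment has no positive counterpart; consider `// Root credentials may call AssumeRole.` above the getReqAccessKeyV4 call.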