Add policy claim support for JWT (#6660)
This way temporary credentials can use canned policies on the server without configuring OPA.
This commit is contained in:
Harshavardhana
kannappanr
parent
1c911c5f40
commit
7e879a45d5
39
cmd/iam.go
39
cmd/iam.go
|
|
@ -269,12 +269,46 @@ func (sys *IAMSys) DeleteUser(accessKey string) error {
|
|||
}
|
||||
|
||||
// SetTempUser - set temporary user credentials, these credentials have an expiry.
|
||||
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials) error {
|
||||
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error {
|
||||
objectAPI := newObjectLayerFn()
|
||||
if objectAPI == nil {
|
||||
return errServerNotInitialized
|
||||
}
|
||||
|
||||
sys.Lock()
|
||||
defer sys.Unlock()
|
||||
|
||||
// If OPA is not set we honor any policy claims for this
|
||||
// temporary user which match with pre-configured canned
|
||||
// policies for this server.
|
||||
if globalPolicyOPA == nil && policyName != "" {
|
||||
p, ok := sys.iamCannedPolicyMap[policyName]
|
||||
if !ok {
|
||||
return errInvalidArgument
|
||||
}
|
||||
if p.IsEmpty() {
|
||||
delete(sys.iamPolicyMap, accessKey)
|
||||
return nil
|
||||
}
|
||||
|
||||
data, err := json.Marshal(policyName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
configFile := pathJoin(iamConfigSTSPrefix, accessKey, iamPolicyFile)
|
||||
if globalEtcdClient != nil {
|
||||
err = saveConfigEtcd(context.Background(), globalEtcdClient, configFile, data)
|
||||
} else {
|
||||
err = saveConfig(context.Background(), objectAPI, configFile, data)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
sys.iamPolicyMap[accessKey] = policyName
|
||||
}
|
||||
|
||||
configFile := pathJoin(iamConfigSTSPrefix, accessKey, iamIdentityFile)
|
||||
data, err := json.Marshal(cred)
|
||||
if err != nil {
|
||||
|
|
@ -291,9 +325,6 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials) error {
|
|||
return err
|
||||
}
|
||||
|
||||
sys.Lock()
|
||||
defer sys.Unlock()
|
||||
|
||||
sys.iamUsersMap[accessKey] = cred
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -162,8 +162,17 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
|
|||
return
|
||||
}
|
||||
|
||||
// JWT has requested a custom claim with policy value set.
|
||||
// This is a Minio STS API specific value, this value should
|
||||
// be set and configured on your identity provider as part of
|
||||
// JWT custom claims.
|
||||
var policyName string
|
||||
if v, ok := m["policy"]; ok {
|
||||
policyName, _ = v.(string)
|
||||
}
|
||||
|
||||
// Set the newly generated credentials.
|
||||
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred); err != nil {
|
||||
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
|
||||
logger.LogIf(ctx, err)
|
||||
writeSTSErrorResponse(w, ErrSTSInternalError)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -54,15 +54,18 @@ The access token received is a signed JSON Web Token (JWT). Use a JWT decoder to
|
|||
|
||||
|Claim Name|Type|Claim Value|
|
||||
|:--:|:--:|:--:|
|
||||
|iss| string | The issuer of the JWT. The '> Identity Provider Entity Id ' value of the OAuth2/OpenID Connect Inbound Authentication configuration of the Resident Identity Provider is returned here. |
|
||||
|aud| string array | The token audience list. The client identifier of the OAuth clients that the JWT is intended for, is sent herewith. |
|
||||
|azp| string | The authorized party for which the token is issued to. The client identifier of the OAuth client that the token is issued for, is sent herewith. |
|
||||
|iat| integer | The token issue time. |
|
||||
|exp| integer | The token expiration time. |
|
||||
|jti| string | Unique identifier for the JWT token. |
|
||||
|iss| _string_ | The issuer of the JWT. The '> Identity Provider Entity Id ' value of the OAuth2/OpenID Connect Inbound Authentication configuration of the Resident Identity Provider is returned here. |
|
||||
|aud| _string array_ | The token audience list. The client identifier of the OAuth clients that the JWT is intended for, is sent herewith. |
|
||||
|azp| _string_ | The authorized party for which the token is issued to. The client identifier of the OAuth client that the token is issued for, is sent herewith. |
|
||||
|iat| _integer_ | The token issue time. |
|
||||
|exp| _integer_ | The token expiration time. |
|
||||
|jti| _string_ | Unique identifier for the JWT token. |
|
||||
|policy| _string_ | Canned policy name to be applied for STS credentials. (Optional) |
|
||||
|
||||
Using the above `access_token` we can perform an STS request to Minio to get temporary credentials for Minio API operations. Minio STS API uses [JSON Web Key Set Endpoint](https://docs.wso2.com/display/IS541/JSON+Web+Key+Set+Endpoint) to validate if JWT is valid and is properly signed.
|
||||
|
||||
Optionally you can also configure `policy` as a custom claim for the JWT service provider follow [here](https://docs.wso2.com/display/IS550/Configuring+Claims+for+a+Service+Provider) and [here](https://docs.wso2.com/display/IS550/Handling+Custom+Claims+with+the+JWT+Bearer+Grant+Type) for relevant docs on how to configure claims for a service provider.
|
||||
|
||||
### 5. Setup Minio with JWKS URL
|
||||
Minio server expects environment variable for JWKS url as `MINIO_IAM_JWKS_URL`, this environment variable takes a single entry.
|
||||
```
|
||||
|
|
|
|||
Loading…
Reference in a new issue