fix: svc accounts cannot have same name as parent/targetUser (#13082)

Currently in master this can cause existing
parent users to stop working and lead to
credentials getting overwritten.

```
~ mc admin user add alias/ minio123 minio123456
```

```
~ mc admin user svcacct add alias/ minio123 \
    --access-key minio123 --secret-key minio123456
```

This PR rejects all such scenarios.
Harshavardhana 2021-08-26 21:57:30 -07:00 committed by GitHub
parent ed16ce9b73
commit ae8f7f11d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 1 deletions


@ -1177,6 +1177,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
return auth.Credentials{}, errServerNotInitialized
}
if parentUser == "" {
return auth.Credentials{}, errInvalidArgument
}
var policyBuf []byte
if opts.sessionPolicy != nil {
err := opts.sessionPolicy.Validate()
@ -1192,9 +1196,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
}
}
// found newly requested service account, to be same as
// parentUser, reject such operations.
if parentUser == opts.accessKey {
return auth.Credentials{}, errIAMActionNotAllowed
}
sys.store.lock()
defer sys.store.unlock()
// Handle validation of incoming service accounts.
{
cr, found := sys.iamUsersMap[opts.accessKey]
// found newly requested service account, to be an existing
// user, reject such operations.
if found && !cr.IsTemp() && !cr.IsServiceAccount() {
return auth.Credentials{}, errIAMActionNotAllowed
}
// found newly requested service account, to be an existing
// temporary user, reject such operations.
if found && cr.IsTemp() {
return auth.Credentials{}, errIAMActionNotAllowed
}
// found newly requested service account, to be an existing
// service account for another parentUser, reject such operations.
if found && cr.IsServiceAccount() && cr.ParentUser != parentUser {
return auth.Credentials{}, errIAMActionNotAllowed
}
}
cr, found := sys.iamUsersMap[parentUser]
// Disallow service accounts to further create more service accounts.
if found && cr.IsServiceAccount() {
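Review bot: The validation block in the second hunk still lets one collision through: when `opts.accessKey` matches an existing service account whose `ParentUser` equals `parentUser`, none of the three checks fires and the request proceeds. If the code after the hunk stores the new credential under that key (not visible here), the existing service account's secret and session policy would be replaced, which is the kind of overwrite the commit sets out to stop. If replacement is not intended, collapse the three checks into `if _, found := sys.iamUsersMap[opts.accessKey]; found { return auth.Credentials{}, errIAMActionNotAllowed }`; if it is intended, state it in a comment such as `// an existing service account of the same parentUser is deliberately replaced`. NewServiceAccount starts before and continues past both hunks.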


@ -82,7 +82,7 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
// error returned in IAM subsystem when an external users systems is configured.
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed with LDAP configuration")
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
// error returned in IAM subsystem when IAM sub-system is still being initialized.
var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
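Review bot: The comment above `errIAMActionNotAllowed` still says the error is returned when an external users system is configured, but with the LDAP wording dropped the same value is returned by NewServiceAccount for access-key collisions in this commit. Update it to match, for example `// error returned in IAM subsystem when the requested IAM action is not allowed.`. Since every rejection now maps to one generic message, it would help operators if the specific reason (name collision versus configuration restriction) were recorded in the server-side log at the call site.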