fix: checking for stale STS account under site replication (#16109)
This commit is contained in:
parent
98ba622679
commit
04948b4d55
40
cmd/iam.go
40
cmd/iam.go
@ -1025,7 +1025,7 @@ func (sys *IAMSys) ListTempAccounts(ctx context.Context, accessKey string) ([]Us
|
|||||||
func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *iampolicy.Policy, error) {
|
func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *iampolicy.Policy, error) {
|
||||||
sa, embeddedPolicy, err := sys.getServiceAccount(ctx, accessKey)
|
sa, embeddedPolicy, err := sys.getServiceAccount(ctx, accessKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return auth.Credentials{}, embeddedPolicy, err
|
return auth.Credentials{}, nil, err
|
||||||
}
|
}
|
||||||
// Hide secret & session keys
|
// Hide secret & session keys
|
||||||
sa.Credentials.SecretKey = ""
|
sa.Credentials.SecretKey = ""
|
||||||
@ -1033,15 +1033,45 @@ func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (aut
|
|||||||
return sa.Credentials, embeddedPolicy, nil
|
return sa.Credentials, embeddedPolicy, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// getServiceAccount - gets information about a service account
|
func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) {
|
||||||
func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (u UserIdentity, p *iampolicy.Policy, err error) {
|
sa, embeddedPolicy, err := sys.getAccountWithEmbeddedPolicy(ctx, accessKey)
|
||||||
|
if err != nil {
|
||||||
|
if err == errNoSuchAccount {
|
||||||
|
return UserIdentity{}, nil, errNoSuchServiceAccount
|
||||||
|
}
|
||||||
|
return UserIdentity{}, nil, err
|
||||||
|
}
|
||||||
|
if !sa.Credentials.IsServiceAccount() {
|
||||||
|
return UserIdentity{}, nil, errNoSuchServiceAccount
|
||||||
|
}
|
||||||
|
|
||||||
|
return sa, embeddedPolicy, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sys *IAMSys) getTempAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) {
|
||||||
|
tmpAcc, embeddedPolicy, err := sys.getAccountWithEmbeddedPolicy(ctx, accessKey)
|
||||||
|
if err != nil {
|
||||||
|
if err == errNoSuchAccount {
|
||||||
|
return UserIdentity{}, nil, errNoSuchTempAccount
|
||||||
|
}
|
||||||
|
return UserIdentity{}, nil, err
|
||||||
|
}
|
||||||
|
if !tmpAcc.Credentials.IsTemp() {
|
||||||
|
return UserIdentity{}, nil, errNoSuchTempAccount
|
||||||
|
}
|
||||||
|
|
||||||
|
return tmpAcc, embeddedPolicy, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// getAccountWithEmbeddedPolicy - gets information about an account with its embedded policy if found
|
||||||
|
func (sys *IAMSys) getAccountWithEmbeddedPolicy(ctx context.Context, accessKey string) (u UserIdentity, p *iampolicy.Policy, err error) {
|
||||||
if !sys.Initialized() {
|
if !sys.Initialized() {
|
||||||
return u, nil, errServerNotInitialized
|
return u, nil, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
sa, ok := sys.store.GetUser(accessKey)
|
sa, ok := sys.store.GetUser(accessKey)
|
||||||
if !ok || !sa.Credentials.IsServiceAccount() {
|
if !ok {
|
||||||
return u, nil, errNoSuchServiceAccount
|
return u, nil, errNoSuchAccount
|
||||||
}
|
}
|
||||||
|
|
||||||
var embeddedPolicy *iampolicy.Policy
|
var embeddedPolicy *iampolicy.Policy
|
||||||
|
@ -1257,9 +1257,8 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred *mad
|
|||||||
}
|
}
|
||||||
// skip overwrite of local update if peer sent stale info
|
// skip overwrite of local update if peer sent stale info
|
||||||
if !updatedAt.IsZero() {
|
if !updatedAt.IsZero() {
|
||||||
if u, err := globalIAMSys.GetUserInfo(ctx, stsCred.AccessKey); err == nil {
|
if u, _, err := globalIAMSys.getTempAccount(ctx, stsCred.AccessKey); err == nil {
|
||||||
ok, _, _ := globalIAMSys.IsTempUser(stsCred.AccessKey)
|
if u.UpdatedAt.After(updatedAt) {
|
||||||
if ok && u.UpdatedAt.After(updatedAt) {
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -71,6 +71,12 @@ var errNoSuchUser = errors.New("Specified user does not exist")
|
|||||||
// error returned when service account is not found
|
// error returned when service account is not found
|
||||||
var errNoSuchServiceAccount = errors.New("Specified service account does not exist")
|
var errNoSuchServiceAccount = errors.New("Specified service account does not exist")
|
||||||
|
|
||||||
|
// error returned when temporary account is not found
|
||||||
|
var errNoSuchTempAccount = errors.New("Specified temporary account does not exist")
|
||||||
|
|
||||||
|
// error returned in IAM subsystem when an account doesn't exist.
|
||||||
|
var errNoSuchAccount = errors.New("Specified account does not exist")
|
||||||
|
|
||||||
// error returned in IAM subsystem when groups doesn't exist.
|
// error returned in IAM subsystem when groups doesn't exist.
|
||||||
var errNoSuchGroup = errors.New("Specified group does not exist")
|
var errNoSuchGroup = errors.New("Specified group does not exist")
|
||||||
|
|
||||||
|
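Review bot: getAccountWithEmbeddedPolicy no longer restricts the credential type (the `!sa.Credentials.IsServiceAccount()` half of its guard was dropped), so it now returns any stored credential together with its decoded embedded policy and relies on each caller to filter by type — getServiceAccount and getTempAccount both do, but the comment above the helper should state that contract, e.g. `// getAccountWithEmbeddedPolicy - gets any stored account (user, temporary or service) with its embedded policy; callers must check the credential type themselves`. getTempAccount has no doc comment while its two siblings do; `// getTempAccount - gets information about a temporary (STS) account` would match the file's style. getServiceAccount's new signature declares named results `(u UserIdentity, p *iampolicy.Policy, err error)` that the body never uses, whereas getTempAccount uses unnamed results; for consistency `func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) {` reads cleaner. The body of getAccountWithEmbeddedPolicy continues past the end of its hunk.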