mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
Better error when setting up replication with a service account alias (#16472)
parent
441babdc41
commit
0a0416b6ea
@ -154,15 +154,9 @@ func toAdminAPIErr(ctx context.Context, err error) APIError {
|
|||||||
Description: err.Error(),
|
Description: err.Error(),
|
||||||
HTTPStatusCode: http.StatusForbidden,
|
HTTPStatusCode: http.StatusForbidden,
|
||||||
}
|
}
|
||||||
case errors.Is(err, errIAMServiceAccount):
|
case errors.Is(err, errIAMServiceAccountNotAllowed):
|
||||||
apiErr = APIError{
|
apiErr = APIError{
|
||||||
Code: "XMinioIAMServiceAccount",
|
Code: "XMinioIAMServiceAccountNotAllowed",
|
||||||
Description: err.Error(),
|
|
||||||
HTTPStatusCode: http.StatusBadRequest,
|
|
||||||
}
|
|
||||||
case errors.Is(err, errIAMServiceAccountUsed):
|
|
||||||
apiErr = APIError{
|
|
||||||
Code: "XMinioIAMServiceAccountUsed",
|
|
||||||
Description: err.Error(),
|
Description: err.Error(),
|
||||||
HTTPStatusCode: http.StatusBadRequest,
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
}
|
}
|
||||||
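Review bot: The merged `errors.Is(err, errIAMServiceAccountNotAllowed)` case still copies `err.Error()` into `Description`, and the wrapped text built in `AddServiceAccount` says whether the access key is held by another user or is simply already taken. A caller permitted to create service accounts can read from the 400 response whether a key exists under a different parent; the old pair of codes appears to have exposed the same distinction, so this is a chance to return one neutral description to the client and keep the specific reason in the server-side log. The codes `XMinioIAMServiceAccount` and `XMinioIAMServiceAccountUsed` also disappear from the API surface, so clients or alert rules matching on them need a release-note entry. The switch in toAdminAPIErr begins and ends outside this hunk.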
|
@ -2093,14 +2093,14 @@ func (store *IAMStoreSys) AddServiceAccount(ctx context.Context, cred auth.Crede
|
|||||||
if su, found := cache.iamUsersMap[accessKey]; found {
|
if su, found := cache.iamUsersMap[accessKey]; found {
|
||||||
scred := su.Credentials
|
scred := su.Credentials
|
||||||
if scred.ParentUser != parentUser {
|
if scred.ParentUser != parentUser {
|
||||||
return updatedAt, errIAMServiceAccountUsed
|
return updatedAt, fmt.Errorf("%w: the service account access key is taken by another user", errIAMServiceAccountNotAllowed)
|
||||||
}
|
}
|
||||||
return updatedAt, errIAMServiceAccount
|
return updatedAt, fmt.Errorf("%w: the service account access key already taken", errIAMServiceAccountNotAllowed)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parent user must not be a service account.
|
// Parent user must not be a service account.
|
||||||
if u, found := cache.iamUsersMap[parentUser]; found && u.Credentials.IsServiceAccount() {
|
if u, found := cache.iamUsersMap[parentUser]; found && u.Credentials.IsServiceAccount() {
|
||||||
return updatedAt, errIAMServiceAccount
|
return updatedAt, fmt.Errorf("%w: unable to create a service account for another service account", errIAMServiceAccountNotAllowed)
|
||||||
}
|
}
|
||||||
|
|
||||||
u := newUserIdentity(cred)
|
u := newUserIdentity(cred)
|
||||||
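Review bot: The second wrapped message, `"%w: the service account access key already taken"`, is missing its verb and reads awkwardly once prefixed with the sentinel text. `fmt.Errorf("%w: the service account access key is already taken", errIAMServiceAccountNotAllowed)` would match the wording of the branch above it. All three returns now share one sentinel and differ only in free text, so a short comment above the `scred.ParentUser != parentUser` check, such as `// Access key exists: report whether it belongs to a different parent or to this one.`, would explain why two messages are kept. AddServiceAccount begins and ends outside this hunk.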
|
@ -102,10 +102,7 @@ var errTooManyPolicies = errors.New("Only a single policy may be specified here.
|
|||||||
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
|
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
|
||||||
|
|
||||||
// error returned in IAM service account
|
// error returned in IAM service account
|
||||||
var errIAMServiceAccount = errors.New("Specified service account cannot be updated in this API call")
|
var errIAMServiceAccountNotAllowed = errors.New("Specified service account action is not allowed")
|
||||||
|
|
||||||
// error returned in IAM service account is already used.
|
|
||||||
var errIAMServiceAccountUsed = errors.New("Specified service account is used by another user")
|
|
||||||
|
|
||||||
// error returned in IAM subsystem when IAM sub-system is still being initialized.
|
// error returned in IAM subsystem when IAM sub-system is still being initialized.
|
||||||
var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
|
var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
|
||||||
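Review bot: The comment kept above `errIAMServiceAccountNotAllowed`, `// error returned in IAM service account`, does not describe how the variable is used after this change, where it serves as a sentinel that call sites wrap with `%w` and the admin error mapper matches with `errors.Is`. A doc comment such as `// errIAMServiceAccountNotAllowed is the sentinel wrapped (via %w) when a service account operation is rejected; the wrapped text carries the reason.` would make that contract explicit. It would also signal to future callers that they should wrap the sentinel with a reason rather than return it bare.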
|