cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
This commit is contained in:
parent
b7d11141e1
commit
0ee722f8c3
@ -545,14 +545,16 @@ func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Re
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !globalIAMSys.IsAllowed(policy.Args{
|
args := policy.Args{
|
||||||
AccountName: cred.AccessKey,
|
AccountName: cred.AccessKey,
|
||||||
Groups: cred.Groups,
|
Groups: cred.Groups,
|
||||||
Action: policy.ListTemporaryAccountsAdminAction,
|
Action: policy.ListTemporaryAccountsAdminAction,
|
||||||
ConditionValues: getConditionValues(r, "", cred),
|
ConditionValues: getConditionValues(r, "", cred),
|
||||||
IsOwner: owner,
|
IsOwner: owner,
|
||||||
Claims: cred.Claims,
|
Claims: cred.Claims,
|
||||||
}) {
|
}
|
||||||
|
|
||||||
|
if !globalIAMSys.IsAllowed(args) {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -568,11 +570,16 @@ func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Re
|
|||||||
if sessionPolicy != nil {
|
if sessionPolicy != nil {
|
||||||
stsAccountPolicy = *sessionPolicy
|
stsAccountPolicy = *sessionPolicy
|
||||||
} else {
|
} else {
|
||||||
policiesNames, err := globalIAMSys.PolicyDBGet(stsAccount.ParentUser, false)
|
policiesNames, err := globalIAMSys.PolicyDBGet(stsAccount.ParentUser, stsAccount.Groups...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if len(policiesNames) == 0 {
|
||||||
|
policySet, _ := args.GetPolicies(iamPolicyClaimNameOpenID())
|
||||||
|
policiesNames = policySet.ToSlice()
|
||||||
|
}
|
||||||
|
|
||||||
stsAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
|
stsAccountPolicy = globalIAMSys.GetCombinedPolicy(policiesNames...)
|
||||||
}
|
}
|
||||||
|
|
||||||
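Review bot: The claims fallback `policySet, _ := args.GetPolicies(iamPolicyClaimNameOpenID())` reads the claims of the requesting credential, because `args` was assembled from `cred` in the previous hunk (`Claims: cred.Claims`), not from the temporary account being described. When `stsAccount.ParentUser` and its groups carry no DB policy, the response would report the caller's claim-derived policy names as the STS account's effective policy. The account's own claims are the intended input, e.g. `stsArgs := policy.Args{Claims: stsAccount.Claims}` followed by `policySet, _ := stsArgs.GetPolicies(iamPolicyClaimNameOpenID())`; whether `stsAccount` exposes a `Claims` field is not visible in this hunk, so confirm against its type. TemporaryAccountInfo starts before and continues after this hunk.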
@ -1010,7 +1017,7 @@ func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Requ
|
|||||||
if !impliedPolicy {
|
if !impliedPolicy {
|
||||||
svcAccountPolicy = *sessionPolicy
|
svcAccountPolicy = *sessionPolicy
|
||||||
} else {
|
} else {
|
||||||
policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, false)
|
policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, svcAccount.Groups...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
@ -1357,7 +1364,7 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
|
|||||||
effectivePolicy = globalIAMSys.GetCombinedPolicy(policySetFromClaims.ToSlice()...)
|
effectivePolicy = globalIAMSys.GetCombinedPolicy(policySetFromClaims.ToSlice()...)
|
||||||
|
|
||||||
default:
|
default:
|
||||||
policies, err := globalIAMSys.PolicyDBGet(accountName, false, cred.Groups...)
|
policies, err := globalIAMSys.PolicyDBGet(accountName, cred.Groups...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.LogIf(ctx, err)
|
logger.LogIf(ctx, err)
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
|
@ -252,7 +252,7 @@ func (driver *ftpDriver) CheckPasswd(c *ftp.Context, username, password string)
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
|
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, groupDistNames...)
|
||||||
return len(ldapPolicies) > 0, nil
|
return len(ldapPolicies) > 0, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -273,7 +273,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error)
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, false, targetGroups...)
|
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, targetGroups...)
|
||||||
if len(ldapPolicies) == 0 {
|
if len(ldapPolicies) == 0 {
|
||||||
return nil, errAuthentication
|
return nil, errAuthentication
|
||||||
}
|
}
|
||||||
|
@ -655,7 +655,7 @@ func (store *IAMStoreSys) GroupNotificationHandler(ctx context.Context, group st
|
|||||||
|
|
||||||
// PolicyDBGet - fetches policies associated with the given user or group, and
|
// PolicyDBGet - fetches policies associated with the given user or group, and
|
||||||
// additional groups if provided.
|
// additional groups if provided.
|
||||||
func (store *IAMStoreSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]string, error) {
|
func (store *IAMStoreSys) PolicyDBGet(name string, groups ...string) ([]string, error) {
|
||||||
if name == "" {
|
if name == "" {
|
||||||
return nil, errInvalidArgument
|
return nil, errInvalidArgument
|
||||||
}
|
}
|
||||||
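Review bot: The doc comment `// PolicyDBGet - fetches policies associated with the given user or group, and` is now stale: the `isGroup` parameter has been removed and the next hunk hard-codes `cache.policyDBGet(store, name, false)`, so `name` is always resolved as a user. Suggest `// PolicyDBGet - fetches policies associated with the given user, plus those of any additional groups if provided.` The same wording survives on `IAMSys.PolicyDBGet` in cmd/iam.go (`// PolicyDBGet - gets policy set on a user or group. If a list of groups is`) and should be updated the same way. The function body continues past this hunk.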
@ -663,12 +663,11 @@ func (store *IAMStoreSys) PolicyDBGet(name string, isGroup bool, groups ...strin
|
|||||||
cache := store.rlock()
|
cache := store.rlock()
|
||||||
defer store.runlock()
|
defer store.runlock()
|
||||||
|
|
||||||
policies, _, err := cache.policyDBGet(store, name, isGroup)
|
policies, _, err := cache.policyDBGet(store, name, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !isGroup {
|
|
||||||
for _, group := range groups {
|
for _, group := range groups {
|
||||||
ps, _, err := cache.policyDBGet(store, group, true)
|
ps, _, err := cache.policyDBGet(store, group, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -676,7 +675,6 @@ func (store *IAMStoreSys) PolicyDBGet(name string, isGroup bool, groups ...strin
|
|||||||
}
|
}
|
||||||
policies = append(policies, ps...)
|
policies = append(policies, ps...)
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return policies, nil
|
return policies, nil
|
||||||
}
|
}
|
||||||
@ -1219,6 +1217,9 @@ func (store *IAMStoreSys) GetPolicy(name string) (policy.Policy, error) {
|
|||||||
}
|
}
|
||||||
toMerge = append(toMerge, v.Policy)
|
toMerge = append(toMerge, v.Policy)
|
||||||
}
|
}
|
||||||
|
if len(toMerge) == 0 {
|
||||||
|
return policy.Policy{}, errNoSuchPolicy
|
||||||
|
}
|
||||||
return policy.MergePolicies(toMerge...), nil
|
return policy.MergePolicies(toMerge...), nil
|
||||||
}
|
}
|
||||||
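Review bot: The new `return policy.Policy{}, errNoSuchPolicy` when `toMerge` is empty changes GetPolicy's contract for callers that previously received an empty policy with a nil error, and nothing in the hunk documents it. The function's doc comment, which starts outside this hunk, should state that `errNoSuchPolicy` is returned when none of the requested names resolve to an existing policy, so callers on authorization paths can see they must treat the error as a denial rather than as an empty result. GetPolicy's start is outside the hunk.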
|
|
||||||
|
10
cmd/iam.go
10
cmd/iam.go
@ -1720,12 +1720,12 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
|
|||||||
|
|
||||||
// PolicyDBGet - gets policy set on a user or group. If a list of groups is
|
// PolicyDBGet - gets policy set on a user or group. If a list of groups is
|
||||||
// given, policies associated with them are included as well.
|
// given, policies associated with them are included as well.
|
||||||
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]string, error) {
|
func (sys *IAMSys) PolicyDBGet(name string, groups ...string) ([]string, error) {
|
||||||
if !sys.Initialized() {
|
if !sys.Initialized() {
|
||||||
return nil, errServerNotInitialized
|
return nil, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.PolicyDBGet(name, isGroup, groups...)
|
return sys.store.PolicyDBGet(name, groups...)
|
||||||
}
|
}
|
||||||
|
|
||||||
const sessionPolicyNameExtracted = policy.SessionPolicyName + "-extracted"
|
const sessionPolicyNameExtracted = policy.SessionPolicyName + "-extracted"
|
||||||
@ -1774,7 +1774,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args policy.Args, parentUser string)
|
|||||||
|
|
||||||
default:
|
default:
|
||||||
// Check policy for parent user of service account.
|
// Check policy for parent user of service account.
|
||||||
svcPolicies, err = sys.PolicyDBGet(parentUser, false, args.Groups...)
|
svcPolicies, err = sys.PolicyDBGet(parentUser, args.Groups...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.LogIf(GlobalContext, err)
|
logger.LogIf(GlobalContext, err)
|
||||||
return false
|
return false
|
||||||
@ -1882,7 +1882,7 @@ func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool {
|
|||||||
default:
|
default:
|
||||||
// Otherwise, inherit parent user's policy
|
// Otherwise, inherit parent user's policy
|
||||||
var err error
|
var err error
|
||||||
policies, err = sys.store.PolicyDBGet(parentUser, false, args.Groups...)
|
policies, err = sys.store.PolicyDBGet(parentUser, args.Groups...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.LogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err))
|
logger.LogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err))
|
||||||
return false
|
return false
|
||||||
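Review bot: `policies, err = sys.store.PolicyDBGet(parentUser, args.Groups...)` bypasses `IAMSys`, while the parallel branch in IsAllowedServiceAccount above now calls `sys.PolicyDBGet(parentUser, args.Groups...)`, which first rejects with `errServerNotInitialized` when `!sys.Initialized()`. Since the commit rewrites both lines, they could be made consistent by calling `sys.PolicyDBGet` here as well, unless IsAllowedSTS already performs the initialization check earlier in its body, which is outside this hunk. The enclosing function starts before and continues after the hunk.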
@ -2019,7 +2019,7 @@ func (sys *IAMSys) IsAllowed(args policy.Args) bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Continue with the assumption of a regular user
|
// Continue with the assumption of a regular user
|
||||||
policies, err := sys.PolicyDBGet(args.AccountName, false, args.Groups...)
|
policies, err := sys.PolicyDBGet(args.AccountName, args.Groups...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
@ -114,7 +114,7 @@ func startSFTPServer(c *cli.Context) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, false, targetGroups...)
|
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, targetGroups...)
|
||||||
if len(ldapPolicies) == 0 {
|
if len(ldapPolicies) == 0 {
|
||||||
return nil, errAuthentication
|
return nil, errAuthentication
|
||||||
}
|
}
|
||||||
|
@ -267,7 +267,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
|||||||
|
|
||||||
// Validate that user.AccessKey's policies can be retrieved - it may not
|
// Validate that user.AccessKey's policies can be retrieved - it may not
|
||||||
// be in case the user is disabled.
|
// be in case the user is disabled.
|
||||||
if _, err = globalIAMSys.PolicyDBGet(user.AccessKey, false); err != nil {
|
if _, err = globalIAMSys.PolicyDBGet(user.AccessKey, user.Groups...); err != nil {
|
||||||
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
|
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -630,7 +630,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check if this user or their groups have a policy applied.
|
// Check if this user or their groups have a policy applied.
|
||||||
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
|
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, groupDistNames...)
|
||||||
if len(ldapPolicies) == 0 && newGlobalAuthZPluginFn() == nil {
|
if len(ldapPolicies) == 0 && newGlobalAuthZPluginFn() == nil {
|
||||||
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
|
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
|
||||||
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
|
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
|
||||||
|