MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-27 14:43:18 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: LDAP derivative accounts parentUser validation is not needed (#9573)

Browse Source 
* fix: LDAP derivative accounts parentUser validation is not needed

fixes #9435

* Update cmd/iam.go

Co-authored-by: Lenin Alevski <alevsk.8772@gmail.com>

Co-authored-by: Lenin Alevski <alevsk.8772@gmail.com>
This commit is contained in:
Harshavardhana 2020-05-12 09:21:08 -07:00 committed by GitHub
parent e25ace2151
commit 1756b7c6ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 66 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
cmd/iam.go
View File

@ -1023,9 +1023,15 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
cred, ok = sys.iamUsersMap[accessKey] cred, ok = sys.iamUsersMap[accessKey]
if ok && cred.IsValid() { if ok && cred.IsValid() {
if cred.ParentUser != "" { if cred.ParentUser != "" && sys.usersSysType == MinIOUsersSysType {
_, ok = sys.iamUsersMap[cred.ParentUser] _, ok = sys.iamUsersMap[cred.ParentUser]
} }
// for LDAP service accounts with ParentUser set
// we have no way to validate, either because user
// doesn't need an explicit policy as it can come
// automatically from a group. We are safe to ignore
// this and continue as policies would fail eventually
// the policies are missing or not configured.
} }
return cred, ok && cred.IsValid() return cred, ok && cred.IsValid()
} }
@ -1617,6 +1623,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parent string) b
func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool { func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
// If it is an LDAP request, check that user and group // If it is an LDAP request, check that user and group
// policies allow the request. // policies allow the request.
if sys.usersSysType == LDAPUsersSysType {
if userIface, ok := args.Claims[ldapUser]; ok { if userIface, ok := args.Claims[ldapUser]; ok {
var user string var user string
if u, ok := userIface.(string); ok { if u, ok := userIface.(string); ok {
@ -1633,8 +1640,6 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
groups = append(groups, eachGStr) groups = append(groups, eachGStr)
} }
} }
} else {
return false
} }
sys.store.rlock() sys.store.rlock()
@ -1644,19 +1649,33 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
// users exists, group exists validations that do not // users exists, group exists validations that do not
// apply here. // apply here.
var policies []iampolicy.Policy var policies []iampolicy.Policy
if policy, ok := sys.iamUserPolicyMap[user]; ok { if mp, ok := sys.iamUserPolicyMap[user]; ok {
p, found := sys.iamPolicyDocsMap[policy.Policy] for _, pname := range strings.Split(mp.Policy, ",") {
if found { pname = strings.TrimSpace(pname)
if pname == "" {
continue
}
p, found := sys.iamPolicyDocsMap[pname]
if !found {
return false
}
policies = append(policies, p) policies = append(policies, p)
} }
} }
for _, group := range groups { for _, group := range groups {
policy, ok := sys.iamGroupPolicyMap[group] mp, ok := sys.iamGroupPolicyMap[group]
if !ok { if !ok {
continue continue
} }
p, found := sys.iamPolicyDocsMap[policy.Policy] for _, pname := range strings.Split(mp.Policy, ",") {
if found { pname = strings.TrimSpace(pname)
if pname == "" {
continue
}
p, found := sys.iamPolicyDocsMap[pname]
if !found {
return false
}
policies = append(policies, p) policies = append(policies, p)
} }
} }
@ -1671,6 +1690,8 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
} }
return combinedPolicy.IsAllowed(args) return combinedPolicy.IsAllowed(args)
} }
return false
}
policies, ok := args.GetPolicies(iamPolicyClaimNameOpenID()) policies, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
if !ok { if !ok {