MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-10 14:37:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

Remove applying custom policies with STS access keys (#6626)

Browse Source 
Move away from allowing custom policies, all policies in
STS come from OPA otherwise they fail.
This commit is contained in:
Harshavardhana 2018-10-15 12:44:03 -07:00 committed by Dee Koder
parent 81a481e098
commit 23b166b318
2 changed files with 6 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
cmd/iam.go
View File

@ -326,20 +326,16 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
sys.RLock() sys.RLock()
defer sys.RUnlock() defer sys.RUnlock()
// If policy is available for given user, check the policy. // If opa is configured, use OPA always.
if p, found := sys.iamPolicyMap[args.AccountName]; found {
// If opa is configured, use OPA in conjunction with IAM policies.
if globalPolicyOPA != nil {
return p.IsAllowed(args) && globalPolicyOPA.IsAllowed(args)
}
return p.IsAllowed(args)
}
// If no policies are set, let the policy arrive from OPA if any.
if globalPolicyOPA != nil { if globalPolicyOPA != nil {
return globalPolicyOPA.IsAllowed(args) return globalPolicyOPA.IsAllowed(args)
} }
// If policy is available for given user, check the policy.
if p, found := sys.iamPolicyMap[args.AccountName]; found {
return p.IsAllowed(args)
}
// As policy is not available and OPA is not configured, return the owner value. // As policy is not available and OPA is not configured, return the owner value.
return args.IsOwner return args.IsOwner
} }

26
cmd/sts-handlers.go
View File

@ -17,15 +17,12 @@
package cmd package cmd
import ( import (
"bytes"
"encoding/base64"
"encoding/xml" "encoding/xml"
"net/http" "net/http"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/minio/minio/cmd/logger" "github.com/minio/minio/cmd/logger"
"github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator" "github.com/minio/minio/pkg/iam/validator"
) )
@ -142,22 +139,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
return return
} }
policyStr := r.URL.Query().Get("Policy")
var p *iampolicy.Policy
if policyStr != "" {
var data []byte
data, err = base64.URLEncoding.DecodeString(policyStr)
if err != nil {
writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
return
}
p, err = iampolicy.ParseConfig(bytes.NewReader(data))
if err != nil {
writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
return
}
}
vars := mux.Vars(r) vars := mux.Vars(r)
m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds")) m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
if err != nil { if err != nil {
@ -187,13 +168,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
writeSTSErrorResponse(w, ErrSTSInternalError) writeSTSErrorResponse(w, ErrSTSInternalError)
return return
} }
if p != nil {
if err = globalIAMSys.SetPolicy(cred.AccessKey, *p); err != nil {
logger.LogIf(ctx, err)
writeSTSErrorResponse(w, ErrSTSInternalError)
return
}
}
encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{ encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{
Result: ClientGrantsResult{Credentials: cred}, Result: ClientGrantsResult{Credentials: cred},