mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
fix: if OPA set do not enforce policy claim (#10149)
parent
1b6ba0d062
commit
27266f8a54
@ -92,7 +92,7 @@ func initHelp() {
|
|||||||
},
|
},
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: config.PolicyOPASubSys,
|
Key: config.PolicyOPASubSys,
|
||||||
Description: "enable external OPA for policy enforcement",
|
Description: "[DEPRECATED] enable external OPA for policy enforcement",
|
||||||
},
|
},
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: config.KmsVaultSubSys,
|
Key: config.KmsVaultSubSys,
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
|
* MinIO Cloud Storage, (C) 2019,2020 MinIO, Inc.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
@ -23,12 +23,12 @@ var (
|
|||||||
Help = config.HelpKVS{
|
Help = config.HelpKVS{
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: URL,
|
Key: URL,
|
||||||
Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
|
Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
|
||||||
Type: "url",
|
Type: "url",
|
||||||
},
|
},
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: AuthToken,
|
Key: AuthToken,
|
||||||
Description: "authorization token for OPA endpoint",
|
Description: "[DEPRECATED] authorization token for OPA endpoint",
|
||||||
Optional: true,
|
Optional: true,
|
||||||
Type: "string",
|
Type: "string",
|
||||||
},
|
},
|
||||||
|
@ -328,7 +328,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
|
|||||||
policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
|
policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
|
||||||
}
|
}
|
||||||
|
|
||||||
if policyName == "" {
|
if policyName == "" && globalPolicyOPA == nil {
|
||||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
|
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
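Review bot: The relaxed guard `if policyName == "" && globalPolicyOPA == nil {` lets a JWT that carries no policy claim continue to credential generation whenever OPA is configured, and nothing at the condition records why that is acceptable. From that point the credentials have an empty policy name, so every authorization decision for them presumably rests on the OPA endpoint. It is worth confirming in the code outside this hunk that the OPA evaluation denies on error or timeout rather than falling through to the empty policy. I would add a comment above the condition such as `// OPA configured: authorization is delegated to OPA, so the policy claim is optional; OPA evaluation must fail closed.` The same commit marks the OPA settings as `[DEPRECATED]` in the help text, so the comment should also say what happens to this exemption when OPA support is removed. AssumeRoleWithJWT begins and ends outside the hunk.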
|
@ -1,5 +0,0 @@
|
|||||||
export MINIO_ACCESS_KEY=minio
|
|
||||||
export MINIO_SECRET_KEY=minio123
|
|
||||||
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
|
|
||||||
export MINIO_POLICY_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
|
|
||||||
export MINIO_ETCD_ENDPOINTS=http://localhost:2379
|
|