fix: if OPA set do not enforce policy claim (#10149)

This commit is contained in:
Harshavardhana 2020-07-28 11:47:57 -07:00 committed by GitHub
parent 1b6ba0d062
commit 27266f8a54
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 5 additions and 10 deletions

View File

@ -92,7 +92,7 @@ func initHelp() {
}, },
config.HelpKV{ config.HelpKV{
Key: config.PolicyOPASubSys, Key: config.PolicyOPASubSys,
Description: "enable external OPA for policy enforcement", Description: "[DEPRECATED] enable external OPA for policy enforcement",
}, },
config.HelpKV{ config.HelpKV{
Key: config.KmsVaultSubSys, Key: config.KmsVaultSubSys,

View File

@ -1,5 +1,5 @@
/* /*
* MinIO Cloud Storage, (C) 2019 MinIO, Inc. * MinIO Cloud Storage, (C) 2019,2020 MinIO, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -23,12 +23,12 @@ var (
Help = config.HelpKVS{ Help = config.HelpKVS{
config.HelpKV{ config.HelpKV{
Key: URL, Key: URL,
Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`, Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
Type: "url", Type: "url",
}, },
config.HelpKV{ config.HelpKV{
Key: AuthToken, Key: AuthToken,
Description: "authorization token for OPA endpoint", Description: "[DEPRECATED] authorization token for OPA endpoint",
Optional: true, Optional: true,
Type: "string", Type: "string",
}, },

View File

@ -328,7 +328,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ",")) policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
} }
if policyName == "" { if policyName == "" && globalPolicyOPA == nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID())) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return return
} }

View File

@ -1,5 +0,0 @@
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
export MINIO_POLICY_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
export MINIO_ETCD_ENDPOINTS=http://localhost:2379