fix: assume parentUser correctly for serviceAccounts (#9504)
ListServiceAccounts/DeleteServiceAccount did not work properly with STS credentials because the parent user was derived incorrectly.
This commit is contained in:
parent
09571d03a5
commit
28f9c477a8
@ -461,7 +461,12 @@ func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Req
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, cred.AccessKey)
|
parentUser := cred.AccessKey
|
||||||
|
if cred.ParentUser != "" {
|
||||||
|
parentUser = cred.ParentUser
|
||||||
|
}
|
||||||
|
|
||||||
|
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, parentUser)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
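Review bot: The three-line parentUser derivation added here (`parentUser := cred.AccessKey` / `if cred.ParentUser != "" { parentUser = cred.ParentUser }`) is repeated verbatim in the DeleteServiceAccount hunk below, so the STS-versus-user rule now lives in two handlers; a small helper that takes the credential and returns the effective parent, called as `parentUser := parentUserOf(cred)` in both places, would keep the rule in one spot. The helper deserves a doc comment stating that an STS credential acts for its ParentUser and a regular user acts for itself. One thing to confirm: the iam.go hunk shows service accounts also carry a ParentUser, so if a service-account credential could reach this handler it would list (and, in the next hunk, delete) its parent's other service accounts — the part of ListServiceAccounts above the hunk should reject service-account callers, or this derivation should. The handler body starts outside the hunk.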
@ -521,8 +526,15 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if cred.AccessKey != user || cred.ParentUser != user {
|
parentUser := cred.AccessKey
|
||||||
// The service account belongs to another user but return not found error to mitigate brute force attacks.
|
if cred.ParentUser != "" {
|
||||||
|
parentUser = cred.ParentUser
|
||||||
|
}
|
||||||
|
|
||||||
|
if parentUser != user || user == "" {
|
||||||
|
// The service account belongs to another user but return not
|
||||||
|
// found error to mitigate brute force attacks. or the
|
||||||
|
// serviceAccount doesn't exist.
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServiceAccountNotFound), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServiceAccountNotFound), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
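Review bot: The rewritten comment above writeErrorResponseJSON reads awkwardly ("mitigate brute force attacks. or the serviceAccount doesn't exist.") and buries the second case the condition now covers; I would replace the three lines with `// Return not-found both when the service account belongs to another user (so a caller cannot probe for other users' keys) and when it does not exist at all (user == "").`. The `user == ""` branch presumably relies on GetServiceAccountParent now returning an empty string instead of errNoSuchServiceAccount; that call sits above the hunk, so worth checking that no caller still expects the error. The duplicated parentUser derivation is noted on the ListServiceAccounts hunk. The handler body starts outside the hunk.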
@ -889,11 +889,10 @@ func (sys *IAMSys) GetServiceAccountParent(ctx context.Context, accessKey string
|
|||||||
defer sys.store.runlock()
|
defer sys.store.runlock()
|
||||||
|
|
||||||
sa, ok := sys.iamUsersMap[accessKey]
|
sa, ok := sys.iamUsersMap[accessKey]
|
||||||
if !ok || !sa.IsServiceAccount() {
|
if ok && sa.IsServiceAccount() {
|
||||||
return "", errNoSuchServiceAccount
|
return sa.ParentUser, nil
|
||||||
}
|
}
|
||||||
|
return "", nil
|
||||||
return sa.ParentUser, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteServiceAccount - delete a service account
|
// DeleteServiceAccount - delete a service account
|
||||||
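Review bot: GetServiceAccountParent now signals "not a service account" with an empty string and a nil error instead of errNoSuchServiceAccount, so its doc comment (above the hunk) should say that callers must test the returned string, e.g. `// GetServiceAccountParent returns the parent user of the service account identified by accessKey, or "" with a nil error when accessKey is not a known service account.`. If a stored service account could ever have an empty ParentUser, the missing and the found-but-empty cases become indistinguishable; returning a bool alongside the string, or keeping a typed error, would preserve the distinction. The function signature and the read-lock acquisition are outside the hunk.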
@ -908,7 +907,7 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
|
|||||||
|
|
||||||
sa, ok := sys.iamUsersMap[accessKey]
|
sa, ok := sys.iamUsersMap[accessKey]
|
||||||
if !ok || !sa.IsServiceAccount() {
|
if !ok || !sa.IsServiceAccount() {
|
||||||
return errNoSuchServiceAccount
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// It is ok to ignore deletion error on the mapped policy
|
// It is ok to ignore deletion error on the mapped policy
|
||||||
|
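Review bot: Returning nil when accessKey is unknown or not a service account turns DeleteServiceAccount into a silent success, and the doc comment shown as context at the end of the previous hunk (`// DeleteServiceAccount - delete a service account`) no longer describes that; I would extend it to `// DeleteServiceAccount - delete a service account. Deleting an access key that is not a service account is a no-op and returns nil.`. This is presumably safe because the admin handler in the earlier hunk already answers not-found before calling here, but any other caller now loses the error and should be checked. The function signature is outside the hunk.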
@ -77,9 +77,6 @@ var errInvalidDecompressedSize = errors.New("Invalid Decompressed Size")
|
|||||||
// error returned in IAM subsystem when user doesn't exist.
|
// error returned in IAM subsystem when user doesn't exist.
|
||||||
var errNoSuchUser = errors.New("Specified user does not exist")
|
var errNoSuchUser = errors.New("Specified user does not exist")
|
||||||
|
|
||||||
// error returned in IAM subsystem when the service account doesn't exist.
|
|
||||||
var errNoSuchServiceAccount = errors.New("Specified service account does not exist")
|
|
||||||
|
|
||||||
// error returned in IAM subsystem when groups doesn't exist.
|
// error returned in IAM subsystem when groups doesn't exist.
|
||||||
var errNoSuchGroup = errors.New("Specified group does not exist")
|
var errNoSuchGroup = errors.New("Specified group does not exist")
|
||||||
|
|
||||||
|