mirror of
https://github.com/minio/minio.git
synced 2025-11-09 13:39:46 -05:00
fix: deprecate requirement of session token for service accounts (#9320)
This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
This commit is contained in:
Harshavardhana
GitHub
@@ -102,7 +102,7 @@ func (cred Credentials) String() string {
|
||||
s.WriteString("\n")
|
||||
s.WriteString(cred.SessionToken)
|
||||
}
|
||||
if !cred.Expiration.IsZero() && cred.Expiration != timeSentinel {
|
||||
if !cred.Expiration.IsZero() && !cred.Expiration.Equal(timeSentinel) {
|
||||
s.WriteString("\n")
|
||||
s.WriteString(cred.Expiration.String())
|
||||
}
|
||||
@@ -111,7 +111,7 @@ func (cred Credentials) String() string {
|
||||
|
||||
// IsExpired - returns whether Credential is expired or not.
|
||||
func (cred Credentials) IsExpired() bool {
|
||||
if cred.Expiration.IsZero() || cred.Expiration == timeSentinel {
|
||||
if cred.Expiration.IsZero() || cred.Expiration.Equal(timeSentinel) {
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -120,12 +120,12 @@ func (cred Credentials) IsExpired() bool {
|
||||
|
||||
// IsTemp - returns whether credential is temporary or not.
|
||||
func (cred Credentials) IsTemp() bool {
|
||||
return cred.SessionToken != "" && cred.ParentUser == ""
|
||||
return cred.SessionToken != "" && cred.ParentUser == "" && !cred.Expiration.IsZero() && !cred.Expiration.Equal(timeSentinel)
|
||||
}
|
||||
|
||||
// IsServiceAccount - returns whether credential is a service account or not
|
||||
func (cred Credentials) IsServiceAccount() bool {
|
||||
return cred.ParentUser != ""
|
||||
return cred.ParentUser != "" && (cred.Expiration.IsZero() || cred.Expiration.Equal(timeSentinel))
|
||||
}
|
||||
|
||||
// IsValid - returns whether credential is valid or not.
|
||||
|
||||
@@ -62,6 +62,7 @@ const (
|
||||
|
||||
// CreateUserAdminAction - allow creating MinIO user
|
||||
CreateUserAdminAction = "admin:CreateUser"
|
||||
|
||||
// DeleteUserAdminAction - allow deleting MinIO user
|
||||
DeleteUserAdminAction = "admin:DeleteUser"
|
||||
// ListUsersAdminAction - allow list users permission
|
||||
|
||||
@@ -24,6 +24,9 @@ import (
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/minio/minio/pkg/bucket/policy"
|
||||
"github.com/minio/minio/pkg/bucket/policy/condition"
|
||||
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
||||
"github.com/minio/minio/pkg/madmin"
|
||||
)
|
||||
|
||||
@@ -41,10 +44,18 @@ func main() {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
// Create policy
|
||||
policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::testbucket/*"],"Sid": ""}]}`
|
||||
p := iampolicy.Policy{
|
||||
Version: iampolicy.DefaultVersion,
|
||||
Statements: []Statement{
|
||||
iampolicy.NewStatement(
|
||||
policy.Allow,
|
||||
iampolicy.NewActionSet(iampolicy.GetObjectAction),
|
||||
iampolicy.NewResourceSet(iampolicy.NewResource("testbucket/*", "")),
|
||||
condition.NewFunctions(),
|
||||
)},
|
||||
}
|
||||
|
||||
creds, err := madmClnt.AddServiceAccount(context.Background(), "parentuser", policy)
|
||||
creds, err := madmClnt.AddServiceAccount(context.Background(), "parentuser", &p)
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
@@ -23,6 +23,9 @@ import (
|
||||
"context"
|
||||
"log"
|
||||
|
||||
"github.com/minio/minio/pkg/bucket/policy"
|
||||
"github.com/minio/minio/pkg/bucket/policy/condition"
|
||||
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
||||
"github.com/minio/minio/pkg/madmin"
|
||||
)
|
||||
|
||||
@@ -45,9 +48,18 @@ func main() {
|
||||
}
|
||||
|
||||
// Create policy
|
||||
policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::my-bucketname/*"],"Sid": ""}]}`
|
||||
p := iampolicy.Policy{
|
||||
Version: iampolicy.DefaultVersion,
|
||||
Statements: []iampolicy.Statement{
|
||||
iampolicy.NewStatement(
|
||||
policy.Allow,
|
||||
iampolicy.NewActionSet(iampolicy.GetObjectAction),
|
||||
iampolicy.NewResourceSet(iampolicy.NewResource("testbucket/*", "")),
|
||||
condition.NewFunctions(),
|
||||
)},
|
||||
}
|
||||
|
||||
if err = madmClnt.AddCannedPolicy(context.Background(), "get-only", policy); err != nil {
|
||||
if err = madmClnt.AddCannedPolicy(context.Background(), "get-only", &p); err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
|
||||
@@ -1,50 +0,0 @@
|
||||
// +build ignore
|
||||
|
||||
/*
|
||||
* MinIO Cloud Storage, (C) 2020 MinIO, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/minio/minio/pkg/madmin"
|
||||
)
|
||||
|
||||
func main() {
|
||||
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
|
||||
// dummy values, please replace them with original values.
|
||||
|
||||
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
|
||||
// dummy values, please replace them with original values.
|
||||
|
||||
// API requests are secure (HTTPS) if secure=true and insecure (HTTP) otherwise.
|
||||
// New returns an MinIO Admin client object.
|
||||
madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
creds, err := madmClnt.GetServiceAccount(context.Background(), "service-account-access-key")
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
fmt.Println(creds)
|
||||
}
|
||||
@@ -114,6 +114,10 @@ func (adm *AdminClient) AddCannedPolicy(ctx context.Context, policyName string,
|
||||
return ErrInvalidArgument("policy input cannot be empty")
|
||||
}
|
||||
|
||||
if err := policy.Validate(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
buf, err := json.Marshal(policy)
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
@@ -25,6 +25,7 @@ import (
|
||||
"net/url"
|
||||
|
||||
"github.com/minio/minio/pkg/auth"
|
||||
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
||||
)
|
||||
|
||||
// AccountStatus - account status.
|
||||
@@ -214,8 +215,8 @@ func (adm *AdminClient) SetUserStatus(ctx context.Context, accessKey string, sta
|
||||
|
||||
// AddServiceAccountReq is the request body of the add service account admin call
|
||||
type AddServiceAccountReq struct {
|
||||
Parent string `json:"parent"`
|
||||
Policy string `json:"policy"`
|
||||
Parent string `json:"parent"`
|
||||
Policy *iampolicy.Policy `json:"policy,omitempty"`
|
||||
}
|
||||
|
||||
// AddServiceAccountResp is the response body of the add service account admin call
|
||||
@@ -225,12 +226,17 @@ type AddServiceAccountResp struct {
|
||||
|
||||
// AddServiceAccount - creates a new service account belonging to the given parent user
|
||||
// while restricting the service account permission by the given policy document.
|
||||
func (adm *AdminClient) AddServiceAccount(ctx context.Context, parentUser string, policy string) (auth.Credentials, error) {
|
||||
|
||||
func (adm *AdminClient) AddServiceAccount(ctx context.Context, parentUser string, policy *iampolicy.Policy) (auth.Credentials, error) {
|
||||
if !auth.IsAccessKeyValid(parentUser) {
|
||||
return auth.Credentials{}, auth.ErrInvalidAccessKeyLength
|
||||
}
|
||||
|
||||
if policy != nil {
|
||||
if err := policy.Validate(); err != nil {
|
||||
return auth.Credentials{}, err
|
||||
}
|
||||
}
|
||||
|
||||
data, err := json.Marshal(AddServiceAccountReq{
|
||||
Parent: parentUser,
|
||||
Policy: policy,
|
||||
@@ -271,41 +277,3 @@ func (adm *AdminClient) AddServiceAccount(ctx context.Context, parentUser string
|
||||
}
|
||||
return serviceAccountResp.Credentials, nil
|
||||
}
|
||||
|
||||
// GetServiceAccount returns the credential of the service account
|
||||
func (adm *AdminClient) GetServiceAccount(ctx context.Context, serviceAccountAccessKey string) (auth.Credentials, error) {
|
||||
|
||||
if !auth.IsAccessKeyValid(serviceAccountAccessKey) {
|
||||
return auth.Credentials{}, auth.ErrInvalidAccessKeyLength
|
||||
}
|
||||
|
||||
queryValues := url.Values{}
|
||||
queryValues.Set("accessKey", serviceAccountAccessKey)
|
||||
|
||||
reqData := requestData{
|
||||
relPath: adminAPIPrefix + "/get-service-account",
|
||||
queryValues: queryValues,
|
||||
}
|
||||
|
||||
// Execute GET on /minio/admin/v3/get-service-account to set a user.
|
||||
resp, err := adm.executeMethod(ctx, http.MethodGet, reqData)
|
||||
defer closeResponse(resp)
|
||||
if err != nil {
|
||||
return auth.Credentials{}, err
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return auth.Credentials{}, httpRespToErrorResponse(resp)
|
||||
}
|
||||
|
||||
data, err := DecryptData(adm.getSecretKey(), resp.Body)
|
||||
if err != nil {
|
||||
return auth.Credentials{}, err
|
||||
}
|
||||
|
||||
var creds auth.Credentials
|
||||
if err = json.Unmarshal(data, &creds); err != nil {
|
||||
return auth.Credentials{}, err
|
||||
}
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user