mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
parent
57aed841dd
commit
5c0a7189c7
@ -523,6 +523,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
||||
return
|
||||
}
|
||||
// targerUser is set to bindDN at this point in time.
|
||||
// targetGroups is set to the groups at this point in time.
|
||||
} else {
|
||||
if cred.IsServiceAccount() || cred.IsTemp() {
|
||||
if cred.ParentUser == "" {
|
||||
@ -534,7 +535,10 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
||||
targetUser = cred.ParentUser
|
||||
}
|
||||
}
|
||||
targetGroups = cred.Groups
|
||||
// targetGroups not yet set, so set this to cred.Groups
|
||||
if len(targetGroups) == 0 {
|
||||
targetGroups = cred.Groups
|
||||
}
|
||||
}
|
||||
|
||||
var sp *iampolicy.Policy
|
||||
|
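Review bot: The new guard `if len(targetGroups) == 0` in the else branch cannot tell "never assigned" from "assigned an empty list", so if code earlier in AddServiceAccount (outside these hunks) resolved the target to no groups, the new service account would still pick up the caller's `cred.Groups`. Group membership feeds policy lookup for service accounts, so this fallback presumably should apply only when nothing upstream has populated targetGroups; an explicit flag set where targetGroups is first assigned would make that unambiguous. At minimum the comment should state the invariant, e.g. `// targetGroups is only pre-populated on the LDAP path; otherwise fall back to the caller's own groups`, adjusted to whatever the earlier code actually does. The comment `// targerUser is set to bindDN at this point in time.` in the first hunk misspells `targetUser`.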
28
cmd/iam.go
28
cmd/iam.go
@ -1502,21 +1502,23 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
||||
|
||||
if ok && cred.IsValid() {
|
||||
if cred.IsServiceAccount() || cred.IsTemp() {
|
||||
// temporary credentials or service accounts
|
||||
// must have their parent in UsersMap
|
||||
if cred.ParentUser == globalActiveCred.AccessKey {
|
||||
// parent exists, so allow temporary and service accounts.
|
||||
ok = true
|
||||
} else {
|
||||
_, ok = sys.iamUserPolicyMap[cred.ParentUser]
|
||||
policies, err := sys.policyDBGet(cred.ParentUser, false)
|
||||
if err != nil {
|
||||
// Reject if the policy map for user doesn't exist anymore.
|
||||
logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
|
||||
return auth.Credentials{}, false
|
||||
}
|
||||
for _, group := range cred.Groups {
|
||||
ps, err := sys.policyDBGet(group, true)
|
||||
if err != nil {
|
||||
// Reject if the policy map for group doesn't exist anymore.
|
||||
logger.LogIf(context.Background(), fmt.Errorf("'%s' group does not have a policy present", group))
|
||||
return auth.Credentials{}, false
|
||||
}
|
||||
policies = append(policies, ps...)
|
||||
}
|
||||
ok = len(policies) > 0
|
||||
}
|
||||
// for LDAP service accounts with ParentUser set
|
||||
// we have no way to validate, either because user
|
||||
// doesn't need an explicit policy as it can come
|
||||
// automatically from a group. We are safe to ignore
|
||||
// this and continue as policies would fail eventually
|
||||
// the policies are missing or not configured.
|
||||
}
|
||||
return cred, ok && cred.IsValid()
|
||||
}
|
||||
|
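Review bot: Both `logger.LogIf` calls in GetUser discard the `err` returned by `sys.policyDBGet` and log a fixed "does not have a policy present" message, so a backend or lookup failure looks the same in the logs as a parent or group that really has no policy, while the real empty case (`len(policies) == 0`) is rejected with no log line at all. Wrapping the cause, e.g. `fmt.Errorf("policy lookup for parent user %q: %w", cred.ParentUser, err)`, keeps the deny-on-error behaviour and gives an operator something to act on; `%q` also keeps an LDAP DN or group name with unusual characters unambiguous in the log. The earlier shortcut for `cred.ParentUser == globalActiveCred.AccessKey` appears to be gone on the new side, so it is worth confirming that policyDBGet (not visible here) returns a non-empty set for the root credential, otherwise its service accounts and temporary credentials would now be rejected. A one-line comment above `ok = len(policies) > 0` stating that a credential with no effective parent or group policy is treated as invalid would document the intent.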