MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-19 10:07:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: LDAP authentication with groups only (#12283)

Browse Source 
fixes #12282
This commit is contained in:
Harshavardhana 2021-05-12 21:25:07 -07:00 committed by GitHub
parent 57aed841dd
commit 5c0a7189c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/admin-handlers-users.go
View File

@ -523,6 +523,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return return
} }
// targerUser is set to bindDN at this point in time. // targerUser is set to bindDN at this point in time.
// targetGroups is set to the groups at this point in time.
} else { } else {
if cred.IsServiceAccount() || cred.IsTemp() { if cred.IsServiceAccount() || cred.IsTemp() {
if cred.ParentUser == "" { if cred.ParentUser == "" {
@ -534,8 +535,11 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
targetUser = cred.ParentUser targetUser = cred.ParentUser
} }
} }
// targetGroups not yet set, so set this to cred.Groups
if len(targetGroups) == 0 {
targetGroups = cred.Groups targetGroups = cred.Groups
} }
}
var sp *iampolicy.Policy var sp *iampolicy.Policy
if len(createReq.Policy) > 0 { if len(createReq.Policy) > 0 {

28
cmd/iam.go
View File

@ -1502,21 +1502,23 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
if ok && cred.IsValid() { if ok && cred.IsValid() {
if cred.IsServiceAccount() || cred.IsTemp() { if cred.IsServiceAccount() || cred.IsTemp() {
// temporary credentials or service accounts policies, err := sys.policyDBGet(cred.ParentUser, false)
// must have their parent in UsersMap if err != nil {
if cred.ParentUser == globalActiveCred.AccessKey { // Reject if the policy map for user doesn't exist anymore.
// parent exists, so allow temporary and service accounts. logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
ok = true return auth.Credentials{}, false
} else {
_, ok = sys.iamUserPolicyMap[cred.ParentUser]
} }
for _, group := range cred.Groups {
ps, err := sys.policyDBGet(group, true)
if err != nil {
// Reject if the policy map for group doesn't exist anymore.
logger.LogIf(context.Background(), fmt.Errorf("'%s' group does not have a policy present", group))
return auth.Credentials{}, false
}
policies = append(policies, ps...)
}
ok = len(policies) > 0
} }
// for LDAP service accounts with ParentUser set
// we have no way to validate, either because user
// doesn't need an explicit policy as it can come
// automatically from a group. We are safe to ignore
// this and continue as policies would fail eventually
// the policies are missing or not configured.
} }
return cred, ok && cred.IsValid() return cred, ok && cred.IsValid()
} }