fix: LDAP authentication with groups only (#12283)

fixes #12282
This commit is contained in:
Harshavardhana 2021-05-12 21:25:07 -07:00 committed by GitHub
parent 57aed841dd
commit 5c0a7189c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 14 deletions


@ -523,6 +523,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return
}
// targerUser is set to bindDN at this point in time.
// targetGroups is set to the groups at this point in time.
} else {
if cred.IsServiceAccount() || cred.IsTemp() {
if cred.ParentUser == "" {
@ -534,8 +535,11 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
targetUser = cred.ParentUser
}
}
// targetGroups not yet set, so set this to cred.Groups
if len(targetGroups) == 0 {
targetGroups = cred.Groups
}
}
var sp *iampolicy.Policy
if len(createReq.Policy) > 0 {
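Review bot: The groups copied by `targetGroups = cred.Groups` are a snapshot of the requesting credential's membership, so a service account created from a temporary or service-account credential records whatever groups that credential carried rather than the parent's current membership; whether anything later re-resolves them is not visible here. If that snapshot is intended, say so where the assignment is made, e.g. `// Snapshot of the requester's groups at creation time; later group changes for the parent are not reflected unless refreshed elsewhere — confirm.` The assignment also aliases the caller's slice instead of copying it, which matters only if either side is mutated afterwards; a copy into a fresh slice would remove the doubt. AddServiceAccount begins before and continues past these hunks.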


@ -1502,21 +1502,23 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
if ok && cred.IsValid() {
if cred.IsServiceAccount() || cred.IsTemp() {
// temporary credentials or service accounts
// must have their parent in UsersMap
if cred.ParentUser == globalActiveCred.AccessKey {
// parent exists, so allow temporary and service accounts.
ok = true
} else {
_, ok = sys.iamUserPolicyMap[cred.ParentUser]
policies, err := sys.policyDBGet(cred.ParentUser, false)
if err != nil {
// Reject if the policy map for user doesn't exist anymore.
logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
return auth.Credentials{}, false
}
for _, group := range cred.Groups {
ps, err := sys.policyDBGet(group, true)
if err != nil {
// Reject if the policy map for group doesn't exist anymore.
logger.LogIf(context.Background(), fmt.Errorf("'%s' group does not have a policy present", group))
return auth.Credentials{}, false
}
policies = append(policies, ps...)
}
ok = len(policies) > 0
}
// for LDAP service accounts with ParentUser set
// we have no way to validate, either because user
// doesn't need an explicit policy as it can come
// automatically from a group. We are safe to ignore
// this and continue as policies would fail eventually
// the policies are missing or not configured.
}
return cred, ok && cred.IsValid()
}
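Review bot: Replacing the `iamUserPolicyMap` lookup with policy queries drops the proof that the parent still exists: `ok = len(policies) > 0` is satisfied by group policies alone, so a service account whose parent was removed but whose stored `cred.Groups` still map to policies keeps validating, unless `policyDBGet(cred.ParentUser, false)` itself fails for a deleted user, which is not visible here. An explicit existence check on the parent (a lookup in whichever users map holds LDAP parents) before the policy query would close that gap and keep the fail-closed behaviour the old line had. Separately, the comment block ending `the policies are missing or not configured` says the code continues when policies are missing, but the loop and `ok = len(policies) > 0` reject exactly that case; if the comment is on the new side it should read `// LDAP parents may carry no explicit user policy; accept the credential only if the user or one of its groups resolves to at least one policy.` Note too that a single group with no policy mapping rejects the whole credential even when the parent has a direct policy — confirm that is the intended fail-closed outcome rather than an accidental lockout.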