fix: allow root credentials to generate STS, service accounts (#12210)

This commit is contained in:
Harshavardhana
2021-05-04 11:58:19 -07:00
committed by GitHub
parent 804a23a06d
commit 67001e3ce9
3 changed files with 20 additions and 24 deletions


@@ -122,13 +122,14 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
if APIErrorCode(s3Err) != ErrNone {
return user, false, STSErrorCode(s3Err)
}
var owner bool
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
user, _, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
if APIErrorCode(s3Err) != ErrNone {
return user, false, STSErrorCode(s3Err)
}
// Root credentials are not allowed to use STS API
if owner {
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied
}
}
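Review bot: The new line `user, _, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)` discards the owner flag without recording that root credentials are now deliberately allowed to call AssumeRole, so a later reader may read the missing check as an omission and reinstate it. A comment above the call, e.g. `// owner is discarded on purpose: root credentials may assume roles; only temporary and service-account credentials are rejected below.`, would pin the intent next to the code. After this change checkAssumeRoleAuth has no way to signal to its callers that a temporary credential was derived from root, so if audit logging or the policy attached to the minted credentials is meant to distinguish that case, it presumably has to happen elsewhere — worth confirming. checkAssumeRoleAuth begins before this hunk and its body continues into the following one.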
@@ -138,11 +139,6 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
return user, true, ErrSTSAccessDenied
}
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied
}
return user, true, ErrSTSNone
}
@@ -157,6 +153,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return
}
if err := r.ParseForm(); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return