fix: allow root credentials to generate STS, service accounts (#12210)

Harshavardhana 2021-05-04 11:58:19 -07:00 committed by GitHub
parent 804a23a06d
commit 67001e3ce9
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 24 deletions


@ -490,12 +490,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return return
} }
// Disallow creating service accounts by root user.
if createReq.TargetUser == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminAccountNotEligible), r.URL)
return
}
var ( var (
targetUser string targetUser string
targetGroups []string targetGroups []string
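Review bot: With the root-user guard removed, AddServiceAccount no longer rejects `createReq.TargetUser == globalActiveCred.AccessKey`, and nothing in the hunk records that root-parented service accounts are now deliberate. Since this commit elsewhere resolves the root user's policy to `consoleAdmin` (the policyDBGet hunk), a service account created for root without an explicit session policy presumably ends up with full admin rights, which is worth stating where the check used to be, e.g. `// Service accounts for the root user are intentionally allowed; confirm the policy they receive (root resolves to consoleAdmin) is the intended one.` The rest of AddServiceAccount, including how the new account's policy is derived, is outside the hunk.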


@ -880,7 +880,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
// This mapping is necessary to ensure that valid credentials // This mapping is necessary to ensure that valid credentials
// have necessary ParentUser present - this is mainly for only // have necessary ParentUser present - this is mainly for only
// webIdentity based STS tokens. // webIdentity based STS tokens.
if cred.IsTemp() && cred.ParentUser != "" { if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok { if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp, options{ttl: ttl}); err != nil { if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp, options{ttl: ttl}); err != nil {
sys.store.unlock() sys.store.unlock()
@ -1114,14 +1114,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
if parentUser == globalActiveCred.AccessKey {
return auth.Credentials{}, errIAMActionNotAllowed
}
cr, ok := sys.iamUsersMap[parentUser] cr, ok := sys.iamUsersMap[parentUser]
if !ok { if !ok {
// For LDAP users we would need this fallback // For LDAP/OpenID users we would need this fallback
if sys.usersSysType != MinIOUsersSysType { if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser {
_, ok = sys.iamUserPolicyMap[parentUser] _, ok = sys.iamUserPolicyMap[parentUser]
if !ok { if !ok {
var found bool var found bool
@ -1479,8 +1475,13 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
if cred.IsServiceAccount() || cred.IsTemp() { if cred.IsServiceAccount() || cred.IsTemp() {
// temporary credentials or service accounts // temporary credentials or service accounts
// must have their parent in UsersMap // must have their parent in UsersMap
if cred.ParentUser == globalActiveCred.AccessKey {
// parent exists, so allow temporary and service accounts.
ok = true
} else {
_, ok = sys.iamUserPolicyMap[cred.ParentUser] _, ok = sys.iamUserPolicyMap[cred.ParentUser]
} }
}
// for LDAP service accounts with ParentUser set // for LDAP service accounts with ParentUser set
// we have no way to validate, either because user // we have no way to validate, either because user
// doesn't need an explicit policy as it can come // doesn't need an explicit policy as it can come
@ -1865,13 +1866,17 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, er
var u auth.Credentials var u auth.Credentials
var ok bool var ok bool
if sys.usersSysType == MinIOUsersSysType { if sys.usersSysType == MinIOUsersSysType {
if name == globalActiveCred.AccessKey {
return []string{"consoleAdmin"}, nil
}
// When looking for a user's policies, we also check if the user // When looking for a user's policies, we also check if the user
// and the groups they are member of are enabled. // and the groups they are member of are enabled.
u, ok = sys.iamUsersMap[name] u, ok = sys.iamUsersMap[name]
if !ok { if !ok {
return nil, errNoSuchUser return nil, errNoSuchUser
} }
if !u.IsValid() { if !u.IsValid() {
return nil, nil return nil, nil
} }
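Review bot: In the NewServiceAccount hunk the new fallback condition compares `parentUser` against `globalActiveCred.ParentUser`, whereas every other root check this commit adds (SetTempUser, GetUser, policyDBGet) compares against `globalActiveCred.AccessKey`; this looks like a typo, since the root credential's ParentUser field is presumably empty, which would make the condition true for any non-empty parentUser and send a root parent through the LDAP/OpenID policy-map lookup it cannot satisfy. The line should read `if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.AccessKey {`. The remainder of NewServiceAccount, including the MinIO-users path taken when root is absent from iamUsersMap, is outside the hunk, so it is not visible whether that path handles a root parent either.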


@ -122,13 +122,14 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
if APIErrorCode(s3Err) != ErrNone { if APIErrorCode(s3Err) != ErrNone {
return user, false, STSErrorCode(s3Err) return user, false, STSErrorCode(s3Err)
} }
var owner bool
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS) user, _, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
if APIErrorCode(s3Err) != ErrNone { if APIErrorCode(s3Err) != ErrNone {
return user, false, STSErrorCode(s3Err) return user, false, STSErrorCode(s3Err)
} }
// Root credentials are not allowed to use STS API
if owner { // Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
} }
} }
@ -138,11 +139,6 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
return user, true, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
} }
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied
}
return user, true, ErrSTSNone return user, true, ErrSTSNone
} }
@ -157,6 +153,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil) writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return return
} }
if err := r.ParseForm(); err != nil { if err := r.ParseForm(); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
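Review bot: In checkAssumeRoleAuth the temporary/service-account rejection has moved from after the switch (the block removed in the second hunk) into the signed-auth branch, so it now depends on that branch being the only one that populates `user`; the rest of the switch lies outside the hunk, and if any other case yields a credential it would no longer be subject to this check. Keeping the check at its previous position, immediately before `return user, true, ErrSTSNone`, would make the restriction independent of how many branches produce a user, and a comment such as `// Root credentials may use STS; only derived (temporary or service-account) credentials are refused.` would record why the `owner` check was dropped. The final hunk (AssumeRole) appears to be formatting only.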