sr: use service account cred for claims check (#19209)

PR #19111 overlaid service account secret with site replicator secret during token claims check. Fixes : #19206
2025-01-11 15:03:22 -05:00 · 2024-03-06 16:19:24 -08:00 · 2024-03-06 16:19:24 -08:00 · 837a2a3d4b
commit 837a2a3d4b
parent e91a4a414c
2 changed files with 22 additions and 7 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@ -300,19 +300,21 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
 	}

 	secret := globalActiveCred.SecretKey
+	var err error
+	if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
+		if cred.ParentUser != globalActiveCred.AccessKey {
+			secret, err = getTokenSigningKey()
+			if err != nil {
+				return nil, toAPIErrorCode(r.Context(), err)
+			}
+		}
+	}
 	if cred.IsServiceAccount() {
 		token = cred.SessionToken
 		secret = cred.SecretKey
 	}

 	if token != "" {
-		var err error
-		if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
-			secret, err = getTokenSigningKey()
-			if err != nil {
-				return nil, toAPIErrorCode(r.Context(), err)
-			}
-		}
 		claims, err := getClaimsFromTokenWithSecret(token, secret)
 		if err != nil {
 			return nil, toAPIErrorCode(r.Context(), err)
--- a/docs/site-replication/run-multi-site-minio-idp.sh
+++ b/docs/site-replication/run-multi-site-minio-idp.sh
@ -164,8 +164,21 @@ if [ $? -ne 0 ]; then
 	exit_1
 fi

+./mc admin user svcacct add minio2 minio --access-key testsvc2 --secret-key testsvc123
+if [ $? -ne 0 ]; then
+	echo "adding root svc account testsvc2 failed, exiting.."
+	exit_1
+fi
+
 sleep 10

+export MC_HOST_rootsvc=http://testsvc2:testsvc123@localhost:9002
+./mc ls rootsvc
+if [ $? -ne 0 ]; then
+	echo "root service account not inherited root permissions, exiting.."
+	exit_1
+fi
+
 ./mc admin user svcacct info minio1 testsvc
 if [ $? -ne 0 ]; then
 	echo "svc account not mirrored, exiting.."