sr: use service account cred for claims check (#19209)

PR #19111 overlaid the service account secret with the site replicator secret
during the token claims check.

Fixes : #19206
Poorna
2024-03-06 16:19:24 -08:00
committed by GitHub
parent e91a4a414c
commit 837a2a3d4b
2 changed files with 22 additions and 7 deletions


@@ -300,19 +300,21 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
}
secret := globalActiveCred.SecretKey
var err error
if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
if cred.ParentUser != globalActiveCred.AccessKey {
secret, err = getTokenSigningKey()
if err != nil {
return nil, toAPIErrorCode(r.Context(), err)
}
}
}
if cred.IsServiceAccount() {
token = cred.SessionToken
secret = cred.SecretKey
}
if token != "" {
var err error
if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
secret, err = getTokenSigningKey()
if err != nil {
return nil, toAPIErrorCode(r.Context(), err)
}
}
claims, err := getClaimsFromTokenWithSecret(token, secret)
if err != nil {
return nil, toAPIErrorCode(r.Context(), err)