MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-09 21:49:46 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: accountInfo should use parentUser (#12652)

Browse Source 
parentUser is needed to make sure that
dynamic variables in policy work properly.

fixes #12651
This commit is contained in:
Harshavardhana
2021-07-08 12:43:25 -07:00
committed by GitHub
parent 95d29a6a53
commit 84a64a7e47
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cmd/admin-handlers-users.go
View File

@@ -984,15 +984,18 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
// Set delimiter value for "s3:delimiter" policy conditionals.
r.Header.Set("delimiter", SlashSeparator)
parentUser := cred.AccessKey
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
isAllowedAccess := func(bucketName string) (rd, wr bool) {
// Use the following trick to filter in place
// https://github.com/golang/go/wiki/SliceTricks#filter-in-place
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
AccountName: parentUser,
Groups: cred.Groups,
Action: iampolicy.ListBucketAction,
BucketName: bucketName,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
ConditionValues: getConditionValues(r, "", parentUser, claims),
IsOwner: owner,
ObjectName: "",
Claims: claims,
@@ -1001,11 +1004,11 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
}
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
AccountName: parentUser,
Groups: cred.Groups,
Action: iampolicy.PutObjectAction,
BucketName: bucketName,
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
ConditionValues: getConditionValues(r, "", parentUser, claims),
IsOwner: owner,
ObjectName: "",
Claims: claims,