From 8adfeb0d8432819b8d89a403dff823b1c81f3874 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Tue, 23 Mar 2021 17:39:20 -0700
Subject: [PATCH] fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
---
 cmd/admin-handlers-users.go | 11 ++++++++++-
 cmd/auth-handler.go | 1 +
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 5ceaa49ff..a200e927a 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -19,6 +19,7 @@ package cmd
 import (
 "context"
 "encoding/json"
+ "errors"
 "io"
 "io/ioutil"
 "net/http"
@@ -742,7 +743,15 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 }
 accountName := cred.AccessKey
- policies, err := globalIAMSys.PolicyDBGet(accountName, false)
+ var policies []string
+ switch globalIAMSys.usersSysType {
+ case MinIOUsersSysType:
+ policies, err = globalIAMSys.PolicyDBGet(accountName, false)
+ case LDAPUsersSysType:
+ policies, err = globalIAMSys.PolicyDBGetLDAP(cred.ParentUser, cred.Groups...)
+ default:
+ err = errors.New("should not happen!")
+ }
 if err != nil {
 logger.LogIf(ctx, err)
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index cd68bd01f..52735286b 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -162,6 +162,7 @@ func checkAdminRequestAuth(ctx context.Context, r *http.Request, action iampolic
 }
 if globalIAMSys.IsAllowed(iampolicy.Args{
 AccountName: cred.AccessKey,
+ Groups: cred.Groups,
 Action: iampolicy.Action(action),
 ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
 IsOwner: owner,
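Review bot: The `default` branch in AccountInfoHandler returns `errors.New("should not happen!")`, which is logged and passed through `toAdminAPIErr` without saying which users-system type was hit. Something like `err = errors.New("account info: unsupported IAM users system type")` is more useful in logs and follows Go's error-string convention (lowercase, no punctuation). In the `LDAPUsersSysType` case the lookup is keyed on `cred.ParentUser`, and nothing visible in the hunk guarantees it is non-empty, for example for the owner credential if that can reach this handler in LDAP mode. A short comment stating that assumption, or an explicit empty check before calling `PolicyDBGetLDAP`, would make the intent clear. The handler's body starts and ends outside the hunk, so an earlier guard may already cover this.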
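Review bot: `Groups: cred.Groups` in checkAdminRequestAuth makes group membership an authorization input for every admin action, but the hunk does not show where `cred.Groups` is populated or how fresh it is. If the groups are copied into the credential when it is issued (presumably the case for LDAP STS credentials), a later removal from a group in the directory is not reflected until that credential expires; that is worth stating in a comment above the call, e.g. `// Groups are those recorded on the credential at issue time; they are not re-resolved per request.`, once confirmed. The commit also adds no test showing that an admin policy attached only through a group is now honoured and that a user outside the group is still denied. The function starts and ends outside the hunk.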