From 8d19efe7e0a187ac9a8c0994cd5fe6ed3f4a93ac Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Wed, 14 Jul 2021 00:08:22 -0700 Subject: [PATCH] feat: increase allowed maximum STS expiration timeout to 365 days (#12704) --- docs/sts/assume-role.md | 14 +++++++------- docs/sts/client-grants.md | 14 +++++++------- docs/sts/ldap.md | 4 +++- docs/sts/web-identity.md | 14 +++++++------- internal/config/identity/openid/jwt.go | 4 ++-- internal/config/identity/openid/jwt_test.go | 2 +- 6 files changed, 27 insertions(+), 25 deletions(-) diff --git a/docs/sts/assume-role.md b/docs/sts/assume-role.md index 4c660458d..f069abce7 100644 --- a/docs/sts/assume-role.md +++ b/docs/sts/assume-role.md @@ -7,7 +7,7 @@ Returns a set of temporary security credentials that you can use to access MinIO - To be able to reliably use S3 multipart APIs feature of the SDKs without re-inventing the wheel of pre-signing the each URL in multipart API. This is very tedious to implement with all the scenarios of fault tolerance that's already implemented by the client SDK. The general client SDKs don't support multipart with presigned URLs. - To be able to easily get the temporary credentials to upload to a prefix. Make it possible for a client to upload a whole folder using the session. The server side applications need not create a presigned URL and serve to the client for each file. Since, the client would have the session it can do it by itself. -The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations. The policy applied to these temporary credentials is inherited from the MinIO user credentials. By default, the temporary security credentials created by AssumeRole last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 7 days. +The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations. The policy applied to these temporary credentials is inherited from the MinIO user credentials. By default, the temporary security credentials created by AssumeRole last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 365 days. ## API Request Parameters ### Version @@ -22,13 +22,13 @@ Indicates STS API version information, the only supported value is '2011-06-15'. Indicates STS API Authorization information. If you are familiar with AWS Signature V4 Authorization header, this STS API supports signature V4 authorization as mentioned [here](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) ### DurationSeconds -The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 7 days. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds. +The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 365 days. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds. -| Params | Value | -| :-- | :-- | -| *Type* | *Integer* | -| *Valid Range* | *Minimum value of 900. Maximum value of 604800.* | -| *Required* | *No* | +| Params | Value | +| :-- | :-- | +| *Type* | *Integer* | +| *Valid Range* | *Minimum value of 900. Maximum value of 31536000.* | +| *Required* | *No* | ### Policy An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed. diff --git a/docs/sts/client-grants.md b/docs/sts/client-grants.md index 8bb9fc161..34bb3fe58 100644 --- a/docs/sts/client-grants.md +++ b/docs/sts/client-grants.md @@ -6,7 +6,7 @@ Returns a set of temporary security credentials for applications/clients who hav Calling AssumeRoleWithClientGrants does not require the use of MinIO default credentials. Therefore, client application can be distributed that requests temporary security credentials without including MinIO default credentials. Instead, the identity of the caller is validated by using a JWT access token from the identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations. -By default, the temporary security credentials created by AssumeRoleWithClientGrants last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 7 days. +By default, the temporary security credentials created by AssumeRoleWithClientGrants last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 365 days. ## API Request Parameters ### Token @@ -27,13 +27,13 @@ Indicates STS API version information, the only supported value is '2011-06-15'. | *Required* | *Yes* | ### DurationSeconds -The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 7 days. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds. If no *DurationSeconds* is specified expiry seconds is obtained from *Token*. +The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 365 days. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds. If no *DurationSeconds* is specified expiry seconds is obtained from *Token*. -| Params | Value | -| :-- | :-- | -| *Type* | *Integer* | -| *Valid Range* | *Minimum value of 900. Maximum value of 604800.* | -| *Required* | *No* | +| Params | Value | +| :-- | :-- | +| *Type* | *Integer* | +| *Valid Range* | *Minimum value of 900. Maximum value of 31536000.* | +| *Required* | *No* | ### Policy An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed. diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md index bccef195a..053b3fdbf 100644 --- a/docs/sts/ldap.md +++ b/docs/sts/ldap.md @@ -95,10 +95,12 @@ export MINIO_IDENTITY_LDAP_SERVER_ADDR=myldapserver.com:636 export MINIO_IDENTITY_LDAP_USERNAME_FORMAT="uid=%s,cn=accounts,dc=myldapserver,dc=com" export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="dc=myldapserver,dc=com" export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectclass=groupOfNames)(memberUid=%s)$)" -export MINIO_IDENTITY_LDAP_STS_EXPIRY=60h +export MINIO_IDENTITY_LDAP_STS_EXPIRY=720h export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on ``` +> NOTE: In this example STS_EXPIRY is set to 1month, maximum expiry that can be set is 365 days. + ### Variable substitution in AD/LDAP configuration strings ### In the configuration variables, `%s` is substituted with the *username* from the STS request and `%d` is substituted with the *distinguished username (user DN)* of the LDAP user. Please see the following table for which configuration variables support these substitution variables: diff --git a/docs/sts/web-identity.md b/docs/sts/web-identity.md index a9ffddf32..95eeda853 100644 --- a/docs/sts/web-identity.md +++ b/docs/sts/web-identity.md @@ -4,7 +4,7 @@ Calling AssumeRoleWithWebIdentity does not require the use of MinIO default credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including MinIO default credentials in the application. Instead, the identity of the caller is validated by using a JWT access token from the web identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations. -By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 7 days. +By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 365 days. ## API Request Parameters ### WebIdentityToken @@ -25,13 +25,13 @@ Indicates STS API version information, the only supported value is '2011-06-15'. | *Required* | *Yes* | ### DurationSeconds -The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 7 days. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds. If no *DurationSeconds* is specified expiry seconds is obtained from *WebIdentityToken*. +The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 365 days. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds. If no *DurationSeconds* is specified expiry seconds is obtained from *WebIdentityToken*. -| Params | Value | -| :-- | :-- | -| *Type* | *Integer* | -| *Valid Range* | *Minimum value of 900. Maximum value of 604800.* | -| *Required* | *No* | +| Params | Value | +| :-- | :-- | +| *Type* | *Integer* | +| *Valid Range* | *Minimum value of 900. Maximum value of 31536000.* | +| *Required* | *No* | ### Policy An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed. diff --git a/internal/config/identity/openid/jwt.go b/internal/config/identity/openid/jwt.go index 4adfba061..f3533a035 100644 --- a/internal/config/identity/openid/jwt.go +++ b/internal/config/identity/openid/jwt.go @@ -197,8 +197,8 @@ func GetDefaultExpiration(dsecs string) (time.Duration, error) { // The duration, in seconds, of the role session. // The value can range from 900 seconds (15 minutes) - // up to 7 days. - if expirySecs < 900 || expirySecs > 604800 { + // up to 365 days. + if expirySecs < 900 || expirySecs > 31536000 { return 0, auth.ErrInvalidDuration } diff --git a/internal/config/identity/openid/jwt_test.go b/internal/config/identity/openid/jwt_test.go index d6131e38d..e5d5c7d72 100644 --- a/internal/config/identity/openid/jwt_test.go +++ b/internal/config/identity/openid/jwt_test.go @@ -172,7 +172,7 @@ func TestDefaultExpiryDuration(t *testing.T) { expectErr: true, }, { - reqURL: "http://localhost:8443/?DurationSeconds=604801", + reqURL: "http://localhost:8443/?DurationSeconds=31536001", expectErr: true, }, {