disallow sub-credentials based on root credentials to gain privileges (#12947)

This happens because of a change added where any sub-credential
with parentUser == rootCredential, i.e. (MINIO_ROOT_USER), will
always be an owner; you cannot generate credentials with a lower
session policy to restrict their access.

This doesn't affect user service accounts created with regular
users, LDAP or OpenID.
Harshavardhana
2021-08-12 18:07:08 -07:00
committed by GitHub
parent 89febdb3d6
commit 8f2a3efa85
10 changed files with 70 additions and 135 deletions


@@ -93,7 +93,7 @@ func calculateSeedSignature(r *http.Request) (cred auth.Credentials, signature s
return cred, "", "", time.Time{}, errCode
}
cred, _, errCode = checkKeyValid(signV4Values.Credential.accessKey)
cred, _, errCode = checkKeyValid(r, signV4Values.Credential.accessKey)
if errCode != ErrNone {
return cred, "", "", time.Time{}, errCode
}
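Review bot: the only change in this hunk is threading the request `r` into `checkKeyValid` at the call in `calculateSeedSignature`; the behaviour the commit message promises (a sub-credential whose parentUser is the root user no longer being treated as an owner) is not visible here and must live inside `checkKeyValid`, so please point the reviewer at that hunk and at a test that covers a service account with parentUser == MINIO_ROOT_USER carrying a restrictive session policy. Note also that the second return value of `checkKeyValid` is still discarded with `_` at this call site (`cred, _, errCode = checkKeyValid(r, signV4Values.Credential.accessKey)`); if that value is the owner determination the message describes, confirm that the seed-signature path genuinely does not need it, otherwise the check is bypassed for streaming-signature requests. Finally, `checkKeyValid` is called with a new signature, so every other caller of it in the codebase must have been updated in the same commit; a quick grep for the old arity is worth recording in the PR description.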