mirror of
https://github.com/minio/minio.git
sr: use site replicator creds to verify temp user claims (#19224)
This PR continues #19209, which did not handle claims verification of temporary users created by root in a site replication scenario. Fixes: #19217
parent
233cc3905a
commit
934f6cabf6
@ -298,15 +298,15 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
|
|||||||
if cred.IsTemp() && cred.IsExpired() {
|
if cred.IsTemp() && cred.IsExpired() {
|
||||||
return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
|
return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
|
||||||
}
|
}
|
||||||
|
|
||||||
secret := globalActiveCred.SecretKey
|
secret := globalActiveCred.SecretKey
|
||||||
var err error
|
|
||||||
if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
|
if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
|
||||||
if cred.ParentUser != globalActiveCred.AccessKey {
|
nsecret, err := getTokenSigningKey()
|
||||||
secret, err = getTokenSigningKey()
|
if err != nil {
|
||||||
if err != nil {
|
return nil, toAPIErrorCode(r.Context(), err)
|
||||||
return nil, toAPIErrorCode(r.Context(), err)
|
}
|
||||||
}
|
// sign root's temporary accounts also with site replicator creds
|
||||||
|
if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp() {
|
||||||
|
secret = nsecret
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if cred.IsServiceAccount() {
|
if cred.IsServiceAccount() {
|
||||||
|
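Review bot: `getTokenSigningKey()` is now called for every credential that enters the site-replication branch, including root's non-temporary service accounts, whose result is then discarded. A failure there now returns an API error for requests that previously verified against `globalActiveCred.SecretKey` without needing the site replicator key. If that lookup can fail (its body is not in this hunk), consider moving the call and its `if err != nil` check inside the `if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp()` block, so the key is fetched only when it will be used. The new comment says "sign" although this path verifies claims; `// verify root's temporary accounts with the site replicator secret too; must match the key used when the token was issued` would be more accurate. `checkClaimsFromToken` starts before and continues past this hunk.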