sr: use site replicator creds to verify temp user claims (#19224)

This PR continues #19209, which did not handle claims verification for
temporary users created by root in a site replication scenario.

Fixes: #19217
Poorna 2024-03-07 14:30:00 -08:00 committed by GitHub
parent 233cc3905a
commit 934f6cabf6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -298,15 +298,15 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
if cred.IsTemp() && cred.IsExpired() {
return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
}
secret := globalActiveCred.SecretKey
var err error
if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
if cred.ParentUser != globalActiveCred.AccessKey {
secret, err = getTokenSigningKey()
nsecret, err := getTokenSigningKey()
if err != nil {
return nil, toAPIErrorCode(r.Context(), err)
}
// sign root's temporary accounts also with site replicator creds
if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp() {
secret = nsecret
}
}
if cred.IsServiceAccount() {
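Review bot: `getTokenSigningKey()` is now called, and its error returned to the client, for every credential other than `siteReplicatorSvcAcc` once site replication is enabled, including root's own static key, for which `secret` stays `globalActiveCred.SecretKey` and `nsecret` is never used. A failed lookup would therefore reject requests that do not depend on the signing key at all, which looks like an avoidable way to lock root out while replication state is unhealthy; moving the call and its `if err != nil` check inside `if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp() {` keeps the failure scoped to the tokens that need it. The comment on that branch says "sign", but this path verifies claims, so `// verify root's temporary accounts with the site replicator key as well` would read more accurately. Session tokens that root's temporary users obtained before this change were presumably signed with the root secret and would stop validating with no fallback, which is worth confirming and calling out for operators. checkClaimsFromToken starts before and continues past this hunk.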