MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-09 05:34:56 -05:00
Code Issues Packages Projects Releases Wiki Activity

decouple service accounts from root credentials (#14534)

Browse Source 
changing root credentials makes service accounts
in-operable, this PR changes the way sessionToken
is generated for service accounts.

It changes service account behavior to generate
sessionToken claims from its own secret instead
of using global root credential.

Existing credentials will be supported by
falling back to verify using root credential.

fixes #14530
This commit is contained in:
Harshavardhana
2022-03-14 09:09:22 -07:00
committed by GitHub
parent cf94d1f1f1
commit 9c846106fa
6 changed files with 123 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/metrics.go
View File

@@ -674,7 +674,7 @@ func metricsHandler() http.Handler {
// AuthMiddleware checks if the bearer token is valid and authorized.
func AuthMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
claims, groups, owner, authErr := webRequestAuthenticate(r)
claims, groups, owner, authErr := metricsRequestAuthenticate(r)
if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
w.WriteHeader(http.StatusForbidden)
return