mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
fix: svc accounts cannot have same name as parent/targetUser (#13082)
Currently in master this can cause existing parent users to stop working and lead to credentials getting overwritten. ``` ~ mc admin user add alias/ minio123 minio123456 ``` ``` ~ mc admin user svcacct add alias/ minio123 \ --access-key minio123 --secret-key minio123456 ``` This PR rejects all such scenarios.
This commit is contained in:
parent
ed16ce9b73
commit
ae8f7f11d5
30
cmd/iam.go
30
cmd/iam.go
@ -1177,6 +1177,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
|
|||||||
return auth.Credentials{}, errServerNotInitialized
|
return auth.Credentials{}, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if parentUser == "" {
|
||||||
|
return auth.Credentials{}, errInvalidArgument
|
||||||
|
}
|
||||||
|
|
||||||
var policyBuf []byte
|
var policyBuf []byte
|
||||||
if opts.sessionPolicy != nil {
|
if opts.sessionPolicy != nil {
|
||||||
err := opts.sessionPolicy.Validate()
|
err := opts.sessionPolicy.Validate()
|
||||||
@ -1192,9 +1196,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// found newly requested service account, to be same as
|
||||||
|
// parentUser, reject such operations.
|
||||||
|
if parentUser == opts.accessKey {
|
||||||
|
return auth.Credentials{}, errIAMActionNotAllowed
|
||||||
|
}
|
||||||
|
|
||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
|
// Handle validation of incoming service accounts.
|
||||||
|
{
|
||||||
|
cr, found := sys.iamUsersMap[opts.accessKey]
|
||||||
|
// found newly requested service account, to be an existing
|
||||||
|
// user, reject such operations.
|
||||||
|
if found && !cr.IsTemp() && !cr.IsServiceAccount() {
|
||||||
|
return auth.Credentials{}, errIAMActionNotAllowed
|
||||||
|
}
|
||||||
|
// found newly requested service account, to be an existing
|
||||||
|
// temporary user, reject such operations.
|
||||||
|
if found && cr.IsTemp() {
|
||||||
|
return auth.Credentials{}, errIAMActionNotAllowed
|
||||||
|
}
|
||||||
|
// found newly requested service account, to be an existing
|
||||||
|
// service account for another parentUser, reject such operations.
|
||||||
|
if found && cr.IsServiceAccount() && cr.ParentUser != parentUser {
|
||||||
|
return auth.Credentials{}, errIAMActionNotAllowed
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
cr, found := sys.iamUsersMap[parentUser]
|
cr, found := sys.iamUsersMap[parentUser]
|
||||||
// Disallow service accounts to further create more service accounts.
|
// Disallow service accounts to further create more service accounts.
|
||||||
if found && cr.IsServiceAccount() {
|
if found && cr.IsServiceAccount() {
|
||||||
|
@ -82,7 +82,7 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
|
|||||||
var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
|
var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
|
||||||
|
|
||||||
// error returned in IAM subsystem when an external users systems is configured.
|
// error returned in IAM subsystem when an external users systems is configured.
|
||||||
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed with LDAP configuration")
|
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
|
||||||
|
|
||||||
// error returned in IAM subsystem when IAM sub-system is still being initialized.
|
// error returned in IAM subsystem when IAM sub-system is still being initialized.
|
||||||
var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
|
var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
|
||||||
|
Loading…
Reference in New Issue
Block a user