fix: svc accounts cannot have same name as parent/targetUser (#13082)
Currently in master this can cause existing parent users to stop working and lead to credentials getting overwritten. ``` ~ mc admin user add alias/ minio123 minio123456 ``` ``` ~ mc admin user svcacct add alias/ minio123 \ --access-key minio123 --secret-key minio123456 ``` This PR rejects all such scenarios.
This commit is contained in:
parent
ed16ce9b73
commit
ae8f7f11d5
30
cmd/iam.go
30
cmd/iam.go
@ -1177,6 +1177,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
|
||||
return auth.Credentials{}, errServerNotInitialized
|
||||
}
|
||||
|
||||
if parentUser == "" {
|
||||
return auth.Credentials{}, errInvalidArgument
|
||||
}
|
||||
|
||||
var policyBuf []byte
|
||||
if opts.sessionPolicy != nil {
|
||||
err := opts.sessionPolicy.Validate()
|
||||
@ -1192,9 +1196,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
|
||||
}
|
||||
}
|
||||
|
||||
// found newly requested service account, to be same as
|
||||
// parentUser, reject such operations.
|
||||
if parentUser == opts.accessKey {
|
||||
return auth.Credentials{}, errIAMActionNotAllowed
|
||||
}
|
||||
|
||||
sys.store.lock()
|
||||
defer sys.store.unlock()
|
||||
|
||||
// Handle validation of incoming service accounts.
|
||||
{
|
||||
cr, found := sys.iamUsersMap[opts.accessKey]
|
||||
// found newly requested service account, to be an existing
|
||||
// user, reject such operations.
|
||||
if found && !cr.IsTemp() && !cr.IsServiceAccount() {
|
||||
return auth.Credentials{}, errIAMActionNotAllowed
|
||||
}
|
||||
// found newly requested service account, to be an existing
|
||||
// temporary user, reject such operations.
|
||||
if found && cr.IsTemp() {
|
||||
return auth.Credentials{}, errIAMActionNotAllowed
|
||||
}
|
||||
// found newly requested service account, to be an existing
|
||||
// service account for another parentUser, reject such operations.
|
||||
if found && cr.IsServiceAccount() && cr.ParentUser != parentUser {
|
||||
return auth.Credentials{}, errIAMActionNotAllowed
|
||||
}
|
||||
}
|
||||
|
||||
cr, found := sys.iamUsersMap[parentUser]
|
||||
// Disallow service accounts to further create more service accounts.
|
||||
if found && cr.IsServiceAccount() {
|
||||
|
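Review bot: The third check in the validation block only rejects an access-key collision when the existing service account belongs to a different parent; when `cr.ParentUser == parentUser` the call falls through, and nothing visible in this hunk stops the later write from replacing that account's existing secret key and session policy, which is the overwrite the description sets out to prevent. If re-creating a same-parent service account is meant to act as an update, the comment above the check should say so explicitly; if not, dropping the parent comparison so the check reads `if found && cr.IsServiceAccount() {` closes the gap. The `parentUser == opts.accessKey` guard and the three `found && ...` checks could also be folded into one `if found { switch { ... } }` under the lock so the rejection rules sit together. The body of NewServiceAccount continues past the end of this hunk, so the write path itself is not shown here.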
@ -82,7 +82,7 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
|
||||
var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
|
||||
|
||||
// error returned in IAM subsystem when an external users systems is configured.
|
||||
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed with LDAP configuration")
|
||||
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
|
||||
|
||||
// error returned in IAM subsystem when IAM sub-system is still being initialized.
|
||||
var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
|
||||
|