MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

iam: Do not create service accounts for non existant IAM users (#12236) 

When running MinIO server without LDAP/OpenID, we should error out when
the code tries to create a service account for a non existant regular
user.

Bonus: refactor the check code to be show all cases more clearly

Signed-off-by: Anis Elleuch <anis@min.io>

Co-authored-by: Anis Elleuch <anis@min.io>
This commit is contained in:
Anis Elleuch 2021-05-06 00:04:50 +01:00 committed by GitHub
parent 0eeb0a4e04
commit af1b6e3458
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
cmd/iam.go
View File

@ -1114,31 +1114,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
sys.store.lock()
defer sys.store.unlock()
cr, ok := sys.iamUsersMap[parentUser]
if !ok {
// For LDAP/OpenID users we would need this fallback
if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser {
_, ok = sys.iamUserPolicyMap[parentUser]
if !ok {
var found bool
for _, group := range groups {
_, ok = sys.iamGroupPolicyMap[group]
if !ok {
continue
}
found = true
break
}
if !found {
return auth.Credentials{}, errNoSuchUser
cr, found := sys.iamUsersMap[parentUser]
switch {
// User found
case found:
// Disallow service accounts to further create more service accounts.
if cr.IsServiceAccount() {
return auth.Credentials{}, errIAMActionNotAllowed
}
// Allow creating service accounts for root user
case parentUser == globalActiveCred.AccessKey:
// For LDAP/OpenID users we would need this fallback
case sys.usersSysType != MinIOUsersSysType:
_, ok := sys.iamUserPolicyMap[parentUser]
if !ok {
var groupHasPolicy bool
for _, group := range groups {
_, ok = sys.iamGroupPolicyMap[group]
if !ok {
continue
}
groupHasPolicy = true
break
}
if !groupHasPolicy {
return auth.Credentials{}, errNoSuchUser
}
}
}
// Disallow service accounts to further create more service accounts.
if cr.IsServiceAccount() {
return auth.Credentials{}, errIAMActionNotAllowed
default:
return auth.Credentials{}, errNoSuchUser
}
m := make(map[string]interface{})