From af1b6e3458bef4f869c61e95d47942a41aaa6405 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Thu, 6 May 2021 00:04:50 +0100
Subject: [PATCH] iam: Do not create service accounts for non existant IAM users (#12236)
When running MinIO server without LDAP/OpenID, we should error out when the code tries to create a service account for a non existant regular user.
Bonus: refactor the check code to be show all cases more clearly
Signed-off-by: Anis Elleuch
Co-authored-by: Anis Elleuch
---
 cmd/iam.go | 48 ++++++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 22 deletions(-)
diff --git a/cmd/iam.go b/cmd/iam.go
index 2bcd6e766..00f3c01e5 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1114,31 +1114,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 	sys.store.lock()
 	defer sys.store.unlock()
 
-	cr, ok := sys.iamUsersMap[parentUser]
-	if !ok {
-		// For LDAP/OpenID users we would need this fallback
-		if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser {
-			_, ok = sys.iamUserPolicyMap[parentUser]
-			if !ok {
-				var found bool
-				for _, group := range groups {
-					_, ok = sys.iamGroupPolicyMap[group]
-					if !ok {
-						continue
-					}
-					found = true
-					break
-				}
-				if !found {
-					return auth.Credentials{}, errNoSuchUser
+	cr, found := sys.iamUsersMap[parentUser]
+	switch {
+	// User found
+	case found:
+		// Disallow service accounts to further create more service accounts.
+		if cr.IsServiceAccount() {
+			return auth.Credentials{}, errIAMActionNotAllowed
+		}
+	// Allow creating service accounts for root user
+	case parentUser == globalActiveCred.AccessKey:
+	// For LDAP/OpenID users we would need this fallback
+	case sys.usersSysType != MinIOUsersSysType:
+		_, ok := sys.iamUserPolicyMap[parentUser]
+		if !ok {
+			var groupHasPolicy bool
+			for _, group := range groups {
+				_, ok = sys.iamGroupPolicyMap[group]
+				if !ok {
+					continue
 				}
+				groupHasPolicy = true
+				break
+			}
+			if !groupHasPolicy {
+				return auth.Credentials{}, errNoSuchUser
 			}
 		}
-	}
-
-	// Disallow service accounts to further create more service accounts.
-	if cr.IsServiceAccount() {
-		return auth.Credentials{}, errIAMActionNotAllowed
+	default:
+		return auth.Credentials{}, errNoSuchUser
 	}
 
 	m := make(map[string]interface{})
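Review bot: In the `case sys.usersSysType != MinIOUsersSysType:` branch, an unknown parentUser is accepted as soon as any name in the caller-supplied `groups` slice has an entry in `sys.iamGroupPolicyMap`, so the existence check is only as strong as the origin of `groups`; the hunk does not show where they come from, and this deserves a comment at the case, e.g. `// groups must be the authenticated parent's group claims, not request-supplied names — a policy on any of them counts as "user exists"`. In both the root case and the LDAP/OpenID case `cr` remains the zero `auth.Credentials{}`, so any later use of `cr` below the hunk must tolerate an empty parent credential; NewServiceAccount continues past the end of this hunk, so I cannot confirm that here. The empty `case parentUser == globalActiveCred.AccessKey:` body is correct Go but reads like an accidental omission; a one-line `// nothing further to verify for the root credential` would make the intent explicit.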