MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-03-29 08:43:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

iam: Do not create service accounts for non existant IAM users (#12236)

Browse Source 
When running MinIO server without LDAP/OpenID, we should error out when
the code tries to create a service account for a non existant regular
user.

Bonus: refactor the check code to be show all cases more clearly

Signed-off-by: Anis Elleuch <anis@min.io>

Co-authored-by: Anis Elleuch <anis@min.io>
This commit is contained in:
Anis Elleuch 2021-05-06 00:04:50 +01:00 committed by GitHub
parent 0eeb0a4e04
commit af1b6e3458
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
cmd/iam.go
View File

@ -1114,31 +1114,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
cr, ok := sys.iamUsersMap[parentUser] cr, found := sys.iamUsersMap[parentUser]
if !ok { switch {
// For LDAP/OpenID users we would need this fallback // User found
if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser { case found:
_, ok = sys.iamUserPolicyMap[parentUser] // Disallow service accounts to further create more service accounts.
if !ok { if cr.IsServiceAccount() {
var found bool return auth.Credentials{}, errIAMActionNotAllowed
for _, group := range groups { }
_, ok = sys.iamGroupPolicyMap[group] // Allow creating service accounts for root user
if !ok { case parentUser == globalActiveCred.AccessKey:
continue // For LDAP/OpenID users we would need this fallback
} case sys.usersSysType != MinIOUsersSysType:
found = true _, ok := sys.iamUserPolicyMap[parentUser]
break if !ok {
} var groupHasPolicy bool
if !found { for _, group := range groups {
return auth.Credentials{}, errNoSuchUser _, ok = sys.iamGroupPolicyMap[group]
if !ok {
continue
} }
groupHasPolicy = true
break
}
if !groupHasPolicy {
return auth.Credentials{}, errNoSuchUser
} }
} }
} default:
return auth.Credentials{}, errNoSuchUser
// Disallow service accounts to further create more service accounts.
if cr.IsServiceAccount() {
return auth.Credentials{}, errIAMActionNotAllowed
} }
m := make(map[string]interface{}) m := make(map[string]interface{})