Allow STS credentials to create users (#13874)
- allow any regular user to change their own password
- allow STS credentials to create users if permissions allow
Bonus: do not allow changes to STS/service account credentials (via the add user API)
This commit is contained in:
parent
3b79f7e4ae
commit
b9f0046ee7
@ -382,6 +382,14 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
userCred, exists := globalIAMSys.GetUser(ctx, accessKey)
|
||||||
|
if exists && (userCred.IsTemp() || userCred.IsServiceAccount()) {
|
||||||
|
// Updating STS credential is not allowed, and this API does not
|
||||||
|
// support updating service accounts.
|
||||||
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
|
if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
|
||||||
// Incoming access key matches parent user then we should
|
// Incoming access key matches parent user then we should
|
||||||
// reject password change requests.
|
// reject password change requests.
|
||||||
@ -389,39 +397,21 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
implicitPerm := accessKey == cred.AccessKey
|
checkDenyOnly := false
|
||||||
if !implicitPerm {
|
if accessKey == cred.AccessKey {
|
||||||
parentUser := cred.ParentUser
|
// Check that there is no explicit deny - otherwise it's allowed
|
||||||
if parentUser == "" {
|
// to change one's own password.
|
||||||
parentUser = cred.AccessKey
|
checkDenyOnly = true
|
||||||
}
|
|
||||||
// For temporary credentials always
|
|
||||||
// the temporary credentials to check
|
|
||||||
// policy without implicit permissions.
|
|
||||||
if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
|
|
||||||
parentUser = cred.AccessKey
|
|
||||||
}
|
|
||||||
if !globalIAMSys.IsAllowed(iampolicy.Args{
|
|
||||||
AccountName: parentUser,
|
|
||||||
Groups: cred.Groups,
|
|
||||||
Action: iampolicy.CreateUserAdminAction,
|
|
||||||
ConditionValues: getConditionValues(r, "", parentUser, claims),
|
|
||||||
IsOwner: owner,
|
|
||||||
Claims: claims,
|
|
||||||
}) {
|
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if implicitPerm && !globalIAMSys.IsAllowed(iampolicy.Args{
|
if !globalIAMSys.IsAllowed(iampolicy.Args{
|
||||||
AccountName: accessKey,
|
AccountName: cred.AccessKey,
|
||||||
Groups: cred.Groups,
|
Groups: cred.Groups,
|
||||||
Action: iampolicy.CreateUserAdminAction,
|
Action: iampolicy.CreateUserAdminAction,
|
||||||
ConditionValues: getConditionValues(r, "", accessKey, claims),
|
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
|
||||||
IsOwner: owner,
|
IsOwner: owner,
|
||||||
Claims: claims,
|
Claims: claims,
|
||||||
DenyOnly: true, // check if changing password is explicitly denied.
|
DenyOnly: checkDenyOnly,
|
||||||
}) {
|
}) {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
||||||
return
|
return
|
||||||
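Review bot: The new existence check `userCred, exists := globalIAMSys.GetUser(ctx, accessKey)` and its ErrAddUserInvalidArgument response run before the CreateUserAdminAction policy evaluation at the end of the second hunk, so a caller without that permission still receives a distinguishable error (invalid-argument rather than access-denied) for any access key that is an existing STS or service-account credential. That makes the endpoint an existence oracle for those credentials; moving the `exists && (userCred.IsTemp() || userCred.IsServiceAccount())` block below the `IsAllowed` check, or answering it with ErrAccessDenied, closes the gap without changing the result for authorized callers. The rewritten policy check also always evaluates `AccountName: cred.AccessKey`, where the removed code looked up the parent user for STS credentials; whether IsAllowed resolves an STS access key to its parent's policies is not visible here and is worth pinning with a test for an STS credential that lacks CreateUserAdminAction. AddUser begins before the first hunk and continues past the second.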
|