MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-19 18:17:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Do not allow adding root user to IAM subsystem (#16803)

Browse Source
This commit is contained in:
Harshavardhana 2023-03-13 12:46:17 -07:00 committed by GitHub
parent 628042e65e
commit c7f7e67a10
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/admin-handlers-users.go
View File

@ -431,7 +431,7 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
} }
// Not allowed to add a user with same access key as root credential // Not allowed to add a user with same access key as root credential
if owner && accessKey == cred.AccessKey { if accessKey == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL) writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
return return
} }
@ -2297,7 +2297,7 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
} }
for accessKey, ureq := range userAccts { for accessKey, ureq := range userAccts {
// Not allowed to add a user with same access key as root credential // Not allowed to add a user with same access key as root credential
if owner && accessKey == cred.AccessKey { if accessKey == globalActiveCred.AccessKey {
writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL) writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAddUserInvalidArgument, err, allUsersFile, accessKey), r.URL)
return return
} }

5
cmd/sts-handlers_test.go
View File

@ -627,6 +627,11 @@ func (s *TestSuiteIAM) TestSTSForRoot(c *check) {
if !gotBuckets.Equals(shouldHaveBuckets) { if !gotBuckets.Equals(shouldHaveBuckets) {
c.Fatalf("root user should have access to all buckets") c.Fatalf("root user should have access to all buckets")
} }
// This must fail.
if err := userAdmClient.AddUser(ctx, globalActiveCred.AccessKey, globalActiveCred.SecretKey); err == nil {
c.Fatal("AddUser() for root credential must fail via root STS creds")
}
} }
// SetUpLDAP - expects to setup an LDAP test server using the test LDAP // SetUpLDAP - expects to setup an LDAP test server using the test LDAP