make sure to pass groups for all credentials while verifying policies (#14193)

fixes #14180
Harshavardhana
2022-01-26 21:53:36 -08:00
committed by GitHub
parent a66071099c
commit d6dd17a483
4 changed files with 14 additions and 9 deletions


@@ -674,7 +674,7 @@ func metricsHandler() http.Handler {
// AuthMiddleware checks if the bearer token is valid and authorized.
func AuthMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
claims, owner, authErr := webRequestAuthenticate(r)
claims, groups, owner, authErr := webRequestAuthenticate(r)
if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
w.WriteHeader(http.StatusForbidden)
return
@@ -682,6 +682,7 @@ func AuthMiddleware(h http.Handler) http.Handler {
// For authenticated users apply IAM policy.
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: claims.AccessKey,
Groups: groups,
Action: iampolicy.PrometheusAdminAction,
ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
IsOwner: owner,
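Review bot: The added `Groups: groups` in the `IsAllowed` arguments has nothing guarding it against regressing, and the surrounding code gives no hint why the field matters. `iampolicy.Args` evidently accepts a missing `Groups` without complaint (the old code compiled and ran), so a call site that omits it presumably evaluates only the policies attached directly to the access key; that is not only a false deny, since a Deny statement attached to a group would also go unevaluated. I would add a comment above the field, `// Groups must always be passed; without it group-attached policies are not evaluated for this request.`, and a test that a group-only policy grants and a group-level Deny blocks the Prometheus endpoint. Whether the `groups` returned by `webRequestAuthenticate` reflects current membership or what was recorded when the token was issued is not visible here and is worth confirming. The `IsAllowed` call and the handler body continue past the end of this hunk.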