MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-02-25 20:39:14 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: service accounts policy enforcement regression (#11910)

Browse Source 
service accounts were not inheriting parent policies
anymore due to refactors in the PolicyDBGet() from
the latest release, fix this behavior properly.
This commit is contained in:
Harshavardhana 2021-03-26 13:55:42 -07:00 committed by GitHub
parent 2c296652f7
commit df42b128db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
cmd/iam.go
View File

@ -1704,7 +1704,7 @@ func (sys *IAMSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]s
// information in IAM (i.e sys.iam*Map) - this info is stored only in the STS // information in IAM (i.e sys.iam*Map) - this info is stored only in the STS
// generated credentials. Thus we skip looking up group memberships, user map, // generated credentials. Thus we skip looking up group memberships, user map,
// and group map and check the appropriate policy maps directly. // and group map and check the appropriate policy maps directly.
func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) { func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, err error) {
if isGroup { if isGroup {
if sys.usersSysType == MinIOUsersSysType { if sys.usersSysType == MinIOUsersSysType {
g, ok := sys.iamGroupsMap[name] g, ok := sys.iamGroupsMap[name]
@ -1719,8 +1719,7 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
} }
} }
mp := sys.iamGroupPolicyMap[name] return sys.iamGroupPolicyMap[name].toSlice(), nil
return mp.toSlice(), nil
} }
var u auth.Credentials var u auth.Credentials
@ -1738,8 +1737,6 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
} }
} }
var policies []string
mp, ok := sys.iamUserPolicyMap[name] mp, ok := sys.iamUserPolicyMap[name]
if !ok { if !ok {
if u.ParentUser != "" { if u.ParentUser != "" {
@ -1757,8 +1754,7 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
continue continue
} }
p := sys.iamGroupPolicyMap[group] policies = append(policies, sys.iamGroupPolicyMap[group].toSlice()...)
policies = append(policies, p.toSlice()...)
} }
return policies, nil return policies, nil
@ -1788,8 +1784,9 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parent string) b
} }
// Check policy for this service account. // Check policy for this service account.
svcPolicies, err := sys.PolicyDBGet(args.AccountName, false) svcPolicies, err := sys.PolicyDBGet(parent, false, args.Groups...)
if err != nil { if err != nil {
logger.LogIf(GlobalContext, err)
return false return false
} }
@ -2072,7 +2069,7 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
} }
// Continue with the assumption of a regular user // Continue with the assumption of a regular user
policies, err := sys.PolicyDBGet(args.AccountName, false) policies, err := sys.PolicyDBGet(args.AccountName, false, args.Groups...)
if err != nil { if err != nil {
return false return false
} }