diff --git a/cmd/iam.go b/cmd/iam.go
index 17eb03b64..e88020b54 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -315,6 +315,24 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 break
 }
+ cache := sys.store.lock()
+ setDefaultCannedPolicies(cache.iamPolicyDocsMap)
+ sys.store.unlock()
+
+ // Load RoleARNs
+ sys.rolesMap = make(map[arn.ARN]string)
+
+ // From OpenID
+ if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
+ sys.validateAndAddRolePolicyMappings(ctx, riMap)
+ }
+
+ // From AuthN plugin if enabled.
+ if authn := newGlobalAuthNPluginFn(); authn != nil {
+ riMap := authn.GetRoleInfo()
+ sys.validateAndAddRolePolicyMappings(ctx, riMap)
+ }
+
 // Load IAM data from storage.
 for {
 if err := sys.Load(retryCtx, true); err != nil {
@@ -334,20 +352,6 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 go sys.periodicRoutines(ctx, refreshInterval)
- // Load RoleARNs
- sys.rolesMap = make(map[arn.ARN]string)
-
- // From OpenID
- if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
- sys.validateAndAddRolePolicyMappings(ctx, riMap)
- }
-
- // From AuthN plugin if enabled.
- if authn := newGlobalAuthNPluginFn(); authn != nil {
- riMap := authn.GetRoleInfo()
- sys.validateAndAddRolePolicyMappings(ctx, riMap)
- }
-
 sys.printIAMRoles()
 bootstrapTraceMsg("finishing IAM loading")
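Review bot: The role-to-policy mappings are now validated before the `sys.Load(retryCtx, true)` loop has populated the store, so at the point `validateAndAddRolePolicyMappings` runs the only policies present in the cache are the canned defaults installed by `setDefaultCannedPolicies` a few lines above; if that helper checks the mapped policy names against the store (its body is not in this hunk), a role ARN that maps to a user-defined policy would be treated as missing at startup. If the early placement is deliberate, a comment such as `// Role mappings are registered before Load; only canned policies are resolvable here.` would make the ordering constraint explicit for the next person who moves it. The `sys.store.lock()` / `sys.store.unlock()` pair around `setDefaultCannedPolicies` is not defer-protected, so a panic inside it would leave the store lock held; `defer sys.store.unlock()` is not possible here because the function continues, but wrapping the three lines in a small helper with a deferred unlock would be the usual shape. The second hunk only moves this block, and `Init` begins and ends outside both hunks.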
@@ -2214,22 +2218,16 @@ func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool {
 // 2. Combine the mapped policies into a single combined policy.
 var combinedPolicy policy.Policy
+ // Policies were found, evaluate all of them.
 if !isOwnerDerived {
- var err error
- combinedPolicy, err = sys.store.GetPolicy(strings.Join(policies, ","))
- if errors.Is(err, errNoSuchPolicy) {
- for _, pname := range policies {
- _, err := sys.store.GetPolicy(pname)
- if errors.Is(err, errNoSuchPolicy) {
- // all policies presented in the claim should exist
- iamLogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing from the JWT claim %s, rejecting the request", pname, iamPolicyClaimNameOpenID()))
- return false
- }
- }
- iamLogIf(GlobalContext, fmt.Errorf("all policies were unexpectedly present!"))
+ availablePoliciesStr, c := sys.store.MergePolicies(strings.Join(policies, ","))
+ if availablePoliciesStr == "" {
+ // all policies presented in the claim should exist
+ iamLogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing from the JWT claim %s, rejecting the request", policies, iamPolicyClaimNameOpenID()))
+ return false
 }
-
+ combinedPolicy = c
 }
 // 3. If an inline session-policy is present, evaluate it.
diff --git a/internal/config/etcd/etcd.go b/internal/config/etcd/etcd.go
index 9bd51f912..d62d2be7e 100644
--- a/internal/config/etcd/etcd.go
+++ b/internal/config/etcd/etcd.go
@@ -24,6 +24,7 @@ import (
 "time"
 "github.com/minio/minio/internal/config"
+ "github.com/minio/minio/internal/fips"
 "github.com/minio/pkg/v3/env"
 xnet "github.com/minio/pkg/v3/net"
 clientv3 "go.etcd.io/etcd/client/v3"
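Review bot: The new check `if availablePoliciesStr == ""` rejects the request only when none of the claimed policies resolve, whereas the code it replaces returned false as soon as any single name in the claim was missing, so the retained comment `// all policies presented in the claim should exist` no longer describes what is enforced. If `MergePolicies` (not visible in this hunk) drops unknown names and merges the rest, a token whose claim names one nonexistent policy alongside valid ones is now authorized with the subset instead of being refused, which is a loosening of the STS authorization decision and should either be stated as intended in the comment or closed; assuming it returns the comma-joined names it did resolve, `if availablePoliciesStr != strings.Join(policies, ",") {` would restore the all-or-nothing rule. The log message now formats the whole `policies` slice with `%s` where the old one named the specific missing policy, so the operator can no longer tell which entry failed. `IsAllowedSTS` starts and ends outside this hunk.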
@@ -159,7 +160,13 @@ func LookupConfig(kvs config.KVS, rootCAs *x509.CertPool) (Config, error) {
 cfg.PathPrefix = env.Get(EnvEtcdPathPrefix, kvs.Get(PathPrefix))
 if etcdSecure {
 cfg.TLS = &tls.Config{
- RootCAs: rootCAs,
+ RootCAs: rootCAs,
+ PreferServerCipherSuites: true,
+ MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"http/1.1", "h2"},
+ ClientSessionCache: tls.NewLRUClientSessionCache(64),
+ CipherSuites: fips.TLSCiphersBackwardCompatible(),
+ CurvePreferences: fips.TLSCurveIDs(),
 }
 // This is only to support client side certificate authentication
 // https://coreos.com/etcd/docs/latest/op-guide/security.html
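Review bot: `PreferServerCipherSuites: true` is dead configuration here: the field has been deprecated and ignored by crypto/tls since Go 1.17, and it only ever applied to server-side configs while this `tls.Config` is the etcd client's, so the line should be dropped to avoid implying a hardening that does not take effect. Listing `"http/1.1"` ahead of `"h2"` in `NextProtos` declares an HTTP/1.1 preference for a client that, as far as I can tell, talks gRPC over HTTP/2 to etcd; Go servers choose by their own order so it is likely harmless against etcd itself, but it is worth confirming that clientv3 or its gRPC credentials override the list before relying on it through any intermediary that honors client preference. The rest of the additions (`MinVersion: tls.VersionTLS12` and the `fips` cipher and curve lists) are the right direction. `LookupConfig` starts and ends outside this hunk.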