c7f7e67a10
Do not allow adding root user to IAM subsystem ( #16803 )
2023-03-13 12:46:17 -07:00
b363400587
fix: username replacements for aws:username must use parentUser ( #16591 )
2023-02-10 06:52:31 -08:00
84fe4fd156
fix: multiObjectDelete by passing versionId for authorization ( #16562 )
2023-02-08 08:01:00 +05:30
0319ae756a
fix: pass proper username (simple) string as expected ( #16555 )
2023-02-07 03:43:08 -08:00
a30cfdd88f
Bump up madmin-go to v2 ( #16162 )
2022-12-06 13:46:50 -08:00
87cbd41265
feat: Allow at most one claim based OpenID IDP ( #16145 )
2022-11-29 15:40:49 -08:00
927a879052
authenticate the request first for headObject() ( #15820 )
2022-10-07 21:45:53 -07:00
f696a221af
allow tagging policy condition for GetObject ( #15777 )
2022-10-02 12:29:29 -07:00
e152b2a975
Pass groups claim into condition values ( #15679 )
...
This allows using `jwt:groups` as a multi-valued condition key in policies.
2022-09-13 09:45:36 -07:00
f1abb92f0c
feat: Single drive XL implementation ( #14970 )
...
Main motivation is move towards a common backend format
for all different types of modes in MinIO, allowing for
a simpler code and predictable behavior across all features.
This PR also brings features such as versioning, replication,
transitioning to single drive setups.
2022-05-30 10:58:37 -07:00
f28a8eca91
Add Access Management Plugin tests with OpenID ( #14919 )
2022-05-13 12:48:02 -07:00
4629abd5a2
Add tests for Access Management Plugin ( #14909 )
2022-05-12 15:24:19 -07:00
0e502899a8
Add support for multiple OpenID providers with role policies ( #14223 )
...
- When using multiple providers, claim-based providers are not allowed. All
providers must use role policies.
- Update markdown config to allow `details` HTML element
2022-04-28 18:27:09 -07:00
a5b3548ede
Bring back listing LDAP users temporarly ( #14760 )
...
In previous releases, mc admin user list would return the list of users
that have policies mapped in IAM database. However, this was removed but
this commit will bring it back until we revamp this.
2022-04-15 21:26:02 -07:00
66b14a0d32
Fix service account privilege escalation ( #14729 )
...
Ensure that a regular unprivileged user is unable to create service accounts for other users/root.
2022-04-11 15:30:28 -07:00
0a224654c2
fix: progagation of service accounts for site replication ( #14054 )
...
- Only non-root-owned service accounts are replicated for now.
- Add integration tests for OIDC with site replication
2022-01-07 17:41:43 -08:00
526e10a2e0
Fix regression in STS permissions via group in internal IDP ( #13955 )
...
- When using MinIO's internal IDP, STS credential permissions did not check the
groups of a user.
- Also fix bug in policy checking in AccountInfo call
2021-12-20 14:07:16 -08:00
1f4e0bd17c
fix: access for root user's STS credential ( #13947 )
...
add a test to cover this case
2021-12-19 23:05:20 -08:00
de400f3473
Allow setting non-existent policy on a user/group ( #13898 )
2021-12-13 15:55:52 -08:00
f2bd026d0e
Allow OIDC user to query user info if policies permit ( #13882 )
2021-12-10 15:03:39 -08:00
a02e17f15c
Add tests to ensure that OIDC user can create IAM users ( #13881 )
2021-12-10 13:04:21 -08:00
85d2df02b9
fix: user listing with LDAP ( #13872 )
...
Users listing was showing just a weird policy
mapping output which does not make sense here.
2021-12-09 15:55:28 -08:00
12b63061c2
Fix LDAP service account creation ( #13849 )
...
- when a user has only group permissions
- fixes regression from ac74237f0#13657 )
- fixes https://github.com/minio/console/issues/1291
2021-12-06 15:55:11 -08:00
4f35054d29
Ensure that role ARNs don't collide ( #13817 )
...
This is to prepare for multiple providers enhancement.
2021-12-03 13:15:56 -08:00
4c0f48c548
Add role ARN support for OIDC identity provider ( #13651 )
...
- Allows setting a role policy parameter when configuring OIDC provider
- When role policy is set, the server prints a role ARN usable in STS API requests
- The given role policy is applied to STS API requests when the roleARN parameter is provided.
- Service accounts for role policy are also possible and work as expected.
2021-11-26 19:22:40 -08:00
61029fe20b
fix: returning invalid account-not-exists error for LDAP svc acc ( #13756 )
2021-11-24 15:19:33 -08:00
9739e55d0f
tests: add OpenID service accounts creation and update ( #13708 )
...
- service account creation for STS accounts
- service account session policy update for STS accounts
- refactor svc acc tests and add them for OpenID
2021-11-20 02:07:16 -08:00
087c1b98dc
Add tests for OpenID STS creds and add to CI ( #13638 )
2021-11-11 11:23:30 -08:00
1946922de3
Add CI for etcd IAM backend ( #13614 )
...
Runs when ETCD_SERVER env var is set
2021-11-09 09:25:13 -08:00
01b9ff54d9
Add LDAP STS tests and workflow for CI ( #13576 )
...
Runs LDAP tests with openldap container on GH Actions
2021-11-04 08:16:30 -07:00
ecd54b4cba
Move all IAM storage functionality into iam store type ( #13567 )
...
This reverts commit 091a7ae359
2021-11-03 19:47:49 -07:00
091a7ae359
Revert "Move all IAM storage functionality into iam store type ( #13541 )"
...
This reverts commit caadcc3ed8
2021-11-02 13:51:42 -07:00
caadcc3ed8
Move all IAM storage functionality into iam store type ( #13541 )
...
- Ensure all actions accessing storage lock properly.
- Behavior change: policies can be deleted only when they
are not associated with any active credentials.
2021-11-01 21:58:07 -07:00
2f1ee25f50
Add test for AssumeRole with internal IDP ( #13527 )
2021-10-28 09:05:51 -07:00
Harshavardhana
Aditya Manthramurthy
Anis Elleuch