mirror of
https://github.com/minio/minio.git
synced 2025-11-13 15:21:36 -05:00
890f43ffa5
When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
28 KiB
28 KiB