Remove applying custom policies with STS access keys (#6626)

Move away from allowing custom policies; all policies in
STS come from OPA, otherwise they fail.
master
Harshavardhana 6 years ago committed by Dee Koder
parent 81a481e098
commit 23b166b318
  1. 14
      cmd/iam.go
  2. 26
      cmd/sts-handlers.go

@ -326,20 +326,16 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
sys.RLock()
defer sys.RUnlock()
// If opa is configured, use OPA always.
if globalPolicyOPA != nil {
return globalPolicyOPA.IsAllowed(args)
}
// If policy is available for given user, check the policy.
if p, found := sys.iamPolicyMap[args.AccountName]; found {
// If opa is configured, use OPA in conjunction with IAM policies.
if globalPolicyOPA != nil {
return p.IsAllowed(args) && globalPolicyOPA.IsAllowed(args)
}
return p.IsAllowed(args)
}
// If no policies are set, let the policy arrive from OPA if any.
if globalPolicyOPA != nil {
return globalPolicyOPA.IsAllowed(args)
}
// As policy is not available and OPA is not configured, return the owner value.
return args.IsOwner
}
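Review bot: With globalPolicyOPA set, IsAllowed now returns OPA's verdict before sys.iamPolicyMap is consulted, so a policy attached earlier via SetPolicy is ignored for every account (not only STS ones) once OPA is configured; the method's doc comment, which sits outside the hunk together with IsAllowed's signature, should state this, e.g. `// IsAllowed - returns whether args are allowed; when OPA is configured it is the sole authority and IAM policies in iamPolicyMap are not consulted.` The OPA call is made while sys.RLock() is held, which was already true before this change but now applies to every request when OPA is configured, so if globalPolicyOPA.IsAllowed performs network I/O a slow OPA will block writers for its duration. Whether a failed OPA request yields false is not visible here; a comment confirming it fails closed would help the next reader.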

@ -17,15 +17,12 @@
package cmd
import (
"bytes"
"encoding/base64"
"encoding/xml"
"net/http"
"github.com/gorilla/mux"
"github.com/minio/minio/cmd/logger"
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
)
@ -142,22 +139,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
return
}
policyStr := r.URL.Query().Get("Policy")
var p *iampolicy.Policy
if policyStr != "" {
var data []byte
data, err = base64.URLEncoding.DecodeString(policyStr)
if err != nil {
writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
return
}
p, err = iampolicy.ParseConfig(bytes.NewReader(data))
if err != nil {
writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
return
}
}
vars := mux.Vars(r)
m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
if err != nil {
@ -187,13 +168,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
writeSTSErrorResponse(w, ErrSTSInternalError)
return
}
if p != nil {
if err = globalIAMSys.SetPolicy(cred.AccessKey, *p); err != nil {
logger.LogIf(ctx, err)
writeSTSErrorResponse(w, ErrSTSInternalError)
return
}
}
encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{
Result: ClientGrantsResult{Credentials: cred},
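Review bot: Dropping the Policy handling in the second hunk means a request that still carries a `Policy` query parameter is accepted and silently ignored, so the caller receives credentials without the scope-down it asked for and gets no error saying so; rejecting the parameter explicitly is the safer behaviour, e.g. `if r.URL.Query().Get("Policy") != "" { writeSTSErrorResponse(w, ErrSTSInvalidParameterValue); return }` placed where the old decode was, before `vars := mux.Vars(r)`. The third hunk removes the SetPolicy call, so the returned credentials are governed solely by OPA as the commit message states; a one-line comment above the encodeResponse call saying so would make that intent visible in the code. If the handler's doc comment lists Policy among the accepted parameters, it should be updated as well. AssumeRoleWithClientGrants begins and ends outside these hunks.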
