Remove applying custom policies with STS access keys (#6626)

Move away from allowing custom policies; all policies in
STS come from OPA, otherwise they fail.
Harshavardhana 6 years ago committed by Dee Koder
parent 81a481e098
commit 23b166b318
  1. 14
      cmd/iam.go
  2. 26
      cmd/sts-handlers.go

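--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -326,18 +326,14 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
 sys.RLock()
 defer sys.RUnlock()
-// If policy is available for given user, check the policy.
-if p, found := sys.iamPolicyMap[args.AccountName]; found {
-// If opa is configured, use OPA in conjunction with IAM policies.
+// If opa is configured, use OPA always.
 if globalPolicyOPA != nil {
-return p.IsAllowed(args) && globalPolicyOPA.IsAllowed(args)
-}
-return p.IsAllowed(args)
+return globalPolicyOPA.IsAllowed(args)
 }
-// If no policies are set, let the policy arrive from OPA if any.
-if globalPolicyOPA != nil {
-return globalPolicyOPA.IsAllowed(args)
+// If policy is available for given user, check the policy.
+if p, found := sys.iamPolicyMap[args.AccountName]; found {
+return p.IsAllowed(args)
 }
 // As policy is not available and OPA is not configured, return the owner value.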
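Review bot: The new OPA branch at the top of the hunk makes OPA the sole authority and never consults sys.iamPolicyMap, so a per-user policy that an administrator has set is silently not enforced once OPA is configured; the comment should say so explicitly, e.g. `// OPA, when configured, is the sole authority: per-user IAM policies in iamPolicyMap are not consulted.` The old code ANDed the two verdicts, so a deployment that relied on the local policy as an extra restriction now depends entirely on OPA returning the same decision, and that change in authorization semantics deserves a mention in IsAllowed's doc comment as well. As a minor point, the OPA path reads no IAMSys state, so the read lock taken just above it is only needed for the iamPolicyMap lookup and could be acquired after the OPA guard if that is all it protects. IsAllowed's signature and its final return lie outside the hunk.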

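--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -17,15 +17,12 @@
 package cmd
 import (
-"bytes"
-"encoding/base64"
 "encoding/xml"
 "net/http"
 "github.com/gorilla/mux"
 "github.com/minio/minio/cmd/logger"
 "github.com/minio/minio/pkg/auth"
-"github.com/minio/minio/pkg/iam/policy"
 "github.com/minio/minio/pkg/iam/validator"
 )
@@ -142,22 +139,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
 return
 }
-policyStr := r.URL.Query().Get("Policy")
-var p *iampolicy.Policy
-if policyStr != "" {
-var data []byte
-data, err = base64.URLEncoding.DecodeString(policyStr)
-if err != nil {
-writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
-return
-}
-p, err = iampolicy.ParseConfig(bytes.NewReader(data))
-if err != nil {
-writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
-return
-}
-}
 vars := mux.Vars(r)
 m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
 if err != nil {
@@ -187,13 +168,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
 writeSTSErrorResponse(w, ErrSTSInternalError)
 return
 }
-if p != nil {
-if err = globalIAMSys.SetPolicy(cred.AccessKey, *p); err != nil {
-logger.LogIf(ctx, err)
-writeSTSErrorResponse(w, ErrSTSInternalError)
-return
-}
-}
 encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{
 Result: ClientGrantsResult{Credentials: cred},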
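Review bot: With the Policy parsing removed in the second hunk, a request that still carries a `Policy` query parameter is accepted silently and credentials are issued without the scoping the caller asked for, which is broader than requested; fail closed where the parsing used to be with `if r.URL.Query().Get("Policy") != "" {` / `writeSTSErrorResponse(w, ErrSTSInvalidParameterValue); return` / `}`, or at minimum state in AssumeRoleWithClientGrants's doc comment that session policies are not honored. The third hunk has the related consequence that SetPolicy is no longer called for the new access key, so enforcement for these credentials rests entirely on an OPA being configured in IAMSys.IsAllowed; that dependency is worth a line in the handler's doc comment so operators without OPA know what the issued credentials resolve to. Both hunks sit inside AssumeRoleWithClientGrants, whose start and end are outside the visible lines.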
