Remove applying custom policies with STS access keys (#6626)

Move away from allowing custom policies, all policies in STS come from OPA otherwise they fail.
6 years ago · 23b166b318
parent 81a481e098
commit 23b166b318
2 changed files with 5 additions and 35 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -326,20 +326,16 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
 	sys.RLock()
 	defer sys.RUnlock()

+	// If opa is configured, use OPA always.
+	if globalPolicyOPA != nil {
+		return globalPolicyOPA.IsAllowed(args)
+	}
+
 	// If policy is available for given user, check the policy.
 	if p, found := sys.iamPolicyMap[args.AccountName]; found {
-		// If opa is configured, use OPA in conjunction with IAM policies.
-		if globalPolicyOPA != nil {
-			return p.IsAllowed(args) && globalPolicyOPA.IsAllowed(args)
-		}
 		return p.IsAllowed(args)
 	}

-	// If no policies are set, let the policy arrive from OPA if any.
-	if globalPolicyOPA != nil {
-		return globalPolicyOPA.IsAllowed(args)
-	}
-
 	// As policy is not available and OPA is not configured, return the owner value.
 	return args.IsOwner
 }
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -17,15 +17,12 @@
 package cmd

 import (
-	"bytes"
-	"encoding/base64"
 	"encoding/xml"
 	"net/http"

 	"github.com/gorilla/mux"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
-	"github.com/minio/minio/pkg/iam/policy"
 	"github.com/minio/minio/pkg/iam/validator"
 )

@ -142,22 +139,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
 		return
 	}

-	policyStr := r.URL.Query().Get("Policy")
-	var p *iampolicy.Policy
-	if policyStr != "" {
-		var data []byte
-		data, err = base64.URLEncoding.DecodeString(policyStr)
-		if err != nil {
-			writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
-			return
-		}
-		p, err = iampolicy.ParseConfig(bytes.NewReader(data))
-		if err != nil {
-			writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
-			return
-		}
-	}
-
 	vars := mux.Vars(r)
 	m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
 	if err != nil {
@ -187,13 +168,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
 		writeSTSErrorResponse(w, ErrSTSInternalError)
 		return
 	}
-	if p != nil {
-		if err = globalIAMSys.SetPolicy(cred.AccessKey, *p); err != nil {
-			logger.LogIf(ctx, err)
-			writeSTSErrorResponse(w, ErrSTSInternalError)
-			return
-		}
-	}

 	encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{
 		Result: ClientGrantsResult{Credentials: cred},