From 27266f8a54298fe3848471c95fd632fdd91bde50 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Tue, 28 Jul 2020 11:47:57 -0700
Subject: [PATCH] fix: if OPA set do not enforce policy claim (#10149)
---
 cmd/config-current.go | 2 +-
 cmd/config/policy/opa/help.go | 6 +++---
 cmd/sts-handlers.go | 2 +-
 docs/sts/sts.env | 5 -----
 4 files changed, 5 insertions(+), 10 deletions(-)
 delete mode 100644 docs/sts/sts.env
diff --git a/cmd/config-current.go b/cmd/config-current.go
index ed3a090e5..a9fe01c92 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -92,7 +92,7 @@ func initHelp() {
 },
 config.HelpKV{
 Key: config.PolicyOPASubSys,
- Description: "enable external OPA for policy enforcement",
+ Description: "[DEPRECATED] enable external OPA for policy enforcement",
 },
 config.HelpKV{
 Key: config.KmsVaultSubSys,
diff --git a/cmd/config/policy/opa/help.go b/cmd/config/policy/opa/help.go
index 7090b09b6..20cba54f2 100644
--- a/cmd/config/policy/opa/help.go
+++ b/cmd/config/policy/opa/help.go
@@ -1,5 +1,5 @@
 /*
- * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+ * MinIO Cloud Storage, (C) 2019,2020 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,12 +23,12 @@ var (
 Help = config.HelpKVS{
 config.HelpKV{
 Key: URL,
- Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
+ Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
 Type: "url",
 },
 config.HelpKV{
 Key: AuthToken,
- Description: "authorization token for OPA endpoint",
+ Description: "[DEPRECATED] authorization token for OPA endpoint",
 Optional: true,
 Type: "string",
 },
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 0e66df47e..06a5350d4 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -328,7 +328,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
 }
- if policyName == "" {
+ if policyName == "" && globalPolicyOPA == nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
 return
 }
diff --git a/docs/sts/sts.env b/docs/sts/sts.env
deleted file mode 100644
index 02157c9b7..000000000
--- a/docs/sts/sts.env
+++ /dev/null
@@ -1,5 +0,0 @@
-export MINIO_ACCESS_KEY=minio
-export MINIO_SECRET_KEY=minio123
-export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
-export MINIO_POLICY_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
-export MINIO_ETCD_ENDPOINTS=http://localhost:2379
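Review bot: The relaxed guard on the added line means a JWT with no policy claim now yields STS credentials whenever an OPA endpoint is configured, yet nothing in the hunk records that MinIO-side policy enforcement is being deliberately delegated to the external engine for those credentials; add a comment above the condition such as `// With an external OPA configured, per-request authorization is delegated to it, so a policy claim is not required here.` so a later reader does not re-tighten it by accident. Because these credentials are issued with an empty policyName, it is worth confirming on the request paths outside this hunk that OPA is actually consulted for every call made with them and that an unreachable OPA fails closed rather than degrading to "no policy". If `globalPolicyOPA` is declared as an interface rather than a pointer, a typed-nil value would not satisfy `== nil` — check its declaration. The sibling hunks mark the OPA settings `[DEPRECATED]` while this hunk adds new behavior that depends on them, which deserves a sentence in the commit description. `AssumeRoleWithJWT` begins before and continues after this hunk.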