fix: if OPA set do not enforce policy claim (#10149)

Harshavardhana 4 years ago committed by GitHub
parent 1b6ba0d062
commit 27266f8a54
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      cmd/config-current.go
  2. 6
      cmd/config/policy/opa/help.go
  3. 2
      cmd/sts-handlers.go
  4. 5
      docs/sts/sts.env

@ -92,7 +92,7 @@ func initHelp() {
}, },
config.HelpKV{ config.HelpKV{
Key: config.PolicyOPASubSys, Key: config.PolicyOPASubSys,
Description: "enable external OPA for policy enforcement", Description: "[DEPRECATED] enable external OPA for policy enforcement",
}, },
config.HelpKV{ config.HelpKV{
Key: config.KmsVaultSubSys, Key: config.KmsVaultSubSys,

@ -1,5 +1,5 @@
/* /*
* MinIO Cloud Storage, (C) 2019 MinIO, Inc. * MinIO Cloud Storage, (C) 2019,2020 MinIO, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -23,12 +23,12 @@ var (
Help = config.HelpKVS{ Help = config.HelpKVS{
config.HelpKV{ config.HelpKV{
Key: URL, Key: URL,
Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`, Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
Type: "url", Type: "url",
}, },
config.HelpKV{ config.HelpKV{
Key: AuthToken, Key: AuthToken,
Description: "authorization token for OPA endpoint", Description: "[DEPRECATED] authorization token for OPA endpoint",
Optional: true, Optional: true,
Type: "string", Type: "string",
}, },
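Review bot: The new `[DEPRECATED]` prefix on the URL and AuthToken help strings tells the operator nothing about what replaces OPA or what still depends on it, while the same commit makes the STS JWT path behave differently when OPA is configured (the policy claim is no longer required). Operators reading `mc admin config set ... policy_opa` help will not learn that setting this endpoint silently relaxes a credential-issuance check. I would extend the URL description, for example `[DEPRECATED] OPA HTTP(s) endpoint ...; when set, STS AssumeRoleWithJWT no longer requires a policy claim and delegates all authorization to OPA`, and, if a successor mechanism exists, name it so the deprecation is actionable. The `Help` var declaration starts outside the hunk.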

@ -328,7 +328,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ",")) policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
} }
if policyName == "" { if policyName == "" && globalPolicyOPA == nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID())) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return return
} }
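Review bot: The relaxed condition on the `if policyName == "" && globalPolicyOPA == nil` line lets the handler continue with an empty `policyName` whenever OPA is configured, with no comment explaining that authorization is then delegated entirely to the external OPA endpoint; the lines that consume `policyName` are outside this hunk, so it is not visible here whether an empty policy is stored on the credential or treated specially, and that should be confirmed. This is a security-relevant trust decision: credentials minted without an embedded policy are only as safe as the OPA endpoint being reachable and enforcing on every request, so the intent deserves to be stated at the site, e.g. `// With OPA configured, authorization is delegated to OPA per request, so a missing policy claim is not fatal; credentials are issued without an embedded policy.` The error message on the following line also says the claim is "missing" even when it was present but `currentPolicies` filtered every name out, so a second, more precise message for the OPA-nil case would help operators; that wording predates this commit. A log line at debug level when credentials are issued with an empty policy under OPA would make later forensics easier. `AssumeRoleWithJWT` starts and ends outside the hunk.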

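--- a/docs/sts/sts.env
+++ b/docs/sts/sts.env
@@ -1,5 +0,0 @@
-export MINIO_ACCESS_KEY=minio
-export MINIO_SECRET_KEY=minio123
-export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
-export MINIO_POLICY_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
-export MINIO_ETCD_ENDPOINTS=http://localhost:2379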