svc: Assume Access Key creation to be permitted
Adding this policy will make the user not able to create a service account anymore:

```
    {
      "Effect": "Deny",
      "Action": [
        "admin:CreateServiceAccount"
      ],
      "Condition": {
        "NumericGreaterThanIfExists": {"svc:DurationSeconds": "1500"}
      }
    },
```

The reason is that policy.IsAllowedActions() is called with conditions from the user login.

Assume svc account creation to be possible for now until we come up with a better fix
Anis Eleuch committed May 1, 2024
1 parent 02a0db1 commit 9e3df37
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion api/user_session.go
Expand Up @@ -139,8 +139,11 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models

defaultActions := policy.IsAllowedActions("", "", conditionValues)

consoleDefaultActions := defaultActions.Clone()
consoleDefaultActions.Add(minioIAMPolicy.Action(minioIAMPolicy.CreateServiceAccountAdminAction))

permissions := map[string]minioIAMPolicy.ActionSet{
ConsoleResourceName: defaultActions,
ConsoleResourceName: consoleDefaultActions,
}
deniedActions := map[string]minioIAMPolicy.ActionSet{}
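
Review bot: the `consoleDefaultActions.Add(...)` call is unconditional, so the session response for `ConsoleResourceName` now reports `admin:CreateServiceAccount` as allowed for every user, including one whose policy denies the action outright with no `Condition` block, not only the `svc:DurationSeconds` case described in the commit message. Because the permissions map no longer reflects the result of `policy.IsAllowedActions()` for this action, add a comment above the `Add` call saying this is a temporary assumption, and confirm that the request that actually creates the access key is still evaluated against the policy on the server. Consider limiting the override to the case where the action is missing from `defaultActions` only because a condition key is unavailable at login, and leave `deniedActions` consistent with whatever is decided here.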
