root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity
minio/cmd/sts-handlers.go

1054 lines
35 KiB
Go
Raw Normal View History

fix: correct parentUser lookup for OIDC auto expiration (#14154) fixes #14026 This is a regression from #13884
2022-01-23 08:36:11 +08:00
/// Copyright (c) 2015-2021 MinIO, Inc.
update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 03:41:13 +08:00
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
package cmd
import (
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
"bytes"
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
"context"
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
"crypto/x509"
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
"encoding/base64"
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
"errors"
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
"fmt"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
"net/http"
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
"strconv"
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
"strings"
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
"time"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Bump up madmin-go and pkg deps (#17469)
2023-06-20 08:53:08 +08:00
"github.com/minio/madmin-go/v3"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
"github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config/identity/openid"
use crypto/sha256 only for FIPS 140-2 compliance (#14983) It would seem like the PR #11623 had chewed more than it wanted to, non-fips build shouldn't really be forced to use slower crypto/sha256 even for presumed "non-performance" codepaths. In MinIO there are really no "non-performance" codepaths. This assumption seems to have had an adverse effect in certain areas of CPU usage. This PR ensures that we stick to sha256-simd on all non-FIPS builds, our most common build to ensure we get the best out of the CPU at any given point in time.
2022-05-27 21:00:19 +08:00
"github.com/minio/minio/internal/hash/sha256"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
migrate to minio/mux from gorilla/mux (#16456)
2023-01-23 19:12:47 +08:00
"github.com/minio/mux"
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
"github.com/minio/pkg/v2/policy"
Update to minio/pkg/v2 (#17967)
2023-09-05 03:57:37 +08:00
"github.com/minio/pkg/v2/wildcard"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
)
const (
// STS API version.
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-14 07:22:14 +08:00
stsAPIVersion = "2011-06-15"
stsVersion = "Version"
stsAction = "Action"
stsPolicy = "Policy"
stsToken = "Token"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
stsRoleArn = "RoleArn"
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-14 07:22:14 +08:00
stsWebIdentityToken = "WebIdentityToken"
stsWebIdentityAccessToken = "WebIdentityAccessToken" // only valid if UserInfo is enabled.
stsDurationSeconds = "DurationSeconds"
stsLDAPUsername = "LDAPUsername"
stsLDAPPassword = "LDAPPassword"
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// STS API action constants
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
clientGrants = "AssumeRoleWithClientGrants"
webIdentity = "AssumeRoleWithWebIdentity"
ldapIdentity = "AssumeRoleWithLDAPIdentity"
clientCertificate = "AssumeRoleWithCertificate"
customTokenIdentity = "AssumeRoleWithCustomToken"
assumeRole = "AssumeRole"
fix DoS vulnerability in the content SHA-256 processing (#8026) This commit fixes a DoS issue that is caused by an incorrect SHA-256 content verification during STS requests. Before that fix clients could write arbitrary many bytes to the server memory. This commit fixes this by limiting the request body size.
2019-08-06 01:06:40 +08:00
stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
// JWT claim keys
expClaim = "exp"
subClaim = "sub"
always validate JWT token audience (#12797) audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
2021-07-27 10:40:15 +08:00
audClaim = "aud"
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
issClaim = "iss"
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
// JWT claim to check the parent user
parentClaim = "parent"
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// LDAP claim keys
fix: ldap: use validated base DNs (#19406) This fixes a regression from #19358 which prevents policy mappings created in the latest release from being displayed in policy entity listing APIs. This is due to the possibility that the base DNs in the LDAP config are not in a normalized form and #19358 introduced normalized of mapping keys (user DNs and group DNs). When listing, we check if the policy mappings are on entities that parse as valid DNs that are descendants of the base DNs in the config. Test added that demonstrates a failure without this fix.
2024-04-05 02:36:18 +08:00
ldapUser = "ldapUser" // this is a key name for a DN value
ldapUserN = "ldapUsername" // this is a key name for the short/login username
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
// Role Claim key
roleArnClaim = "roleArn"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
)
// stsAPIHandlers implements and provides http handlers for AWS STS API.
type stsAPIHandlers struct{}
// registerSTSRouter - registers AWS STS compatible APIs.
func registerSTSRouter(router *mux.Router) {
// Initialize STS.
sts := &stsAPIHandlers{}
// STS Router
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-07 03:08:58 +08:00
stsRouter := router.NewRoute().PathPrefix(SlashSeparator).Subrouter()
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// Assume roles with no JWT, handles AssumeRole.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
stsRouter.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, rm *mux.RouteMatch) bool {
ctypeOk := wildcard.MatchSimple("application/x-www-form-urlencoded*", r.Header.Get(xhttp.ContentType))
authOk := wildcard.MatchSimple(signV4Algorithm+"*", r.Header.Get(xhttp.Authorization))
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
noQueries := len(r.URL.RawQuery) == 0
Fix STS AssumeRole route conflict with MultipartUpload (#7574) Since AssumeRole API was introduced we have a wrong route match which results in certain clients failing to upload objects using multipart because, multipart POST conflicts with STS POST AssumeRole API. Write a proper matcher function which verifies the route more appropriately such that both can co-exist.
2019-04-24 06:55:41 +08:00
return ctypeOk && authOk && noQueries
}).HandlerFunc(httpTraceAll(sts.AssumeRole))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// Assume roles with JWT handler, handles both ClientGrants and WebIdentity.
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, rm *mux.RouteMatch) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
ctypeOk := wildcard.MatchSimple("application/x-www-form-urlencoded*", r.Header.Get(xhttp.ContentType))
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
noQueries := len(r.URL.RawQuery) == 0
Fix STS AssumeRole route conflict with MultipartUpload (#7574) Since AssumeRole API was introduced we have a wrong route match which results in certain clients failing to upload objects using multipart because, multipart POST conflicts with STS POST AssumeRole API. Write a proper matcher function which verifies the route more appropriately such that both can co-exist.
2019-04-24 06:55:41 +08:00
return ctypeOk && noQueries
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
}).HandlerFunc(httpTraceAll(sts.AssumeRoleWithSSO))
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// AssumeRoleWithClientGrants
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithClientGrants)).
Queries(stsAction, clientGrants).
Queries(stsVersion, stsAPIVersion).
Queries(stsToken, "{Token:.*}")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
// AssumeRoleWithWebIdentity
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithWebIdentity)).
Queries(stsAction, webIdentity).
Queries(stsVersion, stsAPIVersion).
Queries(stsWebIdentityToken, "{Token:.*}")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// AssumeRoleWithLDAPIdentity
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithLDAPIdentity)).
Queries(stsAction, ldapIdentity).
Queries(stsVersion, stsAPIVersion).
Queries(stsLDAPUsername, "{LDAPUsername:.*}").
Queries(stsLDAPPassword, "{LDAPPassword:.*}")
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
// AssumeRoleWithCertificate
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithCertificate)).
Queries(stsAction, clientCertificate).
Queries(stsVersion, stsAPIVersion)
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
// AssumeRoleWithCustomToken
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithCustomToken)).
Queries(stsAction, customTokenIdentity).
Queries(stsVersion, stsAPIVersion)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
func apiToSTSError(authErr APIErrorCode) (stsErrCode STSErrorCode) {
switch authErr {
case ErrSignatureDoesNotMatch, ErrInvalidAccessKeyID, ErrAccessKeyDisabled:
return ErrSTSAccessDenied
case ErrServerNotInitialized:
return ErrSTSNotInitialized
case ErrInternalError:
return ErrSTSInternalError
default:
return ErrSTSAccessDenied
}
}
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (auth.Credentials, APIErrorCode) {
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
if !isRequestSignatureV4(r) {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
return auth.Credentials{}, ErrAccessDenied
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-05 02:58:19 +08:00
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
return auth.Credentials{}, s3Err
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-05 02:58:19 +08:00
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
user, _, s3Err := getReqAccessKeyV4(r, globalSite.Region, serviceSTS)
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
if s3Err != ErrNone {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
return auth.Credentials{}, s3Err
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
}
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
return auth.Credentials{}, ErrAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
// Session tokens are not allowed in STS AssumeRole requests.
if getSessionToken(r) != "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
return auth.Credentials{}, ErrAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
return user, ErrNone
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
func parseForm(r *http.Request) error {
if err := r.ParseForm(); err != nil {
return err
}
for k, v := range r.PostForm {
if _, ok := r.Form[k]; !ok {
r.Form[k] = v
}
}
return nil
}
sr: use site replicator svcacct to sign STS session tokens (#19111) This change is to decouple need for root credentials to match between site replication deployments. Also ensuring site replication config initialization is re-tried until it succeeds, this deoendency is critical to STS flow in site replication scenario.
2024-02-27 05:26:18 +08:00
// getTokenSigningKey returns secret key used to sign JWT session tokens
func getTokenSigningKey() (string, error) {
secret := globalActiveCred.SecretKey
if globalSiteReplicationSys.isEnabled() {
c, err := globalSiteReplicatorCred.Get(GlobalContext)
if err != nil {
return "", err
}
return c.SecretKey, nil
}
return secret, nil
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// AssumeRole - implementation of AWS STS API AssumeRole to get temporary
// credentials for regular users on Minio.
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRole")
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims := make(map[string]interface{})
defer logger.AuditLog(ctx, w, r, claims)
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
// Check auth here (otherwise r.Form will have unexpected values from
// the call to `parseForm` below), but return failure only after we are
// able to validate that it is a valid STS request, so that we are able
// to send an appropriate audit log.
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
user, apiErrCode := checkAssumeRoleAuth(ctx, r)
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-05 02:58:19 +08:00
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if err := parseForm(r); err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
if r.Form.Get(stsVersion) != stsAPIVersion {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get(stsVersion), stsAPIVersion))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
action := r.Form.Get(stsAction)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
switch action {
case assumeRole:
default:
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
ctx = newContext(r, w, action)
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
// Validate the authentication result here so that failures will be audit-logged.
if apiErrCode != ErrNone {
stsErr := apiToSTSError(apiErrCode)
// Borrow the description error from the API error code
writeSTSErrorResponse(ctx, w, stsErr, fmt.Errorf(errorCodes[apiErrCode].Description))
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-28 08:17:11 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
allow JWT parsing on large session policy based tokens (#17167)
2023-05-09 15:53:08 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, errSessionPolicyTooLarge)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
if len(sessionPolicyStr) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sessionPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Version cannot be empty expecting '2012-10-17'"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
}
move to jwt-go v4 with correct releases (#13586)
2021-11-06 03:20:08 +08:00
duration, err := openid.GetDefaultExpiration(r.Form.Get(stsDurationSeconds))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims[expClaim] = UTCNow().Add(duration).Unix()
claims[parentClaim] = user.AccessKey
move to jwt-go v4 with correct releases (#13586)
2021-11-06 03:20:08 +08:00
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 16:46:30 +08:00
// Validate that user.AccessKey's policies can be retrieved - it may not
// be in case the user is disabled.
cleanup handling of STS isAllowed and simplifies the PolicyDBGet() (#18554)
2023-11-30 08:07:35 +08:00
if _, err = globalIAMSys.PolicyDBGet(user.AccessKey, user.Groups...); err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
if len(sessionPolicyStr) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
sr: use site replicator svcacct to sign STS session tokens (#19111) This change is to decouple need for root credentials to match between site replication deployments. Also ensuring site replication config initialization is re-tried until it succeeds, this deoendency is critical to STS flow in site replication scenario.
2024-02-27 05:26:18 +08:00
secret, err := getTokenSigningKey()
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
return
}
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
cred, err := auth.GetNewCredentialsWithMetadata(claims, secret)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 16:46:30 +08:00
// Set the parent of the temporary access key, so that it's access
// policy is inherited from `user.AccessKey`.
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
cred.ParentUser = user.AccessKey
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// Set the newly generated credentials.
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, "")
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
// Call hook for site replication.
if cred.ParentUser != globalActiveCred.AccessKey {
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
ParentUser: cred.ParentUser,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
assumeRoleResponse := &AssumeRoleResponse{
Result: AssumeRoleResult{
Credentials: cred,
},
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
assumeRoleResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
writeSuccessResponseXML(w, encodeResponse(assumeRoleResponse))
}
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleSSOCommon")
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims := make(map[string]interface{})
defer logger.AuditLog(ctx, w, r, claims)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// Parse the incoming form data.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if err := parseForm(r); err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
if r.Form.Get(stsVersion) != stsAPIVersion {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
action := r.Form.Get(stsAction)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
switch action {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
case ldapIdentity:
sts.AssumeRoleWithLDAPIdentity(w, r)
return
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
case clientGrants, webIdentity:
default:
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
return
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
ctx = newContext(r, w, action)
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
token := r.Form.Get(stsToken)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
if token == "" {
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
token = r.Form.Get(stsWebIdentityToken)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-14 07:22:14 +08:00
accessToken := r.Form.Get(stsWebIdentityAccessToken)
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
// RoleARN parameter processing: If a role ARN is given in the request, we
// use that and validate the authentication request. If not, we assume this
// is an STS request for a claim based IDP (if one is present) and set
// roleArn = openid.DummyRoleARN.
//
// Currently, we do not support multiple claim based IDPs, as there is no
// defined parameter to disambiguate the intended IDP in this STS request.
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element
2022-04-29 09:27:09 +08:00
roleArn := openid.DummyRoleARN
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
roleArnStr := r.Form.Get(stsRoleArn)
if roleArnStr != "" {
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element
2022-04-29 09:27:09 +08:00
var err error
roleArn, _, err = globalIAMSys.GetRolePolicy(roleArnStr)
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element
2022-04-29 09:27:09 +08:00
fmt.Errorf("Error processing %s parameter: %v", stsRoleArn, err))
return
}
}
sts: validate if iam subsystem initialized in handlers (#17796)
2023-08-04 04:24:25 +08:00
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element
2022-04-29 09:27:09 +08:00
// Validate JWT; check clientID in claims matches the one associated with the roleArn
Remove globalOpenIDConfig (#16708)
2023-02-26 13:01:37 +08:00
if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
switch err {
Rename iam/validator -> iam/openid and add tests (#8340) Refactor as part of config migration
2019-10-02 06:07:20 +08:00
case openid.ErrTokenExpired:
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
switch action {
case clientGrants:
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSClientGrantsExpiredToken, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
case webIdentity:
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSWebIdentityExpiredToken, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
return
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
case auth.ErrInvalidDuration:
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
return
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-20 06:34:01 +08:00
var policyName string
feat: Allow at most one claim based OpenID IDP (#16145)
2022-11-30 07:40:49 +08:00
if roleArnStr != "" && globalIAMSys.HasRolePolicy() {
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
// If roleArn is used, we set it as a claim, and use the
// associated policy when credentials are used.
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims[roleArnClaim] = roleArn.String()
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
} else {
If role policy is configured, require that role ARN be set in STS (#13814)
2021-12-03 07:43:39 +08:00
// If no role policy is configured, then we use claims from the
// JWT. This is a MinIO STS API specific value, this value
// should be set and configured on your identity provider as
// part of JWT custom claims.
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
policySet, ok := policy.GetPoliciesFromClaims(claims, iamPolicyClaimNameOpenID())
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
policies := strings.Join(policySet.ToSlice(), ",")
if ok {
policyName = globalIAMSys.CurrentPolicies(policies)
}
feat: Single drive XL implementation (#14970) Main motivation is move towards a common backend format for all different types of modes in MinIO, allowing for a simpler code and predictable behavior across all features. This PR also brings features such as versioning, replication, transitioning to single drive setups.
2022-05-31 01:58:37 +08:00
if newGlobalAuthZPluginFn() == nil {
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
if !ok {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return
} else if policyName == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policies))
return
}
}
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims[iamPolicyClaimNameOpenID()] = policyName
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-20 06:34:01 +08:00
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
if len(sessionPolicyStr) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sessionPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid session policy version"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
}
sr: use site replicator svcacct to sign STS session tokens (#19111) This change is to decouple need for root credentials to match between site replication deployments. Also ensuring site replication config initialization is re-tried until it succeeds, this deoendency is critical to STS flow in site replication scenario.
2024-02-27 05:26:18 +08:00
secret, err := getTokenSigningKey()
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
return
}
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
cred, err := auth.GetNewCredentialsWithMetadata(claims, secret)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
// https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
// claim is only considered stable when subject and iss are used together
// this is to ensure that ParentUser doesn't change and we get to use
// parentUser as per the requirements for service accounts for OpenID
// based logins.
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
var subFromToken string
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
if v, ok := claims[subClaim]; ok {
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
subFromToken, _ = v.(string)
}
if subFromToken == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return
}
var issFromToken string
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
if v, ok := claims[issClaim]; ok {
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-27 11:22:40 +08:00
issFromToken, _ = v.(string)
}
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 16:46:30 +08:00
// Since issFromToken can have `/` characters (it is typically the
// provider URL), we hash and encode it to base64 here. This is needed
// because there will be a policy mapping stored on drives whose
// filename is this parentUser: therefore, it needs to have only valid
// filename characters and needs to have bounded length.
{
h := sha256.New()
h.Write([]byte("openid:" + subFromToken + ":" + issFromToken))
bs := h.Sum(nil)
cred.ParentUser = base64.RawURLEncoding.EncodeToString(bs)
}
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
sts: Add support of AssumeRoleWithWebIdentity and DurationSeconds (#18835) To force limit the duration of STS accounts, the user can create a new policy, like the following: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["sts:AssumeRoleWithWebIdentity"], "Condition": {"NumericLessThanEquals": {"sts:DurationSeconds": "300"}} }] } And force binding the policy to all OpenID users, whether using a claim name or role ARN.
2024-02-06 03:44:23 +08:00
// Deny this assume role request if the policy that the user intends to bind
// has a sts:DurationSeconds condition, which is not satisfied as well
{
p := policyName
if p == "" {
var err error
_, p, err = globalIAMSys.GetRolePolicy(roleArnStr)
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
return
}
}
if !globalIAMSys.doesPolicyAllow(p, policy.Args{
DenyOnly: true,
Action: policy.AssumeRoleWithWebIdentityAction,
ConditionValues: getSTSConditionValues(r, "", cred),
Claims: cred.Claims,
}) {
writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, errors.New("this user does not have enough permission"))
return
}
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// Set the newly generated credentials.
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName)
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
// Call hook for site replication.
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
ParentUser: cred.ParentUser,
ParentPolicyMapping: policyName,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
var encodedSuccessResponse []byte
switch action {
case clientGrants:
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
clientGrantsResponse := &AssumeRoleWithClientGrantsResponse{
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
Result: ClientGrantsResult{
Credentials: cred,
SubjectFromToken: subFromToken,
},
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
clientGrantsResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
encodedSuccessResponse = encodeResponse(clientGrantsResponse)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
case webIdentity:
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
webIdentityResponse := &AssumeRoleWithWebIdentityResponse{
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
Result: WebIdentityResult{
Credentials: cred,
SubjectFromWebIdentityToken: subFromToken,
},
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
webIdentityResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
encodedSuccessResponse = encodeResponse(webIdentityResponse)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
writeSuccessResponseXML(w, encodedSuccessResponse)
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// AssumeRoleWithWebIdentity - implementation of AWS STS API supporting OAuth2.0
// users from web identity provider such as Facebook, Google, or any OpenID
// Connect-compatible identity provider.
//
// Eg:-
upgrade golang-lint to the latest (#15600)
2022-08-27 03:52:29 +08:00
//
// $ curl https://minio:9000/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
func (sts *stsAPIHandlers) AssumeRoleWithWebIdentity(w http.ResponseWriter, r *http.Request) {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
sts.AssumeRoleWithSSO(w, r)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting
// OAuth2.0 client credential grants.
//
// Eg:-
upgrade golang-lint to the latest (#15600)
2022-08-27 03:52:29 +08:00
//
// $ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *http.Request) {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
sts.AssumeRoleWithSSO(w, r)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// AssumeRoleWithLDAPIdentity - implements user auth against LDAP server
func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleWithLDAPIdentity")
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims := make(map[string]interface{})
defer logger.AuditLog(ctx, w, r, claims, stsLDAPPassword)
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// Parse the incoming form data.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if err := parseForm(r); err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
if r.Form.Get(stsVersion) != stsAPIVersion {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter,
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
ldapUsername := r.Form.Get(stsLDAPUsername)
ldapPassword := r.Form.Get(stsLDAPPassword)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
if ldapUsername == "" || ldapPassword == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
action := r.Form.Get(stsAction)
switch action {
case ldapIdentity:
default:
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
return
}
if len(sessionPolicyStr) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
sessionPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Version needs to be specified in session policy"))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
return
}
}
sts: validate if iam subsystem initialized in handlers (#17796)
2023-08-04 04:24:25 +08:00
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
Remove globalLDAPConfig (#16706)
2023-02-25 10:37:22 +08:00
ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
if err != nil {
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 13:54:32 +08:00
err = fmt.Errorf("LDAP server error: %w", err)
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
// Check if this user or their groups have a policy applied.
fix: ldap: use validated base DNs (#19406) This fixes a regression from #19358 which prevents policy mappings created in the latest release from being displayed in policy entity listing APIs. This is due to the possibility that the base DNs in the LDAP config are not in a normalized form and #19358 introduced normalized of mapping keys (user DNs and group DNs). When listing, we check if the policy mappings are on entities that parse as valid DNs that are descendants of the base DNs in the config. Test added that demonstrates a failure without this fix.
2024-04-05 02:36:18 +08:00
ldapPolicies, err := globalIAMSys.PolicyDBGet(ldapUserDN, groupDistNames...)
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
return
}
feat: Single drive XL implementation (#14970) Main motivation is move towards a common backend format for all different types of modes in MinIO, allowing for a simpler code and predictable behavior across all features. This PR also brings features such as versioning, replication, transitioning to single drive setups.
2022-05-31 01:58:37 +08:00
if len(ldapPolicies) == 0 && newGlobalAuthZPluginFn() == nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
ldapUserDN, strings.Join(groupDistNames, "`,`")))
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
return
}
Remove globalLDAPConfig (#16706)
2023-02-25 10:37:22 +08:00
expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-23 03:13:21 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-23 03:13:21 +08:00
return
}
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
claims[ldapUser] = ldapUserDN
claims[ldapUserN] = ldapUsername
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
if len(sessionPolicyStr) > 0 {
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2023-09-15 05:50:16 +08:00
claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
}
sr: use site replicator svcacct to sign STS session tokens (#19111) This change is to decouple need for root credentials to match between site replication deployments. Also ensuring site replication config initialization is re-tried until it succeeds, this deoendency is critical to STS flow in site replication scenario.
2024-02-27 05:26:18 +08:00
secret, err := getTokenSigningKey()
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
return
}
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
cred, err := auth.GetNewCredentialsWithMetadata(claims, secret)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 13:54:32 +08:00
cred.ParentUser = ldapUserDN
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
fix: remove LDAP groups claim and store them on server (#9637) Groups information shall be now stored as part of the credential data structure, this is a more idiomatic way to support large LDAP groups. Avoids the complication of setups where LDAP groups can be in the range of 150+ which may lead to excess HTTP header size > 8KiB, to reduce such an occurrence we shall save the group information on the server as part of the credential data structure. Bonus change support multiple mapped policies, across all types of users.
2020-05-21 02:33:35 +08:00
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
cred.Groups = groupDistNames
fix: remove LDAP groups claim and store them on server (#9637) Groups information shall be now stored as part of the credential data structure, this is a more idiomatic way to support large LDAP groups. Avoids the complication of setups where LDAP groups can be in the range of 150+ which may lead to excess HTTP header size > 8KiB, to reduce such an occurrence we shall save the group information on the server as part of the credential data structure. Bonus change support multiple mapped policies, across all types of users.
2020-05-21 02:33:35 +08:00
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
// Set the newly generated credentials, policyName is empty on purpose
// LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping.
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, "")
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
// Call hook for site replication.
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
ParentUser: cred.ParentUser,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
ldapIdentityResponse := &AssumeRoleWithLDAPResponse{
Result: LDAPIdentityResult{
Credentials: cred,
},
}
ldapIdentityResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
encodedSuccessResponse := encodeResponse(ldapIdentityResponse)
writeSuccessResponseXML(w, encodedSuccessResponse)
}
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
// AssumeRoleWithCertificate implements user authentication with client certificates.
// It verifies the client-provided X.509 certificate, maps the certificate to an S3 policy
// and returns temp. S3 credentials to the client.
//
// API endpoint: https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15
func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *http.Request) {
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
ctx := newContext(r, w, "AssumeRoleWithCertificate")
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims := make(map[string]interface{})
defer logger.AuditLog(ctx, w, r, claims)
sts: validate if iam subsystem initialized in handlers (#17796)
2023-08-04 04:24:25 +08:00
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
Remove globalSTSTLSConfig (#16709)
2023-02-27 15:37:00 +08:00
if !globalIAMSys.STSTLSConfig.Enabled {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
// We have to establish a TLS connection and the
// client must provide exactly one client certificate.
// Otherwise, we don't have a certificate to verify or
add codespell action (#18818) Original work here, #18474, refixed and updated.
2024-01-18 15:03:17 +08:00
// the policy lookup would ambiguous.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
if r.TLS == nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInsecureConnection, errors.New("No TLS connection attempt"))
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-18 00:37:01 +08:00
// A client may send a certificate chain such that we end up
// with multiple peer certificates. However, we can only accept
// a single client certificate. Otherwise, the certificate to
add codespell action (#18818) Original work here, #18474, refixed and updated.
2024-01-18 15:03:17 +08:00
// policy mapping would be ambiguous.
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-18 00:37:01 +08:00
// However, we can filter all CA certificates and only check
// whether they client has sent exactly one (non-CA) leaf certificate.
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
peerCertificates := make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-18 00:37:01 +08:00
for _, cert := range r.TLS.PeerCertificates {
if cert.IsCA {
continue
}
peerCertificates = append(peerCertificates, cert)
}
r.TLS.PeerCertificates = peerCertificates
// Now, we have to check that the client has provided exactly one leaf
// certificate that we can map to a policy.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
if len(r.TLS.PeerCertificates) == 0 {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, errors.New("No client certificate provided"))
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
if len(r.TLS.PeerCertificates) > 1 {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, errors.New("More than one client certificate provided"))
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
certificate := r.TLS.PeerCertificates[0]
Remove globalSTSTLSConfig (#16709)
2023-02-27 15:37:00 +08:00
if !globalIAMSys.STSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
_, err := certificate.Verify(x509.VerifyOptions{
KeyUsages: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
Roots: globalRootCAs,
})
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidClientCertificate, err)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
sts: always verify the key usage of client certificates (#13583) This commit makes the MinIO server behavior more consistent w.r.t. key usage verification. When MinIO verifies the client certificates it also checks that the client certificate is valid of client authentication (or any (i.e. wildcard) usage). However, the MinIO server used to not verify the client key usage when client certificate verification was disabled. Now, the MinIO server verifies the client key usage even when client certificate verification has been disabled. This makes the MinIO behavior more consistent from a client's perspective. Now, a client certificate has to be valid for client authentication in all cases. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-11-05 17:16:26 +08:00
} else {
// Technically, there is no security argument for verifying the key usage
// when we don't verify that the certificate has been issued by a trusted CA.
// Any client can create a certificate with arbitrary key usage settings.
//
// However, this check ensures that a certificate with an invalid key usage
// gets rejected even when we skip certificate verification. This helps
// clients detect malformed certificates during testing instead of e.g.
// a self-signed certificate that works while a comparable certificate
// issued by a trusted CA fails due to the MinIO server being less strict
// w.r.t. key usage verification.
//
// Basically, MinIO is more consistent (from a client perspective) when
// we verify the key usage all the time.
var validKeyUsage bool
for _, usage := range certificate.ExtKeyUsage {
if usage == x509.ExtKeyUsageAny || usage == x509.ExtKeyUsageClientAuth {
validKeyUsage = true
break
}
}
if !validKeyUsage {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, errors.New("certificate is not valid for client authentication"))
sts: always verify the key usage of client certificates (#13583) This commit makes the MinIO server behavior more consistent w.r.t. key usage verification. When MinIO verifies the client certificates it also checks that the client certificate is valid of client authentication (or any (i.e. wildcard) usage). However, the MinIO server used to not verify the client key usage when client certificate verification was disabled. Now, the MinIO server verifies the client key usage even when client certificate verification has been disabled. This makes the MinIO behavior more consistent from a client's perspective. Now, a client certificate has to be valid for client authentication in all cases. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-11-05 17:16:26 +08:00
return
}
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
}
// We map the X.509 subject common name to the policy. So, a client
// with the common name "foo" will be associated with the policy "foo".
// Other mapping functions - e.g. public-key hash based mapping - are
// possible but not implemented.
//
// Group mapping is not possible with standard X.509 certificates.
if certificate.Subject.CommonName == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, errors.New("certificate subject CN cannot be empty"))
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
Remove globalSTSTLSConfig (#16709)
2023-02-27 15:37:00 +08:00
expiry, err := globalIAMSys.STSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, err)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
// We set the expiry of the temp. credentials to the minimum of the
// configured expiry and the duration until the certificate itself
// expires.
// We must not issue credentials that out-live the certificate.
if validUntil := time.Until(certificate.NotAfter); validUntil < expiry {
expiry = validUntil
}
// Associate any service accounts to the certificate CN
parentUser := "tls:" + certificate.Subject.CommonName
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims[expClaim] = UTCNow().Add(expiry).Unix()
claims[subClaim] = certificate.Subject.CommonName
claims[audClaim] = certificate.Subject.Organization
claims[issClaim] = certificate.Issuer.CommonName
claims[parentClaim] = parentUser
sr: use site replicator svcacct to sign STS session tokens (#19111) This change is to decouple need for root credentials to match between site replication deployments. Also ensuring site replication config initialization is re-tried until it succeeds, this deoendency is critical to STS flow in site replication scenario.
2024-02-27 05:26:18 +08:00
secretKey, err := getTokenSigningKey()
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
return
}
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(claims, secretKey)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
tmpCredentials.ParentUser = parentUser
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
policyName := certificate.Subject.CommonName
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetTempUser(ctx, tmpCredentials.AccessKey, tmpCredentials, policyName)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
// Call hook for site replication.
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: tmpCredentials.AccessKey,
SecretKey: tmpCredentials.SecretKey,
SessionToken: tmpCredentials.SessionToken,
ParentUser: tmpCredentials.ParentUser,
ParentPolicyMapping: policyName,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-07 07:52:43 +08:00
run gofumpt cleanup across code-base (#14015)
2022-01-03 01:15:06 +08:00
response := new(AssumeRoleWithCertificateResponse)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
response.Result.Credentials = tmpCredentials
response.Metadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
writeSuccessResponseXML(w, encodeResponse(response))
}
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
// AssumeRoleWithCustomToken implements user authentication with custom tokens.
// These tokens are opaque to MinIO and are verified by a configured (external)
// Identity Management Plugin.
//
// API endpoint: https://minio:9000?Action=AssumeRoleWithCustomToken&Token=xxx
func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleWithCustomToken")
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims := make(map[string]interface{})
fix: Filter out cust. AssumeRole `Token` for audit (#19646) The `Token` parameter is a sensitive value that should not be output in the Audit log for STS AssumeRoleWithCustomToken API. Bonus: Add a simple tool that echoes audit logs to the console.
2024-05-02 05:31:13 +08:00
auditLogFilterKeys := []string{stsToken}
defer logger.AuditLog(ctx, w, r, claims, auditLogFilterKeys...)
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
sts: validate if iam subsystem initialized in handlers (#17796)
2023-08-04 04:24:25 +08:00
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
LDAP/OpenID must be initialized IAM Init() (#15491) This allows for LDAP/OpenID to be non-blocking, allowing for unreachable Identity targets to be initialized in IAM.
2022-08-09 07:16:27 +08:00
authn := newGlobalAuthNPluginFn()
if authn == nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
action := r.Form.Get(stsAction)
if action != customTokenIdentity {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
token := r.Form.Get(stsToken)
if token == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid empty `Token` parameter provided"))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
durationParam := r.Form.Get(stsDurationSeconds)
var requestedDuration int
if durationParam != "" {
var err error
requestedDuration, err = strconv.Atoi(durationParam)
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid requested duration: %s", durationParam))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
}
roleArnStr := r.Form.Get(stsRoleArn)
roleArn, _, err := globalIAMSys.GetRolePolicy(roleArnStr)
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
fmt.Errorf("Error processing parameter %s: %v", stsRoleArn, err))
return
}
LDAP/OpenID must be initialized IAM Init() (#15491) This allows for LDAP/OpenID to be non-blocking, allowing for unreachable Identity targets to be initialized in IAM.
2022-08-09 07:16:27 +08:00
res, err := authn.Authenticate(roleArn, token)
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
// If authentication failed, return the error message to the user.
if res.Failure != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSUpstreamError, errors.New(res.Failure.Reason))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
// It is required that parent user be set.
if res.Success.User == "" {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSUpstreamError, errors.New("A valid user was not returned by the authenticator."))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
// Expiry is set as minimum of requested value and value allowed by auth
// plugin.
expiry := res.Success.MaxValiditySeconds
if durationParam != "" && requestedDuration < expiry {
expiry = requestedDuration
}
parentUser := "custom:" + res.Success.User
// metadata map
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
claims[expClaim] = UTCNow().Add(time.Duration(expiry) * time.Second).Unix()
claims[subClaim] = parentUser
claims[roleArnClaim] = roleArn.String()
claims[parentClaim] = parentUser
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
// Add all other claims from the plugin **without** replacing any
// existing claims.
for k, v := range res.Success.Claims {
support additional claim info in Auditing STS calls (#15381) Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2022-07-23 02:12:03 +08:00
if _, ok := claims[k]; !ok {
claims[k] = v
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
}
}
sr: use site replicator svcacct to sign STS session tokens (#19111) This change is to decouple need for root credentials to match between site replication deployments. Also ensuring site replication config initialization is re-tried until it succeeds, this deoendency is critical to STS flow in site replication scenario.
2024-02-27 05:26:18 +08:00
secretKey, err := getTokenSigningKey()
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
return
}
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(claims, secretKey)
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
tmpCredentials.ParentUser = parentUser
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
updatedAt, err := globalIAMSys.SetTempUser(ctx, tmpCredentials.AccessKey, tmpCredentials, "")
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
if err != nil {
assumeRole return the correct http code for auth errors (#16967)
2023-04-06 13:19:31 +08:00
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
return
}
// Call hook for site replication.
logging: Add subsystem to log API (#19002) Create new code paths for multiple subsystems in the code. This will make maintaing this easier later. Also introduce bugLogIf() for errors that should not happen in the first place.
2024-04-04 20:04:40 +08:00
replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: tmpCredentials.AccessKey,
SecretKey: tmpCredentials.SecretKey,
SessionToken: tmpCredentials.SessionToken,
ParentUser: tmpCredentials.ParentUser,
},
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-02 04:19:13 +08:00
UpdatedAt: updatedAt,
fix: do not return IAM/Bucket metadata replication errors to client (#16486)
2023-01-27 03:11:54 +08:00
}))
Add support for Identity Management Plugin (#14913) - Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-27 08:58:09 +08:00
response := new(AssumeRoleWithCustomTokenResponse)
response.Result.Credentials = tmpCredentials
response.Result.AssumedUser = parentUser
response.Metadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
writeSuccessResponseXML(w, encodeResponse(response))
}