
idp-ldap: Fix create-with-login command #5036
Merged: 1 commit, Sep 15, 2024

Conversation

vadmeste (Member)

Community Contribution License

All community contributions in this pull request are licensed to the project maintainers
under the terms of the Apache 2 license.
By creating this pull request I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 license.

Description

Currently, LDAP create-with-login command is not working properly when the LDAP user does not have admin:CreateServiceAccount permission.

The permission is normally not needed since a user is allowed to create a service account for itself. In that case, a temporary account should be created and a new service account should be issued to the temporary account access key, and not to the LDAP username as what the code currently does.

This commit will send the correct target user in that case to make create-with-login always successful.

Motivation and Context

Fix creating a new service account of an LDAP user

How to test this PR?

Run a MinIO cluster with LDAP enabled and run this: mc idp ldap accesskey create-with-login http://localhost:9000

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here
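As an added illustration, not code from this PR or from mc/MinIO, the following Go program models why targeting the temporary STS credential fixes create-with-login. The authorization rule in CanCreateServiceAccount is a simplified stand-in for the server's check (a caller may always create a service account for itself; any other target needs admin:CreateServiceAccount), AssumeRoleWithLDAP fakes the STS exchange, and every name here (Identity, CanCreateServiceAccount, CreateWithLoginBefore/After) is an assumption rather than a MinIO API.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CreateServiceAccountAction is the admin action named in the PR description.
const CreateServiceAccountAction = "admin:CreateServiceAccount"

// ErrAccessDenied is what the modelled server returns when a caller tries to
// create a service account for a different user without the admin action.
var ErrAccessDenied = errors.New("access denied: admin:CreateServiceAccount required for another user")

// Identity models a caller as the server sees it. For a temporary STS credential
// the AccessKey is a generated value, not the LDAP username that logged in.
type Identity struct {
	AccessKey  string   // what the caller authenticates as
	ParentUser string   // LDAP username the STS credential was issued to ("" for a plain user)
	Actions    []string // admin actions granted to the caller, e.g. CreateServiceAccountAction
}

// CanCreateServiceAccount is a simplified stand-in (assumption, not MinIO's
// evaluator) for the rule the PR relies on: self-service needs no explicit
// permission; creating for another target user does.
func CanCreateServiceAccount(caller Identity, targetUser string) error {
	if targetUser == "" || targetUser == caller.AccessKey {
		return nil // the caller is creating a service account for itself
	}
	for _, a := range caller.Actions {
		if a == CreateServiceAccountAction {
			return nil
		}
	}
	return ErrAccessDenied
}

// AssumeRoleWithLDAP fakes the STS login: it hands back a temporary credential
// whose access key is derived (deterministically, for this constructed example)
// from the LDAP username and is therefore never equal to it.
func AssumeRoleWithLDAP(ldapUser string, actions []string) Identity {
	sum := sha256.Sum256([]byte("constructed-sts-nonce:" + ldapUser))
	return Identity{
		AccessKey:  "STS" + hex.EncodeToString(sum[:8]),
		ParentUser: ldapUser,
		Actions:    actions,
	}
}

// CreateWithLoginBefore reproduces the behaviour the PR describes as broken:
// the client logs in via STS but still names the LDAP username as the target,
// so the server treats the request as "create for another user".
func CreateWithLoginBefore(ldapUser string, actions []string) error {
	tmp := AssumeRoleWithLDAP(ldapUser, actions)
	return CanCreateServiceAccount(tmp, ldapUser)
}

// CreateWithLoginAfter applies the PR's fix: the target is the temporary
// credential's own access key, so the request is self-service and succeeds
// without admin:CreateServiceAccount. It returns the target user that was sent.
func CreateWithLoginAfter(ldapUser string, actions []string) (string, error) {
	tmp := AssumeRoleWithLDAP(ldapUser, actions)
	if err := CanCreateServiceAccount(tmp, tmp.AccessKey); err != nil {
		return "", err
	}
	return tmp.AccessKey, nil
}

func main() {
	const user = "uid=bob,ou=people,dc=example,dc=org" // constructed LDAP username
	fmt.Println("before fix, no admin action:  ", CreateWithLoginBefore(user, nil))
	fmt.Println("before fix, with admin action:", CreateWithLoginBefore(user, []string{CreateServiceAccountAction}))
	target, err := CreateWithLoginAfter(user, nil)
	fmt.Println("after fix, no admin action:   target =", target, "err =", err)
}
```

The two "before" calls show the symptom exactly as the description states it: the old flow only works when the LDAP user happens to hold admin:CreateServiceAccount, while the fixed flow succeeds without it and leaves the accept/reject decision to the server.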

Currently, LDAP create-with-login command is not working properly when
the LDAP user does not have admin:CreateServiceAccount permission.

The permission is normally not needed since a user is allowed
to create a service account for itself. In that case, a temporary
account should be created and a new service account should be issued to
the temporary account access key, and not to the LDAP username as what
the code currently does.

This commit will send the correct target user in that case to make
create-with-login always successful.
@donatello (Member)

Does this seem OK? The user is not permitted create-service-account, but we are creating one anyway (via an STS cred)?

@donatello (Member) left a comment

The permission is normally not needed since a user is allowed to create a service account for itself. In that case, a temporary account should be created and a new service account should be issued to the temporary account access key, and not to the LDAP username as what the code currently does.

Generally, create-service-account permission is implicit, but when it's explicitly denied is it right to create one here? I think I may be missing something.

@harshavardhana (Member)

Generally, create-service-account permission is implicit, but when it's explicitly denied is it right to create one here? I think I may be missing something.

You will be rejected by the server, @donatello. What @vadmeste is doing is how the Console UI does create-with-login: instead of passing the LDAP username directly we must pass the STS creds and let the server tell us yay or nay.

@donatello (Member) left a comment

Looks good. CC @taran-p

@taran-p (Contributor) left a comment

LGTM

@donatello donatello merged commit bbfe577 into minio:master Sep 15, 2024
5 checks passed
4 participants