svc: Assume access key creation permission to be available by default (…

…minio#3306) Allow SVC creation when CreateServiceAccount is denied with a condition Adding this policy will make the user not able to create a service account anymore: ``` { "Effect": "Deny", "Action": [ "admin:CreateServiceAccount" ], "Condition": { "NumericGreaterThanIfExists": {"svc:DurationSeconds": "1500"} } }, ``` The reason is that policy.IsAllowedActions() is called with conditions from the user login. Assume svc account creation to be possible for now until we come up with a better fix Co-authored-by: Anis Eleuch <[email protected]> Co-authored-by: Prakash Senthil Vel <[email protected]>
brandongevat · May 8, 2024 · d0f744e · d0f744e
1 parent a8c043c
commit d0f744e
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/api/user_session.go b/api/user_session.go
@@ -139,6 +139,14 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models
 
 	defaultActions := policy.IsAllowedActions("", "", conditionValues)
 
+	// Allow Create Access Key when admin:CreateServiceAccount is provided with a condition
+	for _, statement := range policy.Statements {
+		if statement.Effect == "Deny" && len(statement.Conditions) > 0 &&
+			statement.Actions.Contains(minioIAMPolicy.CreateServiceAccountAdminAction) {
+			defaultActions.Add(minioIAMPolicy.Action(minioIAMPolicy.CreateServiceAccountAdminAction))
+		}
+	}
+
 	permissions := map[string]minioIAMPolicy.ActionSet{
 		ConsoleResourceName: defaultActions,
 	}