if the MINIO_ROOT_USER is changed, all its existing "service accounts" are orphaned #17565
Comments
A service account is associated with its parent credentials. If parent credentials change then the service accounts simply become invalid because the parent is no longer the same. A parent must not change.

Service accounts do not migrate because there is no way for us to know the previous credentials if you change them. Service accounts only exist as long as their parent accounts exist in their existing form. If there is any change in their form they are simply invalidated and disallowed access. Think of them like tokens: the tokens are no longer valid since the parent is non-existent anymore. It is to provide security guarantees in the current design. Just recreate the same credentials that you did again once the new parent exists. We can provide a different way to migrate these accounts with the new set of parents via an API, but that is something we will discuss internally.

@harshavardhana I am sure the root user's service accounts can be dealt with as a special case, by just changing their "parent account" in the database to always point to the root account. If not, then we must at least clean the credentials up when their parent account no longer exists, this way I don't have to manually
PS: I think this issue of the old service accounts remaining is specific to

Will keep this open until we decide on what to do here.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 15 days if no further activity occurs. Thank you for your contributions.
NOTE: If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

Current Behavior

If the MINIO_ROOT_USER is changed while it has one or more "service accounts" (the ones you create with mc admin user svcacct add), those service accounts are not migrated to the new user, and continue to exist. This can easily be verified by using mc admin user svcacct info myminio "orphan_service_account", which will return that the account exists, but under the old value of MINIO_ROOT_USER. As far as I know, because the old MINIO_ROOT_USER no longer exists (and therefore has no access from MinIO's perspective), these orphaned users have no access beyond the ability to log in.

Desired Behaviour

When the value of MINIO_ROOT_USER is changed these service accounts should be migrated to the new root user. If this is not possible, we must at least delete them, so that they don't clog up the cluster (and also prevent new service accounts from being created with the same name in the future, as they are unique cluster-wide).

Regression

Unknown

Context

This issue appears on at least minio RELEASE.2023-06-29T05-12-28Z, and I am sure all others too.
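An added example, not code from this issue or from the MinIO project, of the audit an operator would run after rotating MINIO_ROOT_USER: it parses captured mc --json output (constructed sample records here; the accessKey/parentUser key names are an assumption about mc's output) and lists the service accounts whose parent user no longer exists, together with the mc admin user svcacct rm commands to review before cleaning them up.

```python
"""Find MinIO service accounts orphaned by a MINIO_ROOT_USER change.

Added example, not from the issue or MinIO. Input is the captured output of
mc admin user list --json (USER_LIST) and mc admin user svcacct info --json
(SVCACCT_INFO), one JSON object per line; the accessKey/parentUser key names
are an assumption about mc's --json output, so check them against your mc.
"""
import json

# Constructed sample: IAM users the cluster currently knows about.
USER_LIST = """\
{"status":"success","accessKey":"alice","userStatus":"enabled"}
{"status":"success","accessKey":"backup-svc","userStatus":"enabled"}
"""

# Constructed sample: svcacct info for each service account in the cluster.
SVCACCT_INFO = """\
{"status":"success","accessKey":"orphan_service_account","parentUser":"old-root"}
{"status":"success","accessKey":"alice-ci","parentUser":"alice"}
{"status":"success","accessKey":"root-cron","parentUser":"new-root"}
"""


def parse_ndjson(text):
    """mc --json prints one object per line; ignore blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def live_users(user_list_text, root_user):
    """Identities that can still act as a parent: the root user plus IAM users."""
    users = {u["accessKey"] for u in parse_ndjson(user_list_text)}
    users.add(root_user)
    return users


def find_orphans(svcacct_text, user_list_text, root_user):
    """Service accounts whose parentUser is no longer a live identity."""
    valid = live_users(user_list_text, root_user)
    return [a["accessKey"] for a in parse_ndjson(svcacct_text)
            if a.get("parentUser") not in valid]


def cleanup_commands(orphans, alias="myminio"):
    """mc commands that would remove the orphans; returned for review, not run."""
    return [f"mc admin user svcacct rm {alias} {key}" for key in orphans]


if __name__ == "__main__":  # root user after rotation; the old value was "old-root"
    print("\n".join(cleanup_commands(find_orphans(SVCACCT_INFO, USER_LIST, "new-root"))))
```

The same check can be pointed at the old root name instead, which shows that only accounts whose parent is absent from the live set are reported.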