MinIO console broken when using root account in RELEASE.2022-07-29T19-40-48Z

[fmillion]

Expected Behavior

Note: This is occurring within the official Docker image. I have not tested it with directly running minio outside of Docker.

When logging into the MinIO console as the root user, the user should have all privileges.

Current Behavior

On RELEASE.2022-07-29T19-40-48Z, when the root user logs in the user has no privileges - cannot create buckets, see settings, access any objects, etc. The list of buckets can be obtained, and pseudo-directories can be viewed within buckets, but no actual objects can be viewed.

This was tested on a fresh new instance of MinIO, as described below.

Possible Solution

For now, downgrading to RELEASE.2022-07-24T17-09-31Z has temporarily fixed the issue.

Steps to Reproduce (for bugs)

1. Use the following docker-compose.yml file to start up a simple MinIO instance:

services:
  minio:
    image: minio/minio:RELEASE.2022-07-29T19-40-48Z
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: rootuser1
      MINIO_ROOT_PASSWORD: Password1
    volumes:
      - ./data:/data
    ports:
      - 9000:9000
      - 9001:9001

2. Login to the MinIO console using the root user account. (I've deliberately used insecure credentials here, but it's reproducible with any credentials.)

3. Try to create a bucket and note that the Create Bucket option is disabled. Also note that most options in the left sidebar do not exist. The root account appears to have no privileges and is being treated like an anonymous user.

The mc admin trace command outputs the following when the user logs in:

127.0.0.1:9000  [OS os.Lstat] [2022-07-29T23:40:35.296] /data/.minio.sys/format.json 30.051µs
127.0.0.1:9000  [OS os.Lstat] [2022-07-29T23:40:35.296] /data/.minio.sys 9.347µs
127.0.0.1:9000  [STORAGE storage.StatVol] [2022-07-29T23:40:35.296] /data .minio.sys 19.138µs
127.0.0.1:9000  [OS os.OpenFileDirectIO] [2022-07-29T23:40:35.296] /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO/identity.json/xl.meta 37.448µs
127.0.0.1:9000  [OS os.OpenFile] [2022-07-29T23:40:35.296] /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO/identity.json/xl.meta 11.533µs
127.0.0.1:9000  [OS os.Access] [2022-07-29T23:40:35.296] /data/.minio.sys/tmp/8f936b07-9d9f-46d2-b999-fc3f0b443afc 26.813µs
127.0.0.1:9000  [OS os.Access] [2022-07-29T23:40:35.296] /data/.minio.sys/tmp 9.82µs
127.0.0.1:9000  [OS os.Mkdir] [2022-07-29T23:40:35.296] /data/.minio.sys/tmp/8f936b07-9d9f-46d2-b999-fc3f0b443afc 107.573µs
127.0.0.1:9000  [OS os.OpenFile] [2022-07-29T23:40:35.296] /data/.minio.sys/tmp/8f936b07-9d9f-46d2-b999-fc3f0b443afc/xl.meta 82.467µs
127.0.0.1:9000  [OS os.Access] [2022-07-29T23:40:35.300] /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO/identity.json 24.828µs
127.0.0.1:9000  [OS os.Access] [2022-07-29T23:40:35.300] /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO 11.646µs
127.0.0.1:9000  [OS os.Access] [2022-07-29T23:40:35.300] /data/.minio.sys/config/iam/sts 10.646µs
127.0.0.1:9000  [OS os.Mkdir] [2022-07-29T23:40:35.300] /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO 101.862µs
127.0.0.1:9000  [OS os.Mkdir] [2022-07-29T23:40:35.300] /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO/identity.json 61.089µs
127.0.0.1:9000  [OS os.Rename] [2022-07-29T23:40:35.301] /data/.minio.sys/tmp/8f936b07-9d9f-46d2-b999-fc3f0b443afc/xl.meta -> /data/.minio.sys/config/iam/sts/UKXDVLOC6H4HVARPBVSO/identity.json/xl.meta 57.817µs
127.0.0.1:9000  [OS os.Remove] [2022-07-29T23:40:35.301] /data/.minio.sys/tmp/8f936b07-9d9f-46d2-b999-fc3f0b443afc 93.637µs
127.0.0.1:9000  [STORAGE storage.RenameData] [2022-07-29T23:40:35.296] /data 8f936b07-9d9f-46d2-b999-fc3f0b443afc 9e736b7d-e899-4028-bfce-ecba92c2c1f4 .minio.sys config/iam/sts/UKXDVLOC6H4HVARPBVSO/identity.json 4.62314ms
172.23.0.2:9000 [REQUEST sts.AssumeRole] [2022-07-29T23:40:35.294] [Client IP: 172.23.0.2]
172.23.0.2:9000 POST /
172.23.0.2:9000 Proto: HTTP/1.1
172.23.0.2:9000 Host: 172.23.0.2:9000
172.23.0.2:9000 Authorization: AWS4-HMAC-SHA256 Credential=rootuser1/20220729//sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=6f8d2d63ec31a4d3519f060fa552175582149f31182f02fdac61f6e9ad53eea9
172.23.0.2:9000 Content-Length: 57
172.23.0.2:9000 Content-Type: application/x-www-form-urlencoded
172.23.0.2:9000 User-Agent: Go-http-client/1.1
172.23.0.2:9000 X-Amz-Date: 20220729T234035Z
172.23.0.2:9000 Action=AssumeRole&DurationSeconds=3600&Version=2011-06-15
172.23.0.2:9000 [RESPONSE] [2022-07-29T23:40:35.301] [ Duration 7.389ms  ↑ 126 B  ↓ 1.1 KiB ]
172.23.0.2:9000 200 OK
172.23.0.2:9000 Content-Security-Policy: block-all-mixed-content
172.23.0.2:9000 Content-Type: application/xml
172.23.0.2:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
172.23.0.2:9000 Vary: Origin
172.23.0.2:9000 X-Amz-Request-Id: 17067140AB0CA398
172.23.0.2:9000 X-Content-Type-Options: nosniff
172.23.0.2:9000 Accept-Ranges: bytes
172.23.0.2:9000 Content-Length: 764
172.23.0.2:9000 Server: MinIO
172.23.0.2:9000 X-Xss-Protection: 1; mode=block
172.23.0.2:9000 <?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><AssumeRoleResult><AssumedRoleUser><Arn></Arn><AssumeRoleId></AssumeRoleId></AssumedRoleUser><Credentials><AccessKeyId>UKXDVLOC6H4HVARPBVSO</AccessKeyId><SecretAccessKey>fzMa4VznHSPRlmGYEbWPEX+PuFb6gZsuPWtL1y3W</SecretAccessKey><Expiration>2022-07-30T00:40:35Z</Expiration><SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJVS1hEVkxPQzZINEhWQVJQQlZTTyIsImV4cCI6MTY1OTE0MTYzNSwicGFyZW50Ijoicm9vdHVzZXIxIn0.IYvCq6FuzPRbbJORJAuxqDbD0JKx0kSgEl-79lPAUbru2dGxjoKW8Ag3D2R6dIN-E_XgJp5__ON1OFc_h8gqfA</SessionToken></Credentials></AssumeRoleResult><ResponseMetadata><RequestId>17067140AB0CA398</RequestId></ResponseMetadata></AssumeRoleResponse>
172.23.0.2:9000 
127.0.0.1:9000  [OS os.OpenFileDirectIO] [2022-07-29T23:40:35.337] /data/.minio.sys/buckets/.usage.json/xl.meta 12.343µs
127.0.0.1:9000  [STORAGE storage.ReadVersion] [2022-07-29T23:40:35.337] /data .minio.sys buckets/.usage.json 299.578µs
127.0.0.1:9000  [OS os.OpenFile] [2022-07-29T23:40:35.337] /data 6.279µs
127.0.0.1:9000  [STORAGE storage.ListVols] [2022-07-29T23:40:35.337] /data / 21.768µs
172.23.0.2:9000 [REQUEST admin.AccountInfo] [2022-07-29T23:40:35.337] [Client IP: 172.23.0.2]
172.23.0.2:9000 GET /minio/admin/v3/accountinfo
172.23.0.2:9000 Proto: HTTP/1.1
172.23.0.2:9000 Host: 172.23.0.2:9000
172.23.0.2:9000 Content-Length: 0
172.23.0.2:9000 User-Agent: MinIO (linux; amd64) madmin-go/0.0.1
172.23.0.2:9000 X-Amz-Date: 20220729T234035Z
172.23.0.2:9000 X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJVS1hEVkxPQzZINEhWQVJQQlZTTyIsImV4cCI6MTY1OTE0MTYzNSwicGFyZW50Ijoicm9vdHVzZXIxIn0.IYvCq6FuzPRbbJORJAuxqDbD0JKx0kSgEl-79lPAUbru2dGxjoKW8Ag3D2R6dIN-E_XgJp5__ON1OFc_h8gqfA
172.23.0.2:9000 Authorization: AWS4-HMAC-SHA256 Credential=UKXDVLOC6H4HVARPBVSO/20220729//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=d9e5a2b92fe7152e3f70de2b2116ce0ca0be16df7fcbac3f84ff3468282fca2f
172.23.0.2:9000 Delimiter: /
172.23.0.2:9000 Prefix: 
172.23.0.2:9000 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.23.0.2:9000 
172.23.0.2:9000 [RESPONSE] [2022-07-29T23:40:35.337] [ Duration 633µs  ↑ 115 B  ↓ 590 B ]
172.23.0.2:9000 200 OK
172.23.0.2:9000 Server: MinIO
172.23.0.2:9000 Vary: Origin,Accept-Encoding
172.23.0.2:9000 X-Xss-Protection: 1; mode=block
172.23.0.2:9000 Accept-Ranges: bytes
172.23.0.2:9000 Content-Security-Policy: block-all-mixed-content
172.23.0.2:9000 Content-Type: application/json
172.23.0.2:9000 X-Content-Type-Options: nosniff
172.23.0.2:9000 Content-Length: 273
172.23.0.2:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
172.23.0.2:9000 X-Amz-Request-Id: 17067140AD9BDE97
172.23.0.2:9000 {"AccountName":"rootuser1","Server":{"Type":2,"GatewayOnline":false,"OnlineDisks":null,"OfflineDisks":null,"StandardSCData":[1],"StandardSCParity":0,"RRSCData":[1],"RRSCParity":0,"TotalSets":null,"DrivesPerSet":null},"Policy":{"Version":"","Statement":null},"Buckets":null}
172.23.0.2:9000 
172.23.0.2:9000 [REQUEST admin.SiteReplicationInfo] [2022-07-29T23:40:35.370] [Client IP: 172.23.0.2]
172.23.0.2:9000 GET /minio/admin/v3/site-replication/info
172.23.0.2:9000 Proto: HTTP/1.1
172.23.0.2:9000 Host: 172.23.0.2:9000
172.23.0.2:9000 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.23.0.2:9000 X-Amz-Date: 20220729T234035Z
172.23.0.2:9000 X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJVS1hEVkxPQzZINEhWQVJQQlZTTyIsImV4cCI6MTY1OTE0MTYzNSwicGFyZW50Ijoicm9vdHVzZXIxIn0.IYvCq6FuzPRbbJORJAuxqDbD0JKx0kSgEl-79lPAUbru2dGxjoKW8Ag3D2R6dIN-E_XgJp5__ON1OFc_h8gqfA
172.23.0.2:9000 Authorization: AWS4-HMAC-SHA256 Credential=UKXDVLOC6H4HVARPBVSO/20220729//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=10b78aedf6b489859c48209fa5a6eddebc857ddcab100b913700d5b45eb9d69b
172.23.0.2:9000 Content-Length: 0
172.23.0.2:9000 User-Agent: MinIO (linux; amd64) madmin-go/0.0.1
172.23.0.2:9000 <BODY>
172.23.0.2:9000 [RESPONSE] [2022-07-29T23:40:35.370] [ Duration 322µs  ↑ 98 B  ↓ 249 B ]
172.23.0.2:9000 200 OK
172.23.0.2:9000 Content-Security-Policy: block-all-mixed-content
172.23.0.2:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
172.23.0.2:9000 Vary: Origin,Accept-Encoding
172.23.0.2:9000 X-Amz-Request-Id: 17067140AF9B1BD8
172.23.0.2:9000 X-Content-Type-Options: nosniff
172.23.0.2:9000 X-Xss-Protection: 1; mode=block
172.23.0.2:9000 <BODY>
172.23.0.2:9000 
172.23.0.2:9000 [REQUEST admin.HelpConfigKV] [2022-07-29T23:40:35.372] [Client IP: 172.23.0.2]
172.23.0.2:9000 GET /minio/admin/v3/help-config-kv?key=&subSys=subnet
172.23.0.2:9000 Proto: HTTP/1.1
172.23.0.2:9000 Host: 172.23.0.2:9000
172.23.0.2:9000 User-Agent: MinIO (linux; amd64) madmin-go/0.0.1
172.23.0.2:9000 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.23.0.2:9000 X-Amz-Date: 20220729T234035Z
172.23.0.2:9000 X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJVS1hEVkxPQzZINEhWQVJQQlZTTyIsImV4cCI6MTY1OTE0MTYzNSwicGFyZW50Ijoicm9vdHVzZXIxIn0.IYvCq6FuzPRbbJORJAuxqDbD0JKx0kSgEl-79lPAUbru2dGxjoKW8Ag3D2R6dIN-E_XgJp5__ON1OFc_h8gqfA
172.23.0.2:9000 Authorization: AWS4-HMAC-SHA256 Credential=UKXDVLOC6H4HVARPBVSO/20220729//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=c848aae617701233f8e71ea152c8dc8bc632c9e5fe3de2b094e0028b4cbb40be
172.23.0.2:9000 Content-Length: 0
172.23.0.2:9000 
172.23.0.2:9000 [RESPONSE] [2022-07-29T23:40:35.374] [ Duration 2.013ms  ↑ 98 B  ↓ 762 B ]
172.23.0.2:9000 200 OK
172.23.0.2:9000 X-Xss-Protection: 1; mode=block
172.23.0.2:9000 Content-Security-Policy: block-all-mixed-content
172.23.0.2:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
172.23.0.2:9000 Vary: Origin,Accept-Encoding
172.23.0.2:9000 X-Amz-Request-Id: 17067140AFBD7F01
172.23.0.2:9000 X-Content-Type-Options: nosniff
172.23.0.2:9000 {"subSys":"subnet","description":"set subnet config for the cluster e.g. api key","multipleTargets":false,"keysHelp":[{"key":"license","type":"string","description":"[DEPRECATED use api_key] Subnet license token for the cluster","optional":true,"multipleTargets":false},{"key":"api_key","type":"string","description":"Subnet api key for the cluster","optional":true,"multipleTargets":false},{"key":"proxy","type":"string","description":"HTTP(S) proxy URL to use for connecting to SUBNET","optional":true,"multipleTargets":false}]}

172.23.0.2:9000 
127.0.0.1:9000  [OS os.OpenFileDirectIO] [2022-07-29T23:40:35.392] /data/.minio.sys/buckets/.usage.json/xl.meta 18.459µs
127.0.0.1:9000  [STORAGE storage.ReadVersion] [2022-07-29T23:40:35.392] /data .minio.sys buckets/.usage.json 345.827µs
127.0.0.1:9000  [OS os.OpenFile] [2022-07-29T23:40:35.393] /data 8.022µs
127.0.0.1:9000  [STORAGE storage.ListVols] [2022-07-29T23:40:35.393] /data / 151.077µs
172.23.0.2:9000 [REQUEST admin.AccountInfo] [2022-07-29T23:40:35.392] [Client IP: 172.23.0.2]
172.23.0.2:9000 GET /minio/admin/v3/accountinfo
172.23.0.2:9000 Proto: HTTP/1.1
172.23.0.2:9000 Host: 172.23.0.2:9000
172.23.0.2:9000 Delimiter: /
172.23.0.2:9000 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.23.0.2:9000 X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJVS1hEVkxPQzZINEhWQVJQQlZTTyIsImV4cCI6MTY1OTE0MTYzNSwicGFyZW50Ijoicm9vdHVzZXIxIn0.IYvCq6FuzPRbbJORJAuxqDbD0JKx0kSgEl-79lPAUbru2dGxjoKW8Ag3D2R6dIN-E_XgJp5__ON1OFc_h8gqfA
172.23.0.2:9000 Authorization: AWS4-HMAC-SHA256 Credential=UKXDVLOC6H4HVARPBVSO/20220729//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=d9e5a2b92fe7152e3f70de2b2116ce0ca0be16df7fcbac3f84ff3468282fca2f
172.23.0.2:9000 Content-Length: 0
172.23.0.2:9000 Prefix: 
172.23.0.2:9000 User-Agent: MinIO (linux; amd64) madmin-go/0.0.1
172.23.0.2:9000 X-Amz-Date: 20220729T234035Z
172.23.0.2:9000 
172.23.0.2:9000 [RESPONSE] [2022-07-29T23:40:35.393] [ Duration 944µs  ↑ 115 B  ↓ 590 B ]
172.23.0.2:9000 200 OK
172.23.0.2:9000 Content-Length: 273
172.23.0.2:9000 Content-Security-Policy: block-all-mixed-content
172.23.0.2:9000 Content-Type: application/json
172.23.0.2:9000 Vary: Origin,Accept-Encoding
172.23.0.2:9000 X-Amz-Request-Id: 17067140B0E6CA77
172.23.0.2:9000 Accept-Ranges: bytes
172.23.0.2:9000 Server: MinIO
172.23.0.2:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
172.23.0.2:9000 X-Content-Type-Options: nosniff
172.23.0.2:9000 X-Xss-Protection: 1; mode=block
172.23.0.2:9000 {"AccountName":"rootuser1","Server":{"Type":2,"GatewayOnline":false,"OnlineDisks":null,"OfflineDisks":null,"StandardSCData":[1],"StandardSCParity":0,"RRSCData":[1],"RRSCParity":0,"TotalSets":null,"DrivesPerSet":null},"Policy":{"Version":"","Statement":null},"Buckets":null}
172.23.0.2:9000 
172.23.0.2:9000 [REQUEST admin.GetConfigKV] [2022-07-29T23:40:35.375] [Client IP: 172.23.0.2]
172.23.0.2:9000 GET /minio/admin/v3/get-config-kv?key=subnet
172.23.0.2:9000 Proto: HTTP/1.1
172.23.0.2:9000 Host: 172.23.0.2:9000
172.23.0.2:9000 User-Agent: MinIO (linux; amd64) madmin-go/0.0.1
172.23.0.2:9000 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.23.0.2:9000 X-Amz-Date: 20220729T234035Z
172.23.0.2:9000 X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJVS1hEVkxPQzZINEhWQVJQQlZTTyIsImV4cCI6MTY1OTE0MTYzNSwicGFyZW50Ijoicm9vdHVzZXIxIn0.IYvCq6FuzPRbbJORJAuxqDbD0JKx0kSgEl-79lPAUbru2dGxjoKW8Ag3D2R6dIN-E_XgJp5__ON1OFc_h8gqfA
172.23.0.2:9000 Authorization: AWS4-HMAC-SHA256 Credential=UKXDVLOC6H4HVARPBVSO/20220729//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=da621498615db62bea4da264fcbca30c172087c16e24afb4754c47de65022267
172.23.0.2:9000 Content-Length: 0
172.23.0.2:9000 <BODY>
172.23.0.2:9000 [RESPONSE] [2022-07-29T23:40:35.401] [ Duration 25.715ms  ↑ 98 B  ↓ 405 B ]
172.23.0.2:9000 200 OK
172.23.0.2:9000 Accept-Ranges: bytes
172.23.0.2:9000 Content-Security-Policy: block-all-mixed-content
172.23.0.2:9000 Server: MinIO
172.23.0.2:9000 X-Amz-Request-Id: 17067140AFE39A59
172.23.0.2:9000 X-Xss-Protection: 1; mode=block
172.23.0.2:9000 Content-Length: 89
172.23.0.2:9000 Content-Type: application/json
172.23.0.2:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
172.23.0.2:9000 Vary: Origin,Accept-Encoding
172.23.0.2:9000 X-Content-Type-Options: nosniff
172.23.0.2:9000 <BODY>
172.23.0.2:9000 

Context

This does not appear to impact access to the S3 backend itself. In testing so far it only appears to affect the MinIO integrated console.

Regression

This appears to be a regression. Downgrading to RELEASE.2022-07-24T17-09-31Z resolves the issue and the console can again be accessed using the root account.

Your Environment

• Version used (minio --version): RELEASE.2022-07-24T17-09-31Z
• Server setup and configuration:
  • Docker version 20.10.16, build aa7e414fdcb23a66e8fabbef0a560ef1769eace5
  • Docker Compose version v2.6.0
  • ZFS filesystem for storage
  • x86_64 architecture
• Operating System and version (uname -a): Alpine Linux as bare-metal OS on primary test system. Reproduced on Ubuntu 22.04 as well.

[harshavardhana]

Just proceed to create a new user with consoleAdmin policy and use that to login for now @fmillion

[harshavardhana]

Found the problem looks like Console UI expects Policy to be returned.

[aminotran]

I also had the same problem when upgrading docker image for minio