Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsupported admin action 'admin:UpdatePolicyAssociation' #18078

Closed
nreisingercres opened this issue Sep 21, 2023 · 8 comments · Fixed by #18080
Closed

Unsupported admin action 'admin:UpdatePolicyAssociation' #18078

nreisingercres opened this issue Sep 21, 2023 · 8 comments · Fixed by #18080
Assignees
@harshavardhana
Labels
community fixed

Comments

@nreisingercres
Copy link

I am not able to add admin:UpdatePolicyAssociation as an action to a access token policy.

Expected Behavior

I can add admin:UpdatePolicyAssociation as an action to my access key policy

Current Behavior

I get mc: <ERROR> Unable to edit the specified service account: unsupported admin action 'admin:UpdatePolicyAssociation'.

Possible Solution

It appears that only part of minio recognizes the permission so it may need to be added to a different part of minio.

Steps to Reproduce (for bugs)

  1. Create update_associaton.json with
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:GetPolicy",
                "admin:UpdatePolicyAssociation"
            ]
        }
    ]
}
  1. Run mc admin user svcacct add <alias> <username> --policy update_association.json

Context

I am trying to add a specific permission to allow mc idp ldap policy attach ...
In the documentation I see admin:AttachUserOrGroupPolicy however that does not grant permission for this command.
Looking at the code I see here that it looks for the permission UpdatePolicyAssociationAction that appears to be set here as admin:UpdatePolicyAssociation but it cannot be attached to a user.
This leaves me having to use admin:* that violates the principle of least privilege.

Regression

No. I found no other issues on this.

Your Environment

  • Version used (minio --version):
minio version RELEASE.2023-08-16T20-17-30Z (commit-id=d09351bb10883d1b55579d11ad68efafaa86b700)
Runtime: go1.19.12 linux/amd64
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Copyright: 2015-2023 MinIO, Inc.
  • Server setup and configuration: Using podman to run the container
  • Operating System and version (uname -a): Linux 6.1.0-10-amd64 Full restructure in accordance with #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27) x86_64 GNU/Linux
@harshavardhana
Copy link
Member

@nreisingercres have you tried this with latest release?

@nreisingercres
Copy link
Author

I just tested with the newest version and have the same issue.
Version info I just tested:

minio version RELEASE.2023-09-20T22-49-55Z (commit-id=9788d85ea3a99eeed8073a57a21ccee71035f152)
Runtime: go1.21.1 linux/amd64
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Copyright: 2015-2023 MinIO, Inc.

@harshavardhana
Copy link
Member

I just tested with the newest version and have the same issue. Version info I just tested:

minio version RELEASE.2023-09-20T22-49-55Z (commit-id=9788d85ea3a99eeed8073a57a21ccee71035f152)
Runtime: go1.21.1 linux/amd64
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Copyright: 2015-2023 MinIO, Inc.

I will check.

@harshavardhana harshavardhana self-assigned this Sep 21, 2023
@harshavardhana
Copy link
Member

I just tested with the newest version and have the same issue.
Version info I just tested:

@nreisingercres can you paste the error via --debug

harshavardhana added a commit to harshavardhana/minio that referenced this issue Sep 21, 2023
@harshavardhana
allow admin actions to have proper condition map
217ae28 
upgrade minio/pkg to v2.0.2

fixes minio#18078
@harshavardhana harshavardhana mentioned this issue Sep 21, 2023
Merged
8 tasks
@nreisingercres
Copy link
Author

@nreisingercres can you paste the error via --debug

mc.exe: <ERROR> Unable to parse the policy document. unsupported admin action 'admin:UpdatePolicyAssociation'
 (0) github.com/minio/mc/cmd/admin-user-svcacct-add.go:318 cmd.mainAdminUserSvcAcctAdd(..)
 Release-Tag:RELEASE.2023-08-15T23-03-09Z | Commit:df68f5cf897d | Host:NICKREISINGER | OS:windows | Arch:amd64 | Lang:go1.19.12 | Mem:3.0 MiB/18 MiB | Heap:3.0 MiB/7.8 MiB.

harshavardhana added a commit that referenced this issue Sep 21, 2023
@harshavardhana
allow admin actions to have proper condition map (#18080)
373d48c 
upgrade minio/pkg to v2.0.2

fixes #18078
@harshavardhana
Copy link
Member

mc.exe: Unable to parse the policy document. unsupported admin action 'admin:UpdatePolicyAssociation'
(0) github.com/minio/mc/cmd/admin-user-svcacct-add.go:318 cmd.mainAdminUserSvcAcctAdd(..)
Release-Tag:RELEASE.2023-08-15T23-03-09Z | Commit:df68f5cf897d | Host:NICKREISINGER | OS:windows | Arch:amd64 | Lang:go1.19.12 | Mem:3.0 MiB/18 MiB | Heap:3.0 MiB/7.8 MiB.

this is an mc bug not MinIO server.

@harshavardhana
Copy link
Member

your mc version needs to be upgrade here.

@harshavardhana
Copy link
Member

Remember always if you upgrade server, make sure you upgrade mc. That's how we make releases. mc must follow the server upgrade cycles.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@harshavardhana harshavardhana

Labels
community fixed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

allow admin actions to have proper condition map harshavardhana/minio
2 participants
@harshavardhana @nreisingercres