
Do not allow adding root user to IAM subsystem #16803

Merged
merged 1 commit into from
Mar 13, 2023

Conversation

@harshavardhana (Member) commented Mar 13, 2023

Description

Do not allow adding root user to IAM subsystem

Motivation and Context

A user with sufficient admin-level privileges can
add the root user into the IAM subsystem, which
would lead to permanently disabled access to the root
credentials.

The problem exists since the RELEASE.2020-12-23T02-24-12Z
release onwards; a similar change was also introduced
in the IAM import API since RELEASE.2022-06-25T15-50-16Z.

This PR fixes both scenarios.

How to test this PR?

Unit tests are added to cover the scenario.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here

A user with sufficient admin-level privileges can
add the root user into the IAM subsystem, which would
lead to permanently disabled access for root
credentials.

The problem exists since the RELEASE.2020-12-23T02-24-12Z
release onwards; a similar change was also introduced in the IAM
import API since RELEASE.2022-06-25T15-50-16Z.

This PR fixes both scenarios.
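The PR's own diff is not shown on this page, so the following is an added illustration, not MinIO's code: a toy in-memory IAM store that applies one shared root-credential guard in both write paths the description names, the admin add-user API and the IAM import API. All names here (IAMStore, AddUser, ImportUsers, ErrRootUserNotAllowed) are hypothetical, and the root credentials are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrRootUserNotAllowed is a hypothetical sentinel, not MinIO's own identifier.
var ErrRootUserNotAllowed = errors.New("root user cannot be added to the IAM subsystem")

// Credentials is a minimal stand-in for an access/secret key pair.
type Credentials struct{ AccessKey, SecretKey string }

// IAMStore is a toy in-memory IAM store (not MinIO's IAMSys) that knows the root credentials.
type IAMStore struct {
	root  Credentials
	users map[string]Credentials
}

func NewIAMStore(root Credentials) *IAMStore {
	return &IAMStore{root: root, users: map[string]Credentials{}}
}

// isRoot is the single guard shared by both write paths, so they cannot drift apart.
func (s *IAMStore) isRoot(accessKey string) bool { return accessKey == s.root.AccessKey }

// AddUser mirrors the admin add-user API: the root access key must never become an IAM user.
func (s *IAMStore) AddUser(accessKey, secretKey string) error {
	if s.isRoot(accessKey) {
		return ErrRootUserNotAllowed
	}
	s.users[accessKey] = Credentials{AccessKey: accessKey, SecretKey: secretKey}
	return nil
}

// ImportUsers mirrors the IAM import API: validate the whole batch before writing anything.
func (s *IAMStore) ImportUsers(batch map[string]Credentials) error {
	for accessKey := range batch {
		if s.isRoot(accessKey) {
			return fmt.Errorf("import rejected at entry %q: %w", accessKey, ErrRootUserNotAllowed)
		}
	}
	for k, v := range batch {
		s.users[k] = v
	}
	return nil
}

// UserCount lets callers and tests confirm that a rejected import wrote nothing.
func (s *IAMStore) UserCount() int { return len(s.users) }
```

Validating the import batch up front matters because a partially applied import would leave the store in a state that neither the caller nor an audit log describes.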
@minio-trusted (Contributor)

Mint Automation

Test Result
mint-erasure.sh ✔️
mint-compress-encrypt-dist-erasure.sh (see log below)
mint-pools.sh (see log below)

16803-1d1b209/mint-pools.sh.log:

Running with
SERVER_ENDPOINT:      15.15.15.7:31416
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL:          0

To get logs, run 'docker cp 669afbd10fa0:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 9 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 42 seconds
(4/14) Running aws-sdk-ruby tests ... done in 10 seconds
(5/14) Running awscli tests ... done in 2 minutes and 24 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 18 seconds
(8/14) Running minio-go tests ... done in 56 seconds
(9/14) Running minio-java tests ... done in 45 seconds
(10/14) Running minio-js tests ... FAILED in 1 minutes and 1 seconds
{
  "name": "minio-js",
  "function": "\"after all\" hook in \"functional tests\"",
  "duration": 7273,
  "status": "FAIL",
  "error": "S3Error: The bucket you tried to delete is not empty at Object.parseError (node_modules/minio/dist/main/xml-parsers.js:71:11) at /mint/run/core/minio-js/node_modules/minio/dist/main/transformers.js:166:22 at DestroyableTransform._flush (node_modules/minio/dist/main/transformers.js:90:10) at DestroyableTransform.prefinish (node_modules/readable-stream/lib/_stream_transform.js:129:10) at prefinish (node_modules/readable-stream/lib/_stream_writable.js:611:14) at finishMaybe (node_modules/readable-stream/lib/_stream_writable.js:620:5) at endWritable (node_modules/readable-stream/lib/_stream_writable.js:643:3) at DestroyableTransform.Writable.end (node_modules/readable-stream/lib/_stream_writable.js:571:22) at IncomingMessage.onend (internal/streams/readable.js:670:10) at endReadableNT (internal/streams/readable.js:1333:12) at processTicksAndRejections (internal/process/task_queues.js:82:21)"
}
(10/14) Running minio-py tests ... done in 2 minutes and 21 seconds
(11/14) Running s3cmd tests ... done in 18 seconds
(12/14) Running s3select tests ... done in 4 seconds
(13/14) Running versioning tests ... done in 3 minutes and 20 seconds

Executed 13 out of 14 tests successfully.

16803-1d1b209/mint-compress-encrypt-dist-erasure.sh.log:

Running with
SERVER_ENDPOINT:      15.15.15.8:31036
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL:          0

To get logs, run 'docker cp 41dc944b6939:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 8 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 42 seconds
(4/14) Running aws-sdk-ruby tests ... done in 10 seconds
(5/14) Running awscli tests ... done in 2 minutes and 23 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 18 seconds
(8/14) Running minio-go tests ... done in 49 seconds
(9/14) Running minio-java tests ... done in 31 seconds
(10/14) Running minio-js tests ... done in 58 seconds
(11/14) Running minio-py tests ... FAILED in 1 minutes and 6 seconds
{
  "name": "minio-py:test_put_object",
  "status": "FAIL",
  "args": {
    "bucket_name": "minio-py-test-de11b877-cc95-481a-b403-0229416a8478",
    "object_name": "6bc2e079-6c01-4e61-9c40-35003bf8b1ce-metadata",
    "length": 11534336,
    "data": "LimitedRandomReader(11 * MB)",
    "metadata": {
      "x-amz-meta-testing": "value",
      "test-key": "value2"
    },
    "content_type": "application/octet-stream"
  },
  "message": "('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))",
  "error": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n    httplib_response = self._make_request(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n    six.raise_from(e, None)\n  File \"<string>\", line 3, in raise_from\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n    httplib_response = conn.getresponse()\n  File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n    response.begin()\n  File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n    version, status, reason = self._read_status()\n  File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n    line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n  File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n    return self._sock.recv_into(b)\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/mint/run/core/minio-py/tests.py\", line 126, in _call_test\n    func(log_entry, *args, **kwargs)\n  File \"/mint/run/core/minio-py/tests.py\", line 697, in test_put_object\n    _CLIENT.put_object(bucket_name, object_name + \"-metadata\", reader,\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1766, in put_object\n    raise exc\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1725, in put_object\n    upload_id = self._create_multipart_upload(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1565, in _create_multipart_upload\n    response = self._execute(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 403, in _execute\n    return self._url_open(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 266, in _url_open\n    response = self._http.urlopen(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/poolmanager.py\", line 376, in urlopen\n    response = conn.urlopen(method, u.request_uri, **kw)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 787, in urlopen\n    retries = retries.increment(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py\", line 550, in increment\n    raise six.reraise(type(error), error, _stacktrace)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/packages/six.py\", line 769, in reraise\n    raise value.with_traceback(tb)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n    httplib_response = self._make_request(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n    six.raise_from(e, None)\n  File \"<string>\", line 3, in raise_from\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n    httplib_response = conn.getresponse()\n  File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n    response.begin()\n  File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n    version, status, reason = self._read_status()\n  File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n    line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n  File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n    return self._sock.recv_into(b)\nurllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))\n",
  "duration": 62741
}
(11/14) Running s3cmd tests ... done in 16 seconds
(12/14) Running s3select tests ... done in 4 seconds
(13/14) Running versioning tests ... done in 3 minutes and 4 seconds

Executed 13 out of 14 tests successfully.

Deleting image on docker hub
Deleting image locally

@poornas (Contributor) left a comment

LGTM

@vadmeste (Member) left a comment

LGTM


6 participants