Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: permission checks for editing access keys #18928

Merged
merged 1 commit into from Jan 31, 2024
Merged

fix: permission checks for editing access keys #18928

merged 1 commit into from Jan 31, 2024

Conversation

donatello
Copy link
Member

Description

With this change, only a user with UpdateServiceAccountAdminAction permission is able to edit access keys.

We would like to let a user edit their own access keys, however the feature needs to be re-designed for better security and integration with external systems like AD/LDAP and OpenID.

This change prevents privilege escalation via service accounts.

Motivation and Context

How to test this PR?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here

harshavardhana
harshavardhana requested changes Jan 31, 2024
View reviewed changes
Copy link
Member

@harshavardhana harshavardhana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some tests might be needed as well for MinIO as IDP users.

cmd/iam.go Outdated Show resolved Hide resolved
@donatello donatello force-pushed the fix-acckey-edit branch 2 times, most recently from 430f698 to 766b7e8 Compare January 31, 2024 08:03
@donatello
Copy link
Member Author

Tests updated

vadmeste
vadmeste reviewed Jan 31, 2024
View reviewed changes
cmd/iam.go Outdated Show resolved Hide resolved
cmd/iam.go Outdated Show resolved Hide resolved
@donatello
fix: permission checks for editing access keys
9882b33 
With this change, only a user with `UpdateServiceAccountAdminAction`
permission is able to edit access keys.

We would like to let a user edit their own access keys, however the
feature needs to be re-designed for better security and integration with
external systems like AD/LDAP and OpenID.

This change prevents privilege escalation via service accounts.
vadmeste
vadmeste approved these changes Jan 31, 2024
View reviewed changes
Copy link
Member

@vadmeste vadmeste left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@harshavardhana harshavardhana merged commit 0ae4915 into minio:master Jan 31, 2024
20 checks passed
@donatello donatello mentioned this pull request Feb 1, 2024
Merged
8 tasks
@donatello donatello deleted the fix-acckey-edit branch February 1, 2024 22:22
@djwfyi djwfyi mentioned this pull request Feb 5, 2024
Open
2 tasks
Adphi pushed a commit to linka-cloud/minio-gateway that referenced this pull request Mar 21, 2024
@donatello @Adphi
fix: permission checks for editing access keys (minio#18928)
44b4456 
With this change, only a user with `UpdateServiceAccountAdminAction`
permission is able to edit access keys.

We would like to let a user edit their own access keys, however the
feature needs to be re-designed for better security and integration with
external systems like AD/LDAP and OpenID.

This change prevents privilege escalation via service accounts.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vadmeste vadmeste vadmeste approved these changes

@harshavardhana harshavardhana harshavardhana approved these changes

@klauspost klauspost Awaiting requested review from klauspost

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@donatello @vadmeste @harshavardhana @klauspost