minio / minio

The Object Store for AI Data Infrastructure

Home Page:https://min.io/download


aws:groups does not work in policies

olljanat opened this issue · comments

Expected Behavior

#16538 added support for aws:groups but as far as I can see it does not work. Test automation only exists for jwt:groups, so most likely there is some logic issue.

Current Behavior

I added a logging line

logger.Error(fmt.Sprintf("getConditionValues called: Username %v, claims: %v, groups %v", username, claims, groups))

below this one:

func getConditionValues(r *http.Request, lc string, cred auth.Credentials) map[string][]string {
	currTime := UTCNow()
	var (
		username = cred.AccessKey
		claims   = cred.Claims
		groups   = cred.Groups
	)

and what I see is messages like these, even when the user is part of the group:

getConditionValues called: Username ANTTQ5LPWPWYV8WFYKUS, claims: map[accessKey:ANTTQ5LPWPWYV8WFYKUS exp:1.715220743e+09 parent:test], groups []
getConditionValues called: Username test, claims: map[], groups []

Possible Solution

Perhaps the order of the code needs to be changed so that cred.Groups gets populated before the getConditionValues function is called.
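To show why an unpopulated cred.Groups makes a group condition fail regardless of real membership, here is an added, self-contained model of the flow the issue describes (example code written for this thread, not MinIO's own; the Credentials struct, the policy subset, the StringEquals semantics and the sample policy are simplified assumptions). It builds the condition map from a credential, evaluates a constructed policy whose only condition is on aws:groups, and shows that an empty Groups slice, or groups published under a different key, can never match.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Credentials is a cut-down stand-in (assumed shape, not MinIO's
// auth.Credentials) carrying only the fields the issue's log line prints.
type Credentials struct {
	AccessKey string
	Claims    map[string]interface{}
	Groups    []string
}

// The three group condition keys named in the thread.
const (
	AWSGroups  = "aws:groups"
	JWTGroups  = "jwt:groups"
	LDAPGroups = "ldap:groups"
)

// ConditionValues models what the issue says getConditionValues does: copy the
// credential's groups into the request's condition map under groupKey. An empty
// cred.Groups produces no group key at all, which is the "groups []" state in
// the log and the reason a membership condition can never match.
func ConditionValues(cred Credentials, groupKey string) map[string][]string {
	values := map[string][]string{"aws:username": {cred.AccessKey}}
	if len(cred.Groups) > 0 {
		values[groupKey] = append([]string(nil), cred.Groups...)
	}
	return values
}

// Policy is the subset of a policy document this example understands: each
// statement's Condition is operator -> key -> values, with values always given
// as JSON arrays (assumed simplification of the real format).
type Policy struct {
	Statement []struct {
		Effect    string                         `json:"Effect"`
		Action    []string                       `json:"Action"`
		Resource  []string                       `json:"Resource"`
		Condition map[string]map[string][]string `json:"Condition"`
	} `json:"Statement"`
}

func ParsePolicy(raw string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

// stringEquals is the "any listed value is present" reading of StringEquals.
func stringEquals(have, want []string) bool {
	for _, w := range want {
		for _, h := range have {
			if h == w {
				return true
			}
		}
	}
	return false
}

// Allows returns true if some Allow statement has all its conditions satisfied
// by values. A request lacking a conditioned key is a miss, and any operator
// other than StringEquals fails closed.
func (p Policy) Allows(values map[string][]string) bool {
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		ok := true
		for op, keys := range st.Condition {
			if op != "StringEquals" {
				ok = false
				break
			}
			for key, want := range keys {
				have, present := values[key]
				if !present || !stringEquals(have, want) {
					ok = false
				}
			}
		}
		if ok {
			return true
		}
	}
	return false
}

// GroupPolicy is a constructed policy gating bucket listing on aws:groups.
const GroupPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::reports"],
    "Condition": {"StringEquals": {"aws:groups": ["developers"]}}
  }]
}`

func main() {
	p, err := ParsePolicy(GroupPolicy)
	if err != nil {
		panic(err)
	}
	// Constructed credentials matching the issue's second log line: built-in
	// user "test" whose group membership never reached cred.Groups.
	unpopulated := Credentials{AccessKey: "test", Claims: map[string]interface{}{}}
	// The same user if cred.Groups were filled in before evaluation.
	populated := Credentials{AccessKey: "test", Groups: []string{"developers"}}
	fmt.Println("groups empty, aws:groups  ->", p.Allows(ConditionValues(unpopulated, AWSGroups))) // false
	fmt.Println("groups filled, aws:groups ->", p.Allows(ConditionValues(populated, AWSGroups)))   // true
	fmt.Println("groups filled, jwt:groups ->", p.Allows(ConditionValues(populated, JWTGroups)))   // false
}
```

The third line of output is the practical check for anyone debugging this: a policy written against aws:groups sees nothing if the server publishes the membership under jwt:groups or ldap:groups, so the condition key in the policy has to match the key the credential source actually populates.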

aws:groups doesn't exist unless you have LDAP or OpenID enabled

  • ldap:groups
  • jwt:groups

@harshavardhana hmm, the comment in #11303 (comment) and the documentation in

- `aws:groups` - This is an array containing the group names, this value would point to group mappings for the user, use `jwt:groups` in case of OpenID connect and `ldap:groups` in case of AD/LDAP.

are quite confusing.

Isn't MinIO always acting as the IDP for users that are created directly in it?

And if either LDAP or OpenID is needed, then what is the use case of aws:groups?