Closed vadmeste closed 2 months ago
Does this seem ok? The user is not permitted create-service-account, but we are creating one anyway (via an STS cred).
Generally, the create-service-account permission is implicit, but when it's explicitly denied, is it right to create one here? I think I may be missing something.
You will be rejected by the server, @donatello. What @vadmeste is doing is how Console UI does 'create-with-login':
instead of passing the LDAP username directly, we must pass the STS creds and let the server tell us yay or nay.
Community Contribution License
All community contributions in this pull request are licensed to the project maintainers under the terms of the Apache 2 license. By creating this pull request I represent that I have the right to license the contributions to the project maintainers under the Apache 2 license.
Description
Currently, the LDAP create-with-login command is not working properly when the LDAP user does not have the admin:CreateServiceAccount permission.
The permission is normally not needed, since a user is allowed to create a service account for itself. In that case, a temporary account should be created and the new service account should be issued to the temporary account's access key, not to the LDAP username as the code currently does.
This commit sends the correct target user in that case, so that create-with-login is always successful.
Motivation and Context
Fix creating a new service account for an LDAP user
How to test this PR?
Run a MinIO cluster with LDAP enabled and run this:
mc idp ldap accesskey create-with-login http://localhost:9000
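The two-step flow the description refers to, written out as an added example that is not part of this PR or of mc's own code: an STS AssumeRoleWithLDAPIdentity call exchanges the LDAP login for temporary credentials, and the service-account request is then made for that temporary access key rather than for the LDAP username. The server side here is a constructed fake built on httptest, so the `X-Caller-Access-Key` header, the `target-user` query parameter, the `ldap-pass` password and the `TMPnnn`/`SA-` key names are all assumptions of this example; the real admin request is SigV4-signed with an encrypted body and, in mc, is made through madmin's AddServiceAccount with its TargetUser field.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// stsCreds is a trimmed AssumeRoleWithLDAPIdentity reply: the temporary key issued for an LDAP login.
type stsCreds struct {
	XMLName   xml.Name `xml:"AssumeRoleWithLDAPIdentityResponse"`
	AccessKey string   `xml:"AssumeRoleWithLDAPIdentityResult>Credentials>AccessKeyId"`
}

// do sends a request and returns its trimmed body; a non-200 reply becomes an error.
func do(req *http.Request) (string, error) {
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	body := strings.TrimSpace(string(raw))
	if resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s: %s", resp.Status, body)
	}
	return body, err
}

// assumeRoleWithLDAP is the STS step: the password is sent once, a temporary access key comes back.
func assumeRoleWithLDAP(endpoint, user, pass string) (stsCreds, error) {
	form := url.Values{"Action": {"AssumeRoleWithLDAPIdentity"}, "Version": {"2011-06-15"}, "LDAPUsername": {user}, "LDAPPassword": {pass}}
	req, _ := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	var creds stsCreds
	body, err := do(req)
	if err != nil {
		return creds, fmt.Errorf("sts: %w", err)
	}
	return creds, xml.Unmarshal([]byte(body), &creds)
}

// addServiceAccount requests a service account owned by targetUser while authenticated as caller.
// Simplified: the real madmin call is SigV4-signed with an encrypted JSON body; here a constructed
// header carries the caller identity and a query parameter carries the target.
func addServiceAccount(endpoint string, caller stsCreds, targetUser string) (string, error) {
	u := endpoint + "/minio/admin/v3/add-service-account?target-user=" + url.QueryEscape(targetUser)
	req, _ := http.NewRequest(http.MethodPut, u, nil)
	req.Header.Set("X-Caller-Access-Key", caller.AccessKey)
	return do(req) // body is the new service account's access key
}

// createWithLogin is the fixed flow from the PR: the service account is requested for the temporary
// access key itself, which needs no admin:CreateServiceAccount grant.
func createWithLogin(endpoint, user, pass string) (string, error) {
	tmp, err := assumeRoleWithLDAP(endpoint, user, pass)
	if err != nil {
		return "", err
	}
	return addServiceAccount(endpoint, tmp, tmp.AccessKey)
}

// newFakeMinIO is a constructed stand-in for a MinIO server with LDAP enabled: just enough logic
// to show the authorization decision the PR description relies on.
func newFakeMinIO() *httptest.Server {
	issued := map[string]string{} // temp access key -> LDAP user it was issued to
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		user := r.FormValue("LDAPUsername")
		if r.Method != http.MethodPost || r.FormValue("Action") != "AssumeRoleWithLDAPIdentity" ||
			user == "" || r.FormValue("LDAPPassword") != "ldap-pass" { // constructed test password
			http.Error(w, "invalid LDAP credentials", http.StatusForbidden)
			return
		}
		key := fmt.Sprintf("TMP%03d", len(issued)+1)
		issued[key] = user
		xml.NewEncoder(w).Encode(stsCreds{AccessKey: key})
	})
	mux.HandleFunc("/minio/admin/v3/add-service-account", func(w http.ResponseWriter, r *http.Request) {
		caller := r.Header.Get("X-Caller-Access-Key")
		_, known := issued[caller]
		// Self-service is implicit; any other target needs admin:CreateServiceAccount, which
		// the LDAP users in this scenario do not hold.
		if !known || r.URL.Query().Get("target-user") != caller {
			http.Error(w, "Access Denied: admin:CreateServiceAccount required", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "SA-"+caller)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeMinIO()
	defer srv.Close()
	key, err := createWithLogin(srv.URL, "alice", "ldap-pass")
	fmt.Println(key, err)
}
```

Calling addServiceAccount with the LDAP username as target (the pre-fix behaviour) is refused by the fake with the same "Access Denied" the description reports, while createWithLogin, which names the temporary key, succeeds; the password never reaches the admin API at all, only the STS endpoint sees it.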