
if the MINIO_ROOT_USER is changed, all its existing "service accounts" are orphaned #17565

Open
thesuperzapper opened this issue Jul 3, 2023 · 5 comments

Comments

@thesuperzapper

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

Current Behavior

If the MINIO_ROOT_USER is changed while it has one or more "service accounts" (the ones you create with mc admin user svcacct add), those service accounts are not migrated to the new user, and continue to exist.

This can easily be verified by using mc admin user svcacct info myminio "orphan_service_account", which will return that the account exists, but under the old value of MINIO_ROOT_USER.

As far as I know, because the old MINIO_ROOT_USER no longer exists (and therefore has no access from MinIO's perspective), these orphaned users have no access beyond the ability to log in.

Desired Behaviour

When the value of MINIO_ROOT_USER is changed, these service accounts should be migrated to the new root user.

If this is not possible, we must at least delete them, so that they don't clog up the cluster (and also prevent new service accounts from being created with the same name in the future, as they are unique cluster-wide).

Regression

Unknown

Context

This issue appears on at least minio RELEASE.2023-06-29T05-12-28Z, and I am sure all others too.

@harshavardhana
Member

A service account is associated with its parent credentials. If parent credentials change then the service accounts simply become invalid because the parent is no longer the same.

A parent must not change.

@harshavardhana
Member

harshavardhana commented Jul 4, 2023

Service accounts do not migrate because there is no way for us to know the previous credentials if you change them.

Service accounts only exist as long as their parent accounts exist in their existing form. If there is any change in their form they are simply invalidated and disallowed access.

Think of them like tokens: the tokens are no longer valid since the parent is non-existent anymore.

It is to provide security guarantees in the current design.

Just recreate the same credentials again once the new parent exists.

We can provide a different way to migrate these accounts with the new set of parents via an API but that is something we will discuss internally.

@thesuperzapper
Author

@harshavardhana I am sure the root user's service accounts can be dealt with as a special case, by just changing their "parent account" in the database to always point to the root account.

If not, then we must at least clean the credentials up when their parent account no longer exists; that way I don't have to manually mc admin user svcacct rm all the old ones each time the MINIO_ROOT_USER changes.

PS: I think this issue of the old service accounts remaining is specific to MINIO_ROOT_USER because it's the only user which can "change name", unlike regular users, which have to be removed with mc admin user rm and then added back with mc admin user add.
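The manual check described in the issue body (mc admin user svcacct info on each suspect key) and the cleanup the author has to repeat after every root rename (mc admin user svcacct rm) can be scripted as one audit. The script below is an added example, not code from the MinIO project or from anyone in this thread. It assumes that mc admin user svcacct info --json emits a "parentUser" field, that mc admin user ls prints the access key as the second column, and that the operator supplies the list of service-account access keys to check (MinIO has no cluster-wide listing of service accounts whose parent is gone, which is the whole problem). The offline part works on constructed sample data; the live part only runs when MINIO_ORPHAN_LIVE=1 is set and mc is installed, and it only deletes when MINIO_ORPHAN_REMOVE=1 is also set.

```shell
#!/bin/sh
# Audit MinIO service accounts whose parent identity no longer exists
# (added example; not the MinIO project's own tooling).

# Extract the parent user from one `mc admin user svcacct info --json` record.
# Assumption: the record contains a "parentUser" key (mc's JSON schema).
parent_of() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"parentUser"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# A parent is live if it is the current root user or a current IAM user.
# $1: parent name  $2: current MINIO_ROOT_USER  $3: newline-separated user list
is_live_parent() {
  [ "$1" = "$2" ] && return 0
  printf '%s\n' "$3" | grep -Fxq -- "$1"
}

# Given lines of "ACCESSKEY PARENT", print the access keys whose parent is gone.
# $1: records  $2: current root user  $3: newline-separated user list
find_orphans() {
  printf '%s\n' "$1" | while read -r key parent; do
    [ -n "$key" ] || continue
    is_live_parent "$parent" "$2" "$3" || printf '%s\n' "$key"
  done
}

# Constructed sample data standing in for a cluster whose root user was renamed
# from "oldroot" to "newroot": svc-legacy-ci is now orphaned.
SAMPLE_JSON='{
  "status": "success",
  "accessKey": "svc-legacy-ci",
  "parentUser": "oldroot",
  "accountStatus": "on"
}'
SAMPLE_USERS='alice
bob'
SAMPLE_RECORDS='svc-backup newroot
svc-legacy-ci oldroot
svc-alice alice'

# Live mode: query the cluster via mc. $1: file with one access key per line.
# Assumptions: alias in MC_ALIAS (default myminio); `mc admin user ls` prints
# "<status> <accesskey>" per line; root user taken from MINIO_ROOT_USER.
live_audit() {
  alias_name="${MC_ALIAS:-myminio}"
  users="$(mc admin user ls "$alias_name" | awk '{print $2}')"
  records=""
  while read -r key; do
    [ -n "$key" ] || continue
    rec="$(mc admin user svcacct info --json "$alias_name" "$key")" || continue
    records="${records}${key} $(parent_of "$rec")
"
  done < "$1"
  find_orphans "$records" "${MINIO_ROOT_USER:?set MINIO_ROOT_USER}" "$users" |
    while read -r orphan; do
      if [ "${MINIO_ORPHAN_REMOVE:-0}" = "1" ]; then
        mc admin user svcacct rm "$alias_name" "$orphan"
      else
        printf 'orphaned service account: %s\n' "$orphan"
      fi
    done
}

# Offline demonstration on the constructed data; live audit only on request.
if [ "${MINIO_ORPHAN_LIVE:-0}" = "1" ] && command -v mc >/dev/null 2>&1; then
  live_audit "${1:-svcacct-keys.txt}"
else
  find_orphans "$SAMPLE_RECORDS" newroot "$SAMPLE_USERS"   # prints svc-legacy-ci
fi
```

Run it as-is to see the offline result, or with MINIO_ORPHAN_LIVE=1 MINIO_ROOT_USER=<current root> and a key file to report orphans against a real alias; add MINIO_ORPHAN_REMOVE=1 only once the reported list has been reviewed, since removal is irreversible and frees the access-key name for reuse.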

@harshavardhana
Member

Will keep this open until we decide on what to do here.

@harshavardhana harshavardhana reopened this Jul 4, 2023
@harshavardhana harshavardhana self-assigned this Jul 4, 2023
@stale

stale bot commented Aug 12, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 15 days if no further activity occurs. Thank you for your contributions.
