
Add role ARN support for OIDC identity provider #13651

Merged
merged 4 commits into from Nov 27, 2021

Conversation

donatello
Member

@donatello donatello commented Nov 13, 2021

Description

  • Allows setting a role policy parameter when configuring OIDC provider

  • When role policy is set, server prints a role ARN usable in STS API requests

  • The given role policy is applied to STS API requests when the roleARN parameter is provided.

  • Service accounts for role policy are also possible and work as expected.

Role policy takes precedence when set. When the role policy is set, the policy claims from the ID provider are ignored.

Motivation and Context

Add support for roles in STSWebIdentity. This will allow configuring access policies for users authenticated from OpenID without having to set up claims in the identity provider to return access policies via the ID token (JWT).

How to test this PR?

Specify role ARN printed out by the server in the AssumeRoleWithIdentity STS API.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Documentation updated
  • Unit tests added/updated
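The exchange the PR description and "How to test this PR?" refer to, written out as an added example that is not part of this PR or of MinIO's code: the client POSTs an AssumeRoleWithWebIdentity request with the RoleArn form parameter set to the ARN the server printed, and parses the credentials in the XML response. The server side is a constructed stand-in (`stubSTS`) that exists only to show the precedence rule stated above: when RoleArn is present the configured role policy is applied and the token's policy claim is ignored, when it is absent the claim is used, and an unknown RoleArn is rejected. The role ARN string, the policy names, the ID token and the returned credential values are all constructed placeholders; the request/response shape follows the standard STS API that MinIO implements.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// stsCredentials mirrors the <Credentials> element of an STS response.
type stsCredentials struct {
	AccessKeyID     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"`
}

// assumeRoleResponse is the envelope around those credentials.
type assumeRoleResponse struct {
	XMLName xml.Name `xml:"AssumeRoleWithWebIdentityResponse"`
	Result  struct {
		Credentials stsCredentials `xml:"Credentials"`
	} `xml:"AssumeRoleWithWebIdentityResult"`
}

// assumeRoleWithWebIdentity issues the STS call. A non-empty roleARN is sent as
// the RoleArn form parameter, which selects the server's configured role policy.
func assumeRoleWithWebIdentity(client *http.Client, endpoint, idToken, roleARN string, duration time.Duration) (stsCredentials, error) {
	form := url.Values{}
	form.Set("Action", "AssumeRoleWithWebIdentity")
	form.Set("Version", "2011-06-15")
	form.Set("WebIdentityToken", idToken)
	if roleARN != "" {
		form.Set("RoleArn", roleARN)
	}
	if duration > 0 {
		form.Set("DurationSeconds", strconv.Itoa(int(duration.Seconds())))
	}
	resp, err := client.PostForm(endpoint, form)
	if err != nil {
		return stsCredentials{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return stsCredentials{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return stsCredentials{}, fmt.Errorf("STS returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var out assumeRoleResponse
	if err := xml.Unmarshal(body, &out); err != nil {
		return stsCredentials{}, fmt.Errorf("bad STS response: %w", err)
	}
	return out.Result.Credentials, nil
}

// stubSTS is a constructed stand-in for the server side (not MinIO's code). It
// knows one role ARN, the value a server would print at startup for its configured
// role policy, and records which policy the last request resolved to.
type stubSTS struct {
	roleARN       string
	rolePolicy    string
	appliedPolicy string
}

func (s *stubSTS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.FormValue("Action") != "AssumeRoleWithWebIdentity" {
		http.Error(w, "unsupported action", http.StatusBadRequest)
		return
	}
	if r.FormValue("WebIdentityToken") == "" {
		http.Error(w, "missing WebIdentityToken", http.StatusBadRequest)
		return
	}
	// Precedence rule from the PR: RoleArn present -> role policy, token claim
	// ignored; RoleArn absent -> the token's policy claim; unknown ARN -> reject.
	const claimPolicy = "policy-from-jwt-claim" // stand-in for the token's policy claim
	switch arn := r.FormValue("RoleArn"); arn {
	case "":
		s.appliedPolicy = claimPolicy
	case s.roleARN:
		s.appliedPolicy = s.rolePolicy
	default:
		http.Error(w, "unknown RoleArn", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/xml")
	fmt.Fprintf(w, `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">`+
		`<AssumeRoleWithWebIdentityResult><Credentials><AccessKeyId>EXAMPLEKEY</AccessKeyId>`+
		`<SecretAccessKey>EXAMPLESECRET</SecretAccessKey><SessionToken>EXAMPLETOKEN</SessionToken>`+
		`<Expiration>%s</Expiration></Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>`,
		time.Now().Add(time.Hour).UTC().Format(time.RFC3339)) // constructed credential values
}

func main() {
	srv := &stubSTS{roleARN: "arn:minio:iam:::role/EXAMPLE-ROLE-ID", rolePolicy: "readwrite"} // constructed ARN
	ts := httptest.NewServer(srv)
	defer ts.Close()
	creds, err := assumeRoleWithWebIdentity(ts.Client(), ts.URL, "eyJ.constructed.jwt", srv.roleARN, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("access key %s, policy applied: %s\n", creds.AccessKeyID, srv.appliedPolicy)
}
```

Against a real MinIO endpoint only the client half applies: point `endpoint` at the server, pass a genuine ID token from the configured OpenID provider, and set `roleARN` to the value MinIO printed when the role policy was configured. The stub's rejection of an unrecognised RoleArn is the check a defender should expect from the server: a caller must not be able to name an arbitrary role to pick up a policy that was never configured.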

@donatello
Member Author

This requires minio/minio-go#1582 and minio/pkg#16

Member

@harshavardhana harshavardhana left a comment


are you not planning to add multiple open_id connectors?

cmd/iam.go (review thread, resolved)
cmd/sts-handlers.go (review thread, outdated, resolved)
@minio minio deleted a comment from minio-trusted Nov 13, 2021
@donatello
Member Author

are you not planning to add multiple open_id connectors?

Yes, I'm planning to add it subsequently.

@donatello donatello force-pushed the role-policy branch 7 times, most recently from 0201f3b to edd3ce9 Compare November 16, 2021 00:22
@donatello donatello marked this pull request as ready for review November 16, 2021 00:58
docs/sts/web-identity.md (review thread, outdated, resolved)
docs/sts/web-identity.md (review thread, resolved)
internal/arn/arn.go (review thread, outdated, resolved)
internal/config/identity/openid/jwt.go (review thread, outdated, resolved)
@donatello donatello force-pushed the role-policy branch 6 times, most recently from 57f08ff to d5ad1d4 Compare November 19, 2021 07:49
@donatello
Member Author

Fixed conflicts PTAL reviewers @harshavardhana @vadmeste @krisis @Alevsk

cmd/iam.go (review thread, resolved)
@donatello donatello force-pushed the role-policy branch 3 times, most recently from 1af32b3 to 1dc6384 Compare November 24, 2021 19:19
@minio minio deleted a comment from minio-trusted Nov 24, 2021
@minio minio deleted a comment from minio-trusted Nov 25, 2021
cmd/config-current.go (two review threads, outdated, resolved)
@minio-trusted
Contributor

Mint Automation

Test Result
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-gateway-s3.sh ✔️
mint-erasure.sh ✔️
mint-dist-erasure.sh ✔️
mint-gateway-nas.sh ✔️
mint-compress-encrypt-dist-erasure.sh ✔️
mint-pools.sh ✔️

@harshavardhana harshavardhana merged commit 4c0f48c into minio:master Nov 27, 2021
rbuchnajzer pushed a commit to rbuchnajzer/minio that referenced this pull request Dec 7, 2021