mc admin user svcacct with oidc external managed user should be clarify #4666

Closed
alexisdondon opened this issue Aug 24, 2023 · 3 comments

@alexisdondon

link to this minio/minio#17913

Expected behavior

As a MinIO administrator, for security reasons I want to have the ability to act on service accounts created by OIDC users with minio-console.

The whole scope of admin user svcacct already exists for AD, LDAP and MinIO users, and it's nearly the case for OIDC, but it is not documented.

Actual behavior

As I understand the mechanism, the parentUser for an OIDC external managed user is a sha256 of sub and issuer.
https://github.com/minio/minio/blob/master/cmd/sts-handlers.go#L490

Let's say I am an administrator and I know:

  • the OIDC issuer
  • the OIDC sub of a user
  • the MinIO internal algorithm to compute parentUser

Then:

mc admin user svcacct list myminio computed-oidc-parent-user

Then mc returns the list of service accounts linked to the user and all commands work.

So my question is:

  • Is it supported? The doc should mention it if it is.
  • If it is supported, then mc admin user svcacct list myminio computedoidcparentuser results in an error if the computedoidcparentuser begins with -lsomething. mc thinks this is a command flag.

Steps to reproduce the behavior

Try with an arg that begins with -; this is possible for OIDC users.
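Added example, not part of the issue thread and not MinIO's own code: a sketch of the parentUser derivation described in the post above, for an administrator who needs to find the service accounts of an OIDC user. It assumes the hash input is "openid:" + sub + ":" + issuer and that the digest is encoded as unpadded URL-safe base64; confirm both against the linked sts-handlers.go. The issuer, the subjects and the helper names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// oidcParentUser derives the parent-user identifier for an OIDC identity.
// ASSUMPTION: SHA-256 over "openid:<sub>:<iss>", encoded as unpadded
// URL-safe base64. Verify against the linked sts-handlers.go.
func oidcParentUser(sub, iss string) string {
	h := sha256.Sum256([]byte("openid:" + sub + ":" + iss))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// looksLikeFlag reports whether a command-line parser would read the
// value as an option. The URL-safe base64 alphabet contains '-', so a
// derived identifier can begin with it.
func looksLikeFlag(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// firstFlagLikeSub walks constructed subjects "user-0", "user-1", ...
// and returns the first one whose parent user begins with '-'.
func firstFlagLikeSub(iss string, limit int) (string, string, bool) {
	for i := 0; i < limit; i++ {
		sub := fmt.Sprintf("user-%d", i)
		if parent := oidcParentUser(sub, iss); looksLikeFlag(parent) {
			return sub, parent, true
		}
	}
	return "", "", false
}

func main() {
	iss := "https://idp.example.test/realms/demo" // constructed issuer
	p := oidcParentUser("alice", iss)             // constructed subject
	fmt.Printf("sub=alice parentUser=%s flagLike=%v\n", p, looksLikeFlag(p))
	if sub, parent, ok := firstFlagLikeSub(iss, 5000); ok {
		fmt.Printf("sub=%s parentUser=%s flagLike=true\n", sub, parent)
	}
}
```

Roughly one identifier in 64 starts with '-' under this encoding, so an audit script that passes these values to a CLI should check for the leading dash before building the command line.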

@vadmeste
Member

vadmeste commented Aug 24, 2023

@alexisdondon you can do mc admin user svcacct info myminio <service-account-access-key> to get the parent user stored in MinIO;

For the '-' issue, you can add double quotes and escape the '-' character. Something like below;

mc admin user svcacct list <alias> "\-parent"

@alexisdondon
Author

alexisdondon commented Sep 1, 2023

> @alexisdondon you can do mc admin user svcacct info myminio <service-account-access-key> to get the parent user stored in MinIO;
>
> For the '-' issue, you can add double quotes and escape the '-' character. Something like below;
>
> mc admin user svcacct list <alias> "\-parent"

Thanks for the response. Escaping characters did not work.

With mc admin user svcacct ls s3/ "-parentUser" we got the message
mc.exe: Invalid command usage, flag provided but not defined: -parentUser

With mc admin user svcacct ls s3/ "\-parentUser" we got the message
mc.exe Unable to list service accounts. The Specified user does not exist. (Specified user does not exist)

We have tried multiple cases: single quote, double escape, no quote with escape.

My guess is that escaping allows bypassing the command framework, but afterwards MinIO looks for this ID with the escape char.

@alexisdondon
Author

@vadmeste @harshavardhana
Hi, I think you closed this issue too fast, as from my tests the workaround you mentioned to escape some special characters (when parentUser starts with - for example) does not work.
