the minio internal algorithm to compute parentUser
Then:
mc admin user svcacct list myminio computed-oidc-parent-user
Then mc returns the list of service accounts linked to the user, and all commands work.
So my question is:
Is it supported? And the doc should mention it if it is.
If it is supported, then mc admin user svcacct list myminio computedoidcparentuser is in error if the computedoidcparentuser begins with -lsomething. mc thinks this is a command flag.
Steps to reproduce the behavior
Try with an arg that begins with -; this is possible for OIDC users.
@alexisdondon you can do mc admin user svcacct info myminio <service-account-access-key> to get the parent user stored in MinIO.
For the '-' issue, you can add double quotes and escape the '-' character. Something like below:
mc admin user svcacct list <alias> "\-parent"
Thanks for the response. Escaping characters did not work.
With mc admin user svcacct ls s3/ "-parentUser" we got the message
mc.exe: Invalid command usage, flag provided but not defined: -parentUser
With mc admin user svcacct ls s3/ "\-parentUser" we got the message
mc.exe Unable to list service accounts. The Specified user does not exist. (Specified user does not exist)
We have tried multiple cases: single quote, double escape, no quote with escape.
My guess is that escaping allows bypassing the command framework, but afterwards MinIO looks for this id with the escape char.
@vadmeste @harshavardhana
Hi, I think you closed this issue fast, as from my test the workaround you mentioned to escape some special characters (when parentUser starts with - for example) does not work.
link to this minio/minio#17913
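Why the quoting attempts in this thread behave as reported, as an added example that is not part of the thread and not mc's own code: a small model built on Go's standard flag package, where the flag set name, the json flag and the sample id are assumptions. It shows the dash-prefixed id rejected as an undefined flag, the backslash form accepted with the backslash kept in the id, and the `--` terminator of Go's flag package; whether mc honors `--` is not confirmed in this thread.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// parseArgs models a subcommand that, like the mc output quoted in the thread,
// still treats a dash-prefixed token as a flag when it follows the alias.
// It returns the positional arguments, or the flag-parsing error.
func parseArgs(args []string) ([]string, error) {
	fs := flag.NewFlagSet("svcacct-list", flag.ContinueOnError) // hypothetical name
	fs.SetOutput(io.Discard)                                    // suppress usage text
	fs.Bool("json", false, "placeholder flag (hypothetical)")
	var positional []string
	for len(args) > 0 {
		if err := fs.Parse(args); err != nil {
			return nil, err
		}
		rest := fs.Args()
		consumed := len(args) - len(rest)
		if consumed > 0 && args[consumed-1] == "--" {
			// Terminator seen: everything after it is positional.
			return append(positional, rest...), nil
		}
		if len(rest) == 0 {
			break
		}
		positional = append(positional, rest[0])
		args = rest[1:]
	}
	return positional, nil
}

func main() {
	// Constructed inputs, as the program receives them after the shell removes quotes.
	for _, args := range [][]string{
		{"s3/", "-parentUser"},       // parsed as an undefined flag
		{"s3/", `\-parentUser`},      // accepted, but the backslash is now part of the id
		{"s3/", "--", "-parentUser"}, // terminator keeps the id intact
	} {
		pos, err := parseArgs(args)
		fmt.Printf("%q -> positional=%q err=%v\n", args, pos, err)
	}
}
```

The second case is why the escaped form ends in "user does not exist": the value that reaches the lookup is the id with a leading backslash, not the id itself.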
Expected behavior
As a MinIO administrator, for security reasons I want to have the ability to act on service accounts created by OIDC users with minio-console.
The whole scope of admin user svcacct already exists for AD, LDAP, and MinIO users, and it's nearly the case for OIDC but not documented.
Actual behavior
As I understand the mechanism, the parentUser for an OIDC externally managed user is a sha256 of sub and issuer.
https://github.com/minio/minio/blob/master/cmd/sts-handlers.go#L490
Let's say I am an administrator and I know:
Then:
mc admin user svcacct list myminio computed-oidc-parent-user
Then mc returns the list of service accounts linked to the user, and all commands work.
So my question is:
Steps to reproduce the behavior
Try with an arg that begins with -; this is possible for OIDC users.