mc admin accesskey - Missing users and keys from OpenID identities #5086

Open
Reninion opened this issue Nov 26, 2024 · 0 comments
The "mc admin user svcacct" command can list access keys generated by OIDC-generated users if the parent user is known, for example by pulling it out of the audit logs. The new "mc admin accesskey" command doesn't seem to find these users and their relevant keys.

Expected behavior

When running mc admin accesskey ls def --all, all the keys currently active in MinIO should be presented, including access keys for OIDC users.

Also, when running 'mc admin accesskey ls def --self', all access keys with the same parent user should be displayed.

Actual behavior

When running the --all command as an admin, only internal users are presented.

bash-5.1# mc admin accesskey ls def --all --debug
mc: <DEBUG> GET /minio/admin/v3/list-access-keys-bulk?all=true&listType=all HTTP/1.1
Host: localhost:9000
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 mc/RELEASE.2024-10-29T15-34-59Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=minioadmin/20241126//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241126T091404Z

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 368
Accept-Ranges: bytes
Content-Type: application/json
Date: Tue, 26 Nov 2024 09:14:04 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 180B79D6C0768620
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  29.898749ms

User: minioadmin
  Access Keys:
    F41NLMTYUXVOQQK2CPLQ, expires: 11 hours from now, sts: true
    O5HJMMHHIPTFQ2QIJV2N, expires: 10 hours from now, sts: true

If there are access keys generated by OIDC users, these are not shown; the older command mc admin user svcacct list will show these access keys if the parent user is known.

mc admin user svcacct list def oOrGinSs-ceGJgzXtD9tNiHCIyRo_KQg7BqsJRvKJxI --debug
mc: <DEBUG> GET /minio/admin/v3/list-service-accounts?user=oOrGinSs-ceGJgzXtD9tNiHCIyRo_KQg7BqsJRvKJxI HTTP/1.1
Host: localhost:9000
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 mc/RELEASE.2024-10-29T15-34-59Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=minioadmin/20241126//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241126T083256Z

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 415
Accept-Ranges: bytes
Content-Type: application/json
Date: Tue, 26 Nov 2024 08:32:56 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 180B77981277C54D
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  31.900816ms

   Access Key        | Expiry                       
vob1M4JmBDtekRCyJIQz | no-expiry                    
aaaaaaaaaaaaaaaa     | no-expiry

Steps to reproduce the behavior

mc --version

mc version RELEASE.2024-10-29T15-34-59Z (commit-id=9f4659884dd45dca726ba38ee6bfacb2bf776eb8)
Runtime: go1.22.7 linux/amd64
Copyright (c) 2015-2024 MinIO, Inc.
License GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html

System information

MinIO running in Docker with Keycloak as OIDC for testing

services:
  minio:
    image: minio/minio
    container_name: minio
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin123
    command: server /data --console-address ":9001"
    network_mode: "host"

  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    ports:
      - "8080:8080"
    environment:
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin
    command: start-dev
    network_mode: "host"
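
One way to make the gap described in this report visible in practice, as an added example that is not part of the issue or of mc itself: a small Python script that parses the two plain-text listing formats shown above and reports access keys that the per-parent `mc admin user svcacct list` returns but `mc admin accesskey ls --all` omits, so an operator's credential inventory does not silently miss keys minted under OIDC identities. The parent-user names must be supplied from elsewhere (the issue mentions audit logs); `run_mc`, `reconcile` and `OIDC_PARENT` are assumed helper names, and the sample outputs are constructed from the issue text.

```python
"""Added example (not part of the issue or of mc): reconcile the two listings
the report compares. Parses the plain-text output of
`mc admin accesskey ls ALIAS --all` and `mc admin user svcacct list ALIAS USER`
(formats as shown in the issue) and reports keys that a per-parent listing
returns but the bulk listing omits."""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample output of `mc admin accesskey ls def --all` (from the issue text).
SAMPLE_ALL = """User: minioadmin
  Access Keys:
    F41NLMTYUXVOQQK2CPLQ, expires: 11 hours from now, sts: true
    O5HJMMHHIPTFQ2QIJV2N, expires: 10 hours from now, sts: true
"""

# Constructed sample output of `mc admin user svcacct list def <parent>` (from the issue text).
SAMPLE_SVCACCT = """   Access Key        | Expiry
vob1M4JmBDtekRCyJIQz | no-expiry
aaaaaaaaaaaaaaaa     | no-expiry
"""

# Parent user shown in the issue (an OIDC identity's subject as MinIO reports it); assumed name.
OIDC_PARENT = "oOrGinSs-ceGJgzXtD9tNiHCIyRo_KQg7BqsJRvKJxI"


def parse_accesskey_ls(text: str) -> Dict[str, Set[str]]:
    """Map each 'User:' block of the bulk listing to the access keys listed under it."""
    result: Dict[str, Set[str]] = {}
    user = None
    for line in text.splitlines():
        m = re.match(r"^User:\s+(\S+)", line)
        if m:
            user = m.group(1)
            result.setdefault(user, set())
            continue
        # Key lines look like "    KEY, expires: ..., sts: true"
        m = re.match(r"^\s+(\S+),\s+expires:", line)
        if m and user is not None:
            result[user].add(m.group(1))
    return result


def parse_svcacct_list(text: str) -> Set[str]:
    """Collect the first column of the 'Access Key | Expiry' table."""
    keys: Set[str] = set()
    for line in text.splitlines():
        if "|" not in line or line.strip().startswith("Access Key"):
            continue  # skip the header row and any non-table lines
        key = line.split("|", 1)[0].strip()
        if key:
            keys.add(key)
    return keys


def missing_keys(bulk: Dict[str, Set[str]],
                 per_parent: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Keys a per-parent listing reports that appear under no user in the bulk listing."""
    seen: Set[str] = set()
    for keys in bulk.values():
        seen |= keys
    return {parent: keys - seen for parent, keys in per_parent.items() if keys - seen}


def run_mc(args: List[str]) -> str:
    """Run an mc subcommand and return its stdout (used only on the live path)."""
    return subprocess.run(["mc", *args], check=True, capture_output=True, text=True).stdout


def reconcile(alias: str, parent_users: List[str]) -> Dict[str, Set[str]]:
    """Live check: bulk listing versus one svcacct listing per known parent user."""
    bulk = parse_accesskey_ls(run_mc(["admin", "accesskey", "ls", alias, "--all"]))
    per_parent = {p: parse_svcacct_list(run_mc(["admin", "user", "svcacct", "list", alias, p]))
                  for p in parent_users}
    return missing_keys(bulk, per_parent)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; use reconcile("def", [...]) against a deployment.
    gaps = missing_keys(parse_accesskey_ls(SAMPLE_ALL),
                        {OIDC_PARENT: parse_svcacct_list(SAMPLE_SVCACCT)})
    for parent, keys in gaps.items():
        print(f"{parent}: {len(keys)} key(s) absent from the --all listing: {sorted(keys)}")
```

On the constructed samples both service-account keys of the OIDC parent are reported as absent from the bulk listing, which is exactly the discrepancy the report describes; keys that do appear under some user in the bulk output are not flagged.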