Description
The "mc admin user svcacct" command can list access keys generated by OIDC-generated users if the parent user is known, for example by pulling it out of the audit logs. The new "mc admin accesskeys" don't seem to find these users and their relevant keys.
Expected behavior
When running 'mc admin accesskey ls def --all', all the keys currently active in MinIO should be presented, including access keys for OIDC users.
Also, when running 'mc admin accesskey ls def --self', all access keys with the same parent user should be displayed.
Actual behavior
When running the --all command as an admin, only internal users are presented.
```
bash-5.1# mc admin accesskey ls def --all --debug
mc: <DEBUG> GET /minio/admin/v3/list-access-keys-bulk?all=true&listType=all HTTP/1.1
Host: localhost:9000
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 mc/RELEASE.2024-10-29T15-34-59Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=minioadmin/20241126//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241126T091404Z
mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 368
Accept-Ranges: bytes
Content-Type: application/json
Date: Tue, 26 Nov 2024 09:14:04 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 180B79D6C0768620
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
mc: <DEBUG> Response Time: 29.898749ms
User: minioadmin
Access Keys:
F41NLMTYUXVOQQK2CPLQ, expires: 11 hours from now, sts: true
O5HJMMHHIPTFQ2QIJV2N, expires: 10 hours from now, sts: true
```
If there are access keys generated by OIDC users, these are not shown. The older command 'mc admin user svcacct list' will show these access keys if the parent user is known.
```
mc admin user svcacct list def oOrGinSs-ceGJgzXtD9tNiHCIyRo_KQg7BqsJRvKJxI --debug
mc: <DEBUG> GET /minio/admin/v3/list-service-accounts?user=oOrGinSs-ceGJgzXtD9tNiHCIyRo_KQg7BqsJRvKJxI HTTP/1.1
Host: localhost:9000
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 mc/RELEASE.2024-10-29T15-34-59Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=minioadmin/20241126//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241126T083256Z
mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 415
Accept-Ranges: bytes
Content-Type: application/json
Date: Tue, 26 Nov 2024 08:32:56 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 180B77981277C54D
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
mc: <DEBUG> Response Time: 31.900816ms
Access Key | Expiry
vob1M4JmBDtekRCyJIQz | no-expiry
aaaaaaaaaaaaaaaa | no-expiry
```
Steps to reproduce the behavior
- Log in to the MinIO console via OpenID
- Create a pair of accesskeys while logged in (https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-user-svcacct.html#description)
- Run command 'mc admin accesskey ls' as an admin
mc --version
```
mc version RELEASE.2024-10-29T15-34-59Z (commit-id=9f4659884dd45dca726ba38ee6bfacb2bf776eb8)
Runtime: go1.22.7 linux/amd64
Copyright (c) 2015-2024 MinIO, Inc.
License GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
```
System information
MinIO running in Docker with Keycloak as OIDC for testing
```yaml
services:
  minio:
    image: minio/minio
    container_name: minio
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin123
    command: server /data --console-address ":9001"
    network_mode: "host"
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    ports:
      - "8080:8080"
    environment:
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin
    command: start-dev
    network_mode: "host"
```
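
The comparison this report makes by hand, as an added example that is not part of the original issue or of the mc project: it parses the two text listings in the layout shown above and reports, per parent user, the access keys that the bulk `--all` listing omits. The function names are hypothetical, the sample text is constructed from the output in this issue, and the one-key-per-line layout is an assumption taken from that output.

```python
# Constructed sample input, in the layout of the two listings shown in the issue.
ACCESSKEY_LS_ALL = """\
User: minioadmin
Access Keys:
F41NLMTYUXVOQQK2CPLQ, expires: 11 hours from now, sts: true
O5HJMMHHIPTFQ2QIJV2N, expires: 10 hours from now, sts: true
"""

# Parent user (e.g. taken from the audit log) -> its `svcacct list` output.
SVCACCT_LIST = {
    "oOrGinSs-ceGJgzXtD9tNiHCIyRo_KQg7BqsJRvKJxI": """\
Access Key | Expiry
vob1M4JmBDtekRCyJIQz | no-expiry
aaaaaaaaaaaaaaaa | no-expiry
""",
}

def parse_accesskey_ls(text):
    """Return {user: set of access keys} from `mc admin accesskey ls` text output."""
    users, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("User:"):
            current = line.split(":", 1)[1].strip()
            users.setdefault(current, set())
        elif current and "," in line:  # "KEY, expires: ..., sts: ..."
            users[current].add(line.split(",", 1)[0].strip())
    return users

def parse_svcacct_list(text):
    """Return the set of access keys from `mc admin user svcacct list` table output."""
    keys = set()
    for line in text.splitlines():
        cell = line.split("|", 1)[0].strip()
        if "|" in line and cell and cell != "Access Key":  # skip the header row
            keys.add(cell)
    return keys

def unlisted_keys(all_listing, per_parent):
    """Map each parent user to the keys that the bulk listing does not report."""
    listed = set().union(*parse_accesskey_ls(all_listing).values())
    gaps = {}
    for parent, text in per_parent.items():
        missing = parse_svcacct_list(text) - listed
        if missing:
            gaps[parent] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for parent, keys in unlisted_keys(ACCESSKEY_LS_ALL, SVCACCT_LIST).items():
        print(f"{parent}: not in --all listing: {', '.join(keys)}")
```
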