
AssumeRoleWithCertificate custom policy mapping #17096

Open
max0ne opened this issue Apr 27, 2023 · 2 comments

Comments

@max0ne

max0ne commented Apr 27, 2023

Is your feature request related to a problem? Please describe.

I'd like to use the AssumeRoleWithCertificate to authenticate some Minio clients, these clients already hold pre-generated TLS client certs. When these clients make requests against Minio using their client cert, I'd like to map them to a Minio policy.

Problem: these client certs have the subject CN=FOO_BAR_ABCDE12345, where the last part is the unique id of each client. We have hundreds to thousands of such clients. I don't have control of these client certs and cannot change their CN subject.

Currently this CN subject is directly mapped to policy of the same name, and no other mapping mechanism is available.

minio/cmd/sts-handlers.go

Lines 782 to 787 in c8b92f6

// We map the X.509 subject common name to the policy. So, a client
// with the common name "foo" will be associated with the policy "foo".
// Other mapping functions - e.g. public-key hash based mapping - are
// possible but not implemented.
//
// Group mapping is not possible with standard X.509 certificates.

I'd like to avoid having to create thousands of such policies in Minio and having to keep them in sync with the client list.

Describe the solution you'd like

I'd like to have either:

  1. a mapping function to map the CN subjects to policy
  2. allow using a custom certificate attribute to identify minio policy
@harshavardhana
Member

Problem: these client certs have the subject CN=FOO_BAR_ABCDE12345, where the last part is the unique id of each client. We have hundreds to thousands of such clients. I don't have control of these client certs and cannot change their CN subject

What do you really control here? How does the server trust the client, ideally? And who generates these client certs?

@nicopal

nicopal commented May 19, 2023

I think this kind of issue would be solved by implementing public-key hash based mapping of policies in STS. More details in this discussion: #17243 (comment)
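As an added example, not code from MinIO or from either poster, the following Go program sketches the two mapping options discussed in this thread: the CN-prefix mapping the original post asks for (a CN such as FOO_BAR_ABCDE12345 is reduced to its shared prefix, and only the prefix selects a policy) and the public-key hash mapping mentioned in the sts-handlers.go comment and in the comment above (a hex SHA-256 of the certificate's SubjectPublicKeyInfo pins one key pair to a policy). The naming scheme regex, the Mapper type, its tables and the self-signed test certificate are all assumptions constructed for the example; the mapping runs only on a certificate that TLS has already chain-verified, and any CN or key with no configured entry is denied rather than given a default policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// cnPattern splits the hypothetical scheme CN=FOO_BAR_<id> into the shared
// prefix ("FOO_BAR") and the per-client id ("ABCDE12345"). Only the prefix
// is used for mapping; the id is ignored.
var cnPattern = regexp.MustCompile(`^([A-Za-z]+_[A-Za-z]+)_([A-Za-z0-9]+)$`)

// Mapper holds the two mapping tables. Both are constructed for this example;
// a real deployment would load them from configuration.
type Mapper struct {
	ByPrefix  map[string]string // CN prefix -> policy name
	ByKeyHash map[string]string // hex SHA-256 of SubjectPublicKeyInfo -> policy name
}

// CNPrefix extracts the shared prefix from a CN that follows the scheme above.
func CNPrefix(cn string) (string, bool) {
	m := cnPattern.FindStringSubmatch(cn)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// PublicKeyHash returns the hex SHA-256 of the DER-encoded SubjectPublicKeyInfo,
// an identifier tied to the key itself rather than to the subject name.
func PublicKeyHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Resolve picks a policy for an already chain-verified client certificate.
// An explicit key pin wins, then the CN-prefix table; anything else is denied.
func (m Mapper) Resolve(cert *x509.Certificate) (string, error) {
	if p, ok := m.ByKeyHash[PublicKeyHash(cert)]; ok {
		return p, nil
	}
	prefix, ok := CNPrefix(cert.Subject.CommonName)
	if !ok {
		return "", fmt.Errorf("CN %q does not follow the expected scheme", cert.Subject.CommonName)
	}
	p, ok := m.ByPrefix[prefix]
	if !ok {
		return "", fmt.Errorf("no policy configured for CN prefix %q", prefix)
	}
	return p, nil
}

// NewTestClientCert builds a self-signed client certificate with the given CN.
// It only produces test input; the certs in the issue come from an external CA.
func NewTestClientCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	m := Mapper{ByPrefix: map[string]string{"FOO_BAR": "readonly-clients"}}
	for _, cn := range []string{"FOO_BAR_ABCDE12345", "FOO_BAR_ZZZ99", "admin"} {
		cert, err := NewTestClientCert(cn)
		if err != nil {
			panic(err)
		}
		p, err := m.Resolve(cert)
		fmt.Printf("CN=%s spki=%s... policy=%q err=%v\n", cn, PublicKeyHash(cert)[:12], p, err)
	}
}
```

Running it maps both FOO_BAR_* certificates to the single "readonly-clients" policy and denies the "admin" certificate, which shows how one table entry can stand in for thousands of per-client policies while unknown names still get nothing.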


4 participants