Problem: these client certs with subject CN=FOO_BAR_ABCDE12345, where the last part is a unique id of each client. We have hundreds to thousands of such clients. I don't have control of these client certs and cannot change their CN subject
What do you really control here? How does the server trust the client ideally? And who generates these client certs?
I think this kind of issue would be solved by implementing public-key hash based mapping of policies in STS. More details in this discussion: #17243 (comment)
Is your feature request related to a problem? Please describe.
I'd like to use the AssumeRoleWithCertificate to authenticate some Minio clients, these clients already hold pre-generated TLS client certs. When these clients make requests against Minio using their client cert, I'd like to map them to a Minio policy.
Problem: these client certs with subject CN=FOO_BAR_ABCDE12345, where the last part is a unique id of each client. We have hundreds to thousands of such clients. I don't have control of these client certs and cannot change their CN subject.
Currently this CN subject is directly mapped to policy of the same name, and no other mapping mechanism is available.
minio/cmd/sts-handlers.go, lines 782 to 787 in c8b92f6
I'd like to avoid having to create thousands of such policies in Minio, and always have to maintain them in sync with the client list.
Describe the solution you'd like
I'd like to have either:
CN subjects to policy
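An illustrative sketch added here, not MinIO code and not part of the issue: one way a server could map a whole class of certificate CNs to a single policy instead of one policy per CN. The names `cnRule`, `rules`, `policyForCN`, `policyForCert` and the policy `foo-bar-clients` are hypothetical, and the certificate is assumed to have already passed TLS chain verification.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"regexp"
)

// cnRule (hypothetical type) maps a class of certificate CNs to one policy.
type cnRule struct {
	pattern *regexp.Regexp
	policy  string
}

// Constructed rule set. Patterns are anchored with ^...$ so a CN that merely
// contains "FOO_BAR_" (prefix, suffix or trailing newline added) cannot match.
var rules = []cnRule{
	{regexp.MustCompile(`^FOO_BAR_[A-Z0-9]{10}$`), "foo-bar-clients"},
}

var errNoPolicy = errors.New("no policy mapped for certificate CN")

// policyForCN returns the policy of the first matching rule. An empty or
// unmatched CN is an error (fail closed); there is no default policy.
func policyForCN(cn string) (string, error) {
	for _, r := range rules {
		if r.pattern.MatchString(cn) {
			return r.policy, nil
		}
	}
	return "", errNoPolicy
}

// policyForCert applies the mapping to a client certificate that the TLS
// layer has already verified against the trusted CA.
func policyForCert(cert *x509.Certificate) (string, error) {
	return policyForCN(cert.Subject.CommonName)
}

func main() {
	for _, cn := range []string{"FOO_BAR_ABCDE12345", "xFOO_BAR_ABCDE12345", ""} {
		cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn}} // constructed
		p, err := policyForCert(cert)
		fmt.Printf("CN=%q policy=%q err=%v\n", cn, p, err)
	}
}
```

The per-client unique id stays available in the CN for audit logging even though all matching clients share one policy.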