Description
NOTE
If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.
I have created this Access Policy for MinIO that grants permissions depending on the group membership of a user, and in general it works as expected, i.e. users in Team-Operations get admin permissions for MinIO and for every bucket.
But when a user is part of both Team-Operations and one of the other groups, the "admin:*" permission is not applied anymore, while the "s3:*" action is still applied, so those users can still see every bucket but can't see, for example, policies.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObjectTagging",
        "s3:GetBucketTagging",
        "s3:PutBucketTagging",
        "s3:DeleteObject",
        "s3:GetBucketPolicy",
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:HeadBucket",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:PutObjectTagging",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::klm-*/*",
        "arn:aws:s3:::klm-*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Dev-1"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketTagging",
        "s3:HeadBucket",
        "s3:CreateBucket",
        "s3:PutBucketTagging",
        "s3:GetBucketPolicy",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:ListBucket",
        "s3:PutObjectTagging",
        "s3:DeleteBucket",
        "s3:DeleteObjectTagging",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::hij-*/*",
        "arn:aws:s3:::hij-*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Dev-2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObjectTagging",
        "s3:GetBucketPolicy",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetObjectTagging",
        "s3:HeadBucket",
        "s3:DeleteBucket",
        "s3:GetObject",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutObjectTagging",
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::def-*/*",
        "arn:aws:s3:::def-*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Dev-3"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:DeleteBucket",
        "s3:GetBucketPolicy",
        "s3:HeadBucket",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutObjectTagging",
        "s3:DeleteObjectTagging",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:PutBucketTagging"
      ],
      "Resource": [
        "arn:aws:s3:::abc-*",
        "arn:aws:s3:::abc-*/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Dev-4"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:HeadBucket",
        "s3:ListBucket",
        "s3:PutObjectTagging",
        "s3:CreateBucket",
        "s3:DeleteObjectTagging",
        "s3:GetBucketTagging",
        "s3:PutObject",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket",
        "s3:GetObject",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::xzy-*",
        "arn:aws:s3:::xzy-*/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Dev-5"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:PutBucketPolicy",
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:GetBucketTagging",
        "s3:ListBucket",
        "s3:DeleteBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetObjectTagging",
        "s3:HeadBucket",
        "s3:DeleteObjectTagging",
        "s3:GetObject",
        "s3:PutBucketTagging"
      ],
      "Resource": [
        "arn:aws:s3:::xyz",
        "arn:aws:s3:::xyz/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Dev-6"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "admin:*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Operations"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Operations"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "jwt:groups": [
            "Team-Operations"
          ]
        }
      }
    }
  ]
}
```
Expected Behavior
When a user is granted "admin:*" due to membership in a group, those permissions should still apply if the user is also granted permissions on a specific bucket via membership in another group.
Current Behavior
When a user is granted "admin:*" due to membership in a group, the "admin:*" permissions are not granted if the user is also granted permissions on a specific bucket via membership in another group.
Possible Solution
Steps to Reproduce (for bugs)
1. Create an Access Policy where group-a is granted "admin:*" and "s3:*" on every bucket and group-b is granted some "s3:*" permissions on a specific bucket
2. Sign in as user who is only in group-a --> All Admin Permissions and Permissions on every bucket
3. Sign in as user who is in group-a and group-b --> Permissions on every bucket but no admin permissions anymore
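One way to pin down the expected permission matrix from the steps above and check a policy against it offline. This is an added example, not MinIO's policy evaluator and not code from the issue: it models only what the posted policy uses (Allow statements, the ForAnyValue:StringEquals operator on the jwt:groups claim, and "*" globs in Action and Resource) over a constructed, abbreviated copy of the policy. The bucket names, probe actions and claim sets below are constructed for the demonstration. Under these semantics a user in both Team-Operations and Team-Dev-1 still matches the admin:* statement, which is the behaviour the reporter expects; comparing this matrix with what the server actually grants to the same token narrows down where the deviation happens.

```python
"""Reference evaluator for the ForAnyValue:StringEquals / jwt:groups pattern.

Constructed for illustration only: this is NOT MinIO's evaluator. It covers
Allow statements, ForAnyValue:StringEquals on claim keys, and "*" globs in
Action/Resource, which is all the policy in the issue uses.
"""
import fnmatch
import json

# Abbreviated, constructed copy of the issue's policy: one per-team bucket
# statement plus the two Team-Operations statements that matter here.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::klm-*/*", "arn:aws:s3:::klm-*"],
     "Condition": {"ForAnyValue:StringEquals": {"jwt:groups": ["Team-Dev-1"]}}},
    {"Effect": "Allow",
     "Action": ["admin:*"],
     "Condition": {"ForAnyValue:StringEquals": {"jwt:groups": ["Team-Operations"]}}},
    {"Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::*"],
     "Condition": {"ForAnyValue:StringEquals": {"jwt:groups": ["Team-Operations"]}}}
  ]
}
""")


def condition_matches(condition, claims):
    """True when every condition clause is satisfied by the token claims.

    ForAnyValue:StringEquals passes when at least one value of the claim
    key is in the allowed set; a missing claim key fails the clause.
    """
    for operator, clauses in condition.items():
        if operator != "ForAnyValue:StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, allowed in clauses.items():
            values = claims.get(key, [])
            if isinstance(values, str):   # a single-valued claim
                values = [values]
            if not set(values) & set(allowed):
                return False
    return True


def _glob_any(value, patterns):
    # "*" in IAM-style globs also spans "/", which fnmatch does as well.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_allows(stmt, action, resource, claims):
    """Does this single statement grant `action` on `resource` for `claims`?"""
    if stmt.get("Effect") != "Allow":
        return False
    if not _glob_any(action, stmt["Action"]):
        return False
    # admin:* and kms:* statements carry no Resource; s3 statements must match it.
    if "Resource" in stmt and not _glob_any(resource, stmt["Resource"]):
        return False
    return condition_matches(stmt.get("Condition", {}), claims)


def is_allowed(policy, action, resource, claims):
    """Allow if any statement matches (no Deny statements are modelled)."""
    return any(statement_allows(s, action, resource, claims)
               for s in policy["Statement"])


def granted_actions(policy, claims, probes):
    """Return the probe actions the policy grants for the given claims."""
    return [a for a, r in probes if is_allowed(policy, a, r, claims)]


# Constructed probes: a representative admin action, a Team-Dev-1 bucket,
# and a bucket outside Team-Dev-1's prefix.
PROBES = [
    ("admin:ServerInfo", ""),
    ("s3:ListBucket", "arn:aws:s3:::klm-data"),
    ("s3:GetObject", "arn:aws:s3:::abc-data/report.txt"),
]
OPS_ONLY = {"jwt:groups": ["Team-Operations"]}
BOTH = {"jwt:groups": ["Team-Operations", "Team-Dev-1"]}
DEV_ONLY = {"jwt:groups": ["Team-Dev-1"]}

if __name__ == "__main__":
    for name, claims in (("ops only", OPS_ONLY), ("ops + dev", BOTH),
                         ("dev only", DEV_ONLY)):
        print(f"{name:10s} -> {granted_actions(POLICY, claims, PROBES)}")
```

The matrix this prints is the one the reporter's steps 2 and 3 describe as expected: "ops only" and "ops + dev" both receive the admin action and every bucket, "dev only" receives only its own bucket. Running the same three probes against the server (with an admin call and an object listing per token) gives the observed matrix to set beside it.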
Context
We have some DevOps users who are supposed to have admin access to MinIO and who are also members of a group of devs that should only have access to specific buckets.
Regression
Your Environment
- Version used (`minio --version`): 2025-04-08T15-41-24Z
- Server setup and configuration:
- Operating System and version (`uname -a`):