AssumeRoleWithCertificate doesn't work, if minio is running under Windows #18865

Open
mcpride opened this issue Jan 25, 2024 · 0 comments
mcpride commented Jan 25, 2024

If Minio server is hosted in a Windows environment, then the AssumeRoleWithCertificate doesn't work.

Expected Behavior

An mTLS web request to the AssumeRoleWithCertificate STS endpoint with a valid client certificate whose CN is equal to an existing policy name returns valid credentials. (Works in a Linux-hosted environment as expected!)

Current Behavior

When the Minio server is hosted in a Windows environment, the request as described previously fails with the following output:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
    <Error>
        <Type></Type>
        <Code>InternalError</Code>
        <Message>Object name invalid: .minio.sys/config/iam/policydb/sts-users/tls:consoleAdmin.json</Message>
    </Error>
    <RequestId>17AD584B566D1258</RequestId>
</ErrorResponse>

The problem seems to be in relation to the underlying file system handling, because the tls: part cannot be used in file or directory names under Windows. At least the following characters are forbidden in Windows directory and file names: \ / : * ? " < > |. (see also: Naming Conventions)

This bug is related to #18853 (same root cause)!

Possible Solution

Sanitized file name handling per platform, maybe as described here: https://stackoverflow.com/questions/1976007/what-characters-are-forbidden-in-windows-and-linux-directory-names/61448658#61448658

Steps to Reproduce (for bugs)

  1. Host minio server under Windows
  2. Configure TLS handling as described in AssumeRoleWithCertificate
  3. Make a web request with a valid client certificate as described in https://github.com/minio/minio/blob/master/docs/sts/tls.md to the AssumeRoleWithCertificate endpoint e.g.: https://localhost:9111?Action=AssumeRoleWithCertificate&Version=2011-06-15&DurationSeconds=3600

Context

We need to host minio server in a Windows environment without a Linux-based subsystem, and our applications need a possibility to get administration credentials dynamically for maintenance.

Your Environment

  • Version used (minio --version): RELEASE.2024-01-18T22-51-28Z (commit-id=19387cafab76133c2e7642de4aac8c81b9f4f8c7) Runtime: go1.21.6 windows/amd64
  • Operating System and version: Windows Server 2019/2022
@harshavardhana harshavardhana changed the title AssumeRoleWithCertificate doesn't work, if minio is running under Windows [port/windows] AssumeRoleWithCertificate doesn't work, if minio is running under Windows Mar 27, 2024
@harshavardhana harshavardhana changed the title [port/windows] AssumeRoleWithCertificate doesn't work, if minio is running under Windows port/windows: AssumeRoleWithCertificate doesn't work, if minio is running under Windows Mar 27, 2024
@harshavardhana harshavardhana changed the title port/windows: AssumeRoleWithCertificate doesn't work, if minio is running under Windows AssumeRoleWithCertificate doesn't work, if minio is running under Windows Mar 27, 2024
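An added example, not part of the issue and not MinIO's code: one way to do the per-platform name handling suggested under "Possible Solution", using the failing object name from the error above. The function names are hypothetical, and the encoding is reversible so that `tls:consoleAdmin` and a name such as `tls_consoleAdmin` can never map to the same policy file.

```go
package main

import (
	"fmt"
	"strings"
)

// windowsForbidden holds the characters the issue lists as invalid in Windows
// file and directory names; '/' is treated as the segment separator instead.
const windowsForbidden = `\:*?"<>|`

// InvalidSegments returns the segments of a slash-separated object name that
// contain a character Windows rejects in a file or directory name.
func InvalidSegments(object string) []string {
	var bad []string
	for _, seg := range strings.Split(object, "/") {
		if strings.ContainsAny(seg, windowsForbidden) {
			bad = append(bad, seg)
		}
	}
	return bad
}

// EncodeSegment percent-encodes forbidden characters and '%' itself. Encoding
// '%' keeps the mapping reversible, so distinct names never collide on disk.
func EncodeSegment(seg string) string {
	var b strings.Builder
	for i := 0; i < len(seg); i++ {
		if c := seg[i]; c == '%' || strings.IndexByte(windowsForbidden, c) >= 0 {
			fmt.Fprintf(&b, "%%%02X", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// PortableName encodes every segment of a slash-separated object name.
func PortableName(object string) string {
	segs := strings.Split(object, "/")
	for i, s := range segs {
		segs[i] = EncodeSegment(s)
	}
	return strings.Join(segs, "/")
}

func main() {
	// Object name taken from the error message in the issue.
	name := ".minio.sys/config/iam/policydb/sts-users/tls:consoleAdmin.json"
	fmt.Println(InvalidSegments(name), PortableName(name))
}
```

Reserved device names and trailing dots or spaces, which Windows also rejects, are outside what this example covers.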