Description
Hi,
In the UI, when creating a personal service account, the option exists to generate the session policy document, edit it, and attach it to the service account.
We have MinIO authentication and authorisation using LDAP and policies on LDAP groups. That works nicely.
Sometimes users join new LDAP groups and therefore get updated session policies. For automation purposes (secret rotation) we would like to update existing service accounts (system wide but user specific) with new policy documents. These new policy documents should be generated by MinIO similar to what the UI does. That way we can update and/or rotate existing/new service accounts with the current complete policy document.
However, using the MinIO admin Go client:
mc admin user policy myminio "CN=Hartwig\, Jonas (cvv556),OU=...."
I get the following error: mc: <ERROR> Unable to fetch user policy document. Policy not found for user CN=Hartwig\, Jonas (cvv556),OU=...
When using the MinIO admin Go client to create a service account without a policy attached, then retrieve and inspect it, it is shown as an implied/empty policy. That also makes sense.
Another use case for admins would be debugging the policies. The setup of policies assigned to users and groups might be quite complex. The resulting policy document might be conflicting. It would be helpful to understand a user's policy in case of complaints.
Now here is what I need: How can I get this implied policy document?
Regards