mirror of
https://github.com/minio/minio.git
synced 2024-12-25 06:35:56 -05:00
Fix user and policy deletion IAM commands (#8683)
This commit is contained in:
parent
8f1243986e
commit
01468d5a75
67
cmd/iam.go
67
cmd/iam.go
@ -433,6 +433,38 @@ func (sys *IAMSys) DeletePolicy(policyName string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
delete(sys.iamPolicyDocsMap, policyName)
|
delete(sys.iamPolicyDocsMap, policyName)
|
||||||
|
|
||||||
|
// Delete user-policy mappings that will no longer apply
|
||||||
|
var usersToDel []string
|
||||||
|
var isUserSTS []bool
|
||||||
|
for u, mp := range sys.iamUserPolicyMap {
|
||||||
|
if mp.Policy == policyName {
|
||||||
|
usersToDel = append(usersToDel, u)
|
||||||
|
cr, ok := sys.iamUsersMap[u]
|
||||||
|
if !ok {
|
||||||
|
// This case cannot happen
|
||||||
|
return errNoSuchUser
|
||||||
|
}
|
||||||
|
// User is from STS if the creds are temporary
|
||||||
|
isSTS := cr.IsTemp()
|
||||||
|
isUserSTS = append(isUserSTS, isSTS)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for i, u := range usersToDel {
|
||||||
|
sys.policyDBSet(u, "", isUserSTS[i], false)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete group-policy mappings that will no longer apply
|
||||||
|
var groupsToDel []string
|
||||||
|
for g, mp := range sys.iamGroupPolicyMap {
|
||||||
|
if mp.Policy == policyName {
|
||||||
|
groupsToDel = append(groupsToDel, g)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, g := range groupsToDel {
|
||||||
|
sys.policyDBSet(g, "", false, true)
|
||||||
|
}
|
||||||
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -509,6 +541,19 @@ func (sys *IAMSys) DeleteUser(accessKey string) error {
|
|||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// First we remove the user from their groups.
|
||||||
|
userInfo, getErr := sys.GetUserInfo(accessKey)
|
||||||
|
if getErr != nil {
|
||||||
|
return getErr
|
||||||
|
}
|
||||||
|
for _, group := range userInfo.MemberOf {
|
||||||
|
removeErr := sys.RemoveUsersFromGroup(group, []string{accessKey})
|
||||||
|
if removeErr != nil {
|
||||||
|
return removeErr
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Next we can remove the user from memory and IAM store
|
||||||
sys.Lock()
|
sys.Lock()
|
||||||
defer sys.Unlock()
|
defer sys.Unlock()
|
||||||
|
|
||||||
@ -1069,17 +1114,17 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
|
|||||||
return sys.policyDBSet(name, policy, false, isGroup)
|
return sys.policyDBSet(name, policy, false, isGroup)
|
||||||
}
|
}
|
||||||
|
|
||||||
// policyDBSet - sets a policy for user in the policy db. Assumes that
|
// policyDBSet - sets a policy for user in the policy db. Assumes that caller
|
||||||
// caller has sys.Lock().
|
// has sys.Lock(). If policy == "", then policy mapping is removed.
|
||||||
func (sys *IAMSys) policyDBSet(name, policy string, isSTS, isGroup bool) error {
|
func (sys *IAMSys) policyDBSet(name, policy string, isSTS, isGroup bool) error {
|
||||||
if sys.store == nil {
|
if sys.store == nil {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
if name == "" || policy == "" {
|
if name == "" {
|
||||||
return errInvalidArgument
|
return errInvalidArgument
|
||||||
}
|
}
|
||||||
if _, ok := sys.iamPolicyDocsMap[policy]; !ok {
|
if _, ok := sys.iamPolicyDocsMap[policy]; !ok && policy != "" {
|
||||||
return errNoSuchPolicy
|
return errNoSuchPolicy
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1095,6 +1140,20 @@ func (sys *IAMSys) policyDBSet(name, policy string, isSTS, isGroup bool) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Handle policy mapping removal
|
||||||
|
if policy == "" {
|
||||||
|
if err := sys.store.deleteMappedPolicy(name, isSTS, isGroup); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if !isGroup {
|
||||||
|
delete(sys.iamUserPolicyMap, name)
|
||||||
|
} else {
|
||||||
|
delete(sys.iamGroupPolicyMap, name)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Handle policy mapping set/update
|
||||||
mp := newMappedPolicy(policy)
|
mp := newMappedPolicy(policy)
|
||||||
if err := sys.store.saveMappedPolicy(name, isSTS, isGroup, mp); err != nil {
|
if err := sys.store.saveMappedPolicy(name, isSTS, isGroup, mp); err != nil {
|
||||||
return err
|
return err
|
||||||
|
Loading…
Reference in New Issue
Block a user