return error if policy changes on disabled groups (#16766)

buildscripts/race.sh

@@ -5,7 +5,6 @@ set -e
 export GORACE="history_size=7"
 export MINIO_API_REQUESTS_MAX=10000
 
-## TODO remove `dsync` from race detector once this is merged and released https://go-review.googlesource.com/c/go/+/333529/
+for d in $(go list ./...); do
-for d in $(go list ./... | grep -v dsync); do
     CGO_ENABLED=1 go test -v -race --timeout 100m "$d"
 done

cmd/api-errors.go

@@ -266,6 +266,7 @@ const (
 	ErrAdminNoSuchUser
 	ErrAdminNoSuchGroup
 	ErrAdminGroupNotEmpty
+	ErrAdminGroupDisabled
 	ErrAdminNoSuchJob
 	ErrAdminNoSuchPolicy
 	ErrAdminPolicyChangeAlreadyApplied
@@ -1260,6 +1261,11 @@ var errorCodes = errorCodeMap{
 		Description:    "The specified group is not empty - cannot remove it.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrAdminGroupDisabled: {
+		Code:           "XMinioAdminGroupDisabled",
+		Description:    "The specified group is disabled.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrAdminNoSuchPolicy: {
 		Code:           "XMinioAdminNoSuchPolicy",
 		Description:    "The canned policy does not exist.",

cmd/iam-store.go

@@ -937,8 +937,7 @@ func (store *IAMStoreSys) PolicyDBUpdate(ctx context.Context, name string, isGro
 			}
 
 			if g.Status == statusDisabled {
-				// TODO: return an error?
+				return updatedAt, nil, errGroupDisabled
-				return updatedAt, nil, nil
 			}
 		}
 		mp = cache.iamGroupPolicyMap[name]

cmd/typed-errors.go

@@ -88,6 +88,9 @@ var errNoPolicyToAttachOrDetach = errors.New("Specified policy update has no net
 // deleted.
 var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove it")
 
+// error returned in IAM subsystem when a group is disabled
+var errGroupDisabled = errors.New("Specified group is disabled")
+
 // error returned in IAM subsystem when policy doesn't exist.
 var errNoSuchPolicy = errors.New("Specified canned policy does not exist")