fix: LDAP derivative accounts parentUser validation is not needed (#9573)

* fix: LDAP derivative accounts parentUser validation is not needed fixes #9435 * Update cmd/iam.go Co-authored-by: Lenin Alevski <alevsk.8772@gmail.com> Co-authored-by: Lenin Alevski <alevsk.8772@gmail.com>
2025-01-26 22:23:15 -05:00 · 2020-05-12 09:21:08 -07:00 · 2020-05-12 09:21:08 -07:00 · 1756b7c6ff
commit 1756b7c6ff
parent e25ace2151
1 changed files with 66 additions and 45 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1023,9 +1023,15 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {

 	cred, ok = sys.iamUsersMap[accessKey]
 	if ok && cred.IsValid() {
-		if cred.ParentUser != "" {
+		if cred.ParentUser != "" && sys.usersSysType == MinIOUsersSysType {
 			_, ok = sys.iamUsersMap[cred.ParentUser]
 		}
+		// for LDAP service accounts with ParentUser set
+		// we have no way to validate, either because user
+		// doesn't need an explicit policy as it can come
+		// automatically from a group. We are safe to ignore
+		// this and continue as policies would fail eventually
+		// the policies are missing or not configured.
 	}
 	return cred, ok && cred.IsValid()
 }
@ -1617,6 +1623,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parent string) b
 func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
 	// If it is an LDAP request, check that user and group
 	// policies allow the request.
+	if sys.usersSysType == LDAPUsersSysType {
 		if userIface, ok := args.Claims[ldapUser]; ok {
 			var user string
 			if u, ok := userIface.(string); ok {
@ -1633,8 +1640,6 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
 						groups = append(groups, eachGStr)
 					}
 				}
-		} else {
-			return false
 			}

 			sys.store.rlock()
@ -1644,19 +1649,33 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
 			// users exists, group exists validations that do not
 			// apply here.
 			var policies []iampolicy.Policy
-		if policy, ok := sys.iamUserPolicyMap[user]; ok {
-			p, found := sys.iamPolicyDocsMap[policy.Policy]
-			if found {
+			if mp, ok := sys.iamUserPolicyMap[user]; ok {
+				for _, pname := range strings.Split(mp.Policy, ",") {
+					pname = strings.TrimSpace(pname)
+					if pname == "" {
+						continue
+					}
+					p, found := sys.iamPolicyDocsMap[pname]
+					if !found {
+						return false
+					}
 					policies = append(policies, p)
 				}
 			}
 			for _, group := range groups {
-			policy, ok := sys.iamGroupPolicyMap[group]
+				mp, ok := sys.iamGroupPolicyMap[group]
 				if !ok {
 					continue
 				}
-			p, found := sys.iamPolicyDocsMap[policy.Policy]
-			if found {
+				for _, pname := range strings.Split(mp.Policy, ",") {
+					pname = strings.TrimSpace(pname)
+					if pname == "" {
+						continue
+					}
+					p, found := sys.iamPolicyDocsMap[pname]
+					if !found {
+						return false
+					}
 					policies = append(policies, p)
 				}
 			}
@ -1671,6 +1690,8 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
 			}
 			return combinedPolicy.IsAllowed(args)
 		}
+		return false
+	}

 	policies, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
 	if !ok {