add IAM policyDB lookup fallbacks to drives (#19302)

IAM loading is a lazy operation, allow these fallbacks to be in place when we cannot find in-memory state(). this allows us to honor the request even if pay a small price for lookup and populating the data.
2025-04-22 03:24:38 -04:00 · 2024-03-20 09:24:04 -07:00 · 2024-03-20 09:24:04 -07:00 · 280526caf7
commit 280526caf7
parent 1173b26fc8
1 changed files with 57 additions and 13 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@ -358,9 +358,15 @@ func (c *iamCache) policyDBGet(store *IAMStoreSys, name string, isGroup bool) ([
 	if isGroup {
 		if store.getUsersSysType() == MinIOUsersSysType {
 			g, ok := c.iamGroupsMap[name]
 			if !ok {
 				if err := store.loadGroup(context.Background(), name, c.iamGroupsMap); err != nil {
 					return nil, time.Time{}, err
 				}
 				g, ok = c.iamGroupsMap[name]
 				if !ok {
 					return nil, time.Time{}, errNoSuchGroup
 				}
 			}
 			// Group is disabled, so we return no policy - this
 			// ensures the request is denied.
@ -369,7 +375,15 @@ func (c *iamCache) policyDBGet(store *IAMStoreSys, name string, isGroup bool) ([
 			}
 		}
-		return c.iamGroupPolicyMap[name].toSlice(), c.iamGroupPolicyMap[name].UpdatedAt, nil
+		policy, ok := c.iamGroupPolicyMap[name]
 		if ok {
 			return policy.toSlice(), policy.UpdatedAt, nil
 		}
 		if err := store.loadMappedPolicy(context.TODO(), name, regUser, true, c.iamGroupPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
 			return nil, time.Time{}, err
 		}
 		policy = c.iamGroupPolicyMap[name]
 		return policy.toSlice(), policy.UpdatedAt, nil
 	}
 	// When looking for a user's policies, we also check if the user
@ -385,28 +399,58 @@ func (c *iamCache) policyDBGet(store *IAMStoreSys, name string, isGroup bool) ([
 	// mapping is iamUserPolicyMap. For STS accounts, the parent user would be
 	// passed here and we lookup the mapping in iamSTSPolicyMap.
 	mp, ok := c.iamUserPolicyMap[name]
 	if !ok {
 		if err := store.loadMappedPolicy(context.TODO(), name, regUser, false, c.iamUserPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
 			return nil, time.Time{}, err
 		}
 		mp, ok = c.iamUserPolicyMap[name]
 		if !ok {
 			// Since user "name" could be a parent user of an STS account, we lookup
 			// mappings for those too.
 			mp, ok = c.iamSTSPolicyMap[name]
 			if !ok {
 				// Attempt to load parent user mapping for STS accounts
-			store.loadMappedPolicy(context.TODO(), name, stsUser, false, c.iamSTSPolicyMap)
+				if err := store.loadMappedPolicy(context.TODO(), name, stsUser, false, c.iamSTSPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
 					return nil, time.Time{}, err
 				}
 				mp = c.iamSTSPolicyMap[name]
 			}
 		}
 	}
 	// returned policy could be empty
 	policies := mp.toSlice()
 	for _, group := range c.iamUserGroupMemberships[name].ToSlice() {
-		// Skip missing or disabled groups
+		if store.getUsersSysType() == MinIOUsersSysType {
-		gi, ok := c.iamGroupsMap[group]
+			g, ok := c.iamGroupsMap[group]
-		if !ok || gi.Status == statusDisabled {
+			if !ok {
-			continue
+				if err := store.loadGroup(context.Background(), group, c.iamGroupsMap); err != nil {
 					return nil, time.Time{}, err
 				}
 				g, ok = c.iamGroupsMap[group]
 				if !ok {
 					return nil, time.Time{}, errNoSuchGroup
 				}
 			}
-		policies = append(policies, c.iamGroupPolicyMap[group].toSlice()...)
+			// Group is disabled, so we return no policy - this
 			// ensures the request is denied.
 			if g.Status == statusDisabled {
 				return nil, time.Time{}, nil
 			}
 		}
 		policy, ok := c.iamGroupPolicyMap[group]
 		if ok {
 			if err := store.loadMappedPolicy(context.TODO(), group, regUser, true, c.iamGroupPolicyMap); err != nil && !errors.Is(err, errNoSuchPolicy) {
 				return nil, time.Time{}, err
 			}
 			policy = c.iamGroupPolicyMap[group]
 		}
 		policies = append(policies, policy.toSlice()...)
 	}
 	return policies, mp.UpdatedAt, nil