From 3cdb609cca0f1b3da15a907f5ea446e847ee2aa3 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Fri, 29 Jul 2022 20:58:03 -0700
Subject: [PATCH] allow root users to return appropriate policy in AccountInfo (#15437)
fixes #15436
This fixes a regression caused after the removal of "consoleAdmin" policy usage for 'root users' in PR #15402
---
 cmd/admin-handlers-users.go | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index ca8a5f595..65e280aa7 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -1189,17 +1189,32 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 // For derived credentials, check the parent user's permissions.
 accountName = cred.ParentUser
 }
- policies, err := globalIAMSys.PolicyDBGet(accountName, false, cred.Groups...)
- if err != nil {
- logger.LogIf(ctx, err)
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
- }
- buf, err := json.MarshalIndent(globalIAMSys.GetCombinedPolicy(policies...), "", " ")
- if err != nil {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
+ var buf []byte
+ if accountName == globalActiveCred.AccessKey {
+ for _, policy := range iampolicy.DefaultPolicies {
+ if policy.Name == "consoleAdmin" {
+ buf, err = json.MarshalIndent(policy.Definition, "", " ")
+ if err != nil {
+ writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+ return
+ }
+ break
+ }
+ }
+ } else {
+ policies, err := globalIAMSys.PolicyDBGet(accountName, false, cred.Groups...)
+ if err != nil {
+ logger.LogIf(ctx, err)
+ writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+ return
+ }
+
+ buf, err = json.MarshalIndent(globalIAMSys.GetCombinedPolicy(policies...), "", " ")
+ if err != nil {
+ writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+ return
+ }
 }
 acctInfo := madmin.AccountInfo{
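Review bot: The root-account branch has no path for the case where the loop over `iampolicy.DefaultPolicies` finds no entry named "consoleAdmin": `buf` stays nil and execution falls through to the `acctInfo` construction, so the handler would presumably report an empty policy rather than an error (how `buf` is consumed lies outside the hunk). A guard after the loop, `if buf == nil { /* write an admin API error and return */ }`, would keep a renamed or removed default policy from silently reproducing the regression this commit fixes. The branch would also benefit from a comment explaining the hard-coded name, for example `// Root credentials have no stored policy mapping; report the built-in consoleAdmin definition.`, if that matches the intent stated in the commit message. AccountInfoHandler starts and ends outside the hunk, including the declaration of the `err` that `buf, err = json.MarshalIndent(policy.Definition, ...)` assigns to, so that declaration should be confirmed to precede this block.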