Fix regression in STS permissions via group in internal IDP (#13955)

- When using MinIO's internal IDP, STS credential permissions did not check the groups of a user. - Also fix bug in policy checking in AccountInfo call
2025-11-06 20:33:07 -05:00 · 2021-12-20 14:07:16 -08:00
parent 0b21734571
commit 526e10a2e0
3 changed files with 109 additions and 23 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1425,12 +1425,15 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args, parentUser string) bool {
 			return false
 		}
 		policies = newMappedPolicy(sys.rolesMap[arn]).toSlice()
-	} else if parentUser == globalActiveCred.AccessKey {
-		policies = []string{"consoleAdmin"}
 	} else {
 		// Lookup the parent user's mapping if there's no role-ARN.
-		mp, ok := sys.store.GetMappedPolicy(parentUser, false)
-		if !ok {
+		var err error
+		policies, err = sys.store.PolicyDBGet(parentUser, false, args.Groups...)
+		if err != nil {
+			logger.LogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err))
+			return false
+		}
+		if len(policies) == 0 {
 			// TODO (deprecated in Dec 2021): Only need to handle
 			// behavior for STS credentials created in older
 			// releases. Otherwise, reject such cases, once older
@@ -1444,10 +1447,7 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args, parentUser string) bool {
 				return false
 			}
 			policies = policySet.ToSlice()
-		} else {
-			policies = mp.toSlice()
 		}
-
 	}

 	combinedPolicy, err := sys.store.GetPolicy(strings.Join(policies, ","))