diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 95de013ce..a9e651eda 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -523,6 +523,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 return
 }
 // targerUser is set to bindDN at this point in time.
+ // targetGroups is set to the groups at this point in time.
 } else {
 if cred.IsServiceAccount() || cred.IsTemp() {
 if cred.ParentUser == "" {
@@ -534,7 +535,10 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 targetUser = cred.ParentUser
 }
 }
- targetGroups = cred.Groups
+ // targetGroups not yet set, so set this to cred.Groups
+ if len(targetGroups) == 0 {
+ targetGroups = cred.Groups
+ }
 }
 
 var sp *iampolicy.Policy
diff --git a/cmd/iam.go b/cmd/iam.go
index de2864043..87bd0acea 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
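Review bot: The new guard `if len(targetGroups) == 0` cannot distinguish "never assigned" from "assigned an empty group list", so if anything earlier in this else branch can legitimately resolve targetGroups to an empty slice, that case silently falls back to `cred.Groups`; `if targetGroups == nil {` expresses "not yet set" exactly and matches the intent of the comment. The comment `// targetGroups not yet set, so set this to cred.Groups` reads as if the assignment were unconditional; `// fall back to the caller's own groups when none were resolved above` would describe the guarded behaviour. Whether an earlier statement of this branch assigns targetGroups is not visible in the hunk; AddServiceAccount starts before the hunk and continues after it.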
@@ -1502,21 +1502,23 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 
 if ok && cred.IsValid() {
 if cred.IsServiceAccount() || cred.IsTemp() {
- // temporary credentials or service accounts
- // must have their parent in UsersMap
- if cred.ParentUser == globalActiveCred.AccessKey {
- // parent exists, so allow temporary and service accounts.
- ok = true
- } else {
- _, ok = sys.iamUserPolicyMap[cred.ParentUser]
+ policies, err := sys.policyDBGet(cred.ParentUser, false)
+ if err != nil {
+ // Reject if the policy map for user doesn't exist anymore.
+ logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
+ return auth.Credentials{}, false
 }
+ for _, group := range cred.Groups {
+ ps, err := sys.policyDBGet(group, true)
+ if err != nil {
+ // Reject if the policy map for group doesn't exist anymore.
+ logger.LogIf(context.Background(), fmt.Errorf("'%s' group does not have a policy present", group))
+ return auth.Credentials{}, false
+ }
+ policies = append(policies, ps...)
+ }
+ ok = len(policies) > 0
 }
- // for LDAP service accounts with ParentUser set
- // we have no way to validate, either because user
- // doesn't need an explicit policy as it can come
- // automatically from a group. We are safe to ignore
- // this and continue as policies would fail eventually
- // the policies are missing or not configured.
 }
 return cred, ok && cred.IsValid()
 }
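Review bot: The rewrite drops the `cred.ParentUser == globalActiveCred.AccessKey` short-circuit, so a service or STS credential whose parent is the root access key now passes only if `sys.policyDBGet(cred.ParentUser, false)` returns at least one policy for it; if the root credential has no entry in the policy DB (the removed branch did not require one), such credentials are now rejected by `ok = len(policies) > 0`. Keeping that special case ahead of the lookup, e.g. wrapping the new block in `if cred.ParentUser != globalActiveCred.AccessKey { … }` and leaving `ok` true for root, would preserve the previous behaviour. Separately, both `logger.LogIf` calls discard `err` and interpolate a credential-supplied name with `%s`; `fmt.Errorf("user %q does not have a policy present: %w", cred.ParentUser, err)` keeps the underlying reason and quotes the value, and since GetUser appears to sit on the request path, logging on every rejected lookup may deserve rate limiting. GetUser begins before this hunk and ends at its last line.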