iam: Hot load of the policy during request authorization (#20007)

Hot load a policy document when during account authorization evaluation to avoid returning 403 during server startup, when not all policies are already loaded. Add this support for group policies as well.
2025-11-07 12:52:58 -05:00 · 2024-06-28 01:03:07 +01:00
parent 709612cb37
commit 722118386d
3 changed files with 112 additions and 25 deletions
--- a/cmd/iam-object-store.go
+++ b/cmd/iam-object-store.go
@@ -457,6 +457,8 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam

 	bootstrapTraceMsgFirstTime("loading all IAM items")

+	setDefaultCannedPolicies(cache.iamPolicyDocsMap)
+
 	listStartTime := UTCNow()
 	listedConfigItems, err := iamOS.listAllIAMConfigItems(ctx)
 	if err != nil {
@@ -485,7 +487,6 @@ func (iamOS *IAMObjectStore) loadAllFromObjStore(ctx context.Context, cache *iam
 	if took := time.Since(policyLoadStartTime); took > maxIAMLoadOpTime {
 		logger.Info("Policy docs load took %.2fs (for %d items)", took.Seconds(), len(policiesList))
 	}
-	setDefaultCannedPolicies(cache.iamPolicyDocsMap)

 	if iamOS.usersSysType == MinIOUsersSysType {
 		bootstrapTraceMsgFirstTime("loading regular IAM users")