fix: more regressions listing policy mappings (#18060)

also relax ListServiceAccounts() returning error if
no service accounts exist.

cmd/iam-store.go

@@ -958,13 +958,12 @@ func (store *IAMStoreSys) PolicyDBUpdate(ctx context.Context, name string, isGro
 	var mp MappedPolicy
 	if !isGroup {
 		if userType == stsUser {
-			var ok bool
-			mp, ok = cache.iamSTSPolicyMap[name]
-			if !ok {
-				// Attempt to load parent user mapping for STS accounts
-				store.loadMappedPolicy(context.TODO(), name, stsUser, false, cache.iamSTSPolicyMap)
-				mp = cache.iamSTSPolicyMap[name]
-			}
+			stsMap := map[string]MappedPolicy{}
+
+			// Attempt to load parent user mapping for STS accounts
+			store.loadMappedPolicy(context.TODO(), name, stsUser, false, stsMap)
+
+			mp = stsMap[name]
 		} else {
 			mp = cache.iamUserPolicyMap[name]
 		}
@@ -1888,6 +1887,25 @@ func (store *IAMStoreSys) listUserPolicyMappings(cache *iamCache, users []string
 		})
 	}
 
+	stsMap := map[string]MappedPolicy{}
+	for _, user := range users {
+		// Attempt to load parent user mapping for STS accounts
+		store.loadMappedPolicy(context.TODO(), user, stsUser, false, stsMap)
+	}
+
+	for user, mappedPolicy := range stsMap {
+		if userPredicate != nil && !userPredicate(user) {
+			continue
+		}
+
+		ps := mappedPolicy.toSlice()
+		sort.Strings(ps)
+		r = append(r, madmin.UserPolicyEntities{
+			User:     user,
+			Policies: ps,
+		})
+	}
+
 	sort.Slice(r, func(i, j int) bool {
 		return r[i].User < r[j].User
 	})
@@ -1952,6 +1970,32 @@ func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string,
 		}
 	}
 
+	if iamOS, ok := store.IAMStorageAPI.(*IAMObjectStore); ok {
+		for item := range listIAMConfigItems(context.Background(), iamOS.objAPI, iamConfigPrefix+SlashSeparator+policyDBSTSUsersListKey) {
+			user := strings.TrimSuffix(item.Item, ".json")
+			if userPredicate != nil && !userPredicate(user) {
+				continue
+			}
+
+			var mappedPolicy MappedPolicy
+			store.loadIAMConfig(context.Background(), &mappedPolicy, getMappedPolicyPath(user, stsUser, false))
+
+			commonPolicySet := mappedPolicy.policySet()
+			if !queryPolSet.IsEmpty() {
+				commonPolicySet = commonPolicySet.Intersection(queryPolSet)
+			}
+			for _, policy := range commonPolicySet.ToSlice() {
+				s, ok := policyToUsersMap[policy]
+				if !ok {
+					policyToUsersMap[policy] = set.CreateStringSet(user)
+				} else {
+					s.Add(user)
+					policyToUsersMap[policy] = s
+				}
+			}
+		}
+	}
+
 	policyToGroupsMap := make(map[string]set.StringSet)
 	for group, mappedPolicy := range cache.iamGroupPolicyMap {
 		if groupPredicate != nil && !groupPredicate(group) {
@@ -2243,19 +2287,10 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 	cache := store.rlock()
 	defer store.runlock()
 
-	userExists := false
 	var serviceAccounts []auth.Credentials
 	for _, u := range cache.iamUsersMap {
-		isDerived := false
 		v := u.Credentials
-		if v.IsServiceAccount() || v.IsTemp() {
-			isDerived = true
-		}
-
-		if !isDerived && v.AccessKey == accessKey {
-			userExists = true
-		} else if isDerived && v.ParentUser == accessKey {
-			userExists = true
+		if accessKey != "" && v.ParentUser == accessKey {
 			if v.IsServiceAccount() {
 				// Hide secret key & session key here
 				v.SecretKey = ""
@@ -2265,12 +2300,6 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 		}
 	}
 
-	// If root user has no STS/Service Accounts, userExists would be false here,
-	// so we handle this exception.
-	if !userExists && globalActiveCred.AccessKey != accessKey {
-		return nil, errNoSuchUser
-	}
-
 	return serviceAccounts, nil
 }
 

docs/distributed/decom-compressed-sse-s3.sh

@@ -24,7 +24,7 @@ export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!
 
-sleep 2
+sleep 10
 
 ./mc admin user add myminio/ minio123 minio123
 ./mc admin user add myminio/ minio12345 minio12345
@@ -55,7 +55,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!
 
-sleep 2
+sleep 10
 
 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@@ -94,7 +94,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/removed.log) &
 pid=$!
 
-sleep 2
+sleep 10
 
 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)

docs/distributed/decom-encrypted-sse-s3.sh

@@ -19,7 +19,7 @@ export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!
 
-sleep 2
+sleep 10
 
 ./mc admin user add myminio/ minio123 minio123
 ./mc admin user add myminio/ minio12345 minio12345
@@ -52,7 +52,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!
 
-sleep 2
+sleep 10
 
 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@@ -98,7 +98,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/removed.log) &
 pid=$!
 
-sleep 2
+sleep 10
 
 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)

docs/distributed/decom-encrypted.sh

@@ -19,7 +19,7 @@ export MINIO_KMS_SECRET_KEY=my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!
 
-sleep 2
+sleep 10
 
 export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 
@@ -51,7 +51,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!
 
-sleep 2
+sleep 10
 
 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@@ -90,7 +90,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/dev/null) &
 pid=$!
 
-sleep 2
+sleep 10
 
 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)

docs/site-replication/run-multi-site-ldap.sh

@@ -117,6 +117,20 @@ fi
 
 sleep 10
 
+./mc idp ldap policy entities minio1
+./mc idp ldap policy entities minio2
+./mc idp ldap policy entities minio3
+
+./mc admin service restart minio1
+./mc admin service restart minio2
+./mc admin service restart minio3
+
+sleep 10
+
+./mc idp ldap policy entities minio1
+./mc idp ldap policy entities minio2
+./mc idp ldap policy entities minio3
+
 ./mc admin user svcacct info minio1 testsvc
 if [ $? -ne 0 ]; then
 	echo "svc account not mirrored, exiting.."
@@ -129,13 +143,42 @@ if [ $? -ne 0 ]; then
 	exit_1
 fi
 
+./mc admin user svcacct info minio3 testsvc
+if [ $? -ne 0 ]; then
+	echo "svc account not mirrored, exiting.."
+	exit_1
+fi
+
+MC_HOST_svc1=http://testsvc:testsvc123@localhost:9001 ./mc ls svc1
+MC_HOST_svc2=http://testsvc:testsvc123@localhost:9002 ./mc ls svc2
+MC_HOST_svc3=http://testsvc:testsvc123@localhost:9003 ./mc ls svc3
+
 ./mc admin user svcacct rm minio1 testsvc
 if [ $? -ne 0 ]; then
 	echo "removing svc account failed, exiting.."
 	exit_1
 fi
 
+./mc admin user info minio1 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+if [ $? -ne 0 ]; then
+	echo "policy mapping missing, exiting.."
+	exit_1
+fi
+
+./mc admin user info minio2 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+if [ $? -ne 0 ]; then
+	echo "policy mapping missing, exiting.."
+	exit_1
+fi
+
+./mc admin user info minio3 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+if [ $? -ne 0 ]; then
+	echo "policy mapping missing, exiting.."
+	exit_1
+fi
+
 sleep 10
+
 ./mc admin user svcacct info minio2 testsvc
 if [ $? -eq 0 ]; then
 	echo "svc account found after delete, exiting.."