fix: more regressions listing policy mappings (#18060)

also relax ListServiceAccounts() returning error if no service accounts exist.
2025-04-16 00:49:09 -04:00 · 2023-09-19 15:22:25 -07:00 · 2023-09-19 15:22:25 -07:00 · 9081346c40
commit 9081346c40
parent fcfadb0e51
5 changed files with 104 additions and 32 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@ -958,13 +958,12 @@ func (store *IAMStoreSys) PolicyDBUpdate(ctx context.Context, name string, isGro
 	var mp MappedPolicy
 	if !isGroup {
 		if userType == stsUser {
-			var ok bool
+			stsMap := map[string]MappedPolicy{}
-			mp, ok = cache.iamSTSPolicyMap[name]
+
 			if !ok {
 			// Attempt to load parent user mapping for STS accounts
-				store.loadMappedPolicy(context.TODO(), name, stsUser, false, cache.iamSTSPolicyMap)
+			store.loadMappedPolicy(context.TODO(), name, stsUser, false, stsMap)
-				mp = cache.iamSTSPolicyMap[name]
+
-			}
+			mp = stsMap[name]
 		} else {
 			mp = cache.iamUserPolicyMap[name]
 		}
@ -1888,6 +1887,25 @@ func (store *IAMStoreSys) listUserPolicyMappings(cache *iamCache, users []string
 		})
 	}
 	stsMap := map[string]MappedPolicy{}
 	for _, user := range users {
 		// Attempt to load parent user mapping for STS accounts
 		store.loadMappedPolicy(context.TODO(), user, stsUser, false, stsMap)
 	}
 	for user, mappedPolicy := range stsMap {
 		if userPredicate != nil && !userPredicate(user) {
 			continue
 		}
 		ps := mappedPolicy.toSlice()
 		sort.Strings(ps)
 		r = append(r, madmin.UserPolicyEntities{
 			User:     user,
 			Policies: ps,
 		})
 	}
 	sort.Slice(r, func(i, j int) bool {
 		return r[i].User < r[j].User
 	})
@ -1952,6 +1970,32 @@ func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string,
 		}
 	}
 	if iamOS, ok := store.IAMStorageAPI.(*IAMObjectStore); ok {
 		for item := range listIAMConfigItems(context.Background(), iamOS.objAPI, iamConfigPrefix+SlashSeparator+policyDBSTSUsersListKey) {
 			user := strings.TrimSuffix(item.Item, ".json")
 			if userPredicate != nil && !userPredicate(user) {
 				continue
 			}
 			var mappedPolicy MappedPolicy
 			store.loadIAMConfig(context.Background(), &mappedPolicy, getMappedPolicyPath(user, stsUser, false))
 			commonPolicySet := mappedPolicy.policySet()
 			if !queryPolSet.IsEmpty() {
 				commonPolicySet = commonPolicySet.Intersection(queryPolSet)
 			}
 			for _, policy := range commonPolicySet.ToSlice() {
 				s, ok := policyToUsersMap[policy]
 				if !ok {
 					policyToUsersMap[policy] = set.CreateStringSet(user)
 				} else {
 					s.Add(user)
 					policyToUsersMap[policy] = s
 				}
 			}
 		}
 	}
 	policyToGroupsMap := make(map[string]set.StringSet)
 	for group, mappedPolicy := range cache.iamGroupPolicyMap {
 		if groupPredicate != nil && !groupPredicate(group) {
@ -2243,19 +2287,10 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 	cache := store.rlock()
 	defer store.runlock()
 	userExists := false
 	var serviceAccounts []auth.Credentials
 	for _, u := range cache.iamUsersMap {
 		isDerived := false
 		v := u.Credentials
-		if v.IsServiceAccount() || v.IsTemp() {
+		if accessKey != "" && v.ParentUser == accessKey {
 			isDerived = true
 		}
 		if !isDerived && v.AccessKey == accessKey {
 			userExists = true
 		} else if isDerived && v.ParentUser == accessKey {
 			userExists = true
 			if v.IsServiceAccount() {
 				// Hide secret key & session key here
 				v.SecretKey = ""
@ -2265,12 +2300,6 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 		}
 	}
 	// If root user has no STS/Service Accounts, userExists would be false here,
 	// so we handle this exception.
 	if !userExists && globalActiveCred.AccessKey != accessKey {
 		return nil, errNoSuchUser
 	}
 	return serviceAccounts, nil
 }
--- a/docs/distributed/decom-compressed-sse-s3.sh
+++ b/docs/distributed/decom-compressed-sse-s3.sh
@ -24,7 +24,7 @@ export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!
-sleep 2
+sleep 10
 ./mc admin user add myminio/ minio123 minio123
 ./mc admin user add myminio/ minio12345 minio12345
@ -55,7 +55,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!
-sleep 2
+sleep 10
 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@ -94,7 +94,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/removed.log) &
 pid=$!
-sleep 2
+sleep 10
 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)
--- a/docs/distributed/decom-encrypted-sse-s3.sh
+++ b/docs/distributed/decom-encrypted-sse-s3.sh
@ -19,7 +19,7 @@ export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!
-sleep 2
+sleep 10
 ./mc admin user add myminio/ minio123 minio123
 ./mc admin user add myminio/ minio12345 minio12345
@ -52,7 +52,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!
-sleep 2
+sleep 10
 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@ -98,7 +98,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/removed.log) &
 pid=$!
-sleep 2
+sleep 10
 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)
--- a/docs/distributed/decom-encrypted.sh
+++ b/docs/distributed/decom-encrypted.sh
@ -19,7 +19,7 @@ export MINIO_KMS_SECRET_KEY=my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!
-sleep 2
+sleep 10
 export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
@ -51,7 +51,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!
-sleep 2
+sleep 10
 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@ -90,7 +90,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/dev/null) &
 pid=$!
-sleep 2
+sleep 10
 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)
--- a/docs/site-replication/run-multi-site-ldap.sh
+++ b/docs/site-replication/run-multi-site-ldap.sh
@ -117,6 +117,20 @@ fi
 sleep 10
 ./mc idp ldap policy entities minio1
 ./mc idp ldap policy entities minio2
 ./mc idp ldap policy entities minio3
 ./mc admin service restart minio1
 ./mc admin service restart minio2
 ./mc admin service restart minio3
 sleep 10
 ./mc idp ldap policy entities minio1
 ./mc idp ldap policy entities minio2
 ./mc idp ldap policy entities minio3
 ./mc admin user svcacct info minio1 testsvc
 if [ $? -ne 0 ]; then
 	echo "svc account not mirrored, exiting.."
@ -129,13 +143,42 @@ if [ $? -ne 0 ]; then
 	exit_1
 fi
 ./mc admin user svcacct info minio3 testsvc
 if [ $? -ne 0 ]; then
 	echo "svc account not mirrored, exiting.."
 	exit_1
 fi
 MC_HOST_svc1=http://testsvc:testsvc123@localhost:9001 ./mc ls svc1
 MC_HOST_svc2=http://testsvc:testsvc123@localhost:9002 ./mc ls svc2
 MC_HOST_svc3=http://testsvc:testsvc123@localhost:9003 ./mc ls svc3
 ./mc admin user svcacct rm minio1 testsvc
 if [ $? -ne 0 ]; then
 	echo "removing svc account failed, exiting.."
 	exit_1
 fi
 ./mc admin user info minio1 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
 if [ $? -ne 0 ]; then
 	echo "policy mapping missing, exiting.."
 	exit_1
 fi
 ./mc admin user info minio2 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
 if [ $? -ne 0 ]; then
 	echo "policy mapping missing, exiting.."
 	exit_1
 fi
 ./mc admin user info minio3 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
 if [ $? -ne 0 ]; then
 	echo "policy mapping missing, exiting.."
 	exit_1
 fi
 sleep 10
 ./mc admin user svcacct info minio2 testsvc
 if [ $? -eq 0 ]; then
 	echo "svc account found after delete, exiting.."