mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
fix: a regression in IAM policy reload routine() (#19421)
all policy reloading is broken since last release since
48deccdc40
fixes #19417
This commit is contained in:
parent
a207bd6790
commit
91f91d8f47
@ -399,6 +399,7 @@ var (
|
||||
groupsListKey = "groups/"
|
||||
policiesListKey = "policies/"
|
||||
stsListKey = "sts/"
|
||||
policyDBPrefix = "policydb/"
|
||||
policyDBUsersListKey = "policydb/users/"
|
||||
policyDBSTSUsersListKey = "policydb/sts-users/"
|
||||
policyDBGroupsListKey = "policydb/groups/"
|
||||
@ -406,8 +407,13 @@ var (
|
||||
|
||||
// splitPath splits a path into a top-level directory and a child item. The
|
||||
// parent directory retains the trailing slash.
|
||||
func splitPath(s string) (string, string) {
|
||||
i := strings.Index(s, "/")
|
||||
func splitPath(s string, lastIndex bool) (string, string) {
|
||||
var i int
|
||||
if lastIndex {
|
||||
i = strings.LastIndex(s, "/")
|
||||
} else {
|
||||
i = strings.Index(s, "/")
|
||||
}
|
||||
if i == -1 {
|
||||
return s, ""
|
||||
}
|
||||
@ -424,7 +430,8 @@ func (iamOS *IAMObjectStore) listAllIAMConfigItems(ctx context.Context) (map[str
|
||||
return nil, item.Err
|
||||
}
|
||||
|
||||
listKey, trimmedItem := splitPath(item.Item)
|
||||
lastIndex := strings.HasPrefix(item.Item, policyDBPrefix)
|
||||
listKey, trimmedItem := splitPath(item.Item, lastIndex)
|
||||
if listKey == iamFormatFile {
|
||||
continue
|
||||
}
|
||||
|
@ -1918,7 +1918,7 @@ func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool {
|
||||
default:
|
||||
// Otherwise, inherit parent user's policy
|
||||
var err error
|
||||
policies, err = sys.store.PolicyDBGet(parentUser, args.Groups...)
|
||||
policies, err = sys.PolicyDBGet(parentUser, args.Groups...)
|
||||
if err != nil {
|
||||
iamLogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err))
|
||||
return false
|
||||
|
@ -75,10 +75,13 @@ func TestCheckValid(t *testing.T) {
|
||||
t.Fatalf("unable create credential, %s", err)
|
||||
}
|
||||
|
||||
globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{
|
||||
_, err = globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{
|
||||
SecretKey: ucreds.SecretKey,
|
||||
Status: madmin.AccountEnabled,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("unable create credential, %s", err)
|
||||
}
|
||||
|
||||
_, owner, s3Err = checkKeyValid(req, ucreds.AccessKey)
|
||||
if s3Err != ErrNone {
|
||||
@ -88,6 +91,26 @@ func TestCheckValid(t *testing.T) {
|
||||
if owner {
|
||||
t.Fatalf("Expected owner to be 'false', found %t", owner)
|
||||
}
|
||||
|
||||
_, err = globalIAMSys.PolicyDBSet(ctx, ucreds.AccessKey, "consoleAdmin", regUser, false)
|
||||
if err != nil {
|
||||
t.Fatalf("unable to attach policy to credential, %s", err)
|
||||
}
|
||||
|
||||
time.Sleep(4 * time.Second)
|
||||
|
||||
policies, err := globalIAMSys.PolicyDBGet(ucreds.AccessKey)
|
||||
if err != nil {
|
||||
t.Fatalf("unable to get policy to credential, %s", err)
|
||||
}
|
||||
|
||||
if len(policies) == 0 {
|
||||
t.Fatal("no policies found")
|
||||
}
|
||||
|
||||
if policies[0] != "consoleAdmin" {
|
||||
t.Fatalf("expected 'consoleAdmin', %s", policies[0])
|
||||
}
|
||||
}
|
||||
|
||||
// TestSkipContentSha256Cksum - Test validate the logic which decides whether
|
||||
|
Loading…
Reference in New Issue
Block a user