fix: a regression in IAM policy reload routine() (#19421)

all policy reloading is broken since last release since

48deccdc40

fixes #19417
This commit is contained in:
Harshavardhana 2024-04-05 14:26:41 -07:00 committed by GitHub
parent a207bd6790
commit 91f91d8f47
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 35 additions and 5 deletions

View File

@ -399,6 +399,7 @@ var (
groupsListKey = "groups/" groupsListKey = "groups/"
policiesListKey = "policies/" policiesListKey = "policies/"
stsListKey = "sts/" stsListKey = "sts/"
policyDBPrefix = "policydb/"
policyDBUsersListKey = "policydb/users/" policyDBUsersListKey = "policydb/users/"
policyDBSTSUsersListKey = "policydb/sts-users/" policyDBSTSUsersListKey = "policydb/sts-users/"
policyDBGroupsListKey = "policydb/groups/" policyDBGroupsListKey = "policydb/groups/"
@ -406,8 +407,13 @@ var (
// splitPath splits a path into a top-level directory and a child item. The // splitPath splits a path into a top-level directory and a child item. The
// parent directory retains the trailing slash. // parent directory retains the trailing slash.
func splitPath(s string) (string, string) { func splitPath(s string, lastIndex bool) (string, string) {
i := strings.Index(s, "/") var i int
if lastIndex {
i = strings.LastIndex(s, "/")
} else {
i = strings.Index(s, "/")
}
if i == -1 { if i == -1 {
return s, "" return s, ""
} }
@ -424,7 +430,8 @@ func (iamOS *IAMObjectStore) listAllIAMConfigItems(ctx context.Context) (map[str
return nil, item.Err return nil, item.Err
} }
listKey, trimmedItem := splitPath(item.Item) lastIndex := strings.HasPrefix(item.Item, policyDBPrefix)
listKey, trimmedItem := splitPath(item.Item, lastIndex)
if listKey == iamFormatFile { if listKey == iamFormatFile {
continue continue
} }

View File

@ -1918,7 +1918,7 @@ func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool {
default: default:
// Otherwise, inherit parent user's policy // Otherwise, inherit parent user's policy
var err error var err error
policies, err = sys.store.PolicyDBGet(parentUser, args.Groups...) policies, err = sys.PolicyDBGet(parentUser, args.Groups...)
if err != nil { if err != nil {
iamLogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err)) iamLogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err))
return false return false

View File

@ -75,10 +75,13 @@ func TestCheckValid(t *testing.T) {
t.Fatalf("unable create credential, %s", err) t.Fatalf("unable create credential, %s", err)
} }
globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{ _, err = globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{
SecretKey: ucreds.SecretKey, SecretKey: ucreds.SecretKey,
Status: madmin.AccountEnabled, Status: madmin.AccountEnabled,
}) })
if err != nil {
t.Fatalf("unable create credential, %s", err)
}
_, owner, s3Err = checkKeyValid(req, ucreds.AccessKey) _, owner, s3Err = checkKeyValid(req, ucreds.AccessKey)
if s3Err != ErrNone { if s3Err != ErrNone {
@ -88,6 +91,26 @@ func TestCheckValid(t *testing.T) {
if owner { if owner {
t.Fatalf("Expected owner to be 'false', found %t", owner) t.Fatalf("Expected owner to be 'false', found %t", owner)
} }
_, err = globalIAMSys.PolicyDBSet(ctx, ucreds.AccessKey, "consoleAdmin", regUser, false)
if err != nil {
t.Fatalf("unable to attach policy to credential, %s", err)
}
time.Sleep(4 * time.Second)
policies, err := globalIAMSys.PolicyDBGet(ucreds.AccessKey)
if err != nil {
t.Fatalf("unable to get policy to credential, %s", err)
}
if len(policies) == 0 {
t.Fatal("no policies found")
}
if policies[0] != "consoleAdmin" {
t.Fatalf("expected 'consoleAdmin', %s", policies[0])
}
} }
// TestSkipContentSha256Cksum - Test validate the logic which decides whether // TestSkipContentSha256Cksum - Test validate the logic which decides whether