From 94ff6242423d6b2d78773f9dc5c19b750c5800f9 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Sat, 20 Mar 2021 02:37:52 -0700
Subject: [PATCH] Fix querying LDAP group/user policy (#11840)
---
 cmd/iam.go | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/cmd/iam.go b/cmd/iam.go
index d24e22a14..0e36090d6 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1602,6 +1602,10 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
 sys.store.lock()
 defer sys.store.unlock()
+ if sys.usersSysType == LDAPUsersSysType {
+ return sys.policyDBSet(name, policy, stsUser, isGroup)
+ }
+
 return sys.policyDBSet(name, policy, regularUser, isGroup)
 }
@@ -1678,15 +1682,17 @@ func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
 // This call assumes that caller has the sys.RLock()
 func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 if isGroup {
- g, ok := sys.iamGroupsMap[name]
- if !ok {
- return nil, errNoSuchGroup
- }
+ if sys.usersSysType == MinIOUsersSysType {
+ g, ok := sys.iamGroupsMap[name]
+ if !ok {
+ return nil, errNoSuchGroup
+ }
- // Group is disabled, so we return no policy - this
- // ensures the request is denied.
- if g.Status == statusDisabled {
- return nil, nil
+ // Group is disabled, so we return no policy - this
+ // ensures the request is denied.
+ if g.Status == statusDisabled {
+ return nil, nil
+ }
 }
 mp := sys.iamGroupPolicyMap[name]
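Review bot: The new LDAP branch in PolicyDBSet passes `stsUser` with no explanation and duplicates the `policyDBSet` call. The user type chosen here presumably has to match the one used when the mapping is read back, so a comment stating that would help, for example `// LDAP identities are not regular users; store their mapping under the STS user type` (wording for the author to confirm). Selecting the type first, `userType := regularUser` followed by `if sys.usersSysType == LDAPUsersSysType { userType = stsUser }`, would leave a single call site.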
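Review bot: In the group branch of policyDBGet the existence and disabled-status checks now run only when `sys.usersSysType == MinIOUsersSysType`, so every other user system type, not just LDAP, goes straight to `sys.iamGroupPolicyMap[name]`. As far as the hunk shows, an unknown group name then returns whatever the map's zero value yields instead of `errNoSuchGroup`. A mapping left behind for a group that no longer exists in the directory would also still be returned. If only LDAP is meant to skip the checks, test for `LDAPUsersSysType` explicitly, or document the intent with `// LDAP groups are not kept in iamGroupsMap; existence and status are not checked here`. The group branch continues past the end of the hunk.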
@@ -1695,13 +1701,17 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 // When looking for a user's policies, we also check if the
 // user and the groups they are member of are enabled.
- u, ok := sys.iamUsersMap[name]
- if !ok {
- return nil, errNoSuchUser
- }
- if !u.IsValid() {
- return nil, nil
+ var u auth.Credentials
+ var ok bool
+ if sys.usersSysType == MinIOUsersSysType {
+ u, ok = sys.iamUsersMap[name]
+ if !ok {
+ return nil, errNoSuchUser
+ }
+ if !u.IsValid() {
+ return nil, nil
+ }
 }
 var policies []string
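Review bot: Hoisting `var u auth.Credentials` and `var ok bool` means that for any non-MinIO user system `u` stays the zero value and `ok` stays false for the rest of policyDBGet, which continues outside this hunk. Any later read of `u` will silently see empty credentials, so those uses should be checked and the intent stated at the declaration, e.g. `// u stays zero-valued for LDAP users, which have no entry in iamUsersMap`. The existing comment above still says the user is checked for being enabled, which is no longer true on the LDAP path. The `u.IsValid()` check is skipped for every system type other than MinIO, so the comment should say where that check is expected to happen instead.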