iam: Do not create service accounts for non existant IAM users (#12236)

When running MinIO server without LDAP/OpenID, we should error out when the code tries to create a service account for a non existant regular user. Bonus: refactor the check code to be show all cases more clearly Signed-off-by: Anis Elleuch <anis@min.io> Co-authored-by: Anis Elleuch <anis@min.io>
2025-03-31 17:53:43 -04:00 · 2021-05-06 00:04:50 +01:00 · 2021-05-06 00:04:50 +01:00 · af1b6e3458
commit af1b6e3458
parent 0eeb0a4e04
1 changed files with 26 additions and 22 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1114,31 +1114,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 	sys.store.lock()
 	defer sys.store.unlock()
-	cr, ok := sys.iamUsersMap[parentUser]
+	cr, found := sys.iamUsersMap[parentUser]
-	if !ok {
+	switch {
 	// User found
 	case found:
 		// Disallow service accounts to further create more service accounts.
 		if cr.IsServiceAccount() {
 			return auth.Credentials{}, errIAMActionNotAllowed
 		}
 	// Allow creating service accounts for root user
 	case parentUser == globalActiveCred.AccessKey:
 	// For LDAP/OpenID users we would need this fallback
-		if sys.usersSysType != MinIOUsersSysType && parentUser != globalActiveCred.ParentUser {
+	case sys.usersSysType != MinIOUsersSysType:
-			_, ok = sys.iamUserPolicyMap[parentUser]
+		_, ok := sys.iamUserPolicyMap[parentUser]
 		if !ok {
-				var found bool
+			var groupHasPolicy bool
 			for _, group := range groups {
 				_, ok = sys.iamGroupPolicyMap[group]
 				if !ok {
 					continue
 				}
-					found = true
+				groupHasPolicy = true
 				break
 			}
-				if !found {
+			if !groupHasPolicy {
 				return auth.Credentials{}, errNoSuchUser
 			}
 		}
-		}
+	default:
-	}
+		return auth.Credentials{}, errNoSuchUser
 	// Disallow service accounts to further create more service accounts.
 	if cr.IsServiceAccount() {
 		return auth.Credentials{}, errIAMActionNotAllowed
 	}
 	m := make(map[string]interface{})