diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go index a200e927a..0bb353a2b 100644 --- a/cmd/admin-handlers-users.go +++ b/cmd/admin-handlers-users.go @@ -748,7 +748,11 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ case MinIOUsersSysType: policies, err = globalIAMSys.PolicyDBGet(accountName, false) case LDAPUsersSysType: - policies, err = globalIAMSys.PolicyDBGetLDAP(cred.ParentUser, cred.Groups...) + parentUser := accountName + if cred.ParentUser != "" { + parentUser = cred.ParentUser + } + policies, err = globalIAMSys.PolicyDBGet(parentUser, false, cred.Groups...) default: err = errors.New("should not happen!") } diff --git a/cmd/iam.go b/cmd/iam.go index 2fa36fa43..f3143ba81 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -1661,8 +1661,9 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is return nil } -// PolicyDBGetLDAP is only used by LDAP code, it is similar to PolicyDBGet -func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, error) { +// PolicyDBGet - gets policy set on a user or group. If a list of groups is +// given, policies associated with them are included as well. +func (sys *IAMSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]string, error) { if !sys.Initialized() { return nil, errServerNotInitialized } @@ -1674,40 +1675,35 @@ func (sys *IAMSys) PolicyDBGetLDAP(name string, groups ...string) ([]string, err sys.store.rlock() defer sys.store.runlock() - var policies []string - mp, ok := sys.iamUserPolicyMap[name] - if ok { - // returned policy could be empty - policies = append(policies, mp.toSlice()...) + policies, err := sys.policyDBGet(name, isGroup) + if err != nil { + return nil, err } - for _, group := range groups { - p := sys.iamGroupPolicyMap[group] - policies = append(policies, p.toSlice()...) + if !isGroup { + for _, group := range groups { + ps, err := sys.policyDBGet(group, true) + if err != nil { + return nil, err + } + policies = append(policies, ps...) + } } return policies, nil } -// PolicyDBGet - gets policy set on a user or group. Since a user may -// be a member of multiple groups, this function returns an array of -// applicable policies -func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) { - if !sys.Initialized() { - return nil, errServerNotInitialized - } - - if name == "" { - return nil, errInvalidArgument - } - - sys.store.rlock() - defer sys.store.runlock() - - return sys.policyDBGet(name, isGroup) -} - -// This call assumes that caller has the sys.RLock() +// This call assumes that caller has the sys.RLock(). +// +// If a group is passed, it returns policies associated with the group. +// +// If a user is passed, it returns policies of the user along with any groups +// that the server knows the user is a member of. +// +// In LDAP users mode, the server does not store any group membership +// information in IAM (i.e sys.iam*Map) - this info is stored only in the STS +// generated credentials. Thus we skip looking up group memberships, user map, +// and group map and check the appropriate policy maps directly. func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) { if isGroup { if sys.usersSysType == MinIOUsersSysType { @@ -1727,12 +1723,12 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) { return mp.toSlice(), nil } - // When looking for a user's policies, we also check if the - // user and the groups they are member of are enabled. - var u auth.Credentials var ok bool if sys.usersSysType == MinIOUsersSysType { + // When looking for a user's policies, we also check if the user + // and the groups they are member of are enabled. + u, ok = sys.iamUsersMap[name] if !ok { return nil, errNoSuchUser @@ -1891,7 +1887,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args, parentUser string) bool } // Check policy for this LDAP user. - ldapPolicies, err := sys.PolicyDBGetLDAP(parentUser, args.Groups...) + ldapPolicies, err := sys.PolicyDBGet(parentUser, false, args.Groups...) if err != nil { return false } diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go index 64f07bd24..dac331e7c 100644 --- a/cmd/sts-handlers.go +++ b/cmd/sts-handlers.go @@ -498,7 +498,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r * } // Check if this user or their groups have a policy applied. - ldapPolicies, _ := globalIAMSys.PolicyDBGetLDAP(ldapUserDN, groupDistNames...) + ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...) if len(ldapPolicies) == 0 { writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",