Support migrating inconsistent bucket policies (#5855)

Previously we used allow bucket policies without `Version` field to be set to any given value, but this behavior is inconsistent with AWS S3. PR #5790 addressed this by making bucket policies stricter and cleaner, but this causes a breaking change causing any existing policies perhaps without `Version` field or the field to be empty to fail upon server startup. This PR brings a code to migrate under these scenarios as a one time operation.
2025-11-09 21:49:46 -05:00 · 2018-04-27 15:02:54 -07:00
parent 1bd7eb979c
commit b6ca39ea48
4 changed files with 40 additions and 9 deletions
--- a/cmd/policy.go
+++ b/cmd/policy.go
@@ -24,6 +24,7 @@ import (
 	"sync"

 	miniogopolicy "github.com/minio/minio-go/pkg/policy"
+	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/handlers"
 	"github.com/minio/minio/pkg/policy"
 )
@@ -87,6 +88,20 @@ func (sys *PolicySys) Init(objAPI ObjectLayer) error {
 				return err
 			}
 		} else {
+			// This part is specifically written to handle migration
+			// when the Version string is empty, this was allowed
+			// in all previous minio releases but we need to migrate
+			// those policies by properly setting the Version string
+			// from now on.
+			if config.Version == "" {
+				logger.Info("Found in-consistent bucket policies, Migrating them for Bucket: (%s)", bucket.Name)
+				config.Version = policy.DefaultVersion
+
+				if err = savePolicyConfig(objAPI, bucket.Name, config); err != nil {
+					return err
+				}
+			}
+
 			sys.Set(bucket.Name, *config)
 		}
 	}
@@ -143,12 +158,7 @@ func GetPolicyConfig(objAPI ObjectLayer, bucketName string) (*policy.Policy, err
 		return nil, err
 	}

-	bucketPolicy, err := policy.ParseConfig(reader, bucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return bucketPolicy, nil
+	return policy.ParseConfig(reader, bucketName)
 }

 func savePolicyConfig(objAPI ObjectLayer, bucketName string, bucketPolicy *policy.Policy) error {