fix: generating service accounts for group only LDAP accounts (#12318)

fixes #12315
2025-11-09 13:39:46 -05:00 · 2021-05-18 15:19:20 -07:00
parent 82c53ac260
commit bb7fbcdc09
7 changed files with 34 additions and 63 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1135,6 +1135,13 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 	if err != nil {
 		return auth.Credentials{}, err
 	}
+	for _, group := range groups {
+		gpolicies, err := sys.policyDBGet(group, true)
+		if err != nil && err != errNoSuchGroup {
+			return auth.Credentials{}, err
+		}
+		policies = append(policies, gpolicies...)
+	}
 	if len(policies) == 0 {
 		return auth.Credentials{}, errNoSuchUser
 	}
@@ -1896,6 +1903,9 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, er
 	var parentName string
 	u, ok := sys.iamUsersMap[name]
 	if ok {
+		if !u.IsValid() {
+			return nil, nil
+		}
 		parentName = u.ParentUser
 	}