policy: Allow duplicate statements with different effects (#8775)

This allows "Allow" and "Deny" conflicting statements, where we evaluate to implicit "Deny".
2025-11-23 11:07:50 -05:00 · 2020-01-08 23:00:54 -08:00
parent abc1c1070a
commit c2cde6beb5
4 changed files with 97 additions and 7 deletions
--- a/pkg/iam/policy/policy.go
+++ b/pkg/iam/policy/policy.go
@@ -106,6 +106,10 @@ func (iamp Policy) isValid() error {

 	for i := range iamp.Statements {
 		for _, statement := range iamp.Statements[i+1:] {
+			if iamp.Statements[i].Effect != statement.Effect {
+				continue
+			}
+
 			actions := iamp.Statements[i].Actions.Intersection(statement.Actions)
 			if len(actions) == 0 {
 				continue