From cc5656f6d561b599370af46b12b18943c81d657c Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 24 Jun 2021 12:00:06 -0700
Subject: [PATCH] allow OPA fallback for STS requests (#12568)

fixes #12547
---
 cmd/iam.go | 2 +-
 cmd/sts-handlers.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index 2db620e03..c83c9b4bb 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1583,7 +1583,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 }
 policies = append(policies, ps...)
 }
- ok = len(policies) > 0
+ ok = len(policies) > 0 || globalPolicyOPA != nil
 }
 }
 return cred, ok && cred.IsValid()
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 94627adc1..66c52a164 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -517,7 +517,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 // Check if this user or their groups have a policy applied.
 ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
- if len(ldapPolicies) == 0 {
+ if len(ldapPolicies) == 0 && globalPolicyOPA == nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request", ldapUserDN, strings.Join(groupDistNames, "`,`")))
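Review bot: The new `ok = len(policies) > 0 || globalPolicyOPA != nil` line in GetUser changes what a true `ok` means — a credential with no locally mapped policy is now reported as valid whenever OPA is configured, and nothing in the hunk records that the authorization decision has been handed off to the external engine in that case; add a comment above the line such as `// With OPA configured, authorization is delegated to it, so a user with no local policy mapping is still considered valid here.` The same fallback rule is repeated by hand in the sts-handlers.go hunk, so the two sites can drift; a small helper (e.g. `sys.hasPolicyOrOPA(policies)`) would keep the rule in one place and make it easier to audit. `globalPolicyOPA` also appears to be a package-level variable read here without any visible guard — if it can be reassigned after startup (not visible in this hunk), the read should go through whatever synchronization the rest of the file uses. GetUser begins outside the hunk, so the surrounding policy lookup that produces `policies` is not visible here.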