allow OPA fallback for STS requests (#12568)

fixes #12547
2025-11-09 21:49:46 -05:00 · 2021-06-24 12:00:06 -07:00
parent 41caf89cf4
commit cc5656f6d5
2 changed files with 2 additions and 2 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1583,7 +1583,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 				}
 				policies = append(policies, ps...)
 			}
-			ok = len(policies) > 0
+			ok = len(policies) > 0 || globalPolicyOPA != nil
 		}
 	}
 	return cred, ok && cred.IsValid()
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -517,7 +517,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *

 	// Check if this user or their groups have a policy applied.
 	ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
-	if len(ldapPolicies) == 0 {
+	if len(ldapPolicies) == 0 && globalPolicyOPA == nil {
 		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
 			fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
 				ldapUserDN, strings.Join(groupDistNames, "`,`")))