allow OPA fallback for STS requests (#12568)

fixes #12547
This commit is contained in:
Harshavardhana 2021-06-24 12:00:06 -07:00 committed by GitHub
parent 41caf89cf4
commit cc5656f6d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions

View File

@ -1583,7 +1583,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
}
policies = append(policies, ps...)
}
ok = len(policies) > 0
ok = len(policies) > 0 || globalPolicyOPA != nil
}
}
return cred, ok && cred.IsValid()

View File

@ -517,7 +517,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
// Check if this user or their groups have a policy applied.
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
if len(ldapPolicies) == 0 {
if len(ldapPolicies) == 0 && globalPolicyOPA == nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
ldapUserDN, strings.Join(groupDistNames, "`,`")))