Properly replicate policy mapping for virtual users (#15558)

Currently, replicating policy mapping for STS users does not work. Fix it is by passing user type to PolicyDBSet.
2026-03-16 17:53:43 +01:00 · 2022-08-23 19:11:45 +01:00
parent 9fb937986e
commit b8cdf060c8
10 changed files with 102 additions and 104 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -862,7 +862,10 @@ func (store *IAMStoreSys) ListGroups(ctx context.Context) (res []string, err err
 }

 // PolicyDBSet - update the policy mapping for the given user or group in
-// storage and in cache.
+// storage and in cache. We do not check for the existence of the user here
+// since users can be virtual, such as for:
+//   - LDAP users
+//   - CommonName for STS accounts generated by AssumeRoleWithCertificate
 func (store *IAMStoreSys) PolicyDBSet(ctx context.Context, name, policy string, userType IAMUserType, isGroup bool) (updatedAt time.Time, err error) {
 	if name == "" {
 		return updatedAt, errInvalidArgument
@@ -871,19 +874,6 @@ func (store *IAMStoreSys) PolicyDBSet(ctx context.Context, name, policy string,
 	cache := store.lock()
 	defer store.unlock()

-	// Validate that user and group exist.
-	if store.getUsersSysType() == MinIOUsersSysType {
-		if !isGroup {
-			if _, ok := cache.iamUsersMap[name]; !ok {
-				return updatedAt, errNoSuchUser
-			}
-		} else {
-			if _, ok := cache.iamGroupsMap[name]; !ok {
-				return updatedAt, errNoSuchGroup
-			}
-		}
-	}
-
 	// Handle policy mapping removal.
 	if policy == "" {
 		if store.getUsersSysType() == LDAPUsersSysType {