Fix policy setting error in LDAP setups (#9303)

Fixes #8667 In addition to the above, if the user is mapped to a policy or belongs in a group, the user-info API returns this information, but otherwise, the API will now return a non-existent user error.
5 years ago · 6bb693488c
parent e20e08d700
commit 6bb693488c
2 changed files with 11 additions and 8 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -703,7 +703,7 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http

 	if !isGroup {
 		ok, err := globalIAMSys.IsTempUser(entityName)
-		if err != nil {
+		if err != nil && err != errNoSuchUser {
 			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 			return
 		}
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -682,9 +682,16 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
 	defer sys.store.runlock()

 	if sys.usersSysType != MinIOUsersSysType {
+		// If the user has a mapped policy or is a member of a group, we
+		// return that info. Otherwise we return error.
+		mappedPolicy, ok1 := sys.iamUserPolicyMap[name]
+		memberships, ok2 := sys.iamUserGroupMemberships[name]
+		if !ok1 && !ok2 {
+			return u, errNoSuchUser
+		}
 		return madmin.UserInfo{
-			PolicyName: sys.iamUserPolicyMap[name].Policy,
-			MemberOf:   sys.iamUserGroupMemberships[name].ToSlice(),
+			PolicyName: mappedPolicy.Policy,
+			MemberOf:   memberships.ToSlice(),
 		}, nil
 	}

@ -1176,9 +1183,7 @@ func (sys *IAMSys) ListGroups() (r []string, err error) {
 	return r, nil
 }

-// PolicyDBSet - sets a policy for a user or group in the
-// PolicyDB. This function applies only long-term users. For STS
-// users, policy is set directly by called sys.policyDBSet().
+// PolicyDBSet - sets a policy for a user or group in the PolicyDB.
 func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
 	objectAPI := newObjectLayerWithoutSafeModeFn()
 	if objectAPI == nil || sys == nil || sys.store == nil {
@ -1188,8 +1193,6 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
 	sys.store.lock()
 	defer sys.store.unlock()

-	// isSTS is always false when called via PolicyDBSet as policy
-	// is never set by an external API call for STS users.
 	return sys.policyDBSet(name, policy, regularUser, isGroup)
 }