From 95e0acbb2646b9b7bdac8d0367238de25d015b8b Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 17 Feb 2021 20:57:17 -0800
Subject: [PATCH] fix: allow accountInfo with creds with parentUsers (#11568)
---
 cmd/admin-handlers-users.go | 4 ----
 cmd/iam.go | 26 ++++++++++++++++++++------
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 8dda69eb6..e9c40c04b 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -725,10 +725,6 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 }
 accountName := cred.AccessKey
- if cred.ParentUser != "" {
- accountName = cred.ParentUser
- }
-
 policies, err := globalIAMSys.PolicyDBGet(accountName, false)
 if err != nil {
 logger.LogIf(ctx, err)
diff --git a/cmd/iam.go b/cmd/iam.go
index bb1d41830..658c24eb2 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1703,27 +1703,41 @@ func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
 // This call assumes that caller has the sys.RLock()
 func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 if isGroup {
- if _, ok := sys.iamGroupsMap[name]; !ok {
+ g, ok := sys.iamGroupsMap[name]
+ if !ok {
 return nil, errNoSuchGroup
 }
+ // Group is disabled, so we return no policy - this
+ // ensures the request is denied.
+ if g.Status == statusDisabled {
+ return nil, nil
+ }
+
 mp := sys.iamGroupPolicyMap[name]
 return mp.toSlice(), nil
 }
 // When looking for a user's policies, we also check if the
 // user and the groups they are member of are enabled.
- if u, ok := sys.iamUsersMap[name]; !ok {
+ u, ok := sys.iamUsersMap[name]
+ if !ok {
 return nil, errNoSuchUser
- } else if u.Status == statusDisabled {
- // User is disabled, so we return no policy - this
- // ensures the request is denied.
+ }
+
+ if !u.IsValid() {
 return nil, nil
 }
 var policies []string
- mp := sys.iamUserPolicyMap[name]
+ mp, ok := sys.iamUserPolicyMap[name]
+ if !ok {
+ if u.ParentUser != "" {
+ mp = sys.iamUserPolicyMap[u.ParentUser]
+ }
+ }
+
 // returned policy could be empty
 policies = append(policies, mp.toSlice()...)
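Review bot: The parent fallback `mp = sys.iamUserPolicyMap[u.ParentUser]` inherits the parent's policy mapping without consulting the parent's own entry in `sys.iamUsersMap`; only the derived credential is checked, by `u.IsValid()`. If a disabled parent is meant to cut off the credentials issued under it (this hunk does not settle that), a guard just before the assignment would enforce it, for example `if p, ok := sys.iamUsersMap[u.ParentUser]; ok && !p.IsValid() { return nil, nil }`. The first hunk stops substituting `cred.ParentUser` in AccountInfoHandler, so that handler now depends on this fallback alone. The rewrite also drops the comment explaining that an empty result denies the request; a line such as `// User is disabled or otherwise invalid, so we return no policy - this ensures the request is denied.` above `if !u.IsValid()` would keep that intent visible. policyDBGet continues past the end of the hunk, so any later group handling is not covered here.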