Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

iam: check group attachment before policy deletion 

Reject DeletePolicy if the policy is attached to any group, matching
AWS IAM behavior. Add PolicyArn to ListAttachedGroupPolicies response.
pull/8560/head
Chris Lu 2 days ago
parent
79da12eee9
commit
886019f467
2 changed files with 29 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      weed/iamapi/iamapi_management_handlers.go
  2. 21
      weed/s3api/s3api_embedded_iam.go

8
weed/iamapi/iamapi_management_handlers.go
View File

@ -544,6 +544,14 @@ func (iama *IamApiServer) DeletePolicy(s3cfg *iam_pb.S3ApiConfiguration, values
}
}
// Reject deletion if the policy is attached to any group
if groupName, attached := isPolicyAttachedToAnyGroup(s3cfg, policyName); attached {
return resp, &IamError{
Code: iam.ErrCodeDeleteConflictException,
Error: fmt.Errorf("policy %s is still attached to group %s", policyName, groupName),
}
}
delete(policies.Policies, policyName)
if err := iama.s3ApiConfig.PutPolicies(&policies); err != nil {
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}

21
weed/s3api/s3api_embedded_iam.go
View File

@ -510,6 +510,25 @@ func (e *EmbeddedIamApi) DeletePolicy(ctx context.Context, values url.Values) (*
}
}
}
// Check if policy is attached to any group
groupNames, err := e.credentialManager.ListGroups(ctx)
if err != nil {
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
}
for _, gn := range groupNames {
g, err := e.credentialManager.GetGroup(ctx, gn)
if err != nil {
continue
}
for _, pn := range g.PolicyNames {
if pn == policyName {
return resp, &iamError{
Code: iam.ErrCodeDeleteConflictException,
Error: fmt.Errorf("policy %s is attached to group %s", policyName, gn),
}
}
}
}
if err := e.credentialManager.DeletePolicy(ctx, policyName); err != nil {
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
}
@ -1630,8 +1649,10 @@ func (e *EmbeddedIamApi) ListAttachedGroupPolicies(s3cfg *iam_pb.S3ApiConfigurat
if g.Name == groupName {
for _, policyName := range g.PolicyNames {
pn := policyName
policyArn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
resp.ListAttachedGroupPoliciesResult.AttachedPolicies = append(resp.ListAttachedGroupPoliciesResult.AttachedPolicies, &iam.AttachedPolicy{
PolicyName: &pn,
PolicyArn: &policyArn,
})
}
return resp, nil

Write Preview
Loading…
Cancel
Save