Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

iam: require empty PolicyNames before group deletion 

Reject DeleteGroup when group has attached policies, matching the
existing members check. Also fix GetGroup error handling in
DeletePolicy to only skip ErrGroupNotFound, not all errors.
pull/8560/head
Chris Lu 2 days ago
parent
f687001b9e
commit
b0bca50dfd
2 changed files with 10 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      weed/iamapi/iamapi_group_handlers.go
  2. 8
      weed/s3api/s3api_embedded_iam.go

3
weed/iamapi/iamapi_group_handlers.go
View File

@ -36,6 +36,9 @@ func (iama *IamApiServer) DeleteGroup(s3cfg *iam_pb.S3ApiConfiguration, values u
if len(g.Members) > 0 { if len(g.Members) > 0 {
return resp, &IamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d member(s)", groupName, len(g.Members))} return resp, &IamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d member(s)", groupName, len(g.Members))}
} }
if len(g.PolicyNames) > 0 {
return resp, &IamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d attached policy(ies)", groupName, len(g.PolicyNames))}
}
s3cfg.Groups = append(s3cfg.Groups[:i], s3cfg.Groups[i+1:]...) s3cfg.Groups = append(s3cfg.Groups[:i], s3cfg.Groups[i+1:]...)
return resp, nil return resp, nil
} }

8
weed/s3api/s3api_embedded_iam.go
View File

@ -518,7 +518,10 @@ func (e *EmbeddedIamApi) DeletePolicy(ctx context.Context, values url.Values) (*
for _, gn := range groupNames { for _, gn := range groupNames {
g, err := e.credentialManager.GetGroup(ctx, gn) g, err := e.credentialManager.GetGroup(ctx, gn)
if err != nil { if err != nil {
continue
if errors.Is(err, credential.ErrGroupNotFound) {
continue
}
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to get group %s: %w", gn, err)}
} }
for _, pn := range g.PolicyNames { for _, pn := range g.PolicyNames {
if pn == policyName { if pn == policyName {
@ -1482,6 +1485,9 @@ func (e *EmbeddedIamApi) DeleteGroup(s3cfg *iam_pb.S3ApiConfiguration, values ur
if len(g.Members) > 0 { if len(g.Members) > 0 {
return resp, &iamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d member(s). Remove all members first", groupName, len(g.Members))} return resp, &iamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d member(s). Remove all members first", groupName, len(g.Members))}
} }
if len(g.PolicyNames) > 0 {
return resp, &iamError{Code: iam.ErrCodeDeleteConflictException, Error: fmt.Errorf("cannot delete group %s: group has %d attached policy(ies). Detach all policies first", groupName, len(g.PolicyNames))}
}
s3cfg.Groups = append(s3cfg.Groups[:i], s3cfg.Groups[i+1:]...) s3cfg.Groups = append(s3cfg.Groups[:i], s3cfg.Groups[i+1:]...)
return resp, nil return resp, nil
} }

Write Preview
Loading…
Cancel
Save