From d1bb4b6cd03c10636800dd9dd47402e4ac97d06e Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 20:11:58 -0700
Subject: [PATCH] fix: standalone IAM AttachGroupPolicy uses persisted policy store

Check managed policies from GetPolicies() instead of s3cfg.Policies so dynamically created policies are found. Also add duplicate name check to UpdateGroup rename.
---
 weed/iamapi/iamapi_group_handlers.go | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/weed/iamapi/iamapi_group_handlers.go b/weed/iamapi/iamapi_group_handlers.go
index d6b440aba..fc4b17848 100644
--- a/weed/iamapi/iamapi_group_handlers.go
+++ b/weed/iamapi/iamapi_group_handlers.go
@@ -1,11 +1,13 @@
 package iamapi

 import (
+ "errors"
 "fmt"
 "net/url"
 "strings"

 "github.com/aws/aws-sdk-go/service/iam"
+ "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
 )

@@ -57,7 +59,12 @@ func (iama *IamApiServer) UpdateGroup(s3cfg *iam_pb.S3ApiConfiguration, values u
 if disabled := values.Get("Disabled"); disabled != "" {
 g.Disabled = disabled == "true"
 }
- if newName := values.Get("NewGroupName"); newName != "" {
+ if newName := values.Get("NewGroupName"); newName != "" && newName != g.Name {
+ for _, other := range s3cfg.Groups {
+ if other.Name == newName {
+ return resp, &IamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("group %s already exists", newName)}
+ }
+ }
 g.Name = newName
 }
 return resp, nil
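Review bot: The new duplicate-name scan in UpdateGroup runs only after `g.Disabled` has been assigned, so a request that sets both Disabled and a colliding NewGroupName returns EntityAlreadyExists with the group's enabled state already flipped in `s3cfg`. Whether that half-applied change is persisted depends on the caller, which is outside the hunk, but a rejected IAM call should leave authorization state untouched. Running the `for _, other := range s3cfg.Groups` check before the Disabled assignment, and only then applying both fields, keeps the update all-or-nothing. The comparison `other.Name == newName` is also case-sensitive; confirm that this matches the uniqueness rule applied when groups are created. UpdateGroup starts and ends outside the hunk.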
@@ -163,15 +170,12 @@ func (iama *IamApiServer) AttachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, va
 if iamErr != nil {
 return resp, iamErr
 }
- // Verify policy exists
- policyFound := false
- for _, p := range s3cfg.Policies {
- if p.Name == policyName {
- policyFound = true
- break
- }
+ // Verify policy exists in the persisted policies store
+ policies := Policies{}
+ if pErr := iama.s3ApiConfig.GetPolicies(&policies); pErr != nil && !errors.Is(pErr, filer_pb.ErrNotFound) {
+ return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
 }
- if !policyFound {
+ if _, exists := policies.Policies[policyName]; !exists {
 return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
 }
 for _, g := range s3cfg.Groups {
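Review bot: The ServiceFailure branch passes the raw store error `pErr` into the client-facing IamError, whereas the other branches in AttachGroupPolicy build their own message with fmt.Errorf. How IamError is serialized is outside the hunk, but if its Error text is written to the response, backend detail from the filer would reach any caller of this API. Returning a fixed message such as `Error: errors.New("unable to read policy store")` and logging `pErr` server-side keeps the diagnostic without exposing it. Separately, a short comment noting that ErrNotFound is tolerated so that an empty store falls through to NoSuchEntity would help the next reader. AttachGroupPolicy's body starts and ends outside the hunk.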