Merge e0182b85e0 into b9f0e8c712

fixes a regression since #19741

cmd/config-current.go

@@ -524,6 +524,7 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
 		configLogIf(ctx, fmt.Errorf("Invalid site configuration: %w", err))
 	}
 	globalSite.Update(siteCfg)
+	xhttp.SetSiteName(globalSite.Name())
 
 	globalAutoEncryption = crypto.LookupAutoEncryption() // Enable auto-encryption if enabled
 	if globalAutoEncryption && GlobalKMS == nil {

cmd/erasure-object.go

@@ -828,6 +828,13 @@ func (er erasureObjects) getObjectFileInfo(ctx context.Context, bucket, object s
 		minDisks = er.setDriveCount - er.defaultParityCount
 	}
 
+	if minDisks == er.setDriveCount/2 {
+		// when data and parity are same we must atleast
+		// wait for response from 1 extra drive to avoid
+		// split-brain.
+		minDisks++
+	}
+
 	calcQuorum := func(metaArr []FileInfo, errs []error) (FileInfo, []FileInfo, []StorageAPI, time.Time, string, error) {
 		readQuorum, _, err := objectQuorumFromMeta(ctx, metaArr, errs, er.defaultParityCount)
 		if err != nil {

cmd/iam.go

@@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
 	"path"
 	"sort"
@@ -366,14 +367,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 	sys.rolesMap = make(map[arn.ARN]string)
 
 	// From OpenID
-	if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
+	maps.Copy(sys.rolesMap, sys.OpenIDConfig.GetRoleInfo())
-		sys.validateAndAddRolePolicyMappings(ctx, riMap)
-	}
 
 	// From AuthN plugin if enabled.
 	if authn := newGlobalAuthNPluginFn(); authn != nil {
-		riMap := authn.GetRoleInfo()
+		maps.Copy(sys.rolesMap, authn.GetRoleInfo())
-		sys.validateAndAddRolePolicyMappings(ctx, riMap)
 	}
 
 	sys.printIAMRoles()
@@ -501,33 +499,6 @@ func (sys *IAMSys) periodicRoutines(ctx context.Context, baseInterval time.Durat
 	}
 }
 
-func (sys *IAMSys) validateAndAddRolePolicyMappings(ctx context.Context, m map[arn.ARN]string) {
-	// Validate that policies associated with roles are defined. If
-	// authZ plugin is set, role policies are just claims sent to
-	// the plugin and they need not exist.
-	//
-	// If some mapped policies do not exist, we print some error
-	// messages but continue any way - they can be fixed in the
-	// running server by creating the policies after start up.
-	for arn, rolePolicies := range m {
-		specifiedPoliciesSet := newMappedPolicy(rolePolicies).policySet()
-		validPolicies, _ := sys.store.MergePolicies(rolePolicies)
-		knownPoliciesSet := newMappedPolicy(validPolicies).policySet()
-		unknownPoliciesSet := specifiedPoliciesSet.Difference(knownPoliciesSet)
-		if len(unknownPoliciesSet) > 0 {
-			authz := newGlobalAuthZPluginFn()
-			if authz == nil {
-				// Print a warning that some policies mapped to a role are not defined.
-				errMsg := fmt.Errorf(
-					"The policies \"%s\" mapped to role ARN %s are not defined - this role may not work as expected.",
-					unknownPoliciesSet.ToSlice(), arn.String())
-				authZLogIf(ctx, errMsg, logger.WarningKind)
-			}
-		}
-		sys.rolesMap[arn] = rolePolicies
-	}
-}
-
 // Prints IAM role ARNs.
 func (sys *IAMSys) printIAMRoles() {
 	if len(sys.rolesMap) == 0 {

cmd/object-handlers-common.go

@@ -331,7 +331,7 @@ func checkPreconditions(ctx context.Context, w http.ResponseWriter, r *http.Requ
 func ifModifiedSince(objTime time.Time, givenTime time.Time) bool {
 	// The Date-Modified header truncates sub-second precision, so
 	// use mtime < t+1s instead of mtime <= t to check for unmodified.
-	return objTime.After(givenTime.Add(1 * time.Second))
+	return !objTime.Before(givenTime.Add(1 * time.Second))
 }
 
 // canonicalizeETag returns ETag with leading and trailing double-quotes removed,

cmd/sts-handlers.go

@@ -545,6 +545,14 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 				writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
 				return
 			}
+			if newGlobalAuthZPluginFn() == nil {
+				// if authZ is not set - we expect the policies to be present.
+				if globalIAMSys.CurrentPolicies(p) == "" {
+					writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+						fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p))
+					return
+				}
+			}
 		}
 
 		if !globalIAMSys.doesPolicyAllow(p, policy.Args{
@@ -1003,6 +1011,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 		return
 	}
 
+	_, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
+	if err != nil {
+		writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
+		return
+	}
+
+	if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
+		if globalIAMSys.CurrentPolicies(policyName) == "" {
+			writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+				fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
+			return
+		}
+	}
+
 	res, err := authn.Authenticate(roleArn, token)
 	if err != nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)

docs/orchestration/docker-compose/docker-compose.yaml

@@ -2,7 +2,7 @@ version: '3.7'
 
 # Settings and configurations that are common for all containers
 x-minio-common: &minio-common
-  image: quay.io/minio/minio:RELEASE.2025-07-18T21-56-31Z
+  image: quay.io/minio/minio:RELEASE.2025-07-23T15-54-02Z
   command: server --console-address ":9001" http://minio{1...4}/data{1...2}
   expose:
     - "9000"

internal/http/server.go

@@ -37,6 +37,9 @@ var (
 
 	// GlobalDeploymentID - is sent in the header to all http targets
 	GlobalDeploymentID string
+
+	// GlobalSiteName - is sent in the header to all http targets
+	GlobalSiteName string
 )
 
 const (
@@ -236,3 +239,8 @@ func SetMinIOVersion(version string) {
 func SetDeploymentID(deploymentID string) {
 	GlobalDeploymentID = deploymentID
 }
+
+// SetSiteName -- user defined site from environment variable `MINIO_SITE_NAME` or from configuration `site.name`
+func SetSiteName(siteName string) {
+	GlobalSiteName = siteName
+}

internal/logger/audit.go

@@ -52,6 +52,7 @@ func GetAuditEntry(ctx context.Context) *audit.Entry {
 		r = &audit.Entry{
 			Version:      internalAudit.Version,
 			DeploymentID: xhttp.GlobalDeploymentID,
+			SiteName:     xhttp.GlobalSiteName,
 			Time:         time.Now().UTC(),
 		}
 		return r

internal/logger/message/audit/entry.go

@@ -36,6 +36,7 @@ func NewEntry(deploymentID string) audit.Entry {
 	return audit.Entry{
 		Version:      Version,
 		DeploymentID: deploymentID,
+		SiteName:     xhttp.GlobalSiteName,
 		Time:         time.Now().UTC(),
 	}
 }