Merge 5c80aceb27 into b9f0e8c712

Update yaml files to latest version RELEASE.2025-07-23T15-54-02Z
simplify validating policy mapping (#21450 )
2025-07-23 21:54:01 -03:00 · 2025-07-23 18:28:46 +00:00 · 2025-07-23 08:54:02 -07:00 · 2025-07-22 17:13:05 +08:00 · 2025-07-21 15:11:09 +08:00
5 changed files with 28 additions and 47 deletions
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@ -3334,10 +3334,8 @@ func (a adminAPIHandlers) InspectDataHandler(w http.ResponseWriter, r *http.Requ

 		// Write a version for making *incompatible* changes.
 		// The AdminClient will reject any version it does not know.
-		if publicKey == nil {
-			w.Write([]byte{1})
-			w.Write(key[:])
-		}
+		w.Write([]byte{1})
+		w.Write(key[:])

 		stream, err := sio.AES_256_GCM.Stream(key[:])
 		if err != nil {
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
 	"path"
 	"sort"
@ -366,14 +367,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 	sys.rolesMap = make(map[arn.ARN]string)

 	// From OpenID
-	if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
-		sys.validateAndAddRolePolicyMappings(ctx, riMap)
-	}
+	maps.Copy(sys.rolesMap, sys.OpenIDConfig.GetRoleInfo())

 	// From AuthN plugin if enabled.
 	if authn := newGlobalAuthNPluginFn(); authn != nil {
-		riMap := authn.GetRoleInfo()
-		sys.validateAndAddRolePolicyMappings(ctx, riMap)
+		maps.Copy(sys.rolesMap, authn.GetRoleInfo())
 	}

 	sys.printIAMRoles()
@ -501,33 +499,6 @@ func (sys *IAMSys) periodicRoutines(ctx context.Context, baseInterval time.Durat
 	}
 }

-func (sys *IAMSys) validateAndAddRolePolicyMappings(ctx context.Context, m map[arn.ARN]string) {
-	// Validate that policies associated with roles are defined. If
-	// authZ plugin is set, role policies are just claims sent to
-	// the plugin and they need not exist.
-	//
-	// If some mapped policies do not exist, we print some error
-	// messages but continue any way - they can be fixed in the
-	// running server by creating the policies after start up.
-	for arn, rolePolicies := range m {
-		specifiedPoliciesSet := newMappedPolicy(rolePolicies).policySet()
-		validPolicies, _ := sys.store.MergePolicies(rolePolicies)
-		knownPoliciesSet := newMappedPolicy(validPolicies).policySet()
-		unknownPoliciesSet := specifiedPoliciesSet.Difference(knownPoliciesSet)
-		if len(unknownPoliciesSet) > 0 {
-			authz := newGlobalAuthZPluginFn()
-			if authz == nil {
-				// Print a warning that some policies mapped to a role are not defined.
-				errMsg := fmt.Errorf(
-					"The policies \"%s\" mapped to role ARN %s are not defined - this role may not work as expected.",
-					unknownPoliciesSet.ToSlice(), arn.String())
-				authZLogIf(ctx, errMsg, logger.WarningKind)
-			}
-		}
-		sys.rolesMap[arn] = rolePolicies
-	}
-}
-
 // Prints IAM role ARNs.
 func (sys *IAMSys) printIAMRoles() {
 	if len(sys.rolesMap) == 0 {
--- a/cmd/peer-s3-client.go
+++ b/cmd/peer-s3-client.go
@ -113,8 +113,6 @@ func (sys *S3PeerSys) HealBucket(ctx context.Context, bucket string, opts madmin
 	g := errgroup.WithNErrs(len(sys.peerClients))

 	for idx, client := range sys.peerClients {
-		idx := idx
-		client := client
 		g.Go(func() error {
 			if client == nil {
 				return errPeerOffline
@ -148,8 +146,6 @@ func (sys *S3PeerSys) HealBucket(ctx context.Context, bucket string, opts madmin
 	g = errgroup.WithNErrs(len(sys.peerClients))
 	healBucketResults := make([]madmin.HealResultItem, len(sys.peerClients))
 	for idx, client := range sys.peerClients {
-		idx := idx
-		client := client
 		g.Go(func() error {
 			if client == nil {
 				return errPeerOffline
@ -207,8 +203,6 @@ func (sys *S3PeerSys) ListBuckets(ctx context.Context, opts BucketOptions) ([]Bu
 	nodeBuckets := make([][]BucketInfo, len(sys.peerClients))

 	for idx, client := range sys.peerClients {
-		idx := idx
-		client := client
 		g.Go(func() error {
 			if client == nil {
 				return errPeerOffline
@ -295,8 +289,6 @@ func (sys *S3PeerSys) GetBucketInfo(ctx context.Context, bucket string, opts Buc

 	bucketInfos := make([]BucketInfo, len(sys.peerClients))
 	for idx, client := range sys.peerClients {
-		idx := idx
-		client := client
 		g.Go(func() error {
 			if client == nil {
 				return errPeerOffline
@ -401,7 +393,6 @@ func (client *remotePeerS3Client) GetBucketInfo(ctx context.Context, bucket stri
 func (sys *S3PeerSys) MakeBucket(ctx context.Context, bucket string, opts MakeBucketOptions) error {
 	g := errgroup.WithNErrs(len(sys.peerClients))
 	for idx, client := range sys.peerClients {
-		client := client
 		g.Go(func() error {
 			if client == nil {
 				return errPeerOffline
@ -448,7 +439,6 @@ func (client *remotePeerS3Client) MakeBucket(ctx context.Context, bucket string,
 func (sys *S3PeerSys) DeleteBucket(ctx context.Context, bucket string, opts DeleteBucketOptions) error {
 	g := errgroup.WithNErrs(len(sys.peerClients))
 	for idx, client := range sys.peerClients {
-		client := client
 		g.Go(func() error {
 			if client == nil {
 				return errPeerOffline
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -545,6 +545,14 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 				writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
 				return
 			}
+			if newGlobalAuthZPluginFn() == nil {
+				// if authZ is not set - we expect the policies to be present.
+				if globalIAMSys.CurrentPolicies(p) == "" {
+					writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+						fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p))
+					return
+				}
+			}
 		}

 		if !globalIAMSys.doesPolicyAllow(p, policy.Args{
@ -1003,6 +1011,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 		return
 	}

+	_, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
+	if err != nil {
+		writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
+		return
+	}
+
+	if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
+		if globalIAMSys.CurrentPolicies(policyName) == "" {
+			writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+				fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
+			return
+		}
+	}
+
 	res, err := authn.Authenticate(roleArn, token)
 	if err != nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
--- a/docs/orchestration/docker-compose/docker-compose.yaml
+++ b/docs/orchestration/docker-compose/docker-compose.yaml
@ -2,7 +2,7 @@ version: '3.7'

 # Settings and configurations that are common for all containers
 x-minio-common: &minio-common
-  image: quay.io/minio/minio:RELEASE.2025-07-18T21-56-31Z
+  image: quay.io/minio/minio:RELEASE.2025-07-23T15-54-02Z
  command: server --console-address ":9001" http://minio{1...4}/data{1...2}
  expose:
    - "9000"
Author	SHA1	Message	Date
asamuj	773c145e9d	Merge `5c80aceb27` into `b9f0e8c712`	2025-07-23 21:54:01 -03:00
Minio Trusted	b9f0e8c712	Update yaml files to latest version RELEASE.2025-07-23T15-54-02Z VulnCheck / Analysis (push) Has been cancelled Details	2025-07-23 18:28:46 +00:00
M Alvee	7ced9663e6	simplify validating policy mapping (#21450 )	2025-07-23 08:54:02 -07:00
asamuj	5c80aceb27	refactor: remove redundant variable declarations in S3PeerSys methods	2025-07-22 17:13:05 +08:00
asamuj	eff39d0993	refactor: remove tautological nil check for publicKey in InspectDataHandler	2025-07-21 15:11:09 +08:00