IAM: add support for advanced IAM config file to server command (#7317)

* IAM: add support for advanced IAM config file to server command * Add support for advanced IAM config file in S3 options * Fix S3 IAM config handling to simplify checks for configuration presence * simplify * simplify again * copy the value * const --------- Co-authored-by: chrislu <chris.lu@gmail.com> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
2025-10-29 00:30:12 +00:00
parent b8bef0328b
commit 20e0d91037
2 changed files with 20 additions and 1 deletions
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -473,12 +473,23 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
 		return nil, fmt.Errorf("failed to parse config: %w", err)
 	}

+	// Ensure a valid policy engine config exists
+	if configRoot.Policy == nil {
+		// Provide a secure default if not specified in the config file
+		// Default to Deny with in-memory store so that JSON-defined policies work without filer
+		glog.V(0).Infof("No policy engine config provided; using defaults (DefaultEffect=%s, StoreType=%s)", sts.EffectDeny, sts.StoreTypeMemory)
+		configRoot.Policy = &policy.PolicyEngineConfig{
+			DefaultEffect: sts.EffectDeny,
+			StoreType:     sts.StoreTypeMemory,
+		}
+	}
+
 	// Create IAM configuration
 	iamConfig := &integration.IAMConfig{
 		STS:    configRoot.STS,
 		Policy: configRoot.Policy,
 		Roles: &integration.RoleStoreConfig{
-			StoreType: "memory", // Use memory store for JSON config-based setup
+			StoreType: sts.StoreTypeMemory, // Use memory store for JSON config-based setup
 		},
 	}