From a3717cd4b584742571f5a86b70cd97752367c5de Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 16 Mar 2026 19:54:57 -0700 Subject: [PATCH] fix(admin): show anonymous user in Object Store Users UI (#8671) The anonymous identity was explicitly filtered out of the user listing, making it invisible in the admin console. Users could not view or edit its permissions. Attempting to recreate it failed with "already exists". Remove the anonymous skip in GetObjectStoreUsers so it appears like any other identity. Add a guard in DeleteObjectStoreUser to prevent deletion of the anonymous system identity, which would break unauthenticated S3 access. Fixes #8466 Co-authored-by: Copilot --- weed/admin/dash/admin_server.go | 5 ----- weed/admin/dash/user_management.go | 7 +++++++ 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/weed/admin/dash/admin_server.go b/weed/admin/dash/admin_server.go index a2f73f02d..666dcb1b0 100644 --- a/weed/admin/dash/admin_server.go +++ b/weed/admin/dash/admin_server.go @@ -882,11 +882,6 @@ func (s *AdminServer) GetObjectStoreUsers(ctx context.Context) ([]ObjectStoreUse // Convert IAM identities to ObjectStoreUser format for _, identity := range s3cfg.Identities { - // Skip anonymous identity - if identity.Name == "anonymous" { - continue - } - // Skip service accounts - they should not be parent users if strings.HasPrefix(identity.Name, serviceAccountPrefix) { continue diff --git a/weed/admin/dash/user_management.go b/weed/admin/dash/user_management.go index 7832e501f..685bf4937 100644 --- a/weed/admin/dash/user_management.go +++ b/weed/admin/dash/user_management.go 
@@ -153,6 +153,13 @@ func (s *AdminServer) DeleteObjectStoreUser(username string) error { return fmt.Errorf("credential manager not available") } + // Prevent deletion of the anonymous identity — it is a system identity + // used for unauthenticated S3 access. Removing it would break anonymous + // request handling in the IAM layer. + if username == "anonymous" { + return fmt.Errorf("cannot delete the system identity 'anonymous'") + } + ctx := context.Background() // Delete user using credential manager
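Review bot: The guard added to DeleteObjectStoreUser enforces "anonymous must not be deleted" only on this admin-server path, and it repeats the bare literal `"anonymous"` rather than a named constant. Any other code that calls the credential manager's delete directly would presumably bypass it; no such caller is visible in this patch, so that is worth confirming. A package-level constant in the style of `serviceAccountPrefix` (used in the first hunk) would keep the check and any future ones in sync, for example `const anonymousIdentityName = "anonymous"` with `if username == anonymousIdentityName {`. Since the first hunk makes this identity visible in the UI, where its permissions apply to every unauthenticated S3 request, I would also add a regression test asserting that deleting it returns an error and leaves the identity in place. The function body starts before this hunk and continues past it.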