Fix IAM defaults and s3tables identities

This commit is contained in:
Chris Lu
2026-02-18 16:21:48 -08:00
parent 53048ffffb
commit bf71fe0039
5 changed files with 260 additions and 12 deletions


@@ -884,10 +884,10 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
configRoot.Policy.StoreType = sts.StoreTypeMemory
}
if configRoot.Policy.DefaultEffect == "" {
// Default to Allow (open) with in-memory store so that
// users can start using STS without locking themselves out immediately.
// For other stores (e.g. filer), default to Deny (closed) for security.
if configRoot.Policy.StoreType == sts.StoreTypeMemory {
// Secure default when an explicit IAM config file is provided:
// omitted defaultEffect should be Deny to avoid unintentional privilege escalation.
// Keep zero-config startup behavior (no config file path) open for memory store.
if configPath == "" && configRoot.Policy.StoreType == sts.StoreTypeMemory {
configRoot.Policy.DefaultEffect = sts.EffectAllow
} else {
configRoot.Policy.DefaultEffect = sts.EffectDeny
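Review bot: The zero-config branch at `if configPath == "" && configRoot.Policy.StoreType == sts.StoreTypeMemory {` leaves the policy default at Allow without any signal to the operator that the server started with an open IAM policy; a warning-level log line on that branch, using whatever logger this file already has in scope, would make the permissive state visible at startup. The `StoreType == sts.StoreTypeMemory` half of the condition appears redundant when `configPath` is empty, since the context lines just above already coerce an unset store type to the memory store — if a config-less start can still end up with a non-memory store through some other path, a short comment naming it would help; otherwise `if configPath == "" {` reads cleaner. The three-line comment above the check could state the rule in one sentence, e.g. `// Omitted defaultEffect: Allow only for zero-config startup on the memory store; Deny whenever a config file was supplied.` A unit test asserting that a config file with no defaultEffect resolves to `sts.EffectDeny` would pin the secure default this commit introduces. The enclosing function `loadIAMManagerFromConfig` begins before the hunk and the `else` branch's closing brace lies past its end.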