Fix IAM defaults and S3Tables IAM regression (#8374)

* Fix IAM defaults and s3tables identities

* Refine S3Tables identity tests

* Clarify identity tests
This commit is contained in:
Chris Lu
2026-02-18 18:20:03 -08:00
committed by GitHub
parent 38e14a867b
commit d1fecdface
5 changed files with 316 additions and 12 deletions


@@ -884,10 +884,10 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
configRoot.Policy.StoreType = sts.StoreTypeMemory
}
if configRoot.Policy.DefaultEffect == "" {
// Default to Allow (open) with in-memory store so that
// users can start using STS without locking themselves out immediately.
// For other stores (e.g. filer), default to Deny (closed) for security.
if configRoot.Policy.StoreType == sts.StoreTypeMemory {
// Secure default when an explicit IAM config file is provided:
// omitted defaultEffect should be Deny to avoid unintentional privilege escalation.
// Keep zero-config startup behavior (no config file path) open for memory store.
if configPath == "" && configRoot.Policy.StoreType == sts.StoreTypeMemory {
configRoot.Policy.DefaultEffect = sts.EffectAllow
} else {
configRoot.Policy.DefaultEffect = sts.EffectDeny
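Review bot: The branch that keeps DefaultEffect open (`configRoot.Policy.DefaultEffect = sts.EffectAllow` under the new `configPath == "" && ... == sts.StoreTypeMemory` guard) leaves no trace at runtime, so an operator reading startup output cannot tell whether the policy engine came up fail-open or fail-closed; a warning-level log line in the Allow branch (using whatever logger this file already uses) would make the fail-open default observable, and a plain info line in the Deny branch would confirm the secure default took effect. The `configPath == ""` gate assumes an empty path means no explicit configuration was supplied; since loadIAMManagerFromConfig also takes a filerAddressProvider, it is worth confirming that a configuration sourced from the filer never reaches this point with an empty configPath, or the Allow default would apply to it as well. The comment on the new lines would read more precisely as `// Fail open only for zero-config startup (no config file path, in-memory store); any explicit config file, and any other store type, defaults to Deny.` so that the two conditions in the guard are both named. loadIAMManagerFromConfig begins before this hunk and its body, including the close of the else branch, continues past it.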