s3api: fix static IAM policy enforcement after reload (#8532)
* s3api: honor attached IAM policies over legacy actions * s3api: hydrate IAM policy docs during config reload * s3api: use policy-aware auth when listing buckets * credential: propagate context through filer_etc policy reads * credential: make legacy policy deletes durable * s3api: exercise managed policy runtime loader * s3api: allow static IAM users without session tokens * iam: deny unmatched attached policies under default allow * iam: load embedded policy files from filer store * s3api: require session tokens for IAM presigning * s3api: sync runtime policies into zero-config IAM * credential: respect context in policy file loads * credential: serialize legacy policy deletes * iam: align filer policy store naming * s3api: use authenticated principals for presigning * iam: deep copy policy conditions * s3api: require request creation in policy tests * filer: keep ReadInsideFiler as the context-aware API * iam: harden filer policy store writes * credential: strengthen legacy policy serialization test * credential: forward runtime policy loaders through wrapper * s3api: harden runtime policy merging * iam: require typed already-exists errors
This commit is contained in:
Chris Lu
@@ -6,6 +6,7 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
|
||||
@@ -28,6 +29,8 @@ type IAMManager struct {
|
||||
userStore UserStore
|
||||
filerAddressProvider func() string // Function to get current filer address
|
||||
initialized bool
|
||||
runtimePolicyMu sync.Mutex
|
||||
runtimePolicyNames map[string]struct{}
|
||||
}
|
||||
|
||||
// IAMConfig holds configuration for all IAM components
|
||||
@@ -105,6 +108,57 @@ func (m *IAMManager) SetUserStore(store UserStore) {
|
||||
m.userStore = store
|
||||
}
|
||||
|
||||
// SyncRuntimePolicies keeps zero-config runtime policies available to the
|
||||
// in-memory policy engine used by the advanced IAM authorizer.
|
||||
func (m *IAMManager) SyncRuntimePolicies(ctx context.Context, policies []*iam_pb.Policy) error {
|
||||
if !m.initialized || m.policyEngine == nil {
|
||||
return nil
|
||||
}
|
||||
if m.policyEngine.StoreType() != sts.StoreTypeMemory {
|
||||
return nil
|
||||
}
|
||||
|
||||
desiredPolicies := make(map[string]*policy.PolicyDocument, len(policies))
|
||||
for _, runtimePolicy := range policies {
|
||||
if runtimePolicy == nil || runtimePolicy.Name == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
var document policy.PolicyDocument
|
||||
if err := json.Unmarshal([]byte(runtimePolicy.Content), &document); err != nil {
|
||||
return fmt.Errorf("failed to parse runtime policy %q: %w", runtimePolicy.Name, err)
|
||||
}
|
||||
|
||||
desiredPolicies[runtimePolicy.Name] = &document
|
||||
}
|
||||
|
||||
m.runtimePolicyMu.Lock()
|
||||
defer m.runtimePolicyMu.Unlock()
|
||||
|
||||
filerAddress := m.getFilerAddress()
|
||||
for policyName := range m.runtimePolicyNames {
|
||||
if _, keep := desiredPolicies[policyName]; keep {
|
||||
continue
|
||||
}
|
||||
if err := m.policyEngine.DeletePolicy(ctx, filerAddress, policyName); err != nil {
|
||||
return fmt.Errorf("failed to delete runtime policy %q: %w", policyName, err)
|
||||
}
|
||||
}
|
||||
|
||||
for policyName, document := range desiredPolicies {
|
||||
if err := m.policyEngine.AddPolicy(filerAddress, policyName, document); err != nil {
|
||||
return fmt.Errorf("failed to sync runtime policy %q: %w", policyName, err)
|
||||
}
|
||||
}
|
||||
|
||||
m.runtimePolicyNames = make(map[string]struct{}, len(desiredPolicies))
|
||||
for policyName := range desiredPolicies {
|
||||
m.runtimePolicyNames[policyName] = struct{}{}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Initialize initializes the IAM manager with all components
|
||||
func (m *IAMManager) Initialize(config *IAMConfig, filerAddressProvider func() string) error {
|
||||
if config == nil {
|
||||
@@ -422,6 +476,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
|
||||
|
||||
var baseResult *policy.EvaluationResult
|
||||
var err error
|
||||
subjectPolicyCount := 0
|
||||
|
||||
if isAdmin {
|
||||
// Admin always has base access allowed
|
||||
@@ -454,6 +509,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
|
||||
policies = roleDef.AttachedPolicies
|
||||
}
|
||||
}
|
||||
subjectPolicyCount = len(policies)
|
||||
|
||||
if bucketPolicyName != "" {
|
||||
// Enforce an upper bound on the number of policies to avoid excessive allocations
|
||||
@@ -477,6 +533,14 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Zero-config IAM uses DefaultEffect=Allow to preserve open-by-default behavior
|
||||
// for requests without any subject policies. Once a user or role has attached
|
||||
// policies, "no matching statement" must fall back to deny so the attachment
|
||||
// actually scopes access.
|
||||
if subjectPolicyCount > 0 && len(baseResult.MatchingStatements) == 0 {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// If there's a session policy, it must also allow the action
|
||||
if sessionInfo != nil && sessionInfo.SessionPolicy != "" {
|
||||
var sessionPolicy policy.PolicyDocument
|
||||
|
||||
Reference in New Issue
Block a user