checkKeyValid() should return owner true for rootCreds (#13422)

Looks like policy restriction was not working properly
for normal users when they are not svc or STS accounts.

- svc accounts are now properly fixed to get the
  right permissions when they are inherited, so
  we do not have to set 'owner = true'

- sts accounts have always been using right
  permissions, do not need an explicit lookup

- regular users always have proper policy mapping
This commit is contained in:
Harshavardhana
2021-10-12 13:18:02 -07:00
committed by GitHub
parent 13e41f2c68
commit 415bbc74aa
2 changed files with 66 additions and 14 deletions


@@ -31,7 +31,6 @@ import (
"github.com/minio/minio/internal/auth"
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
iampolicy "github.com/minio/pkg/iam/policy"
)
// http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the
@@ -150,8 +149,7 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
return auth.Credentials{}, false, ErrServerNotInitialized
}
var owner = true
var cred = globalActiveCred
cred := globalActiveCred
if cred.AccessKey != accessKey {
// Check if the access key is part of users credentials.
ucred, ok := globalIAMSys.GetUser(accessKey)
@@ -165,18 +163,9 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
if s3Err != ErrNone {
return cred, false, s3Err
}
cred.Claims = claims
if len(claims) > 0 {
cred.Claims = claims
// Now check if we have a sessionPolicy.
if _, ok := claims[iampolicy.SessionPolicyName]; ok {
owner = false
} else {
owner = cred.AccessKey == cred.ParentUser
}
}
owner := cred.AccessKey == globalActiveCred.AccessKey
return cred, owner, ErrNone
}
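Review bot: The new `owner := cred.AccessKey == globalActiveCred.AccessKey` re-reads the mutable global `globalActiveCred` that the earlier hunk already copied into `cred`, so if root credentials can be rotated at runtime (as the name suggests, though that is not visible here) the two reads within one request can disagree and the owner decision would be made against a different root key than the one the request was validated with. Capturing it once avoids that: `rootCred := globalActiveCred` and `cred := rootCred` at the top, then `owner := cred.AccessKey == rootCred.AccessKey` here. Because the removed default `owner = true` previously granted owner privileges to any IAM user whose credentials carried no claims, this is a privilege-scoping fix and deserves a regression test asserting owner is false for a plain user with no session policy and true only for the root access key; the second changed file may already provide that but is not visible on this page. Assigning `cred.Claims = claims` unconditionally also stores an empty map where the old code left Claims untouched for claim-less credentials, which is fine unless a caller distinguishes nil from empty and is worth confirming. checkKeyValid starts before this hunk.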