iam: Return a slice of policies for a group (#11722)

A group can have multiple policies, a user subscribed to readwrite & diagnostics can perform S3 operations & admin operations as well. However, the current code only returns one policy for one group.
2024-09-30 21:23:37 +00:00 · 2021-03-06 18:27:06 +01:00 · 2021-03-06 18:27:06 +01:00 · 558762bdf6
parent d971061305
commit 558762bdf6
1 changed files with 2 additions and 17 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1563,11 +1563,7 @@ func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err e
 		return gd, err
 	}

-	// A group may be mapped to at most one policy.
-	policy := ""
-	if len(ps) > 0 {
-		policy = ps[0]
-	}
+	policy := strings.Join(ps, ",")

 	if sys.usersSysType != MinIOUsersSysType {
 		return madmin.GroupDesc{
@ -1681,7 +1677,7 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is

 // PolicyDBGet - gets policy set on a user or group. Since a user may
 // be a member of multiple groups, this function returns an array of
-// applicable policies (each group is mapped to at most one policy).
+// applicable policies
 func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
 	if !sys.Initialized() {
 		return nil, errServerNotInitialized
@ -1749,17 +1745,6 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 		policies = append(policies, p.toSlice()...)
 	}

-	for _, group := range u.Groups {
-		// Skip missing or disabled groups
-		gi, ok := sys.iamGroupsMap[group]
-		if !ok || gi.Status == statusDisabled {
-			continue
-		}
-
-		p := sys.iamGroupPolicyMap[group]
-		policies = append(policies, p.toSlice()...)
-	}
-
 	return policies, nil
 }