From 6305b206e111eeedf7baea38820c05042ab1d6f0 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Fri, 10 Mar 2023 16:21:51 -0800
Subject: [PATCH] fix: site-repl should heal STS with virtual parent (#16792)

---
 cmd/site-replication.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/cmd/site-replication.go b/cmd/site-replication.go
index 07ad63397..b840823ce 100644
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@@ -4728,10 +4728,19 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
 continue
 }
 if creds.IsTemp() && !creds.IsExpired() {
+ var parentPolicy string
 u, err := globalIAMSys.GetUserInfo(ctx, creds.ParentUser)
 if err != nil {
- logger.LogIf(ctx, fmt.Errorf("Unable to heal temporary credentials %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err))
- continue
+ // Parent may be "virtual" (for ldap, oidc, client tls auth,
+ // custom auth plugin), so in such cases we apply no parent
+ // policy. The session token will contain info about policy to
+ // be applied.
+ if !errors.Is(err, errNoSuchUser) {
+ logger.LogIf(ctx, fmt.Errorf("Unable to heal temporary credentials %s from peer site %s -> %s : %w", user, latestPeerName, peerName, err))
+ continue
+ }
+ } else {
+ parentPolicy = u.PolicyName
 }
 // Call hook for site replication.
 if err := c.IAMChangeHook(ctx, madmin.SRIAMItem{
@@ -4741,7 +4750,7 @@ func (c *SiteReplicationSys) healUsers(ctx context.Context, objAPI ObjectLayer,
 SecretKey: creds.SecretKey,
 SessionToken: creds.SessionToken,
 ParentUser: creds.ParentUser,
- ParentPolicyMapping: u.PolicyName,
+ ParentPolicyMapping: parentPolicy,
 },
 UpdatedAt: lastUpdate,
 }); err != nil {
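Review bot: The `errors.Is(err, errNoSuchUser)` branch in the first hunk treats every missing parent as a "virtual" one, but an internal parent user that simply has not been healed on this site yet would take the same path, and the temporary credential would then be replicated with an empty `ParentPolicyMapping` rather than being skipped and retried on a later pass as the old code did. Whether user healing is guaranteed to run before this STS loop is not visible in the hunk, so this may be safe by ordering, but the comment should state that assumption so the next maintainer does not loosen it; something like `// Assumes internal parent users were healed before this loop; an unhealed internal parent would also hit this branch and be replicated without a parent policy mapping.` The rest of the comment's claim that the session token carries the policy is likewise asserted rather than checked here, so a hedge ("is expected to") would be more accurate. Both hunks sit inside healUsers, whose body begins before and continues after them.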