iam reload policy mapping of STS users properly (#19626)

2024-04-27 03:04:10 -07:00 · 2024-04-27 03:04:10 -07:00 · 9e95703efc
parent d8e05aca81
commit 9e95703efc
1 changed files with 28 additions and 0 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@ -1634,6 +1634,8 @@ func (store *IAMStoreSys) PolicyMappingNotificationHandler(ctx context.Context,
 	switch {
 	case isGroup:
 		m = cache.iamGroupPolicyMap
+	case userType == stsUser:
+		m = cache.iamSTSPolicyMap
 	default:
 		m = cache.iamUserPolicyMap
 	}
@ -2108,6 +2110,32 @@ func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string,
 			}
 		}
 	}
+	if iamOS, ok := store.IAMStorageAPI.(*IAMEtcdStore); ok {
+		m := xsync.NewMapOf[string, MappedPolicy]()
+		err := iamOS.loadMappedPolicies(context.Background(), stsUser, false, m)
+		if err == nil {
+			m.Range(func(user string, mappedPolicy MappedPolicy) bool {
+				if userPredicate != nil && !userPredicate(user) {
+					return true
+				}
+
+				commonPolicySet := mappedPolicy.policySet()
+				if !queryPolSet.IsEmpty() {
+					commonPolicySet = commonPolicySet.Intersection(queryPolSet)
+				}
+				for _, policy := range commonPolicySet.ToSlice() {
+					s, ok := policyToUsersMap[policy]
+					if !ok {
+						policyToUsersMap[policy] = set.CreateStringSet(user)
+					} else {
+						s.Add(user)
+						policyToUsersMap[policy] = s
+					}
+				}
+				return true
+			})
+		}
+	}

 	policyToGroupsMap := make(map[string]set.StringSet)
 	cache.iamGroupPolicyMap.Range(func(group string, mappedPolicy MappedPolicy) bool {