From 4585e2258912e8ca7fcd2b1e7b480016b1386f5c Mon Sep 17 00:00:00 2001
From: Naveen Paul
Date: Tue, 2 Dec 2025 13:18:49 +0530
Subject: [PATCH] IAM | User ID for principal is not supported
Signed-off-by: Naveen Paul
---
 src/endpoint/s3/s3_bucket_policy_utils.js | 14 ++++++++++++++
 src/endpoint/s3/s3_rest.js | 6 +++---
 src/server/system_services/bucket_server.js | 6 +++++-
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/endpoint/s3/s3_bucket_policy_utils.js b/src/endpoint/s3/s3_bucket_policy_utils.js
index d4290f2915..074bcf0a8a 100644
--- a/src/endpoint/s3/s3_bucket_policy_utils.js
+++ b/src/endpoint/s3/s3_bucket_policy_utils.js
@@ -377,6 +377,19 @@ function get_bucket_policy_principal_arn(account) {
 return bucket_policy_arn;
 }
+/**
+ * Both NSFS NC and containerized will validate bucket policy against acccount id
+ * but in containerized deplyment not against IAM user ID.
+ *
+ * @param {boolean} is_nc_deployment
+ * @param {object} account
+ */
+function get_account_identifier_id(is_nc_deployment, account) {
+ if (is_nc_deployment || account.owner === undefined) {
+ return account._id;
+ }
+}
+ /**
+ * create_arn_for_root creates the AWS ARN for root account user
+ * see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
@@ -416,3 +429,4 @@ exports.validate_s3_policy = validate_s3_policy;
 exports.allows_public_access = allows_public_access;
 exports.get_bucket_policy_principal_arn = get_bucket_policy_principal_arn;
 exports.create_arn_for_root = create_arn_for_root;
+exports.get_account_identifier_id = get_account_identifier_id;
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
index 1785e7b0bb..c2dbbc8b37 100755
--- a/src/endpoint/s3/s3_rest.js
+++ b/src/endpoint/s3/s3_rest.js
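Review bot: get_account_identifier_id falls off the end without a return for a containerized account whose owner is set, so callers receive undefined from a function whose JSDoc documents no return value at all; make that path explicit with `return undefined;` after the if-block and document it with `@returns {*|undefined} the account _id usable as a bucket-policy principal, or undefined when ID principals are not supported for this account`. The root-account test here (`account.owner === undefined`) also differs from the one this same commit adds in the bucket_server.js hunk (truthiness of `account.owner`), so an account whose owner is null would count as a root account for policy enforcement but as an IAM user for policy validation; using the same test in both places, e.g. `account.owner == null`, keeps the two paths in agreement. The JSDoc also misspells "account" and "deployment".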
@@ -252,10 +252,10 @@ async function authorize_request_policy(req) {
 const account = req.object_sdk.requesting_account;
 const is_nc_deployment = Boolean(req.object_sdk.nsfs_config_root);
 const account_identifier_name = is_nc_deployment ? account.name.unwrap() : account.email.unwrap();
- // Both NSFS NC and containerized will validate bucket policy against acccount id.
- const account_identifier_id = account._id;
+ // Both NSFS NC and containerized will validate bucket policy against acccount id
+ // but in containerized deplyment not against IAM user ID.
+ const account_identifier_id = s3_bucket_policy_utils.get_account_identifier_id(is_nc_deployment, account);
 const account_identifier_arn = s3_bucket_policy_utils.get_bucket_policy_principal_arn(account);
-
 // deny delete_bucket permissions from bucket_claim_owner accounts (accounts that were created by OBC from openshift\k8s)
 // the OBC bucket can still be delete by normal accounts according to the access policy which is checked below
 if (req.op_name === 'delete_bucket' && account.bucket_claim_owner) {
diff --git a/src/server/system_services/bucket_server.js b/src/server/system_services/bucket_server.js
index 491592dc83..fa6abf5764 100644
--- a/src/server/system_services/bucket_server.js
+++ b/src/server/system_services/bucket_server.js
@@ -559,7 +559,11 @@ async function get_account_by_principal(principal) {
 if (principal_by_arn) return true;
 } else {
 const account = system_store.data.accounts.find(acc => acc._id.toString() === principal_as_string);
- const principal_by_id = account !== undefined;
+ if (account && account.owner) {
+ dbg.log3('get_account_by_principal: principal_by_id not supported for IAM users');
+ return false;
+ }
+ const principal_by_id = Boolean(account);
 dbg.log3('get_account_by_principal: principal_by_id', principal_by_id);
 if (principal_by_id) return true;
 }
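Review bot: account_identifier_id can now be undefined (a containerized account with an owner), whereas before this change it was always the account's _id; the part of authorize_request_policy that compares it against policy principals continues outside the hunk, and nothing visible here shows that comparison tolerating undefined. State the new contract at the assignment, e.g. `// undefined for IAM users in containerized deployments: an IAM user ID is never accepted as a policy principal there`, and confirm the downstream principal match neither throws on undefined nor treats it as a match-anything value. The two-line comment above the call repeats the helper's JSDoc, typos included, and could be dropped in favour of that JSDoc.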
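Review bot: The new `return false` for an account with an owner leaves get_account_by_principal immediately, whereas the removed line only set principal_by_id to false and fell through to whatever follows the if/else; the function continues outside the hunk, so if any later check (by name or email, for instance) exists for an id-shaped principal, its reachability changes with this commit and that should be confirmed as intended. The log line says the case is unsupported but not why, which is the thing a future reader will need: `// IAM user IDs are not valid bucket-policy principals in containerized deployments; only the owning account's ID is`.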