
fix(iam): STS parent groups fallback and session policy debug for #1423 #1804

Merged
overtrue merged 3 commits into rustfs:main from GatewayJ:fix/issue-1423-sts-session-policy
Feb 14, 2026

Conversation

@GatewayJ (Member)

  • Use parent user's groups for policy_db_get when temp credential has no groups, so group-attached policies apply (AssumeRole does not copy groups).
  • Add debug logging in is_allowed_sts for session policy evaluation (action, has_session_policy, is_allowed_sp, parent_user) to diagnose vendored-credential AccessDenied (e.g. DeleteObjects 403).

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Summary of Changes

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (compatibility)
  • Requires doc/config/deployment update
  • Other impact:

Additional Notes


Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

@GatewayJ GatewayJ requested a review from loverustfs February 13, 2026 15:47
@loverustfs loverustfs requested a review from Copilot February 13, 2026 16:12
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes an issue where temporary credentials created via AssumeRole fail to properly evaluate group-attached policies because AssumeRole does not copy groups from the parent user. The fix implements a fallback mechanism to use the parent user's groups when the temporary credential has no groups assigned.

Changes:

  • Added groups fallback logic in is_allowed_sts to use parent user's groups when temp credentials have none
  • Added debug logging to track session policy evaluation flow for diagnosing AccessDenied errors
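The fallback described above, written out as an added example in Rust. This is an illustration of the policy-resolution idea and not rustfs's code: `UserIdentity`, `PolicyDb`, `policy_db_get` and the `fallback_to_parent_groups` flag are assumed names for this model, and the way user-attached policies of a temporary credential are keyed by its parent is an assumption of the model, not something the PR states. The example covers only the groups fallback, not the debug logging.

```rust
use std::collections::{BTreeSet, HashMap};

/// Minimal model of a stored identity: a long-lived IAM user or an
/// STS temporary credential. Added illustration, not rustfs's own types.
#[derive(Debug, Clone)]
struct UserIdentity {
    access_key: String,
    /// Groups attached to this identity. Credentials issued by AssumeRole
    /// carry none, because groups are not copied from the parent.
    groups: Vec<String>,
    /// For temporary credentials: access key of the user who assumed the role.
    parent_user: Option<String>,
}

/// Hypothetical policy store mapping users and groups to attached policy names.
#[derive(Default)]
struct PolicyDb {
    user_policies: HashMap<String, Vec<String>>,
    group_policies: HashMap<String, Vec<String>>,
}

impl PolicyDb {
    /// Resolve the policy names that apply to `identity`.
    /// `fallback_to_parent_groups = false` models the pre-fix behaviour;
    /// `true` models the fix: an identity with no groups of its own borrows
    /// the groups of its parent user.
    fn policy_db_get(
        &self,
        identity: &UserIdentity,
        users: &HashMap<String, UserIdentity>,
        fallback_to_parent_groups: bool,
    ) -> BTreeSet<String> {
        let mut policies = BTreeSet::new();

        // Assumption for this model: user-attached policies of a temporary
        // credential are those of its parent user.
        let policy_owner = identity.parent_user.as_deref().unwrap_or(&identity.access_key);
        if let Some(p) = self.user_policies.get(policy_owner) {
            policies.extend(p.iter().cloned());
        }

        // Choose which groups to consult: own groups, or (fix) the parent's
        // groups when the credential has none.
        let groups: Vec<String> = if identity.groups.is_empty() && fallback_to_parent_groups {
            identity
                .parent_user
                .as_ref()
                .and_then(|p| users.get(p))
                .map(|parent| parent.groups.clone())
                .unwrap_or_default()
        } else {
            identity.groups.clone()
        };

        for g in &groups {
            if let Some(p) = self.group_policies.get(g) {
                policies.extend(p.iter().cloned());
            }
        }
        policies
    }
}

/// Constructed scenario: `alice` is in group `ops`, which carries the only
/// policy granting her access. A temp credential assumed by alice has no
/// groups. Returns (policies before the fix, policies after the fix).
fn demo() -> (BTreeSet<String>, BTreeSet<String>) {
    let alice = UserIdentity {
        access_key: "alice".into(),
        groups: vec!["ops".into()],
        parent_user: None,
    };
    let temp = UserIdentity {
        access_key: "ASIA-EXAMPLE-TEMP".into(), // constructed placeholder key
        groups: vec![],                          // AssumeRole copied no groups
        parent_user: Some("alice".into()),
    };
    let mut users = HashMap::new();
    users.insert(alice.access_key.clone(), alice);

    let mut db = PolicyDb::default();
    db.group_policies.insert("ops".into(), vec!["ops-readwrite".into()]);

    let before = db.policy_db_get(&temp, &users, false);
    let after = db.policy_db_get(&temp, &users, true);
    (before, after)
}

fn main() {
    let (before, after) = demo();
    println!("without fallback: {before:?} (no policy resolves, request denied)");
    println!("with fallback:    {after:?} (group-attached policy applies)");
}
```

Without the fallback the temporary credential resolves to an empty policy set, which is exactly the AccessDenied the PR describes for group-only users; with it, the parent's group policy is consulted. The fallback only triggers when the credential's own group list is empty, so identities that do carry groups are unaffected.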

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@GatewayJ GatewayJ force-pushed the fix/issue-1423-sts-session-policy branch from da68661 to d1ac194 on February 14, 2026 02:17
…tfs#1423

- Use parent user's groups for policy_db_get when temp credential has no
  groups, so group-attached policies apply (AssumeRole does not copy groups).
- Add debug logging in is_allowed_sts for session policy evaluation
  (action, has_session_policy, is_allowed_sp, parent_user) to diagnose
  vendored-credential AccessDenied (e.g. DeleteObjects 403).
@GatewayJ GatewayJ force-pushed the fix/issue-1423-sts-session-policy branch from d1ac194 to 681e4cc on February 14, 2026 02:34
@overtrue overtrue merged commit fb02679 into rustfs:main Feb 14, 2026
13 checks passed