
fix(iam): preserve portable IAM storage and derived auth #2713

Merged
weisd merged 3 commits into main from issue/backlog-640 on Apr 28, 2026

Conversation


@weisd weisd commented Apr 28, 2026

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Summary of Changes

  • Keep IAM object storage plaintext by default when no IAM master key is configured, while preserving explicit master-key encryption.
  • Continue accepting existing plaintext and legacy encrypted IAM records during reads.
  • Route created service accounts through service-account authorization before generic temporary-credential authorization.
  • List created STS credentials from the STS cache and keep temporary-account lookups consistent across caches.
  • Add regression coverage for service-account authorization, STS authorization, and STS listing behavior.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (compatibility)
  • Requires doc/config/deployment update
  • Other impact: Existing legacy IAM records remain readable; new default IAM writes are portable without startup-credential-derived encryption.

Additional Notes

Verification:

  • make pre-commit
  • cargo fmt --all --check
  • git diff --check
  • cargo test -p rustfs-iam --lib
  • cargo clippy -p rustfs-iam --all-features --all-targets -- -D warnings
  • cargo clippy --workspace --all-features --all-targets -- -D warnings
  • cargo check --all-targets
  • cargo nextest run --all --exclude e2e_test
  • cargo test --all --doc

Not tested:

  • Manual admin API validation against a live cluster.

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md). If this is your first contribution, review the CLA document and sign it by commenting I have read and agree to the CLA. on the PR.
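The storage policy described in the summary above (stored bytes are the JSON payload unless an IAM master key is explicitly configured; the read path still accepts plaintext plus legacy credential-derived encodings) as an added example. This is not rustfs code: the magic tags, the field names, the `legacy_key_from` derivation and the stand-in cipher are all assumptions made for illustration, and the sample record is constructed.

```rust
// Added example (not rustfs code): IAM record encoding with a plaintext
// default, opt-in master-key encryption and a read path that still accepts
// legacy records. Magic tags, field names and the stand-in cipher are assumed.

/// Assumed tag for records sealed with an explicitly configured IAM master key.
pub const MASTER_MAGIC: &[u8] = b"IAMK1:";
/// Assumed tag for legacy records sealed with a startup-credential-derived key.
pub const LEGACY_MAGIC: &[u8] = b"IAMC0:";

#[derive(Debug, PartialEq)]
pub enum Encoding { Plaintext, MasterKey, LegacyCredential }

pub struct IamStore {
    /// Set only when the operator configured a dedicated IAM master key.
    pub master_key: Option<Vec<u8>>,
    /// Key derived from startup credentials; used only to READ legacy records.
    pub legacy_key: Option<Vec<u8>>,
}

/// FNV-1a; seed and tag function of the stand-in cipher below.
fn mix(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in data { h ^= *b as u64; h = h.wrapping_mul(0x0100_0000_01b3); }
    h
}

fn keystream(seed: u64, i: usize) -> u8 { mix(&(seed ^ i as u64).to_le_bytes()) as u8 }

/// Stand-in keyed transform so the example runs with std only: XOR keystream
/// plus an 8-byte keyed tag. A real store would use an AEAD (e.g. AES-GCM).
pub fn seal_record(key: &[u8], pt: &[u8]) -> Vec<u8> {
    let seed = mix(key);
    let mut out: Vec<u8> = pt.iter().enumerate().map(|(i, b)| b ^ keystream(seed, i)).collect();
    out.extend_from_slice(&mix(&[key, pt].concat()).to_le_bytes());
    out
}

pub fn open_record(key: &[u8], ct: &[u8]) -> Option<Vec<u8>> {
    if ct.len() < 8 { return None; }
    let (body, tag) = ct.split_at(ct.len() - 8);
    let seed = mix(key);
    let pt: Vec<u8> = body.iter().enumerate().map(|(i, b)| b ^ keystream(seed, i)).collect();
    if mix(&[key, pt.as_slice()].concat()).to_le_bytes() != tag {
        return None; // wrong key or tampered record
    }
    Some(pt)
}

/// Assumed derivation of the legacy key from startup credentials.
pub fn legacy_key_from(startup_creds: &[u8]) -> Vec<u8> { mix(startup_creds).to_le_bytes().to_vec() }

impl IamStore {
    /// Write path: encrypt only under an explicit master key; otherwise the
    /// stored bytes are the JSON itself. Startup credentials never derive a write key.
    pub fn encode(&self, json: &[u8]) -> Vec<u8> {
        match &self.master_key {
            Some(k) => [MASTER_MAGIC, seal_record(k, json).as_slice()].concat(),
            None => json.to_vec(),
        }
    }

    /// Read path: tagged encodings first, then bare JSON; anything else is rejected.
    pub fn decode(&self, stored: &[u8]) -> Result<(Encoding, Vec<u8>), String> {
        if let Some(body) = stored.strip_prefix(MASTER_MAGIC) {
            let k = self.master_key.as_ref().ok_or("master-key record but no IAM master key configured")?;
            return open_record(k, body).map(|p| (Encoding::MasterKey, p))
                .ok_or_else(|| "master-key record failed to open".into());
        }
        if let Some(body) = stored.strip_prefix(LEGACY_MAGIC) {
            let k = self.legacy_key.as_ref().ok_or("legacy record but startup credentials unavailable")?;
            return open_record(k, body).map(|p| (Encoding::LegacyCredential, p))
                .ok_or_else(|| "legacy record failed to open (startup credentials rotated?)".into());
        }
        match stored.iter().copied().find(|b| !b.is_ascii_whitespace()) {
            Some(b'{') | Some(b'[') => Ok((Encoding::Plaintext, stored.to_vec())),
            _ => Err("unrecognised IAM record encoding".into()),
        }
    }
}

/// Simulates how the pre-fix store wrote records without a master key, to
/// build upgrade fixtures; not part of the new write path.
pub fn legacy_encode(startup_creds: &[u8], json: &[u8]) -> Vec<u8> {
    [LEGACY_MAGIC, seal_record(&legacy_key_from(startup_creds), json).as_slice()].concat()
}

fn main() {
    let json = br#"{"accessKey":"svc1","status":"on"}"#; // constructed sample record
    let store = IamStore { master_key: None, legacy_key: Some(legacy_key_from(b"startup-ak:startup-sk")) };
    println!("{:?}", store.decode(&legacy_encode(b"startup-ak:startup-sk", json)).map(|(e, _)| e));
}
```

The `decode` failure branch for a legacy record whose startup credentials have since rotated is the upgrade risk the commit message flags as "Not-tested: Manual cluster upgrade": such records are unreadable with the new credentials, which is why reads keep the legacy path and writes no longer produce it.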

weisd added 2 commits April 28, 2026 00:04
The object-backed IAM store previously encrypted every serialized IAM record with operator credentials when no dedicated IAM key was set. That made persisted identity data depend on mutable startup credentials.

This keeps explicit IAM master-key encryption while making the default storage bytes the JSON payload. The read path still accepts plaintext plus prior encrypted encodings so existing deployments can load old records.

Constraint: IAM storage must load existing encrypted records during upgrade

Rejected: Require an IAM master key for all writes | would break default deployments and existing plaintext-compatible behavior

Confidence: high

Scope-risk: narrow

Directive: Do not reintroduce credential-derived IAM write encryption without a migration and key-rotation story

Tested: cargo fmt --all --check

Tested: cargo clippy --workspace --all-features --all-targets -- -D warnings

Tested: make pre-commit

Not-tested: Manual cluster upgrade against persisted legacy IAM objects

Created STS credentials live in sts_accounts while service accounts live in users, and service accounts also satisfy generic temporary-credential checks because they carry session tokens. The authorization and listing paths now resolve the service-account case first and enumerate STS entries from the STS cache.

Constraint: IAM derived credentials are split between users and sts_accounts caches

Rejected: Collapse service and STS entries into one cache | broader migration risk for a narrow authorization/listing bug

Confidence: high

Scope-risk: narrow

Directive: Check service-account identity before generic temp identity whenever session-token based credentials can overlap

Tested: cargo fmt --all --check

Tested: git diff --check

Tested: cargo test -p rustfs-iam --lib

Tested: cargo clippy -p rustfs-iam --all-features --all-targets -- -D warnings

Tested: cargo clippy --workspace --all-features --all-targets -- -D warnings

Tested: cargo check --all-targets

Tested: cargo nextest run --all --exclude e2e_test

Tested: cargo test --all --doc

Not-tested: Manual admin API run against a live cluster
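The cache split and ordering bug described in the second commit message (service accounts in `users`, STS credentials in `sts_accounts`, both carrying session tokens) as an added example. This is not rustfs code: the cache layout, the `Credentials` fields, the `Identity` enum and the sample access keys are assumptions, and `resolve_before` is a reconstruction of the pre-fix ordering, not the project's original function.

```rust
// Added example (not rustfs code): why a service account must be classified
// before the generic temporary-credential check, and why STS listing must
// read only the STS cache. Cache layout, field names and keys are assumed.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub enum CredKind { Regular, ServiceAccount, Sts }

#[derive(Clone, Debug)]
pub struct Credentials {
    pub access_key: String,
    pub parent_user: String,
    /// Present for BOTH service accounts and STS credentials, so a
    /// "has a session token" test alone cannot tell them apart.
    pub session_token: Option<String>,
    pub kind: CredKind,
}

#[derive(Debug, PartialEq)]
pub enum Identity { User, ServiceAccount { parent: String }, Temp { parent: String }, Unknown }

#[derive(Default)]
pub struct IamCache {
    /// Regular users and service accounts.
    pub users: HashMap<String, Credentials>,
    /// STS-issued temporary credentials.
    pub sts_accounts: HashMap<String, Credentials>,
}

impl IamCache {
    pub fn insert(&mut self, c: Credentials) {
        let target = if c.kind == CredKind::Sts { &mut self.sts_accounts } else { &mut self.users };
        target.insert(c.access_key.clone(), c);
    }

    /// Generic check: any credential carrying a session token, from either cache.
    fn find_temp_like(&self, ak: &str) -> Option<&Credentials> {
        self.users.get(ak).or_else(|| self.sts_accounts.get(ak)).filter(|c| c.session_token.is_some())
    }

    /// Reconstructed pre-fix ordering: the generic temp check runs first, so a
    /// service account (has a token, lives in `users`) is resolved against
    /// `sts_accounts` and comes back Unknown.
    pub fn resolve_before(&self, ak: &str) -> Identity {
        if self.find_temp_like(ak).is_some() {
            return match self.sts_accounts.get(ak) {
                Some(c) => Identity::Temp { parent: c.parent_user.clone() },
                None => Identity::Unknown,
            };
        }
        match self.users.get(ak) { Some(_) => Identity::User, None => Identity::Unknown }
    }

    /// Fixed ordering: service account first, then STS, then regular user.
    pub fn resolve_after(&self, ak: &str) -> Identity {
        if let Some(c) = self.users.get(ak).filter(|c| c.kind == CredKind::ServiceAccount) {
            return Identity::ServiceAccount { parent: c.parent_user.clone() };
        }
        if let Some(c) = self.sts_accounts.get(ak) {
            return Identity::Temp { parent: c.parent_user.clone() };
        }
        match self.users.get(ak) { Some(_) => Identity::User, None => Identity::Unknown }
    }

    /// Temporary-account lookup that is consistent across both caches.
    pub fn get_temp_account(&self, ak: &str) -> Option<&Credentials> {
        self.users.get(ak).filter(|c| c.kind == CredKind::ServiceAccount)
            .or_else(|| self.sts_accounts.get(ak))
    }

    /// STS listing enumerates only the STS cache; service accounts never appear.
    pub fn list_sts(&self, parent: &str) -> Vec<String> {
        let mut v: Vec<String> = self.sts_accounts.values()
            .filter(|c| c.parent_user == parent).map(|c| c.access_key.clone()).collect();
        v.sort();
        v
    }

    pub fn list_service_accounts(&self, parent: &str) -> Vec<String> {
        let mut v: Vec<String> = self.users.values()
            .filter(|c| c.kind == CredKind::ServiceAccount && c.parent_user == parent)
            .map(|c| c.access_key.clone()).collect();
        v.sort();
        v
    }
}

/// Constructed sample data: one user, one service account and one STS credential.
pub fn sample_cache() -> IamCache {
    let mut cache = IamCache::default();
    let cred = |ak: &str, parent: &str, tok: Option<&str>, kind: CredKind| Credentials {
        access_key: ak.into(), parent_user: parent.into(), session_token: tok.map(String::from), kind,
    };
    cache.insert(cred("alice", "", None, CredKind::Regular));
    cache.insert(cred("SVCALICE01", "alice", Some("svc-session-token"), CredKind::ServiceAccount));
    cache.insert(cred("STSALICE01", "alice", Some("sts-session-token"), CredKind::Sts));
    cache
}

fn main() {
    let cache = sample_cache();
    println!("before: {:?}", cache.resolve_before("SVCALICE01"));
    println!("after:  {:?}", cache.resolve_after("SVCALICE01"));
    println!("sts for alice: {:?}", cache.list_sts("alice"));
}
```

The ordering matters for authorization because the two identity kinds resolve to different policy sources (the service account's own policy versus the STS session's), so a service account routed through the STS path is either denied outright or evaluated against the wrong policy; the listing fix is the same split applied to enumeration.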
@github-actions

CLA requirements are satisfied for this pull request.

@weisd weisd added this pull request to the merge queue Apr 28, 2026
Merged via the queue into main with commit a995ec0 Apr 28, 2026
9 checks passed
@weisd weisd deleted the issue/backlog-640 branch April 28, 2026 06:09