fix: allow all console actions with custom authZ (minio#20489)

When custom authorization via plugin is enabled, the console will now render the UI as if all actions are allowed. Since server cannot determine the exact policy allowed for a user via the plugin, this is acceptable to do. If a particular action is actually not allowed by the plugin the call will result in an error. Previously the server was evaluating a policy when custom authZ is enabled - this is fixed now.
reivaj05 · Sep 27, 2024 · 402b798 · 402b798
1 parent 4759532
commit 402b798
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
@@ -1441,7 +1441,12 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 
  var buf []byte
  switch {
- case accountName == globalActiveCred.AccessKey:
+ case accountName == globalActiveCred.AccessKey || newGlobalAuthZPluginFn() != nil:
+ // For owner account and when plugin authZ is configured always set
+ // effective policy as `consoleAdmin`.
+ //
+ // In the latter case, we let the UI render everything, but individual
+ // actions would fail if not permitted by the external authZ service.
  for _, policy := range policy.DefaultPolicies {
  if policy.Name == "consoleAdmin" {
  effectivePolicy = policy.Definition