From cc960adbee840392f64e4630b73fb2061c8f2594 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Fri, 19 Jan 2024 10:31:40 -0800
Subject: [PATCH] fix: remove policy mapping file when empty (#18828)

On a policy detach operation, if there are no policies remaining attached to the user/group, remove the policy mapping file, instead of leaving a file containing an empty list of policies.
---
 cmd/iam-store.go | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index 6f415d345..324cd8799 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1017,18 +1017,37 @@ func (store *IAMStoreSys) PolicyDBUpdate(ctx context.Context, name string, isGro
 newPolicyMapping.UpdatedAt = UTCNow()
 addedOrRemoved = policiesToUpdate.ToSlice()
 
- if err = store.saveMappedPolicy(ctx, name, userType, isGroup, newPolicyMapping); err != nil {
- return
- }
- if !isGroup {
- if userType == stsUser {
- cache.iamSTSPolicyMap[name] = newPolicyMapping
+ // In case of detach operation, it is possible that no policies are mapped -
+ // in this case, we delete the mapping from the store.
+ if len(newPolicies) == 0 {
+ if err = store.deleteMappedPolicy(ctx, name, userType, isGroup); err != nil && !errors.Is(err, errNoSuchPolicy) {
+ return
+ }
+ if !isGroup {
+ if userType == stsUser {
+ delete(cache.iamSTSPolicyMap, name)
+ } else {
+ delete(cache.iamUserPolicyMap, name)
+ }
 } else {
- cache.iamUserPolicyMap[name] = newPolicyMapping
+ delete(cache.iamGroupPolicyMap, name)
 }
 } else {
- cache.iamGroupPolicyMap[name] = newPolicyMapping
+
+ if err = store.saveMappedPolicy(ctx, name, userType, isGroup, newPolicyMapping); err != nil {
+ return
+ }
+ if !isGroup {
+ if userType == stsUser {
+ cache.iamSTSPolicyMap[name] = newPolicyMapping
+ } else {
+ cache.iamUserPolicyMap[name] = newPolicyMapping
+ }
+ } else {
+ cache.iamGroupPolicyMap[name] = newPolicyMapping
+ }
 }
+
 cache.updatedAt = UTCNow()
 return cache.updatedAt, addedOrRemoved, newPolicies, nil
 }
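Review bot: The new delete branch treats `errNoSuchPolicy` from `store.deleteMappedPolicy` as success without saying why a missing mapping is acceptable; I would add `// mapping already absent in the backend: still drop the cache entry so the detach takes effect` above the `if !isGroup {` that follows it. Any other error returns before the cache maps are touched, so a failed delete leaves the detached policies in force both in the store and in memory, and the caller must surface that error rather than report the detach as done. Because the mapping file now disappears instead of being rewritten with an empty list, the reload path that other nodes use (not visible in this hunk) presumably has to read a missing file as "no policies" and remove its own cache entry; a test that detaches the last policy and then reloads would confirm the revocation propagates. The blank line right after the second `} else {` can go, and PolicyDBUpdate begins above this hunk, so the named results and the origin of `newPolicies` are inferred from the naked `return` statements.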