Merge pull request #9302 from shirady/iam-user-policy-default-behavior

shirady · web-flow · commit 5a51122d8919 · 2025-11-24T10:16:16.000+02:00
IAM | Change Default Behavior of Users Without IAM User Policy
diff --git a/docs/design/IamUserInlinePolicy.md b/docs/design/IamUserInlinePolicy.md
@@ -4,7 +4,7 @@ When used, it adds a layer of permission to the users under the account.
 We decided that IAM user inline policies are checked for authorization only in S3 operations (`src/endpoint/s3/s3_rest.js`).
 
 ## User Without IAM User Policy
-We decided that when a user is created under the account (and has access keys), it can operate all S3 operations (unless there is a bucket policy which do not authorize it).
+User must have IAM policy to be authorized for S3 operations.
 
 ## User With IAM User Policy
 The user’s inline policy is embedded in the user.  
@@ -29,8 +29,8 @@ If a user has a user policy, the ability to perform an S3 operation is based on
 For every S3 request, authorization (`authorize_request` in `src/endpoint/s3/s3_rest.js`) is performed.
 The authorization now will have:
 1. Authorization handle for signed request and anonymous requests.  
-2. Authorization handle according to bucket policy.  
-3. Authorization handle according to the user IAM policy (the new added layer - only for IAM users).  
+2. Authorization handle according to the user IAM policy (the new added layer - only for IAM users).  
+3. Authorization handle according to bucket policy.  
 
 If one of the layers does not permit it would result in `AccessDenied` error.
 
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
@@ -217,14 +217,11 @@ function authenticate_request(req) {
 
 async function authorize_request(req) {
     await req.object_sdk.load_requesting_account(req);
-    await Promise.all([
-        req.object_sdk.authorize_request_account(req),
-        // authorize_request_policy(req) is supposed to
-        // allow owners access unless there is an explicit DENY policy
-        authorize_request_policy(req),
-        // authorize_request_iam_policy(req) is for users only
-        authorize_request_iam_policy(req),
-    ]);
+    await req.object_sdk.authorize_request_account(req);
+    await authorize_request_iam_policy(req); // authorize_request_iam_policy(req) is for users only
+    // authorize_request_policy(req) is supposed to
+    // allow owners access unless there is an explicit DENY policy
+    await authorize_request_policy(req);
 }
 
 async function authorize_request_policy(req) {
@@ -333,6 +330,7 @@ async function authorize_request_policy(req) {
     throw new S3Error(S3Error.AccessDenied);
 }
 
+// TODO - move the function and throw message error with details
 async function authorize_request_iam_policy(req) {
     const auth_token = req.object_sdk.get_auth_token();
     const is_anonymous = !(auth_token && auth_token.access_key);
@@ -345,7 +343,7 @@ async function authorize_request_iam_policy(req) {
     const resource_arn = _get_arn_from_req_path(req);
     const method = _get_method_from_req(req);
     const iam_policies = account.iam_user_policies || [];
-    if (iam_policies.length === 0) return;
+    if (iam_policies.length === 0 && req.object_sdk.nsfs_config_root) return; // We do not have IAM policies in NC yet
 
     // parallel policy check
     const promises = [];
