ricsanfre / ansible-role-minio

Ansible role for installing and configuring Minio

Home Page: https://galaxy.ansible.com/ricsanfre/minio

Attaching Changed User Policies to a User Fails

desebjohnston opened this issue · comments

Thank you for this ansible role! I've very much been enjoying working with it.

The ansible role attaching policy fails when I change the rules of a user policy and re-apply. The user policy was changed successfully but applying the policy to the user results in a failed task. The task should probably check if the applied policy is already attached as a gate or the failed_when value should change.

TASK [ricsanfre.minio : Apply user policy] *****************************************************************************************************************************************************************

fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["mc", "admin", "policy", "attach", "myminio", "test", "-u", "test"], "delta": "0:00:00.147802", "end": "2024-05-17 09:25:59.068474", "msg": "non-zero return code", "rc": 1, "start": "2024-05-17 09:25:58.920672", "stderr": "mc: <ERROR> Unable to make user/group policy association. The specified policy change is already in effect. (Specified policy update has no net effect).", "stderr_lines": ["mc: <ERROR> Unable to make user/group policy association. The specified policy change is already in effect. (Specified policy update has no net effect)."], "stdout": "", "stdout_lines": []}


Another proposal I have, which I could make a PR for if it's worthwhile since it'd be a major change, is it may be useful to separate the user creation from policy creation in the vars configuration, and map the policy names to the users when that's the explicit intention. I'll have non-user "users" that I've created and will probably use for token access in other automated workflows, but I think there's a use case for having these objects separate in cases where user access is provided by an OpenID service where the policies are inherited.

Thanks again!
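
The `failed_when` option mentioned in the report above, as an added example (not part of the original issue and not the role's own task). The variable names `minio_alias`, `policy_name` and `user_name` are hypothetical; the values and the matched stderr text are taken from the output quoted in the report.

```yaml
# Added example: a stand-alone playbook, not the ricsanfre.minio role's code.
- name: Attach a MinIO policy to a user idempotently
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical variable names; values copied from the failing command above.
    minio_alias: myminio
    policy_name: test
    user_name: test
  tasks:
    - name: Apply user policy
      ansible.builtin.command:
        argv:
          - mc
          - admin
          - policy
          - attach
          - "{{ minio_alias }}"
          - "{{ policy_name }}"
          - "-u"
          - "{{ user_name }}"
      register: policy_attach
      # Only a zero exit code means the association was actually changed.
      changed_when: policy_attach.rc == 0
      # mc exits 1 for the no-op case as well as for real errors, so match
      # the specific no-op message instead of ignoring the return code.
      # A list under failed_when is AND-ed: fail only on a non-zero rc
      # that is NOT the "already in effect" case.
      failed_when:
        - policy_attach.rc != 0
        - "'policy change is already in effect' not in policy_attach.stderr"
```

Matching the exact message keeps genuine failures (unknown policy, unknown user, unreachable server) fatal, so a user is never silently left without the intended policy.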

Hi @desebjohnston, thanks for raising this issue.

Let's try your proposal and decouple user and policy creation. Please create a PR for that and we will merge it into the main branch.

Thanks
Regards
Ricardo

Awesome. I'll work on putting it together. Also, I have a small PR coming to allow object locking on buckets I'll submit first. I'll keep them separate for traceability.