Do not fail mc-admin-policy-attach if policy already attached/detached (#5058)

Currently, attempts to attach a policy to a user who already has
the policy attached to them results in a 400.

This change handles cases where policy attach/detach operations
are automated using scripts/jobs. A re-run of the attach/detach
step should not fail the entire job.

Author: dhananjaykrutika

cmd/admin-policy-attach.go

@@ -23,6 +23,10 @@ import (
 	"github.com/minio/mc/pkg/probe"
 )
 
+const (
+	errCodeChangeAlreadyApplied = "XMinioAdminPolicyChangeAlreadyApplied"
+)
+
 var adminAttachPolicyFlags = []cli.Flag{
 	cli.StringFlag{
 		Name:  "user, u",
@@ -97,7 +101,10 @@ func userAttachOrDetachPolicy(ctx *cli.Context, attach bool) error {
 	} else {
 		res, e = client.DetachPolicy(globalContext, req)
 	}
-	fatalIf(probe.NewError(e), "Unable to make user/group policy association")
+
+	if e != nil && madmin.ToErrorResponse(e).Code != errCodeChangeAlreadyApplied {
+		fatalIf(probe.NewError(e), "Unable to make user/group policy association")
+	}
 
 	var emptyResp madmin.PolicyAssociationResp
 	if res.UpdatedAt == emptyResp.UpdatedAt {

functional-tests.sh

@@ -967,6 +967,9 @@ function test_admin_users() {
 	# check that the user can write objects with readwrite policy
 	assert_success "$start_time" "${FUNCNAME[0]}" mc_cmd admin policy attach "$SERVER_ALIAS" readwrite --user="${username}"
 
+	# verify that re-attaching an already attached policy to a user does not result in a failure.
+	assert_success "$start_time" "${FUNCNAME[0]}" mc_cmd admin policy attach "$SERVER_ALIAS" readwrite --user="${username}"
+
 	# Validate that the correct policy has been added to the user
 	"${MC_CMD[@]}" --json admin user list "${SERVER_ALIAS}" | jq -r '.policyName' | grep --quiet "^readwrite$"
 	rv=$?