filer/iam-grpc: make admin Bearer auth opt-in (fixes #9509) (#9514)

PR #9442 made the filer refuse to register the IAM gRPC service unless
jwt.filer_signing.key was set in security.toml, which broke the admin
UI Users/Groups/Policies pages for every deployment that ships without
a security.toml — weed mini, plain Helm, vanilla weed filer. The Users
tab returns Unimplemented and the page is unusable. Issues #9504,
#9505 and #9509 all trace to this gap.

The rest of the filer's gRPC surface is unauthenticated by default;
treat IAM the same way. The service now always registers, and the
auth gate is a no-op when no signing key is configured. When the key
is set, every RPC still requires an admin-signed Bearer token, matching
the post-#9442 behaviour. Operators who expose the filer gRPC port
beyond a trusted network should set the key on both filer and admin.

The admin client (IamGrpcStore.withIamClient) already skips attaching
the authorization metadata when its key is empty, so no changes there.

weed/command/filer.go

@@ -431,20 +431,19 @@ func (fo *FilerOptions) startFiler() {
 	grpcS := pb.NewGrpcServer(security.LoadServerTLS(util.GetViper(), "grpc.filer"))
 	filer_pb.RegisterSeaweedFilerServer(grpcS, fs)
 
-	// Register IAM gRPC service only when both a credential manager and an
-	// admin signing key are configured. The IAM RPCs can create users and
-	// mint access keys; mounting them on an unauthenticated listener would
-	// hand any caller that can reach the gRPC port S3-admin equivalent power.
-	// Operators who relied on the unauthenticated path must now set
-	// jwt.filer_signing.key in security.toml and attach a Bearer token signed
-	// with that key on every IAM call.
+	// Register the IAM gRPC service. Auth is opt-in: when
+	// jwt.filer_signing.key is configured the service requires a Bearer token
+	// signed with that key; otherwise it runs unauthenticated, matching the
+	// rest of the filer's gRPC surface. Operators who expose the filer gRPC
+	// port beyond a trusted network should set jwt.filer_signing.key on both
+	// the filer and the admin server.
 	if credentialManager != nil {
 		adminSigningKey := security.SigningKey(util.GetViper().GetString("jwt.filer_signing.key"))
+		iamGrpcServer := weed_server.NewIamGrpcServer(credentialManager, adminSigningKey)
+		iam_pb.RegisterSeaweedIdentityAccessManagementServer(grpcS, iamGrpcServer)
 		if len(adminSigningKey) == 0 {
-			glog.Warningf("IAM gRPC service NOT registered on filer: jwt.filer_signing.key is empty in security.toml; configure it to enable IAM administration")
+			glog.V(0).Info("Registered IAM gRPC service on filer (unauthenticated; set jwt.filer_signing.key in security.toml to require admin Bearer token)")
 		} else {
-			iamGrpcServer := weed_server.NewIamGrpcServer(credentialManager, adminSigningKey)
-			iam_pb.RegisterSeaweedIdentityAccessManagementServer(grpcS, iamGrpcServer)
 			glog.V(0).Info("Registered IAM gRPC service on filer (admin Bearer token required)")
 		}
 	}

weed/command/scaffold/security.toml

@@ -44,11 +44,13 @@ expires_after_seconds = 10           # seconds
 # - f.e. the S3 API Shim generates the JWT
 # - the Filer server validates the JWT on writing
 # NOTE: This key is ALSO used as a fallback signing key for S3 STS if s3.iam.config does not specify a signingKey.
-# NOTE: This key is ALSO required to mount the IAM gRPC service (CreateUser,
-#       PutPolicy, CreateAccessKey, ...) on the filer. The filer refuses to
-#       register that service when the key is empty, and every IAM RPC must
-#       carry a Bearer token signed with this key in its "authorization"
-#       gRPC metadata. Mint such a token with security.GenJwtForFilerAdmin.
+# NOTE: This key also gates the filer IAM gRPC service (CreateUser, PutPolicy,
+#       CreateAccessKey, ...). When set, every IAM RPC must carry a Bearer
+#       token signed with this key in its "authorization" gRPC metadata; mint
+#       such a token with security.GenJwtForFilerAdmin. When empty, the IAM
+#       gRPC service runs unauthenticated, like the rest of the filer's gRPC
+#       surface — set the key on both filer and admin if the gRPC port is
+#       reachable beyond a trusted network.
 # the jwt defaults to expire after 10 seconds.
 [jwt.filer_signing]
 key = ""