add thread context in surrounding function into IAM functions (#13658)

This commit is contained in:
Aditya Manthramurthy 2021-11-15 14:14:22 -08:00 committed by GitHub
parent 7752cdbfaf
commit 07c5e72cdb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 82 additions and 81 deletions


@ -58,7 +58,7 @@ func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
return return
} }
if err := globalIAMSys.DeleteUser(accessKey); err != nil { if err := globalIAMSys.DeleteUser(ctx, accessKey); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
@ -191,7 +191,7 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
} }
} }
userInfo, err := globalIAMSys.GetUserInfo(name) userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
@ -231,9 +231,9 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
} }
if updReq.IsRemove { if updReq.IsRemove {
err = globalIAMSys.RemoveUsersFromGroup(updReq.Group, updReq.Members) err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
} else { } else {
err = globalIAMSys.AddUsersToGroup(updReq.Group, updReq.Members) err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
} }
if err != nil { if err != nil {
@ -292,7 +292,7 @@ func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
return return
} }
groups, err := globalIAMSys.ListGroups() groups, err := globalIAMSys.ListGroups(ctx)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
@ -324,9 +324,9 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
var err error var err error
if status == statusEnabled { if status == statusEnabled {
err = globalIAMSys.SetGroupStatus(group, true) err = globalIAMSys.SetGroupStatus(ctx, group, true)
} else if status == statusDisabled { } else if status == statusDisabled {
err = globalIAMSys.SetGroupStatus(group, false) err = globalIAMSys.SetGroupStatus(ctx, group, false)
} else { } else {
err = errInvalidArgument err = errInvalidArgument
} }
@ -367,7 +367,7 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
return return
} }
if err := globalIAMSys.SetUserStatus(accessKey, madmin.AccountStatus(status)); err != nil { if err := globalIAMSys.SetUserStatus(ctx, accessKey, madmin.AccountStatus(status)); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
@ -477,7 +477,7 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
return return
} }
if err = globalIAMSys.CreateUser(accessKey, uinfo); err != nil { if err = globalIAMSys.CreateUser(ctx, accessKey, uinfo); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
@ -1304,7 +1304,7 @@ func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Requ
} }
bucket := mux.Vars(r)["bucket"] bucket := mux.Vars(r)["bucket"]
policies, err := globalIAMSys.ListPolicies(bucket) policies, err := globalIAMSys.ListPolicies(ctx, bucket)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
@ -1336,7 +1336,7 @@ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Requ
return return
} }
policies, err := globalIAMSys.ListPolicies("") policies, err := globalIAMSys.ListPolicies(ctx, "")
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
@ -1371,7 +1371,7 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ
vars := mux.Vars(r) vars := mux.Vars(r)
policyName := vars["name"] policyName := vars["name"]
if err := globalIAMSys.DeletePolicy(policyName); err != nil { if err := globalIAMSys.DeletePolicy(ctx, policyName); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
@ -1439,7 +1439,7 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
return return
} }
if err = globalIAMSys.SetPolicy(policyName, *iamPolicy); err != nil { if err = globalIAMSys.SetPolicy(ctx, policyName, *iamPolicy); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
@ -1494,7 +1494,7 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
} }
} }
if err := globalIAMSys.PolicyDBSet(entityName, policyName, isGroup); err != nil { if err := globalIAMSys.PolicyDBSet(ctx, entityName, policyName, isGroup); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
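Review bot: Passing the request-scoped `ctx` into the mutating IAM calls (`DeleteUser` at line 16, `CreateUser` at 61, `SetPolicy` at 89, `PolicyDBSet` at 96, the group updates at 30–32) means a client that disconnects or times out mid-request now cancels the backend write, whereas `context.Background()` previously let it run to completion. If any of those store operations persist more than one object — a user identity plus its policy mapping, say; the store side is not visible here — a cancellation between the two steps could leave IAM half-updated, and the admin would see only an aborted request. Worth confirming that each store method is a single write or tolerant of partial completion; otherwise a detached context with its own deadline, as `loadWatchedEvent` does with `context.WithTimeout`, would keep the write atomic from the client's point of view. Every handler in this section starts and ends outside its hunk.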


@ -1353,7 +1353,7 @@ func (store *IAMStoreSys) SetTempUser(ctx context.Context, accessKey string, cre
} }
u := newUserIdentity(cred) u := newUserIdentity(cred)
err := store.saveUserIdentity(context.Background(), accessKey, stsUser, u, options{ttl: ttl}) err := store.saveUserIdentity(ctx, accessKey, stsUser, u, options{ttl: ttl})
if err != nil { if err != nil {
return err return err
} }


@ -87,26 +87,26 @@ const (
// storage, it is removed from in-memory maps as well - this // storage, it is removed from in-memory maps as well - this
// simplifies the implementation for group removal. This is called // simplifies the implementation for group removal. This is called
// only via IAM notifications. // only via IAM notifications.
func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error { func (sys *IAMSys) LoadGroup(ctx context.Context, objAPI ObjectLayer, group string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.GroupNotificationHandler(context.Background(), group) return sys.store.GroupNotificationHandler(ctx, group)
} }
// LoadPolicy - reloads a specific canned policy from backend disks or etcd. // LoadPolicy - reloads a specific canned policy from backend disks or etcd.
func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error { func (sys *IAMSys) LoadPolicy(ctx context.Context, objAPI ObjectLayer, policyName string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.PolicyNotificationHandler(context.Background(), policyName) return sys.store.PolicyNotificationHandler(ctx, policyName)
} }
// LoadPolicyMapping - loads the mapped policy for a user or group // LoadPolicyMapping - loads the mapped policy for a user or group
// from storage into server memory. // from storage into server memory.
func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isGroup bool) error { func (sys *IAMSys) LoadPolicyMapping(ctx context.Context, objAPI ObjectLayer, userOrGroup string, isGroup bool) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -117,25 +117,25 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
userType = stsUser userType = stsUser
} }
return sys.store.PolicyMappingNotificationHandler(context.Background(), userOrGroup, isGroup, userType) return sys.store.PolicyMappingNotificationHandler(ctx, userOrGroup, isGroup, userType)
} }
// LoadUser - reloads a specific user from backend disks or etcd. // LoadUser - reloads a specific user from backend disks or etcd.
func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUserType) error { func (sys *IAMSys) LoadUser(ctx context.Context, objAPI ObjectLayer, accessKey string, userType IAMUserType) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.UserNotificationHandler(context.Background(), accessKey, userType) return sys.store.UserNotificationHandler(ctx, accessKey, userType)
} }
// LoadServiceAccount - reloads a specific service account from backend disks or etcd. // LoadServiceAccount - reloads a specific service account from backend disks or etcd.
func (sys *IAMSys) LoadServiceAccount(accessKey string) error { func (sys *IAMSys) LoadServiceAccount(ctx context.Context, accessKey string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.UserNotificationHandler(context.Background(), accessKey, svcUser) return sys.store.UserNotificationHandler(ctx, accessKey, svcUser)
} }
// Perform IAM configuration migration. // Perform IAM configuration migration.
@ -338,7 +338,7 @@ func (sys *IAMSys) watch(ctx context.Context) {
} }
} }
func (sys *IAMSys) loadWatchedEvent(outerCtx context.Context, event iamWatchEvent) (err error) { func (sys *IAMSys) loadWatchedEvent(ctx context.Context, event iamWatchEvent) (err error) {
usersPrefix := strings.HasPrefix(event.keyPath, iamConfigUsersPrefix) usersPrefix := strings.HasPrefix(event.keyPath, iamConfigUsersPrefix)
groupsPrefix := strings.HasPrefix(event.keyPath, iamConfigGroupsPrefix) groupsPrefix := strings.HasPrefix(event.keyPath, iamConfigGroupsPrefix)
stsPrefix := strings.HasPrefix(event.keyPath, iamConfigSTSPrefix) stsPrefix := strings.HasPrefix(event.keyPath, iamConfigSTSPrefix)
@ -348,7 +348,7 @@ func (sys *IAMSys) loadWatchedEvent(outerCtx context.Context, event iamWatchEven
policyDBSTSUsersPrefix := strings.HasPrefix(event.keyPath, iamConfigPolicyDBSTSUsersPrefix) policyDBSTSUsersPrefix := strings.HasPrefix(event.keyPath, iamConfigPolicyDBSTSUsersPrefix)
policyDBGroupsPrefix := strings.HasPrefix(event.keyPath, iamConfigPolicyDBGroupsPrefix) policyDBGroupsPrefix := strings.HasPrefix(event.keyPath, iamConfigPolicyDBGroupsPrefix)
ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
defer cancel() defer cancel()
if event.isCreated { if event.isCreated {
@ -417,12 +417,12 @@ func (sys *IAMSys) loadWatchedEvent(outerCtx context.Context, event iamWatchEven
} }
// DeletePolicy - deletes a canned policy from backend or etcd. // DeletePolicy - deletes a canned policy from backend or etcd.
func (sys *IAMSys) DeletePolicy(policyName string) error { func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.DeletePolicy(context.Background(), policyName) return sys.store.DeletePolicy(ctx, policyName)
} }
// InfoPolicy - expands the canned policy into its JSON structure. // InfoPolicy - expands the canned policy into its JSON structure.
@ -435,32 +435,32 @@ func (sys *IAMSys) InfoPolicy(policyName string) (iampolicy.Policy, error) {
} }
// ListPolicies - lists all canned policies. // ListPolicies - lists all canned policies.
func (sys *IAMSys) ListPolicies(bucketName string) (map[string]iampolicy.Policy, error) { func (sys *IAMSys) ListPolicies(ctx context.Context, bucketName string) (map[string]iampolicy.Policy, error) {
if !sys.Initialized() { if !sys.Initialized() {
return nil, errServerNotInitialized return nil, errServerNotInitialized
} }
<-sys.configLoaded <-sys.configLoaded
return sys.store.ListPolicies(context.Background(), bucketName) return sys.store.ListPolicies(ctx, bucketName)
} }
// SetPolicy - sets a new named policy. // SetPolicy - sets a new named policy.
func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error { func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy.Policy) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.SetPolicy(context.Background(), policyName, p) return sys.store.SetPolicy(ctx, policyName, p)
} }
// DeleteUser - delete user (only for long-term users not STS users). // DeleteUser - delete user (only for long-term users not STS users).
func (sys *IAMSys) DeleteUser(accessKey string) error { func (sys *IAMSys) DeleteUser(ctx context.Context, accessKey string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.DeleteUser(context.Background(), accessKey, regUser) return sys.store.DeleteUser(ctx, accessKey, regUser)
} }
// CurrentPolicies - returns comma separated policy string, from // CurrentPolicies - returns comma separated policy string, from
@ -476,7 +476,7 @@ func (sys *IAMSys) CurrentPolicies(policyName string) string {
} }
// SetTempUser - set temporary user credentials, these credentials have an expiry. // SetTempUser - set temporary user credentials, these credentials have an expiry.
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error { func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -486,7 +486,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
policyName = "" policyName = ""
} }
return sys.store.SetTempUser(context.Background(), accessKey, cred, policyName) return sys.store.SetTempUser(ctx, accessKey, cred, policyName)
} }
// ListBucketUsers - list all users who can access this 'bucket' // ListBucketUsers - list all users who can access this 'bucket'
@ -548,7 +548,7 @@ func (sys *IAMSys) IsServiceAccount(name string) (bool, string, error) {
} }
// GetUserInfo - get info on a user. // GetUserInfo - get info on a user.
func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) { func (sys *IAMSys) GetUserInfo(ctx context.Context, name string) (u madmin.UserInfo, err error) {
if !sys.Initialized() { if !sys.Initialized() {
return u, errServerNotInitialized return u, errServerNotInitialized
} }
@ -556,14 +556,14 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
select { select {
case <-sys.configLoaded: case <-sys.configLoaded:
default: default:
sys.store.LoadUser(context.Background(), name) sys.store.LoadUser(ctx, name)
} }
return sys.store.GetUserInfo(name) return sys.store.GetUserInfo(name)
} }
// SetUserStatus - sets current user status, supports disabled or enabled. // SetUserStatus - sets current user status, supports disabled or enabled.
func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus) error { func (sys *IAMSys) SetUserStatus(ctx context.Context, accessKey string, status madmin.AccountStatus) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -572,7 +572,7 @@ func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus)
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.SetUserStatus(context.Background(), accessKey, status) return sys.store.SetUserStatus(ctx, accessKey, status)
} }
type newServiceAccountOpts struct { type newServiceAccountOpts struct {
@ -756,7 +756,7 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
// CreateUser - create new user credentials and policy, if user already exists // CreateUser - create new user credentials and policy, if user already exists
// they shall be rewritten with new inputs. // they shall be rewritten with new inputs.
func (sys *IAMSys) CreateUser(accessKey string, uinfo madmin.UserInfo) error { func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmin.UserInfo) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -773,11 +773,11 @@ func (sys *IAMSys) CreateUser(accessKey string, uinfo madmin.UserInfo) error {
return auth.ErrInvalidSecretKeyLength return auth.ErrInvalidSecretKeyLength
} }
return sys.store.AddUser(context.Background(), accessKey, uinfo) return sys.store.AddUser(ctx, accessKey, uinfo)
} }
// SetUserSecretKey - sets user secret key // SetUserSecretKey - sets user secret key
func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error { func (sys *IAMSys) SetUserSecretKey(ctx context.Context, accessKey string, secretKey string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -794,7 +794,7 @@ func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
return auth.ErrInvalidSecretKeyLength return auth.ErrInvalidSecretKeyLength
} }
return sys.store.UpdateUserSecretKey(context.Background(), accessKey, secretKey) return sys.store.UpdateUserSecretKey(ctx, accessKey, secretKey)
} }
// purgeExpiredCredentialsForExternalSSO - validates if local credentials are still valid // purgeExpiredCredentialsForExternalSSO - validates if local credentials are still valid
@ -919,7 +919,7 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
} }
// GetUser - get user credentials // GetUser - get user credentials
func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) { func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Credentials, ok bool) {
if !sys.Initialized() { if !sys.Initialized() {
return cred, false return cred, false
} }
@ -928,7 +928,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
select { select {
case <-sys.configLoaded: case <-sys.configLoaded:
default: default:
sys.store.LoadUser(context.Background(), accessKey) sys.store.LoadUser(ctx, accessKey)
fallback = true fallback = true
} }
@ -940,7 +940,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
// the IAM store and see if credential // the IAM store and see if credential
// exists now. If it doesn't proceed to // exists now. If it doesn't proceed to
// fail. // fail.
sys.store.LoadUser(context.Background(), accessKey) sys.store.LoadUser(ctx, accessKey)
cred, ok = sys.store.GetUser(accessKey) cred, ok = sys.store.GetUser(accessKey)
} }
@ -949,14 +949,14 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
policies, err := sys.store.PolicyDBGet(cred.AccessKey, false) policies, err := sys.store.PolicyDBGet(cred.AccessKey, false)
if err != nil { if err != nil {
// Reject if the policy map for user doesn't exist anymore. // Reject if the policy map for user doesn't exist anymore.
logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser)) logger.LogIf(ctx, fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
return auth.Credentials{}, false return auth.Credentials{}, false
} }
for _, group := range cred.Groups { for _, group := range cred.Groups {
ps, err := sys.store.PolicyDBGet(group, true) ps, err := sys.store.PolicyDBGet(group, true)
if err != nil { if err != nil {
// Reject if the policy map for group doesn't exist anymore. // Reject if the policy map for group doesn't exist anymore.
logger.LogIf(context.Background(), fmt.Errorf("'%s' group does not have a policy present", group)) logger.LogIf(ctx, fmt.Errorf("'%s' group does not have a policy present", group))
return auth.Credentials{}, false return auth.Credentials{}, false
} }
policies = append(policies, ps...) policies = append(policies, ps...)
@ -969,7 +969,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
// AddUsersToGroup - adds users to a group, creating the group if // AddUsersToGroup - adds users to a group, creating the group if
// needed. No error if user(s) already are in the group. // needed. No error if user(s) already are in the group.
func (sys *IAMSys) AddUsersToGroup(group string, members []string) error { func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -978,12 +978,12 @@ func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.AddUsersToGroup(context.Background(), group, members) return sys.store.AddUsersToGroup(ctx, group, members)
} }
// RemoveUsersFromGroup - remove users from group. If no users are // RemoveUsersFromGroup - remove users from group. If no users are
// given, and the group is empty, deletes the group as well. // given, and the group is empty, deletes the group as well.
func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error { func (sys *IAMSys) RemoveUsersFromGroup(ctx context.Context, group string, members []string) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -992,11 +992,11 @@ func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.RemoveUsersFromGroup(context.Background(), group, members) return sys.store.RemoveUsersFromGroup(ctx, group, members)
} }
// SetGroupStatus - enable/disabled a group // SetGroupStatus - enable/disabled a group
func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error { func (sys *IAMSys) SetGroupStatus(ctx context.Context, group string, enabled bool) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -1005,7 +1005,7 @@ func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.SetGroupStatus(context.Background(), group, enabled) return sys.store.SetGroupStatus(ctx, group, enabled)
} }
// GetGroupDescription - builds up group description // GetGroupDescription - builds up group description
@ -1018,18 +1018,18 @@ func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err e
} }
// ListGroups - lists groups. // ListGroups - lists groups.
func (sys *IAMSys) ListGroups() (r []string, err error) { func (sys *IAMSys) ListGroups(ctx context.Context) (r []string, err error) {
if !sys.Initialized() { if !sys.Initialized() {
return r, errServerNotInitialized return r, errServerNotInitialized
} }
<-sys.configLoaded <-sys.configLoaded
return sys.store.ListGroups(context.Background()) return sys.store.ListGroups(ctx)
} }
// PolicyDBSet - sets a policy for a user or group in the PolicyDB. // PolicyDBSet - sets a policy for a user or group in the PolicyDB.
func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error { func (sys *IAMSys) PolicyDBSet(ctx context.Context, name, policy string, isGroup bool) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
@ -1040,7 +1040,7 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
userType = stsUser userType = stsUser
} }
return sys.store.PolicyDBSet(context.Background(), name, policy, userType, isGroup) return sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup)
} }
// PolicyDBGet - gets policy set on a user or group. If a list of groups is // PolicyDBGet - gets policy set on a user or group. If a list of groups is
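Review bot: `GetUser` still discards whatever `sys.store.LoadUser` returns at lines 277 and 284, and now that `ctx` is the caller's request context a cancellation or deadline during that load is indistinguishable from the key not existing: the function falls through to `sys.store.GetUser` and reports `ok == false`, which callers turn into an invalid-access-key error. If `store.LoadUser` returns an error (its signature is not in this hunk), surfacing it in the log would keep backend and context failures from being misreported as bad credentials: `if err := sys.store.LoadUser(ctx, accessKey); err != nil { logger.LogIf(ctx, err) }`. Separately, the log line at 291 names `cred.ParentUser` while the lookup that failed was for `cred.AccessKey`; logging both would point the entry at the right identity. `GetUser` spans several hunks and its body continues outside them.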


@ -18,6 +18,7 @@
package cmd package cmd
import ( import (
"context"
"errors" "errors"
"net/http" "net/http"
"time" "time"
@ -62,7 +63,7 @@ func authenticateJWTUsersWithCredentials(credentials auth.Credentials, expiresAt
serverCred := globalActiveCred serverCred := globalActiveCred
if serverCred.AccessKey != credentials.AccessKey { if serverCred.AccessKey != credentials.AccessKey {
var ok bool var ok bool
serverCred, ok = globalIAMSys.GetUser(credentials.AccessKey) serverCred, ok = globalIAMSys.GetUser(context.TODO(), credentials.AccessKey)
if !ok { if !ok {
return "", errInvalidAccessKeyID return "", errInvalidAccessKeyID
} }
@ -114,7 +115,7 @@ func webRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, bool, error) {
if claims.AccessKey == globalActiveCred.AccessKey { if claims.AccessKey == globalActiveCred.AccessKey {
return []byte(globalActiveCred.SecretKey), nil return []byte(globalActiveCred.SecretKey), nil
} }
cred, ok := globalIAMSys.GetUser(claims.AccessKey) cred, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
if !ok { if !ok {
return nil, errInvalidAccessKeyID return nil, errInvalidAccessKeyID
} }
@ -125,7 +126,7 @@ func webRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, bool, error) {
owner := true owner := true
if globalActiveCred.AccessKey != claims.AccessKey { if globalActiveCred.AccessKey != claims.AccessKey {
// Check if the access key is part of users credentials. // Check if the access key is part of users credentials.
ucred, ok := globalIAMSys.GetUser(claims.AccessKey) ucred, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
if !ok { if !ok {
return nil, false, errInvalidAccessKeyID return nil, false, errInvalidAccessKeyID
} }
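Review bot: `authenticateJWTUsersWithCredentials` at line 371 still calls `GetUser` with `context.TODO()`, leaving the JWT login path as the one IAM lookup in this change that carries no cancellation and no request metadata for the `logger.LogIf(ctx, ...)` calls inside `GetUser`. Its signature at line 367 takes only the credentials and expiry, so threading a `ctx context.Context` first parameter from its callers would close the gap; the callers are not visible here, and `webRequestAuthenticate` already has `req.Context()` to hand down if it is one of them. The function body continues outside this hunk.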


@ -77,7 +77,7 @@ func (s *peerRESTServer) DeletePolicyHandler(w http.ResponseWriter, r *http.Requ
return return
} }
if err := globalIAMSys.DeletePolicy(policyName); err != nil { if err := globalIAMSys.DeletePolicy(r.Context(), policyName); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }
@ -103,7 +103,7 @@ func (s *peerRESTServer) LoadPolicyHandler(w http.ResponseWriter, r *http.Reques
return return
} }
if err := globalIAMSys.LoadPolicy(objAPI, policyName); err != nil { if err := globalIAMSys.LoadPolicy(r.Context(), objAPI, policyName); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }
@ -130,7 +130,7 @@ func (s *peerRESTServer) LoadPolicyMappingHandler(w http.ResponseWriter, r *http
} }
_, isGroup := r.Form[peerRESTIsGroup] _, isGroup := r.Form[peerRESTIsGroup]
if err := globalIAMSys.LoadPolicyMapping(objAPI, userOrGroup, isGroup); err != nil { if err := globalIAMSys.LoadPolicyMapping(r.Context(), objAPI, userOrGroup, isGroup); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }
@ -182,7 +182,7 @@ func (s *peerRESTServer) LoadServiceAccountHandler(w http.ResponseWriter, r *htt
return return
} }
if err := globalIAMSys.LoadServiceAccount(accessKey); err != nil { if err := globalIAMSys.LoadServiceAccount(r.Context(), accessKey); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }
@ -208,7 +208,7 @@ func (s *peerRESTServer) DeleteUserHandler(w http.ResponseWriter, r *http.Reques
return return
} }
if err := globalIAMSys.DeleteUser(accessKey); err != nil { if err := globalIAMSys.DeleteUser(r.Context(), accessKey); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }
@ -245,7 +245,7 @@ func (s *peerRESTServer) LoadUserHandler(w http.ResponseWriter, r *http.Request)
userType = stsUser userType = stsUser
} }
if err = globalIAMSys.LoadUser(objAPI, accessKey, userType); err != nil { if err = globalIAMSys.LoadUser(r.Context(), objAPI, accessKey, userType); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }
@ -266,7 +266,7 @@ func (s *peerRESTServer) LoadGroupHandler(w http.ResponseWriter, r *http.Request
vars := mux.Vars(r) vars := mux.Vars(r)
group := vars[peerRESTGroup] group := vars[peerRESTGroup]
err := globalIAMSys.LoadGroup(objAPI, group) err := globalIAMSys.LoadGroup(r.Context(), objAPI, group)
if err != nil { if err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
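Review bot: The reload handlers (`LoadPolicy`, `LoadPolicyMapping`, `LoadServiceAccount`, `LoadUser`, `LoadGroup` at lines 404–439) now run under `r.Context()`, so a peer whose client times out or drops the connection cancels this node's refresh of its in-memory IAM view. The error is returned to a peer that may no longer be listening and nothing in these handlers logs it locally, which could leave this node serving a stale user, policy or group silently — a concern for revocations in particular, where a removed policy or user might keep being honoured here until some later full reload. If these notifications are meant to be best-effort, consider at least `logger.LogIf(r.Context(), err)` before each `s.writeErrorResponse(w, err)`, or running the refresh under a detached context with its own timeout so a slow peer cannot abort it. Whether a periodic reload backstops this is outside the hunk.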


@ -152,7 +152,7 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
cred := globalActiveCred cred := globalActiveCred
if cred.AccessKey != accessKey { if cred.AccessKey != accessKey {
// Check if the access key is part of users credentials. // Check if the access key is part of users credentials.
ucred, ok := globalIAMSys.GetUser(accessKey) ucred, ok := globalIAMSys.GetUser(r.Context(), accessKey)
if !ok { if !ok {
return cred, false, ErrInvalidAccessKeyID return cred, false, ErrInvalidAccessKeyID
} }
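Review bot: With `GetUser(r.Context(), accessKey)` at line 450, a request whose context is already cancelled or past its deadline now ends in `ErrInvalidAccessKeyID` at line 452 rather than a backend or timeout error, because `GetUser` reports only `ok == false`. From an audit and detection standpoint that makes genuine bad-key attempts and cancelled requests look identical in the access log, so a burst of client-side aborts can resemble credential guessing. If `GetUser` cannot be changed to return an error, checking `r.Context().Err()` before mapping to `ErrInvalidAccessKeyID` and returning the service's existing timeout error code instead would keep the two cases distinguishable. `checkKeyValid` starts and continues outside this hunk.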


@ -76,7 +76,7 @@ func TestCheckValid(t *testing.T) {
t.Fatalf("unable create credential, %s", err) t.Fatalf("unable create credential, %s", err)
} }
globalIAMSys.CreateUser(ucreds.AccessKey, madmin.UserInfo{ globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.UserInfo{
SecretKey: ucreds.SecretKey, SecretKey: ucreds.SecretKey,
Status: madmin.AccountEnabled, Status: madmin.AccountEnabled,
}) })
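Review bot: The `CreateUser` call at line 460 still discards its error, so if the user is not created the test fails later with a misleading signature error instead of at the setup step. Wrapping it as `if err := globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.UserInfo{...}); err != nil { t.Fatalf("unable to create user, %s", err) }` keeps the failure at its source and mirrors the check just above it at line 458. `TestCheckValid` continues outside this hunk.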


@ -947,9 +947,9 @@ func (c *SiteReplicationSys) IAMChangeHook(ctx context.Context, item madmin.SRIA
func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error { func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error {
var err error var err error
if p == nil { if p == nil {
err = globalIAMSys.DeletePolicy(policyName) err = globalIAMSys.DeletePolicy(ctx, policyName)
} else { } else {
err = globalIAMSys.SetPolicy(policyName, *p) err = globalIAMSys.SetPolicy(ctx, policyName, *p)
} }
if err != nil { if err != nil {
return wrapSRErr(err) return wrapSRErr(err)
@ -1061,7 +1061,7 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
// PeerPolicyMappingHandler - copies policy mapping to local. // PeerPolicyMappingHandler - copies policy mapping to local.
func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mapping madmin.SRPolicyMapping) error { func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mapping madmin.SRPolicyMapping) error {
err := globalIAMSys.PolicyDBSet(mapping.UserOrGroup, mapping.Policy, mapping.IsGroup) err := globalIAMSys.PolicyDBSet(ctx, mapping.UserOrGroup, mapping.Policy, mapping.IsGroup)
if err != nil { if err != nil {
return wrapSRErr(err) return wrapSRErr(err)
} }
@ -1116,7 +1116,7 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
} }
// Set these credentials to IAM. // Set these credentials to IAM.
if err := globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil { if err := globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, ""); err != nil {
return fmt.Errorf("unable to save STS credential: %v", err) return fmt.Errorf("unable to save STS credential: %v", err)
} }
@ -1404,7 +1404,7 @@ func (c *SiteReplicationSys) syncLocalToPeers(ctx context.Context) SRError {
{ {
// Replicate IAM policies on local to all peers. // Replicate IAM policies on local to all peers.
allPolicies, err := globalIAMSys.ListPolicies("") allPolicies, err := globalIAMSys.ListPolicies(ctx, "")
if err != nil { if err != nil {
return errSRBackendIssue(err) return errSRBackendIssue(err)
} }


@ -273,7 +273,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
cred.ParentUser = user.AccessKey cred.ParentUser = user.AccessKey
// Set the newly generated credentials. // Set the newly generated credentials.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil { if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -479,7 +479,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
cred.ParentUser = "openid:" + subFromToken + ":" + issFromToken cred.ParentUser = "openid:" + subFromToken + ":" + issFromToken
// Set the newly generated credentials. // Set the newly generated credentials.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil { if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -645,7 +645,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
// Set the newly generated credentials, policyName is empty on purpose // Set the newly generated credentials, policyName is empty on purpose
// LDAP policies are applied automatically using their ldapUser, ldapGroups // LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping. // mapping.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil { if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, ""); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -813,7 +813,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
} }
tmpCredentials.ParentUser = parentUser tmpCredentials.ParentUser = parentUser
err = globalIAMSys.SetTempUser(tmpCredentials.AccessKey, tmpCredentials, certificate.Subject.CommonName) err = globalIAMSys.SetTempUser(ctx, tmpCredentials.AccessKey, tmpCredentials, certificate.Subject.CommonName)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return