Revert "Move all IAM storage functionality into iam store type (#13541)"

This reverts commit caadcc3ed82be3276a338fb01d6e9b0390fc5097.
Harshavardhana 2021-11-02 13:51:42 -07:00
parent 70160aeab3
commit 091a7ae359
10 changed files with 1652 additions and 1977 deletions


@ -103,12 +103,6 @@ func toAdminAPIErr(ctx context.Context, err error) APIError {
Description: err.Error(), Description: err.Error(),
HTTPStatusCode: http.StatusServiceUnavailable, HTTPStatusCode: http.StatusServiceUnavailable,
} }
case errors.Is(err, errPolicyInUse):
apiErr = APIError{
Code: "XMinioAdminPolicyInUse",
Description: "The policy cannot be removed, as it is in use",
HTTPStatusCode: http.StatusBadRequest,
}
case errors.Is(err, kes.ErrKeyExists): case errors.Is(err, kes.ErrKeyExists):
apiErr = APIError{ apiErr = APIError{
Code: "XMinioKMSKeyExists", Code: "XMinioKMSKeyExists",


@ -258,20 +258,10 @@ func (s *TestSuiteIAM) TestPolicyCreate(c *check) {
c.Fatalf("policy was missing!") c.Fatalf("policy was missing!")
} }
// 5. Check that policy cannot be deleted when attached to a user. // 5. Check that policy can be deleted.
err = s.adm.RemoveCannedPolicy(ctx, policy)
if err == nil {
c.Fatalf("policy could be unexpectedly deleted!")
}
// 6. Delete the user and then delete the policy.
err = s.adm.RemoveUser(ctx, accessKey)
if err != nil {
c.Fatalf("user could not be deleted: %v", err)
}
err = s.adm.RemoveCannedPolicy(ctx, policy) err = s.adm.RemoveCannedPolicy(ctx, policy)
if err != nil { if err != nil {
c.Fatalf("policy del err: %v", err) c.Fatalf("policy delete err: %v", err)
} }
} }
@ -637,8 +627,7 @@ func (c *check) mustListObjects(ctx context.Context, client *minio.Client, bucke
res := client.ListObjects(ctx, bucket, minio.ListObjectsOptions{}) res := client.ListObjects(ctx, bucket, minio.ListObjectsOptions{})
v, ok := <-res v, ok := <-res
if ok && v.Err != nil { if ok && v.Err != nil {
msg := fmt.Sprintf("user was unable to list: %v", v.Err) c.Fatalf("user was unable to list unexpectedly!")
c.Fatalf(msg)
} }
} }
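Review bot: On the new side of TestPolicyCreate the canned policy is removed while `accessKey` is still mapped to it, and the `RemoveUser` call disappears along with the in-use check, so the test now leaves a user behind whose only policy no longer exists and never exercises that state. Since the restored code accepts the delete, at least clean up with a checked `err = s.adm.RemoveUser(ctx, accessKey)` after step 5 so later tests in the suite do not inherit a dangling policy mapping, and consider a step that asserts what such a user can still do. In the mustListObjects hunk the new `c.Fatalf("user was unable to list unexpectedly!")` discards `v.Err`; `c.Fatalf("user was unable to list unexpectedly: %v", v.Err)` keeps the failure diagnosable without the Sprintf detour. TestPolicyCreate starts outside this hunk.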


@ -27,37 +27,22 @@ import (
type iamDummyStore struct { type iamDummyStore struct {
sync.RWMutex sync.RWMutex
*iamCache
usersSysType UsersSysType
} }
func newIAMDummyStore(usersSysType UsersSysType) *iamDummyStore { func (ids *iamDummyStore) lock() {
return &iamDummyStore{
iamCache: newIamCache(),
usersSysType: usersSysType,
}
}
func (ids *iamDummyStore) rlock() *iamCache {
ids.RLock()
return ids.iamCache
}
func (ids *iamDummyStore) runlock() {
ids.RUnlock()
}
func (ids *iamDummyStore) lock() *iamCache {
ids.Lock() ids.Lock()
return ids.iamCache
} }
func (ids *iamDummyStore) unlock() { func (ids *iamDummyStore) unlock() {
ids.Unlock() ids.Unlock()
} }
func (ids *iamDummyStore) getUsersSysType() UsersSysType { func (ids *iamDummyStore) rlock() {
return ids.usersSysType ids.RLock()
}
func (ids *iamDummyStore) runlock() {
ids.RUnlock()
} }
func (ids *iamDummyStore) migrateBackendFormat(context.Context) error { func (ids *iamDummyStore) migrateBackendFormat(context.Context) error {
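Review bot: The new-side iamDummyStore is reduced to an embedded `sync.RWMutex` and nothing in the hunk says what that mutex guards; the site-replication hunk in this same commit takes `globalIAMSys.store.rlock()` around a read of `globalIAMSys.iamUsersMap`, so the lock appears to protect maps that live on IAMSys rather than any state in this store. That is easy to misread from a store-local view, so say it on the struct: `// iamDummyStore has no backing storage; its RWMutex is taken by IAMSys to guard its in-memory IAM maps.` The four lock helpers would also benefit from one-line comments making clear they only expose the embedded mutex for IAMSys and do not protect anything in the store itself. migrateBackendFormat's body continues past the end of the hunk.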


@ -62,37 +62,27 @@ func extractPathPrefixAndSuffix(s string, prefix string, suffix string) string {
type IAMEtcdStore struct { type IAMEtcdStore struct {
sync.RWMutex sync.RWMutex
*iamCache
usersSysType UsersSysType
client *etcd.Client client *etcd.Client
} }
func newIAMEtcdStore(client *etcd.Client, usersSysType UsersSysType) *IAMEtcdStore { func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
return &IAMEtcdStore{client: client, usersSysType: usersSysType} return &IAMEtcdStore{client: client}
} }
func (ies *IAMEtcdStore) rlock() *iamCache { func (ies *IAMEtcdStore) lock() {
ies.RLock()
return ies.iamCache
}
func (ies *IAMEtcdStore) runlock() {
ies.RUnlock()
}
func (ies *IAMEtcdStore) lock() *iamCache {
ies.Lock() ies.Lock()
return ies.iamCache
} }
func (ies *IAMEtcdStore) unlock() { func (ies *IAMEtcdStore) unlock() {
ies.Unlock() ies.Unlock()
} }
func (ies *IAMEtcdStore) getUsersSysType() UsersSysType { func (ies *IAMEtcdStore) rlock() {
return ies.usersSysType ies.RLock()
}
func (ies *IAMEtcdStore) runlock() {
ies.RUnlock()
} }
func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, itemPath string, opts ...options) error { func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, itemPath string, opts ...options) error {
@ -254,8 +244,6 @@ func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
// Should be called under config migration lock // Should be called under config migration lock
func (ies *IAMEtcdStore) migrateBackendFormat(ctx context.Context) error { func (ies *IAMEtcdStore) migrateBackendFormat(ctx context.Context) error {
ies.Lock()
defer ies.Unlock()
return ies.migrateToV1(ctx) return ies.migrateToV1(ctx)
} }
@ -272,7 +260,7 @@ func (ies *IAMEtcdStore) loadPolicyDoc(ctx context.Context, policy string, m map
return nil return nil
} }
func (ies *IAMEtcdStore) getPolicyDocKV(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error { func (ies *IAMEtcdStore) getPolicyDoc(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
var p iampolicy.Policy var p iampolicy.Policy
err := getIAMConfig(&p, kvs.Value, string(kvs.Key)) err := getIAMConfig(&p, kvs.Value, string(kvs.Key))
if err != nil { if err != nil {
@ -298,14 +286,14 @@ func (ies *IAMEtcdStore) loadPolicyDocs(ctx context.Context, m map[string]iampol
// Parse all values to construct the policies data model. // Parse all values to construct the policies data model.
for _, kvs := range r.Kvs { for _, kvs := range r.Kvs {
if err = ies.getPolicyDocKV(ctx, kvs, m); err != nil && err != errNoSuchPolicy { if err = ies.getPolicyDoc(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
return err return err
} }
} }
return nil return nil
} }
func (ies *IAMEtcdStore) getUserKV(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error { func (ies *IAMEtcdStore) getUser(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
var u UserIdentity var u UserIdentity
err := getIAMConfig(&u, userkv.Value, string(userkv.Key)) err := getIAMConfig(&u, userkv.Value, string(userkv.Key))
if err != nil { if err != nil {
@ -367,7 +355,7 @@ func (ies *IAMEtcdStore) loadUsers(ctx context.Context, userType IAMUserType, m
// Parse all users values to create the proper data model // Parse all users values to create the proper data model
for _, userKv := range r.Kvs { for _, userKv := range r.Kvs {
if err = ies.getUserKV(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser { if err = ies.getUser(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
return err return err
} }
} }
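Review bot: With `ies.Lock()`/`defer ies.Unlock()` gone from migrateBackendFormat, the only thing serializing the V1 migration against other users of the store is the caller-held lock named in the preceding comment, and the caller is not in this hunk, so the precondition is now unchecked and worth stating in a form a reader can verify: `// migrateBackendFormat takes no lock of its own; callers must hold the config migration lock for the duration.` Separately, the renamed `getPolicyDoc` and `getUser` sit next to `loadPolicyDoc`/`loadUsers` but take a single `*mvccpb.KeyValue`, which the old `…KV` suffix made obvious; if the names stay, a doc comment such as `// getPolicyDoc decodes one etcd key/value pair from a prefix Get into m.` (and the equivalent for getUser) would avoid confusing a by-name lookup with a per-entry decoder. The hunk also keeps `err != errNoSuchPolicy`/`err != errNoSuchUser` comparisons while toAdminAPIErr in this commit uses `errors.Is`; that is pre-existing, but a wrapped error would slip past these checks.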


@ -34,44 +34,30 @@ import (
// IAMObjectStore implements IAMStorageAPI // IAMObjectStore implements IAMStorageAPI
type IAMObjectStore struct { type IAMObjectStore struct {
// Protect access to storage within the current server. // Protect assignment to objAPI
sync.RWMutex sync.RWMutex
*iamCache
usersSysType UsersSysType
objAPI ObjectLayer objAPI ObjectLayer
} }
func newIAMObjectStore(objAPI ObjectLayer, usersSysType UsersSysType) *IAMObjectStore { func newIAMObjectStore(objAPI ObjectLayer) *IAMObjectStore {
return &IAMObjectStore{ return &IAMObjectStore{objAPI: objAPI}
iamCache: newIamCache(),
objAPI: objAPI,
usersSysType: usersSysType,
}
} }
func (iamOS *IAMObjectStore) rlock() *iamCache { func (iamOS *IAMObjectStore) lock() {
iamOS.RLock()
return iamOS.iamCache
}
func (iamOS *IAMObjectStore) runlock() {
iamOS.RUnlock()
}
func (iamOS *IAMObjectStore) lock() *iamCache {
iamOS.Lock() iamOS.Lock()
return iamOS.iamCache
} }
func (iamOS *IAMObjectStore) unlock() { func (iamOS *IAMObjectStore) unlock() {
iamOS.Unlock() iamOS.Unlock()
} }
func (iamOS *IAMObjectStore) getUsersSysType() UsersSysType { func (iamOS *IAMObjectStore) rlock() {
return iamOS.usersSysType iamOS.RLock()
}
func (iamOS *IAMObjectStore) runlock() {
iamOS.RUnlock()
} }
// Migrate users directory in a single scan. // Migrate users directory in a single scan.
@ -196,8 +182,6 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
// Should be called under config migration lock // Should be called under config migration lock
func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error { func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error {
iamOS.Lock()
defer iamOS.Unlock()
return iamOS.migrateToV1(ctx) return iamOS.migrateToV1(ctx)
} }
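Review bot: The new-side comment on IAMObjectStore's mutex, `// Protect assignment to objAPI`, does not match how the lock is used: in this hunk `objAPI` is only set once in newIAMObjectStore, while the site-replication hunk of this commit takes `globalIAMSys.store.rlock()` to read `globalIAMSys.iamUsersMap`, so the mutex is in practice IAMSys's guard for its in-memory IAM maps. A stale description of what a lock protects is how lock discipline erodes, so replace it with something like `// RWMutex is taken by IAMSys (via lock/rlock) to guard its in-memory IAM maps; objAPI itself is set only at construction.` migrateBackendFormat likewise no longer locks anything itself, so its "config migration lock" comment should make explicit that this is a caller obligation rather than something the method establishes.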

cmd/iam.go



@ -1270,7 +1270,9 @@ func (c *SiteReplicationSys) getAdminClient(ctx context.Context, deploymentID st
} }
func (c *SiteReplicationSys) getPeerCreds() (*auth.Credentials, error) { func (c *SiteReplicationSys) getPeerCreds() (*auth.Credentials, error) {
creds, ok := globalIAMSys.store.GetUser(c.state.ServiceAccountAccessKey) globalIAMSys.store.rlock()
defer globalIAMSys.store.runlock()
creds, ok := globalIAMSys.iamUsersMap[c.state.ServiceAccountAccessKey]
if !ok { if !ok {
return nil, errors.New("site replication service account not found!") return nil, errors.New("site replication service account not found!")
} }


@ -95,10 +95,6 @@ func (s *TestSuiteIAM) TestSTS(c *check) {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("Unable to set policy: %v", err)
} }
// confirm that the user is able to access the bucket
uClient := s.getUserClient(c, accessKey, secretKey, "")
c.mustListObjects(ctx, uClient, bucket)
assumeRole := cr.STSAssumeRole{ assumeRole := cr.STSAssumeRole{
Client: s.TestSuiteCommon.client, Client: s.TestSuiteCommon.client,
STSEndpoint: s.endPoint, STSEndpoint: s.endPoint,


@ -81,9 +81,6 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
// error returned in IAM subsystem when policy doesn't exist. // error returned in IAM subsystem when policy doesn't exist.
var errNoSuchPolicy = errors.New("Specified canned policy does not exist") var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
// error returned when policy to be deleted is in use.
var errPolicyInUse = errors.New("Specified policy is in use and cannot be deleted.")
// error returned in IAM subsystem when an external users systems is configured. // error returned in IAM subsystem when an external users systems is configured.
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed") var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")