mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
Revert "Move all IAM storage functionality into iam store type (#13541)"
This reverts commit caadcc3ed8
.
This commit is contained in:
parent
70160aeab3
commit
091a7ae359
@ -103,12 +103,6 @@ func toAdminAPIErr(ctx context.Context, err error) APIError {
|
||||
Description: err.Error(),
|
||||
HTTPStatusCode: http.StatusServiceUnavailable,
|
||||
}
|
||||
case errors.Is(err, errPolicyInUse):
|
||||
apiErr = APIError{
|
||||
Code: "XMinioAdminPolicyInUse",
|
||||
Description: "The policy cannot be removed, as it is in use",
|
||||
HTTPStatusCode: http.StatusBadRequest,
|
||||
}
|
||||
case errors.Is(err, kes.ErrKeyExists):
|
||||
apiErr = APIError{
|
||||
Code: "XMinioKMSKeyExists",
|
||||
|
@ -258,20 +258,10 @@ func (s *TestSuiteIAM) TestPolicyCreate(c *check) {
|
||||
c.Fatalf("policy was missing!")
|
||||
}
|
||||
|
||||
// 5. Check that policy cannot be deleted when attached to a user.
|
||||
err = s.adm.RemoveCannedPolicy(ctx, policy)
|
||||
if err == nil {
|
||||
c.Fatalf("policy could be unexpectedly deleted!")
|
||||
}
|
||||
|
||||
// 6. Delete the user and then delete the policy.
|
||||
err = s.adm.RemoveUser(ctx, accessKey)
|
||||
if err != nil {
|
||||
c.Fatalf("user could not be deleted: %v", err)
|
||||
}
|
||||
// 5. Check that policy can be deleted.
|
||||
err = s.adm.RemoveCannedPolicy(ctx, policy)
|
||||
if err != nil {
|
||||
c.Fatalf("policy del err: %v", err)
|
||||
c.Fatalf("policy delete err: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
@ -637,8 +627,7 @@ func (c *check) mustListObjects(ctx context.Context, client *minio.Client, bucke
|
||||
res := client.ListObjects(ctx, bucket, minio.ListObjectsOptions{})
|
||||
v, ok := <-res
|
||||
if ok && v.Err != nil {
|
||||
msg := fmt.Sprintf("user was unable to list: %v", v.Err)
|
||||
c.Fatalf(msg)
|
||||
c.Fatalf("user was unable to list unexpectedly!")
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -27,37 +27,22 @@ import (
|
||||
|
||||
type iamDummyStore struct {
|
||||
sync.RWMutex
|
||||
*iamCache
|
||||
usersSysType UsersSysType
|
||||
}
|
||||
|
||||
func newIAMDummyStore(usersSysType UsersSysType) *iamDummyStore {
|
||||
return &iamDummyStore{
|
||||
iamCache: newIamCache(),
|
||||
usersSysType: usersSysType,
|
||||
}
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) rlock() *iamCache {
|
||||
ids.RLock()
|
||||
return ids.iamCache
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) runlock() {
|
||||
ids.RUnlock()
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) lock() *iamCache {
|
||||
func (ids *iamDummyStore) lock() {
|
||||
ids.Lock()
|
||||
return ids.iamCache
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) unlock() {
|
||||
ids.Unlock()
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) getUsersSysType() UsersSysType {
|
||||
return ids.usersSysType
|
||||
func (ids *iamDummyStore) rlock() {
|
||||
ids.RLock()
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) runlock() {
|
||||
ids.RUnlock()
|
||||
}
|
||||
|
||||
func (ids *iamDummyStore) migrateBackendFormat(context.Context) error {
|
||||
|
@ -62,37 +62,27 @@ func extractPathPrefixAndSuffix(s string, prefix string, suffix string) string {
|
||||
type IAMEtcdStore struct {
|
||||
sync.RWMutex
|
||||
|
||||
*iamCache
|
||||
|
||||
usersSysType UsersSysType
|
||||
|
||||
client *etcd.Client
|
||||
}
|
||||
|
||||
func newIAMEtcdStore(client *etcd.Client, usersSysType UsersSysType) *IAMEtcdStore {
|
||||
return &IAMEtcdStore{client: client, usersSysType: usersSysType}
|
||||
func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
|
||||
return &IAMEtcdStore{client: client}
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) rlock() *iamCache {
|
||||
ies.RLock()
|
||||
return ies.iamCache
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) runlock() {
|
||||
ies.RUnlock()
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) lock() *iamCache {
|
||||
func (ies *IAMEtcdStore) lock() {
|
||||
ies.Lock()
|
||||
return ies.iamCache
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) unlock() {
|
||||
ies.Unlock()
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) getUsersSysType() UsersSysType {
|
||||
return ies.usersSysType
|
||||
func (ies *IAMEtcdStore) rlock() {
|
||||
ies.RLock()
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) runlock() {
|
||||
ies.RUnlock()
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, itemPath string, opts ...options) error {
|
||||
@ -254,8 +244,6 @@ func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
|
||||
|
||||
// Should be called under config migration lock
|
||||
func (ies *IAMEtcdStore) migrateBackendFormat(ctx context.Context) error {
|
||||
ies.Lock()
|
||||
defer ies.Unlock()
|
||||
return ies.migrateToV1(ctx)
|
||||
}
|
||||
|
||||
@ -272,7 +260,7 @@ func (ies *IAMEtcdStore) loadPolicyDoc(ctx context.Context, policy string, m map
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) getPolicyDocKV(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
|
||||
func (ies *IAMEtcdStore) getPolicyDoc(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
|
||||
var p iampolicy.Policy
|
||||
err := getIAMConfig(&p, kvs.Value, string(kvs.Key))
|
||||
if err != nil {
|
||||
@ -298,14 +286,14 @@ func (ies *IAMEtcdStore) loadPolicyDocs(ctx context.Context, m map[string]iampol
|
||||
|
||||
// Parse all values to construct the policies data model.
|
||||
for _, kvs := range r.Kvs {
|
||||
if err = ies.getPolicyDocKV(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
|
||||
if err = ies.getPolicyDoc(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ies *IAMEtcdStore) getUserKV(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
|
||||
func (ies *IAMEtcdStore) getUser(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
|
||||
var u UserIdentity
|
||||
err := getIAMConfig(&u, userkv.Value, string(userkv.Key))
|
||||
if err != nil {
|
||||
@ -367,7 +355,7 @@ func (ies *IAMEtcdStore) loadUsers(ctx context.Context, userType IAMUserType, m
|
||||
|
||||
// Parse all users values to create the proper data model
|
||||
for _, userKv := range r.Kvs {
|
||||
if err = ies.getUserKV(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
|
||||
if err = ies.getUser(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
@ -34,44 +34,30 @@ import (
|
||||
|
||||
// IAMObjectStore implements IAMStorageAPI
|
||||
type IAMObjectStore struct {
|
||||
// Protect access to storage within the current server.
|
||||
// Protect assignment to objAPI
|
||||
sync.RWMutex
|
||||
|
||||
*iamCache
|
||||
|
||||
usersSysType UsersSysType
|
||||
|
||||
objAPI ObjectLayer
|
||||
}
|
||||
|
||||
func newIAMObjectStore(objAPI ObjectLayer, usersSysType UsersSysType) *IAMObjectStore {
|
||||
return &IAMObjectStore{
|
||||
iamCache: newIamCache(),
|
||||
objAPI: objAPI,
|
||||
usersSysType: usersSysType,
|
||||
}
|
||||
func newIAMObjectStore(objAPI ObjectLayer) *IAMObjectStore {
|
||||
return &IAMObjectStore{objAPI: objAPI}
|
||||
}
|
||||
|
||||
func (iamOS *IAMObjectStore) rlock() *iamCache {
|
||||
iamOS.RLock()
|
||||
return iamOS.iamCache
|
||||
}
|
||||
|
||||
func (iamOS *IAMObjectStore) runlock() {
|
||||
iamOS.RUnlock()
|
||||
}
|
||||
|
||||
func (iamOS *IAMObjectStore) lock() *iamCache {
|
||||
func (iamOS *IAMObjectStore) lock() {
|
||||
iamOS.Lock()
|
||||
return iamOS.iamCache
|
||||
}
|
||||
|
||||
func (iamOS *IAMObjectStore) unlock() {
|
||||
iamOS.Unlock()
|
||||
}
|
||||
|
||||
func (iamOS *IAMObjectStore) getUsersSysType() UsersSysType {
|
||||
return iamOS.usersSysType
|
||||
func (iamOS *IAMObjectStore) rlock() {
|
||||
iamOS.RLock()
|
||||
}
|
||||
|
||||
func (iamOS *IAMObjectStore) runlock() {
|
||||
iamOS.RUnlock()
|
||||
}
|
||||
|
||||
// Migrate users directory in a single scan.
|
||||
@ -196,8 +182,6 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
|
||||
|
||||
// Should be called under config migration lock
|
||||
func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error {
|
||||
iamOS.Lock()
|
||||
defer iamOS.Unlock()
|
||||
return iamOS.migrateToV1(ctx)
|
||||
}
|
||||
|
||||
|
1712
cmd/iam-store.go
1712
cmd/iam-store.go
File diff suppressed because it is too large
Load Diff
1716
cmd/iam.go
1716
cmd/iam.go
File diff suppressed because it is too large
Load Diff
@ -1270,7 +1270,9 @@ func (c *SiteReplicationSys) getAdminClient(ctx context.Context, deploymentID st
|
||||
}
|
||||
|
||||
func (c *SiteReplicationSys) getPeerCreds() (*auth.Credentials, error) {
|
||||
creds, ok := globalIAMSys.store.GetUser(c.state.ServiceAccountAccessKey)
|
||||
globalIAMSys.store.rlock()
|
||||
defer globalIAMSys.store.runlock()
|
||||
creds, ok := globalIAMSys.iamUsersMap[c.state.ServiceAccountAccessKey]
|
||||
if !ok {
|
||||
return nil, errors.New("site replication service account not found!")
|
||||
}
|
||||
|
@ -95,10 +95,6 @@ func (s *TestSuiteIAM) TestSTS(c *check) {
|
||||
c.Fatalf("Unable to set policy: %v", err)
|
||||
}
|
||||
|
||||
// confirm that the user is able to access the bucket
|
||||
uClient := s.getUserClient(c, accessKey, secretKey, "")
|
||||
c.mustListObjects(ctx, uClient, bucket)
|
||||
|
||||
assumeRole := cr.STSAssumeRole{
|
||||
Client: s.TestSuiteCommon.client,
|
||||
STSEndpoint: s.endPoint,
|
||||
|
@ -81,9 +81,6 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
|
||||
// error returned in IAM subsystem when policy doesn't exist.
|
||||
var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
|
||||
|
||||
// error returned when policy to be deleted is in use.
|
||||
var errPolicyInUse = errors.New("Specified policy is in use and cannot be deleted.")
|
||||
|
||||
// error returned in IAM subsystem when an external users systems is configured.
|
||||
var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user