fix: SR: Add more info when IAM config differs (#18302)

Provide details on what IAM info mismatched when the validation fails
2025-01-23 04:33:15 -05:00 · 2023-10-23 21:16:40 -07:00 · 2023-10-23 21:16:40 -07:00 · 0a284a1a10
commit 0a284a1a10
parent 5c8339e1e8
3 changed files with 131 additions and 119 deletions
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@ -310,6 +310,7 @@ const (
 	ErrSiteReplicationBucketMetaError
 	ErrSiteReplicationIAMError
 	ErrSiteReplicationConfigMissing
+	ErrSiteReplicationIAMConfigMismatch

 	// Pool rebalance errors
 	ErrAdminRebalanceAlreadyStarted
@ -1512,6 +1513,11 @@ var errorCodes = errorCodeMap{
 		Description:    "Site not found in site replication configuration",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrSiteReplicationIAMConfigMismatch: {
+		Code:           "XMinioSiteReplicationIAMConfigMismatch",
+		Description:    "IAM configuration mismatch between sites",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrAdminRebalanceAlreadyStarted: {
 		Code:           "XMinioAdminRebalanceAlreadyStarted",
 		Description:    "Pool rebalance is already started",
--- a/cmd/apierrorcode_string.go
+++ b/cmd/apierrorcode_string.go
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@ -154,6 +154,13 @@ func errSRConfigMissingError(err error) SRError {
 	}
 }

+func errSRIAMConfigMismatch(peer1, peer2 string, s1, s2 madmin.IDPSettings) SRError {
+	return SRError{
+		Cause: fmt.Errorf("IAM/IDP settings mismatch between %s and %s: %#v vs %#v", peer1, peer2, s1, s2),
+		Code:  ErrSiteReplicationIAMConfigMismatch,
+	}
+}
+
 var errSRObjectLayerNotReady = SRError{
 	Cause: fmt.Errorf("object layer not ready"),
 	Code:  ErrServerNotInitialized,
@ -424,13 +431,10 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, psites []madmi
 	}

 	// validate that all clusters are using the same IDP settings.
-	pass, err := c.validateIDPSettings(ctx, sites)
+	err = c.validateIDPSettings(ctx, sites)
 	if err != nil {
 		return madmin.ReplicateAddStatus{}, err
 	}
-	if !pass {
-		return madmin.ReplicateAddStatus{}, errSRInvalidRequest(errors.New("all cluster sites must have the same IAM/IDP settings"))
-	}

 	// For this `add` API, either all clusters must be empty or the local
 	// cluster must be the only one having some buckets.
@ -619,7 +623,7 @@ func (c *SiteReplicationSys) GetIDPSettings(ctx context.Context) madmin.IDPSetti
 	return s
 }

-func (c *SiteReplicationSys) validateIDPSettings(ctx context.Context, peers []PeerSiteInfo) (bool, error) {
+func (c *SiteReplicationSys) validateIDPSettings(ctx context.Context, peers []PeerSiteInfo) error {
 	s := make([]madmin.IDPSettings, 0, len(peers))
 	for _, v := range peers {
 		if v.self {
@ -629,22 +633,23 @@ func (c *SiteReplicationSys) validateIDPSettings(ctx context.Context, peers []Pe

 		admClient, err := getAdminClient(v.Endpoint, v.AccessKey, v.SecretKey)
 		if err != nil {
-			return false, errSRPeerResp(fmt.Errorf("unable to create admin client for %s: %w", v.Name, err))
+			return errSRPeerResp(fmt.Errorf("unable to create admin client for %s: %w", v.Name, err))
 		}

 		is, err := admClient.SRPeerGetIDPSettings(ctx)
 		if err != nil {
-			return false, errSRPeerResp(fmt.Errorf("unable to fetch IDP settings from %s: %v", v.Name, err))
+			return errSRPeerResp(fmt.Errorf("unable to fetch IDP settings from %s: %v", v.Name, err))
 		}
 		s = append(s, is)
 	}

 	for i := 1; i < len(s); i++ {
 		if !reflect.DeepEqual(s[i], s[0]) {
-			return false, nil
+			return errSRIAMConfigMismatch(peers[0].Name, peers[i].Name, s[0], s[i])
 		}
 	}
-	return true, nil
+
+	return nil
 }

 // Netperf for site-replication net perf