From 0cfd5a21bae7ef4355ab719d960add18d7cd4247 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 3 Jun 2019 11:06:13 -0700 Subject: [PATCH] [gateway] Remove policy reload, instead read policy from backend (#7727) Inconsistencies can arise after applying bucket policies in gateway mode, since all gateway instances do not share a common shared state. This is by design to keep gateway as shared nothing architecture. This PR fixes such inconsistencies by reloading policy if any from the backend. Fixes #7723 --- cmd/gateway-main.go | 3 +++ cmd/globals.go | 5 +++-- cmd/policy.go | 44 +++++++++++++++++++++++++------------------- 3 files changed, 31 insertions(+), 21 deletions(-) diff --git a/cmd/gateway-main.go b/cmd/gateway-main.go index d37baf210..9d3776b57 100644 --- a/cmd/gateway-main.go +++ b/cmd/gateway-main.go @@ -304,6 +304,9 @@ func StartGateway(ctx *cli.Context, gw Gateway) { printGatewayStartupMessage(getAPIEndpoints(), gatewayName) } + // Set when gateway is enabled + globalIsGateway = true + // Set uptime time after object layer has initialized. globalBootTime = UTCNow() diff --git a/cmd/globals.go b/cmd/globals.go index 9b3e569e3..7038aeedd 100644 --- a/cmd/globals.go +++ b/cmd/globals.go @@ -82,8 +82,6 @@ const ( // GlobalMultipartCleanupInterval - Cleanup interval when the stale multipart cleanup is initiated. GlobalMultipartCleanupInterval = time.Hour * 24 // 24 hrs. - // Refresh interval to update in-memory bucket policy cache. - globalRefreshBucketPolicyInterval = 5 * time.Minute // Refresh interval to update in-memory iam config cache. globalRefreshIAMInterval = 5 * time.Minute @@ -111,6 +109,9 @@ var ( // Indicates if the running minio server is an erasure-code backend. globalIsXL = false + // Indicates if the running minio is in gateway mode. + globalIsGateway = false + // This flag is set to 'true' by default globalIsBrowserEnabled = true diff --git a/cmd/policy.go b/cmd/policy.go index 9fe5fa3c4..b30fba3db 100644 --- a/cmd/policy.go +++ b/cmd/policy.go @@ -25,7 +25,6 @@ import ( "path" "strings" "sync" - "time" miniogopolicy "github.com/minio/minio-go/v6/pkg/policy" "github.com/minio/minio-go/v6/pkg/set" @@ -61,6 +60,11 @@ func (sys *PolicySys) removeDeletedBuckets(bucketInfos []BucketInfo) { // Set - sets policy to given bucket name. If policy is empty, existing policy is removed. func (sys *PolicySys) Set(bucketName string, policy policy.Policy) { + if globalIsGateway { + // Set policy is a non-op under gateway mode. + return + } + sys.Lock() defer sys.Unlock() @@ -84,9 +88,21 @@ func (sys *PolicySys) IsAllowed(args policy.Args) bool { sys.RLock() defer sys.RUnlock() - // If policy is available for given bucket, check the policy. - if p, found := sys.bucketPolicyMap[args.BucketName]; found { - return p.IsAllowed(args) + if globalIsGateway { + // When gateway is enabled, no cached value + // is used to validate bucket policies. + objAPI := newObjectLayerFn() + if objAPI != nil { + config, err := objAPI.GetBucketPolicy(context.Background(), args.BucketName) + if err == nil { + return config.IsAllowed(args) + } + } + } else { + // If policy is available for given bucket, check the policy. + if p, found := sys.bucketPolicyMap[args.BucketName]; found { + return p.IsAllowed(args) + } } // As policy is not available for given bucket name, returns IsOwner i.e. @@ -135,21 +151,11 @@ func (sys *PolicySys) Init(objAPI ObjectLayer) error { return errInvalidArgument } - defer func() { - // Refresh PolicySys in background. - go func() { - ticker := time.NewTicker(globalRefreshBucketPolicyInterval) - defer ticker.Stop() - for { - select { - case <-GlobalServiceDoneCh: - return - case <-ticker.C: - sys.refresh(objAPI) - } - } - }() - }() + // In gateway mode, we don't need to load the policies + // from the backend. + if globalIsGateway { + return nil + } doneCh := make(chan struct{}) defer close(doneCh)