[gateway] Remove policy reload, instead read policy from backend (#7727)

Inconsistencies can arise after applying bucket policies in gateway mode, since all gateway instances do not share a common shared state. This is by design to keep gateway as shared nothing architecture. This PR fixes such inconsistencies by reloading policy if any from the backend. Fixes #7723
2025-01-23 04:33:15 -05:00 · 2019-06-03 11:06:13 -07:00 · 2019-06-03 11:06:13 -07:00 · 0cfd5a21ba
commit 0cfd5a21ba
parent 1ce2d29bbb
3 changed files with 31 additions and 21 deletions
--- a/cmd/gateway-main.go
+++ b/cmd/gateway-main.go
@ -304,6 +304,9 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 		printGatewayStartupMessage(getAPIEndpoints(), gatewayName)
 	}
 	// Set when gateway is enabled
 	globalIsGateway = true
 	// Set uptime time after object layer has initialized.
 	globalBootTime = UTCNow()
--- a/cmd/globals.go
+++ b/cmd/globals.go
@ -82,8 +82,6 @@ const (
 	// GlobalMultipartCleanupInterval - Cleanup interval when the stale multipart cleanup is initiated.
 	GlobalMultipartCleanupInterval = time.Hour * 24 // 24 hrs.
 	// Refresh interval to update in-memory bucket policy cache.
 	globalRefreshBucketPolicyInterval = 5 * time.Minute
 	// Refresh interval to update in-memory iam config cache.
 	globalRefreshIAMInterval = 5 * time.Minute
@ -111,6 +109,9 @@ var (
 	// Indicates if the running minio server is an erasure-code backend.
 	globalIsXL = false
 	// Indicates if the running minio is in gateway mode.
 	globalIsGateway = false
 	// This flag is set to 'true' by default
 	globalIsBrowserEnabled = true
--- a/cmd/policy.go
+++ b/cmd/policy.go
@ -25,7 +25,6 @@ import (
 	"path"
 	"strings"
 	"sync"
 	"time"
 	miniogopolicy "github.com/minio/minio-go/v6/pkg/policy"
 	"github.com/minio/minio-go/v6/pkg/set"
@ -61,6 +60,11 @@ func (sys *PolicySys) removeDeletedBuckets(bucketInfos []BucketInfo) {
 // Set - sets policy to given bucket name.  If policy is empty, existing policy is removed.
 func (sys *PolicySys) Set(bucketName string, policy policy.Policy) {
 	if globalIsGateway {
 		// Set policy is a non-op under gateway mode.
 		return
 	}
 	sys.Lock()
 	defer sys.Unlock()
@ -84,9 +88,21 @@ func (sys *PolicySys) IsAllowed(args policy.Args) bool {
 	sys.RLock()
 	defer sys.RUnlock()
-	// If policy is available for given bucket, check the policy.
+	if globalIsGateway {
-	if p, found := sys.bucketPolicyMap[args.BucketName]; found {
+		// When gateway is enabled, no cached value
-		return p.IsAllowed(args)
+		// is used to validate bucket policies.
 		objAPI := newObjectLayerFn()
 		if objAPI != nil {
 			config, err := objAPI.GetBucketPolicy(context.Background(), args.BucketName)
 			if err == nil {
 				return config.IsAllowed(args)
 			}
 		}
 	} else {
 		// If policy is available for given bucket, check the policy.
 		if p, found := sys.bucketPolicyMap[args.BucketName]; found {
 			return p.IsAllowed(args)
 		}
 	}
 	// As policy is not available for given bucket name, returns IsOwner i.e.
@ -135,21 +151,11 @@ func (sys *PolicySys) Init(objAPI ObjectLayer) error {
 		return errInvalidArgument
 	}
-	defer func() {
+	// In gateway mode, we don't need to load the policies
-		// Refresh PolicySys in background.
+	// from the backend.
-		go func() {
+	if globalIsGateway {
-			ticker := time.NewTicker(globalRefreshBucketPolicyInterval)
+		return nil
-			defer ticker.Stop()
+	}
 			for {
 				select {
 				case <-GlobalServiceDoneCh:
 					return
 				case <-ticker.C:
 					sys.refresh(objAPI)
 				}
 			}
 		}()
 	}()
 	doneCh := make(chan struct{})
 	defer close(doneCh)