tier: Allow edit of the new Azure and AWS auth params (#18690)

Allow editing for the service principal credentials from Azure
and the web identity token for AWS;

Also, more validation of input parameters.

cmd/tier.go

@@ -311,22 +311,30 @@ func (config *TierConfigMgr) Edit(ctx context.Context, tierName string, creds ma
 	cfg := config.Tiers[tierName]
 	switch tierType {
 	case madmin.S3:
-		if (creds.AccessKey == "" || creds.SecretKey == "") && !creds.AWSRole {
-			return errTierMissingCredentials
-		}
-		switch {
-		case creds.AWSRole:
+		if creds.AWSRole {
 			cfg.S3.AWSRole = true
-		default:
+		}
+		if creds.AWSRoleWebIdentityTokenFile != "" && creds.AWSRoleARN != "" {
+			cfg.S3.AWSRoleARN = creds.AWSRoleARN
+			cfg.S3.AWSRoleWebIdentityTokenFile = creds.AWSRoleWebIdentityTokenFile
+		}
+		if creds.AccessKey != "" && creds.SecretKey != "" {
 			cfg.S3.AccessKey = creds.AccessKey
 			cfg.S3.SecretKey = creds.SecretKey
 		}
 	case madmin.Azure:
-		if creds.SecretKey == "" {
-			return errTierMissingCredentials
+		if creds.SecretKey != "" {
+			cfg.Azure.AccountKey = creds.SecretKey
+		}
+		if creds.AzSP.TenantID != "" {
+			cfg.Azure.SPAuth.TenantID = creds.AzSP.TenantID
+		}
+		if creds.AzSP.ClientID != "" {
+			cfg.Azure.SPAuth.ClientID = creds.AzSP.ClientID
+		}
+		if creds.AzSP.ClientSecret != "" {
+			cfg.Azure.SPAuth.ClientSecret = creds.AzSP.ClientSecret
 		}
-		cfg.Azure.AccountKey = creds.SecretKey
-
 	case madmin.GCS:
 		if creds.CredsJSON == nil {
 			return errTierMissingCredentials

cmd/warm-backend-azure.go

@@ -153,6 +153,19 @@ func newWarmBackendAzure(conf madmin.TierAzure, _ string) (*warmBackendAzure, er
 		err        error
 	)
 
+	switch {
+	case conf.AccountName == "":
+		return nil, errors.New("the account name is required")
+	case conf.AccountKey != "" && (conf.SPAuth.TenantID != "" || conf.SPAuth.ClientID != "" || conf.SPAuth.ClientSecret != ""):
+		return nil, errors.New("multiple authentication mechanisms are provided")
+	case conf.AccountKey == "" && (conf.SPAuth.TenantID == "" || conf.SPAuth.ClientID == "" || conf.SPAuth.ClientSecret == ""):
+		return nil, errors.New("no authentication mechanism was provided")
+	}
+
+	if conf.Bucket == "" {
+		return nil, errors.New("no bucket name was provided")
+	}
+
 	if conf.IsSPEnabled() {
 		credential, err = newCredentialFromSP(conf)
 	} else {

cmd/warm-backend-gcs.go

@@ -19,6 +19,7 @@ package cmd
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 
@@ -102,6 +103,15 @@ func (gcs *warmBackendGCS) InUse(ctx context.Context) (bool, error) {
 }
 
 func newWarmBackendGCS(conf madmin.TierGCS, _ string) (*warmBackendGCS, error) {
+	// Validation code
+	if conf.Creds == "" {
+		return nil, errors.New("empty credentials unsupported")
+	}
+
+	if conf.Bucket == "" {
+		return nil, errors.New("no bucket name was provided")
+	}
+
 	credsJSON, err := conf.GetCredentialJSON()
 	if err != nil {
 		return nil, err

cmd/warm-backend-minio.go

@@ -18,6 +18,7 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -35,6 +36,15 @@ type warmBackendMinIO struct {
 var _ WarmBackend = (*warmBackendMinIO)(nil)
 
 func newWarmBackendMinIO(conf madmin.TierMinIO, tier string) (*warmBackendMinIO, error) {
+	// Validation of credentials
+	if conf.AccessKey == "" || conf.SecretKey == "" {
+		return nil, errors.New("both access and secret keys are requied")
+	}
+
+	if conf.Bucket == "" {
+		return nil, errors.New("no bucket name was provided")
+	}
+
 	u, err := url.Parse(conf.Endpoint)
 	if err != nil {
 		return nil, err

cmd/warm-backend-s3.go

@@ -114,6 +114,20 @@ func newWarmBackendS3(conf madmin.TierS3, tier string) (*warmBackendS3, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// Validation code
+	switch {
+	case conf.AWSRoleWebIdentityTokenFile == "" && conf.AWSRoleARN != "" || conf.AWSRoleWebIdentityTokenFile != "" && conf.AWSRoleARN == "":
+		return nil, errors.New("both the token file and the role ARN are required")
+	case conf.AccessKey == "" && conf.SecretKey != "" || conf.AccessKey != "" && conf.SecretKey == "":
+		return nil, errors.New("both the access and secret keys are required")
+	case conf.AWSRole && (conf.AWSRoleWebIdentityTokenFile != "" || conf.AWSRoleARN != "" || conf.AccessKey != "" || conf.SecretKey != ""):
+		return nil, errors.New("AWS Role cannot be activated with static credentials or the web identity token file")
+	case conf.Bucket == "":
+		return nil, errors.New("no bucket name was provided")
+	}
+
+	// Credentials initialization
 	var creds *credentials.Credentials
 	switch {
 	case conf.AWSRole:

go.mod

@@ -51,7 +51,7 @@ require (
 	github.com/minio/dperf v0.5.3
 	github.com/minio/highwayhash v1.0.2
 	github.com/minio/kes-go v0.2.0
-	github.com/minio/madmin-go/v3 v3.0.37-0.20231211192618-d20cff0b11d9
+	github.com/minio/madmin-go/v3 v3.0.38-0.20231221010728-743d3caa32cf
 	github.com/minio/minio-go/v7 v7.0.66
 	github.com/minio/mux v1.9.0
 	github.com/minio/pkg/v2 v2.0.6

go.sum

@@ -443,8 +443,8 @@ github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA
 github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
 github.com/minio/kes-go v0.2.0 h1:HA33arq9s3MErbsj3PAXFVfFo4U4yw7lTKQ5kWFrpCA=
 github.com/minio/kes-go v0.2.0/go.mod h1:VorHLaIYis9/MxAHAtXN4d8PUMNKhIxTIlvFt0hBOEo=
-github.com/minio/madmin-go/v3 v3.0.37-0.20231211192618-d20cff0b11d9 h1:Rpz09w+Y9Bcq3MvNbxA/IFynLjVm6L62o5P7oMwNMWc=
-github.com/minio/madmin-go/v3 v3.0.37-0.20231211192618-d20cff0b11d9/go.mod h1:4QN2NftLSV7MdlT50dkrenOMmNVHluxTvlqJou3hte8=
+github.com/minio/madmin-go/v3 v3.0.38-0.20231221010728-743d3caa32cf h1:JlSWDteG4F4Q9rpTxLctWv/r6+wd0TTlevXtPd1Ecg8=
+github.com/minio/madmin-go/v3 v3.0.38-0.20231221010728-743d3caa32cf/go.mod h1:4QN2NftLSV7MdlT50dkrenOMmNVHluxTvlqJou3hte8=
 github.com/minio/mc v0.0.0-20231215213629-9ad4ee9d08f0 h1:YotPzCeUJfGclBcVhnVONeeBTrg/zhyP3ygulU3Svrg=
 github.com/minio/mc v0.0.0-20231215213629-9ad4ee9d08f0/go.mod h1:QGlyiXQJCU2Q/W0yx3wu/6kv/C4V+7t5avMIN/H05xU=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=