From 42d11d9e7ddef2c647628a4a8bd54bfbc907bf6c Mon Sep 17 00:00:00 2001 From: Aditya Manthramurthy Date: Mon, 29 Nov 2021 14:38:57 -0800 Subject: [PATCH] Move IAM notifications into IAM system functions (#13780) --- cmd/admin-handlers-users.go | 90 +------------------ cmd/admin-handlers_test.go | 2 +- cmd/auth-handler_test.go | 4 +- cmd/gateway-main.go | 2 +- cmd/iam.go | 152 ++++++++++++++++++++++++++++++--- cmd/peer-rest-server.go | 2 +- cmd/server-main.go | 2 +- cmd/signature-v4-utils_test.go | 2 +- cmd/site-replication.go | 86 +------------------ cmd/sts-handlers.go | 30 ------- cmd/test-utils_test.go | 8 +- 11 files changed, 155 insertions(+), 225 deletions(-) diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go index 41d6417a5..77eaefd5c 100644 --- a/cmd/admin-handlers-users.go +++ b/cmd/admin-handlers-users.go @@ -240,16 +240,6 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - - // Notify all other MinIO peers to load group. - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } } // GetGroup - /minio/admin/v3/group?group=mygroup1 @@ -335,16 +325,6 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - - // Notify all other MinIO peers to reload user. - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadGroup(group) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } } // SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=&status=[enabled|disabled] @@ -372,16 +352,6 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - - // Notify all other MinIO peers to reload user. - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } } // AddUser - PUT /minio/admin/v3/add-user?accessKey= @@ -482,16 +452,6 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - - // Notify all other Minio peers to reload user - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } } // AddServiceAccount - PUT /minio/admin/v3/add-service-account @@ -647,16 +607,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque return } - // Notify all other Minio peers to reload user the service account - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - // Call hook for cluster-replication. // // FIXME: This wont work in an OpenID situation as the parent credential @@ -788,16 +738,6 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re return } - // Notify all other Minio peers to reload user the service account - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - // Call site replication hook. Only LDAP accounts are supported for // replication operations. svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, accessKey) @@ -1375,19 +1315,11 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ vars := mux.Vars(r) policyName := vars["name"] - if err := globalIAMSys.DeletePolicy(ctx, policyName); err != nil { + if err := globalIAMSys.DeletePolicy(ctx, policyName, true); err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - // Notify all other MinIO peers to delete policy - for _, nerr := range globalNotificationSys.DeletePolicy(policyName) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - // Call cluster-replication policy creation hook to replicate policy deletion to // other minio clusters. if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ @@ -1448,16 +1380,6 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request return } - // Notify all other MinIO peers to reload policy - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadPolicy(policyName) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - // Call cluster-replication policy creation hook to replicate policy to // other minio clusters. if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ @@ -1503,16 +1425,6 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http return } - // Notify all other MinIO peers to reload policy - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ Type: madmin.SRIAMItemPolicyMapping, PolicyMapping: &madmin.SRPolicyMapping{ diff --git a/cmd/admin-handlers_test.go b/cmd/admin-handlers_test.go index 69f8dfa90..12d7101d3 100644 --- a/cmd/admin-handlers_test.go +++ b/cmd/admin-handlers_test.go @@ -74,7 +74,7 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) // Setup admin mgmt REST API handlers. adminRouter := mux.NewRouter() diff --git a/cmd/auth-handler_test.go b/cmd/auth-handler_test.go index 247898551..174494832 100644 --- a/cmd/auth-handler_test.go +++ b/cmd/auth-handler_test.go @@ -369,7 +369,7 @@ func TestIsReqAuthenticated(t *testing.T) { initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) creds, err := auth.CreateCredentials("myuser", "mypassword") if err != nil { @@ -459,7 +459,7 @@ func TestValidateAdminSignature(t *testing.T) { initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) creds, err := auth.CreateCredentials("admin", "mypassword") if err != nil { diff --git a/cmd/gateway-main.go b/cmd/gateway-main.go index 8891ce30d..84f55cb37 100644 --- a/cmd/gateway-main.go +++ b/cmd/gateway-main.go @@ -308,7 +308,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) { logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system") } - go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval) + go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalNotificationSys, globalRefreshIAMInterval) if globalCacheConfig.Enabled { // initialize the new disk cache objects. diff --git a/cmd/iam.go b/cmd/iam.go index 47847e525..92058738c 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -65,6 +65,7 @@ type IAMSys struct { sync.Mutex iamRefreshInterval time.Duration + notificationSys *NotificationSys usersSysType UsersSysType @@ -197,11 +198,12 @@ func (sys *IAMSys) Load(ctx context.Context) error { } // Init - initializes config system by reading entries from config/iam -func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client, iamRefreshInterval time.Duration) { +func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client, nSys *NotificationSys, iamRefreshInterval time.Duration) { sys.Lock() defer sys.Unlock() sys.iamRefreshInterval = iamRefreshInterval + sys.notificationSys = nSys // Initialize IAM store sys.initStore(objAPI, etcdClient) @@ -451,12 +453,29 @@ func (sys *IAMSys) GetRolePolicy(arnStr string) (string, error) { } // DeletePolicy - deletes a canned policy from backend or etcd. -func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error { +func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string, notifyPeers bool) error { if !sys.Initialized() { return errServerNotInitialized } - return sys.store.DeletePolicy(ctx, policyName) + err := sys.store.DeletePolicy(ctx, policyName) + if err != nil { + return err + } + + if !notifyPeers || sys.HasWatcher() { + return nil + } + + // Notify all other MinIO peers to delete policy + for _, nerr := range sys.notificationSys.DeletePolicy(policyName) { + if nerr.Err != nil { + logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) + logger.LogIf(ctx, nerr.Err) + } + } + + return nil } // InfoPolicy - expands the canned policy into its JSON structure. @@ -485,7 +504,21 @@ func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy return errServerNotInitialized } - return sys.store.SetPolicy(ctx, policyName, p) + err := sys.store.SetPolicy(ctx, policyName, p) + if err != nil { + return err + } + + if !sys.HasWatcher() { + // Notify all other MinIO peers to reload policy + for _, nerr := range sys.notificationSys.LoadPolicy(policyName) { + if nerr.Err != nil { + logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) + logger.LogIf(ctx, nerr.Err) + } + } + } + return nil } // DeleteUser - delete user (only for long-term users not STS users). @@ -509,6 +542,18 @@ func (sys *IAMSys) CurrentPolicies(policyName string) string { return policies } +func (sys *IAMSys) notifyForUser(ctx context.Context, accessKey string, isTemp bool) { + // Notify all other MinIO peers to reload user. + if !sys.HasWatcher() { + for _, nerr := range sys.notificationSys.LoadUser(accessKey, isTemp) { + if nerr.Err != nil { + logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) + logger.LogIf(ctx, nerr.Err) + } + } + } +} + // SetTempUser - set temporary user credentials, these credentials have an expiry. func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error { if !sys.Initialized() { @@ -520,7 +565,13 @@ func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth. policyName = "" } - return sys.store.SetTempUser(ctx, accessKey, cred, policyName) + err := sys.store.SetTempUser(ctx, accessKey, cred, policyName) + if err != nil { + return err + } + + sys.notifyForUser(ctx, cred.AccessKey, true) + return nil } // ListBucketUsers - list all users who can access this 'bucket' @@ -606,7 +657,25 @@ func (sys *IAMSys) SetUserStatus(ctx context.Context, accessKey string, status m return errIAMActionNotAllowed } - return sys.store.SetUserStatus(ctx, accessKey, status) + err := sys.store.SetUserStatus(ctx, accessKey, status) + if err != nil { + return err + } + + sys.notifyForUser(ctx, accessKey, false) + return nil +} + +func (sys *IAMSys) notifyForServiceAccount(ctx context.Context, accessKey string) { + // Notify all other Minio peers to reload the service account + if !sys.HasWatcher() { + for _, nerr := range sys.notificationSys.LoadServiceAccount(accessKey) { + if nerr.Err != nil { + logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) + logger.LogIf(ctx, nerr.Err) + } + } + } } type newServiceAccountOpts struct { @@ -687,6 +756,8 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro if err != nil { return auth.Credentials{}, err } + + sys.notifyForServiceAccount(ctx, cred.AccessKey) return cred, nil } @@ -702,7 +773,13 @@ func (sys *IAMSys) UpdateServiceAccount(ctx context.Context, accessKey string, o return errServerNotInitialized } - return sys.store.UpdateServiceAccount(ctx, accessKey, opts) + err := sys.store.UpdateServiceAccount(ctx, accessKey, opts) + if err != nil { + return err + } + + sys.notifyForServiceAccount(ctx, accessKey) + return nil } // ListServiceAccounts - lists all services accounts associated to a specific user @@ -807,7 +884,13 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmi return auth.ErrInvalidSecretKeyLength } - return sys.store.AddUser(ctx, accessKey, uinfo) + err := sys.store.AddUser(ctx, accessKey, uinfo) + if err != nil { + return err + } + + sys.notifyForUser(ctx, accessKey, false) + return nil } // SetUserSecretKey - sets user secret key @@ -981,6 +1064,18 @@ func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Cre return cred, ok && cred.IsValid() } +// Notify all other MinIO peers to load group. +func (sys *IAMSys) notifyForGroup(ctx context.Context, group string) { + if !sys.HasWatcher() { + for _, nerr := range sys.notificationSys.LoadGroup(group) { + if nerr.Err != nil { + logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) + logger.LogIf(ctx, nerr.Err) + } + } + } +} + // AddUsersToGroup - adds users to a group, creating the group if // needed. No error if user(s) already are in the group. func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error { @@ -992,7 +1087,13 @@ func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members [] return errIAMActionNotAllowed } - return sys.store.AddUsersToGroup(ctx, group, members) + err := sys.store.AddUsersToGroup(ctx, group, members) + if err != nil { + return err + } + + sys.notifyForGroup(ctx, group) + return nil } // RemoveUsersFromGroup - remove users from group. If no users are @@ -1006,7 +1107,13 @@ func (sys *IAMSys) RemoveUsersFromGroup(ctx context.Context, group string, membe return errIAMActionNotAllowed } - return sys.store.RemoveUsersFromGroup(ctx, group, members) + err := sys.store.RemoveUsersFromGroup(ctx, group, members) + if err != nil { + return err + } + + sys.notifyForGroup(ctx, group) + return nil } // SetGroupStatus - enable/disabled a group @@ -1019,7 +1126,13 @@ func (sys *IAMSys) SetGroupStatus(ctx context.Context, group string, enabled boo return errIAMActionNotAllowed } - return sys.store.SetGroupStatus(ctx, group, enabled) + err := sys.store.SetGroupStatus(ctx, group, enabled) + if err != nil { + return err + } + + sys.notifyForGroup(ctx, group) + return nil } // GetGroupDescription - builds up group description @@ -1054,7 +1167,22 @@ func (sys *IAMSys) PolicyDBSet(ctx context.Context, name, policy string, isGroup userType = stsUser } - return sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup) + err := sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup) + if err != nil { + return nil + } + + // Notify all other MinIO peers to reload policy + if !sys.HasWatcher() { + for _, nerr := range sys.notificationSys.LoadPolicyMapping(name, isGroup) { + if nerr.Err != nil { + logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) + logger.LogIf(ctx, nerr.Err) + } + } + } + + return nil } // PolicyDBGet - gets policy set on a user or group. If a list of groups is diff --git a/cmd/peer-rest-server.go b/cmd/peer-rest-server.go index 76b89cdb6..daf4cb67b 100644 --- a/cmd/peer-rest-server.go +++ b/cmd/peer-rest-server.go @@ -78,7 +78,7 @@ func (s *peerRESTServer) DeletePolicyHandler(w http.ResponseWriter, r *http.Requ return } - if err := globalIAMSys.DeletePolicy(r.Context(), policyName); err != nil { + if err := globalIAMSys.DeletePolicy(r.Context(), policyName, false); err != nil { s.writeErrorResponse(w, err) return } diff --git a/cmd/server-main.go b/cmd/server-main.go index 964330b7f..2581c9aee 100644 --- a/cmd/server-main.go +++ b/cmd/server-main.go @@ -568,7 +568,7 @@ func serverMain(ctx *cli.Context) { globalSiteReplicationSys.Init(GlobalContext, newObject) // Initialize users credentials and policies in background right after config has initialized. - go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval) + go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalNotificationSys, globalRefreshIAMInterval) // Initialize transition tier configuration manager if globalIsErasure { diff --git a/cmd/signature-v4-utils_test.go b/cmd/signature-v4-utils_test.go index 3449010b4..437661647 100644 --- a/cmd/signature-v4-utils_test.go +++ b/cmd/signature-v4-utils_test.go @@ -46,7 +46,7 @@ func TestCheckValid(t *testing.T) { initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil) if err != nil { diff --git a/cmd/site-replication.go b/cmd/site-replication.go index 1c1540a4c..3c4882f65 100644 --- a/cmd/site-replication.go +++ b/cmd/site-replication.go @@ -370,16 +370,6 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, sites []madmin return madmin.ReplicateAddStatus{}, errSRServiceAccount(fmt.Errorf("unable to create local service account: %w", err)) } - // Notify all other Minio peers to reload user the service account - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - joinReq := madmin.SRInternalJoinReq{ SvcAcctAccessKey: svcCred.AccessKey, SvcAcctSecretKey: svcCred.SecretKey, @@ -473,7 +463,7 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI return errSRInvalidRequest(errSRSelfNotFound) } - svcCred, err := globalIAMSys.NewServiceAccount(ctx, arg.SvcAcctParent, nil, newServiceAccountOpts{ + _, err := globalIAMSys.NewServiceAccount(ctx, arg.SvcAcctParent, nil, newServiceAccountOpts{ accessKey: arg.SvcAcctAccessKey, secretKey: arg.SvcAcctSecretKey, }) @@ -481,16 +471,6 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI return errSRServiceAccount(fmt.Errorf("unable to create service account on %s: %v", ourName, err)) } - // Notify all other Minio peers to reload the service account - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - state := srState{ Name: ourName, Peers: arg.Peers, @@ -947,34 +927,13 @@ func (c *SiteReplicationSys) IAMChangeHook(ctx context.Context, item madmin.SRIA func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error { var err error if p == nil { - err = globalIAMSys.DeletePolicy(ctx, policyName) + err = globalIAMSys.DeletePolicy(ctx, policyName, true) } else { err = globalIAMSys.SetPolicy(ctx, policyName, *p) } if err != nil { return wrapSRErr(err) } - - if p != nil { - if !globalIAMSys.HasWatcher() { - // Notify all other MinIO peers to reload policy - for _, nerr := range globalNotificationSys.LoadPolicy(policyName) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - return nil - } - - // Notify all other MinIO peers to delete policy - for _, nerr := range globalNotificationSys.DeletePolicy(policyName) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } return nil } @@ -997,20 +956,11 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change sessionPolicy: sp, claims: change.Create.Claims, } - newCred, err := globalIAMSys.NewServiceAccount(ctx, change.Create.Parent, change.Create.Groups, opts) + _, err = globalIAMSys.NewServiceAccount(ctx, change.Create.Parent, change.Create.Groups, opts) if err != nil { return wrapSRErr(err) } - // Notify all other Minio peers to reload the service account - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } case change.Update != nil: var sp *iampolicy.Policy var err error @@ -1031,16 +981,6 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change return wrapSRErr(err) } - // Notify all other Minio peers to reload the service account - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - case change.Delete != nil: err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey) if err != nil { @@ -1065,16 +1005,6 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi if err != nil { return wrapSRErr(err) } - - // Notify all other MinIO peers to reload policy - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } return nil } @@ -1120,16 +1050,6 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm return fmt.Errorf("unable to save STS credential: %v", err) } - // Notify in-cluster peers to reload temp users. - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - return nil } diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go index 72b0dcae0..8016b35fe 100644 --- a/cmd/sts-handlers.go +++ b/cmd/sts-handlers.go @@ -282,16 +282,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) { return } - // Notify all other MinIO peers to reload temp users - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - assumeRoleResponse := &AssumeRoleResponse{ Result: AssumeRoleResult{ Credentials: cred, @@ -501,16 +491,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ return } - // Notify all other MinIO peers to reload temp users - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - var encodedSuccessResponse []byte switch action { case clientGrants: @@ -667,16 +647,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r * return } - // Notify all other MinIO peers to reload temp users - if !globalIAMSys.HasWatcher() { - for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { - if nerr.Err != nil { - logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) - logger.LogIf(ctx, nerr.Err) - } - } - } - // Call hook for cluster-replication. if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ Type: madmin.SRIAMItemSTSAcc, diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go index 1875a0aa8..f00e6e048 100644 --- a/cmd/test-utils_test.go +++ b/cmd/test-utils_test.go @@ -359,7 +359,7 @@ func initTestServerWithBackend(ctx context.Context, t TestErrHandler, testServer initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) return testServer } @@ -1523,7 +1523,7 @@ func initAPIHandlerTest(ctx context.Context, obj ObjectLayer, endpoints []string initConfigSubsystem(ctx, obj) - globalIAMSys.Init(ctx, obj, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, obj, globalEtcdClient, globalNotificationSys, 2*time.Second) // get random bucket name. bucketName := getRandomBucketName() @@ -1809,7 +1809,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) { t.Fatal("Unexpected error", err) } initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) // Executing the object layer tests for single node setup. objTest(objLayer, FSTestStr, t) @@ -1834,7 +1834,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) { } setObjectLayer(objLayer) initConfigSubsystem(ctx, objLayer) - globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) + globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second) // Executing the object layer tests for Erasure. objTest(objLayer, ErasureTestStr, t)