mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
Move IAM notifications into IAM system functions (#13780)
This commit is contained in:
parent
e49c184595
commit
42d11d9e7d
@ -240,16 +240,6 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
|
|||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to load group.
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetGroup - /minio/admin/v3/group?group=mygroup1
|
// GetGroup - /minio/admin/v3/group?group=mygroup1
|
||||||
@ -335,16 +325,6 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
|
|||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload user.
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadGroup(group) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled]
|
// SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled]
|
||||||
@ -372,16 +352,6 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
|
|||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload user.
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key>
|
// AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key>
|
||||||
@ -482,16 +452,6 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
|
|||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// AddServiceAccount - PUT /minio/admin/v3/add-service-account
|
// AddServiceAccount - PUT /minio/admin/v3/add-service-account
|
||||||
@ -647,16 +607,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user the service account
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Call hook for cluster-replication.
|
// Call hook for cluster-replication.
|
||||||
//
|
//
|
||||||
// FIXME: This wont work in an OpenID situation as the parent credential
|
// FIXME: This wont work in an OpenID situation as the parent credential
|
||||||
@ -788,16 +738,6 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user the service account
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Call site replication hook. Only LDAP accounts are supported for
|
// Call site replication hook. Only LDAP accounts are supported for
|
||||||
// replication operations.
|
// replication operations.
|
||||||
svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, accessKey)
|
svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, accessKey)
|
||||||
@ -1375,19 +1315,11 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ
|
|||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
policyName := vars["name"]
|
policyName := vars["name"]
|
||||||
|
|
||||||
if err := globalIAMSys.DeletePolicy(ctx, policyName); err != nil {
|
if err := globalIAMSys.DeletePolicy(ctx, policyName, true); err != nil {
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to delete policy
|
|
||||||
for _, nerr := range globalNotificationSys.DeletePolicy(policyName) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Call cluster-replication policy creation hook to replicate policy deletion to
|
// Call cluster-replication policy creation hook to replicate policy deletion to
|
||||||
// other minio clusters.
|
// other minio clusters.
|
||||||
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
||||||
@ -1448,16 +1380,6 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload policy
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Call cluster-replication policy creation hook to replicate policy to
|
// Call cluster-replication policy creation hook to replicate policy to
|
||||||
// other minio clusters.
|
// other minio clusters.
|
||||||
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
||||||
@ -1503,16 +1425,6 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload policy
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
||||||
Type: madmin.SRIAMItemPolicyMapping,
|
Type: madmin.SRIAMItemPolicyMapping,
|
||||||
PolicyMapping: &madmin.SRPolicyMapping{
|
PolicyMapping: &madmin.SRPolicyMapping{
|
||||||
|
@ -74,7 +74,7 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro
|
|||||||
|
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
// Setup admin mgmt REST API handlers.
|
// Setup admin mgmt REST API handlers.
|
||||||
adminRouter := mux.NewRouter()
|
adminRouter := mux.NewRouter()
|
||||||
|
@ -369,7 +369,7 @@ func TestIsReqAuthenticated(t *testing.T) {
|
|||||||
|
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
creds, err := auth.CreateCredentials("myuser", "mypassword")
|
creds, err := auth.CreateCredentials("myuser", "mypassword")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -459,7 +459,7 @@ func TestValidateAdminSignature(t *testing.T) {
|
|||||||
|
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
creds, err := auth.CreateCredentials("admin", "mypassword")
|
creds, err := auth.CreateCredentials("admin", "mypassword")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -308,7 +308,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
|
|||||||
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
|
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
|
||||||
}
|
}
|
||||||
|
|
||||||
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
|
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalNotificationSys, globalRefreshIAMInterval)
|
||||||
|
|
||||||
if globalCacheConfig.Enabled {
|
if globalCacheConfig.Enabled {
|
||||||
// initialize the new disk cache objects.
|
// initialize the new disk cache objects.
|
||||||
|
152
cmd/iam.go
152
cmd/iam.go
@ -65,6 +65,7 @@ type IAMSys struct {
|
|||||||
sync.Mutex
|
sync.Mutex
|
||||||
|
|
||||||
iamRefreshInterval time.Duration
|
iamRefreshInterval time.Duration
|
||||||
|
notificationSys *NotificationSys
|
||||||
|
|
||||||
usersSysType UsersSysType
|
usersSysType UsersSysType
|
||||||
|
|
||||||
@ -197,11 +198,12 @@ func (sys *IAMSys) Load(ctx context.Context) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Init - initializes config system by reading entries from config/iam
|
// Init - initializes config system by reading entries from config/iam
|
||||||
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client, iamRefreshInterval time.Duration) {
|
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client, nSys *NotificationSys, iamRefreshInterval time.Duration) {
|
||||||
sys.Lock()
|
sys.Lock()
|
||||||
defer sys.Unlock()
|
defer sys.Unlock()
|
||||||
|
|
||||||
sys.iamRefreshInterval = iamRefreshInterval
|
sys.iamRefreshInterval = iamRefreshInterval
|
||||||
|
sys.notificationSys = nSys
|
||||||
|
|
||||||
// Initialize IAM store
|
// Initialize IAM store
|
||||||
sys.initStore(objAPI, etcdClient)
|
sys.initStore(objAPI, etcdClient)
|
||||||
@ -451,12 +453,29 @@ func (sys *IAMSys) GetRolePolicy(arnStr string) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// DeletePolicy - deletes a canned policy from backend or etcd.
|
// DeletePolicy - deletes a canned policy from backend or etcd.
|
||||||
func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error {
|
func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string, notifyPeers bool) error {
|
||||||
if !sys.Initialized() {
|
if !sys.Initialized() {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.DeletePolicy(ctx, policyName)
|
err := sys.store.DeletePolicy(ctx, policyName)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !notifyPeers || sys.HasWatcher() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Notify all other MinIO peers to delete policy
|
||||||
|
for _, nerr := range sys.notificationSys.DeletePolicy(policyName) {
|
||||||
|
if nerr.Err != nil {
|
||||||
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// InfoPolicy - expands the canned policy into its JSON structure.
|
// InfoPolicy - expands the canned policy into its JSON structure.
|
||||||
@ -485,7 +504,21 @@ func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy
|
|||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.SetPolicy(ctx, policyName, p)
|
err := sys.store.SetPolicy(ctx, policyName, p)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !sys.HasWatcher() {
|
||||||
|
// Notify all other MinIO peers to reload policy
|
||||||
|
for _, nerr := range sys.notificationSys.LoadPolicy(policyName) {
|
||||||
|
if nerr.Err != nil {
|
||||||
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteUser - delete user (only for long-term users not STS users).
|
// DeleteUser - delete user (only for long-term users not STS users).
|
||||||
@ -509,6 +542,18 @@ func (sys *IAMSys) CurrentPolicies(policyName string) string {
|
|||||||
return policies
|
return policies
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (sys *IAMSys) notifyForUser(ctx context.Context, accessKey string, isTemp bool) {
|
||||||
|
// Notify all other MinIO peers to reload user.
|
||||||
|
if !sys.HasWatcher() {
|
||||||
|
for _, nerr := range sys.notificationSys.LoadUser(accessKey, isTemp) {
|
||||||
|
if nerr.Err != nil {
|
||||||
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// SetTempUser - set temporary user credentials, these credentials have an expiry.
|
// SetTempUser - set temporary user credentials, these credentials have an expiry.
|
||||||
func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error {
|
func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error {
|
||||||
if !sys.Initialized() {
|
if !sys.Initialized() {
|
||||||
@ -520,7 +565,13 @@ func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.
|
|||||||
policyName = ""
|
policyName = ""
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.SetTempUser(ctx, accessKey, cred, policyName)
|
err := sys.store.SetTempUser(ctx, accessKey, cred, policyName)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForUser(ctx, cred.AccessKey, true)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// ListBucketUsers - list all users who can access this 'bucket'
|
// ListBucketUsers - list all users who can access this 'bucket'
|
||||||
@ -606,7 +657,25 @@ func (sys *IAMSys) SetUserStatus(ctx context.Context, accessKey string, status m
|
|||||||
return errIAMActionNotAllowed
|
return errIAMActionNotAllowed
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.SetUserStatus(ctx, accessKey, status)
|
err := sys.store.SetUserStatus(ctx, accessKey, status)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForUser(ctx, accessKey, false)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sys *IAMSys) notifyForServiceAccount(ctx context.Context, accessKey string) {
|
||||||
|
// Notify all other Minio peers to reload the service account
|
||||||
|
if !sys.HasWatcher() {
|
||||||
|
for _, nerr := range sys.notificationSys.LoadServiceAccount(accessKey) {
|
||||||
|
if nerr.Err != nil {
|
||||||
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
type newServiceAccountOpts struct {
|
type newServiceAccountOpts struct {
|
||||||
@ -687,6 +756,8 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return auth.Credentials{}, err
|
return auth.Credentials{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sys.notifyForServiceAccount(ctx, cred.AccessKey)
|
||||||
return cred, nil
|
return cred, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -702,7 +773,13 @@ func (sys *IAMSys) UpdateServiceAccount(ctx context.Context, accessKey string, o
|
|||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.UpdateServiceAccount(ctx, accessKey, opts)
|
err := sys.store.UpdateServiceAccount(ctx, accessKey, opts)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForServiceAccount(ctx, accessKey)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// ListServiceAccounts - lists all services accounts associated to a specific user
|
// ListServiceAccounts - lists all services accounts associated to a specific user
|
||||||
@ -807,7 +884,13 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmi
|
|||||||
return auth.ErrInvalidSecretKeyLength
|
return auth.ErrInvalidSecretKeyLength
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.AddUser(ctx, accessKey, uinfo)
|
err := sys.store.AddUser(ctx, accessKey, uinfo)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForUser(ctx, accessKey, false)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetUserSecretKey - sets user secret key
|
// SetUserSecretKey - sets user secret key
|
||||||
@ -981,6 +1064,18 @@ func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Cre
|
|||||||
return cred, ok && cred.IsValid()
|
return cred, ok && cred.IsValid()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Notify all other MinIO peers to load group.
|
||||||
|
func (sys *IAMSys) notifyForGroup(ctx context.Context, group string) {
|
||||||
|
if !sys.HasWatcher() {
|
||||||
|
for _, nerr := range sys.notificationSys.LoadGroup(group) {
|
||||||
|
if nerr.Err != nil {
|
||||||
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// AddUsersToGroup - adds users to a group, creating the group if
|
// AddUsersToGroup - adds users to a group, creating the group if
|
||||||
// needed. No error if user(s) already are in the group.
|
// needed. No error if user(s) already are in the group.
|
||||||
func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error {
|
func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error {
|
||||||
@ -992,7 +1087,13 @@ func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []
|
|||||||
return errIAMActionNotAllowed
|
return errIAMActionNotAllowed
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.AddUsersToGroup(ctx, group, members)
|
err := sys.store.AddUsersToGroup(ctx, group, members)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForGroup(ctx, group)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// RemoveUsersFromGroup - remove users from group. If no users are
|
// RemoveUsersFromGroup - remove users from group. If no users are
|
||||||
@ -1006,7 +1107,13 @@ func (sys *IAMSys) RemoveUsersFromGroup(ctx context.Context, group string, membe
|
|||||||
return errIAMActionNotAllowed
|
return errIAMActionNotAllowed
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.RemoveUsersFromGroup(ctx, group, members)
|
err := sys.store.RemoveUsersFromGroup(ctx, group, members)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForGroup(ctx, group)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetGroupStatus - enable/disabled a group
|
// SetGroupStatus - enable/disabled a group
|
||||||
@ -1019,7 +1126,13 @@ func (sys *IAMSys) SetGroupStatus(ctx context.Context, group string, enabled boo
|
|||||||
return errIAMActionNotAllowed
|
return errIAMActionNotAllowed
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.SetGroupStatus(ctx, group, enabled)
|
err := sys.store.SetGroupStatus(ctx, group, enabled)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sys.notifyForGroup(ctx, group)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetGroupDescription - builds up group description
|
// GetGroupDescription - builds up group description
|
||||||
@ -1054,7 +1167,22 @@ func (sys *IAMSys) PolicyDBSet(ctx context.Context, name, policy string, isGroup
|
|||||||
userType = stsUser
|
userType = stsUser
|
||||||
}
|
}
|
||||||
|
|
||||||
return sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup)
|
err := sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup)
|
||||||
|
if err != nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Notify all other MinIO peers to reload policy
|
||||||
|
if !sys.HasWatcher() {
|
||||||
|
for _, nerr := range sys.notificationSys.LoadPolicyMapping(name, isGroup) {
|
||||||
|
if nerr.Err != nil {
|
||||||
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// PolicyDBGet - gets policy set on a user or group. If a list of groups is
|
// PolicyDBGet - gets policy set on a user or group. If a list of groups is
|
||||||
|
@ -78,7 +78,7 @@ func (s *peerRESTServer) DeletePolicyHandler(w http.ResponseWriter, r *http.Requ
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := globalIAMSys.DeletePolicy(r.Context(), policyName); err != nil {
|
if err := globalIAMSys.DeletePolicy(r.Context(), policyName, false); err != nil {
|
||||||
s.writeErrorResponse(w, err)
|
s.writeErrorResponse(w, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -568,7 +568,7 @@ func serverMain(ctx *cli.Context) {
|
|||||||
globalSiteReplicationSys.Init(GlobalContext, newObject)
|
globalSiteReplicationSys.Init(GlobalContext, newObject)
|
||||||
|
|
||||||
// Initialize users credentials and policies in background right after config has initialized.
|
// Initialize users credentials and policies in background right after config has initialized.
|
||||||
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
|
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalNotificationSys, globalRefreshIAMInterval)
|
||||||
|
|
||||||
// Initialize transition tier configuration manager
|
// Initialize transition tier configuration manager
|
||||||
if globalIsErasure {
|
if globalIsErasure {
|
||||||
|
@ -46,7 +46,7 @@ func TestCheckValid(t *testing.T) {
|
|||||||
|
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
|
req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -370,16 +370,6 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, sites []madmin
|
|||||||
return madmin.ReplicateAddStatus{}, errSRServiceAccount(fmt.Errorf("unable to create local service account: %w", err))
|
return madmin.ReplicateAddStatus{}, errSRServiceAccount(fmt.Errorf("unable to create local service account: %w", err))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user the service account
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
joinReq := madmin.SRInternalJoinReq{
|
joinReq := madmin.SRInternalJoinReq{
|
||||||
SvcAcctAccessKey: svcCred.AccessKey,
|
SvcAcctAccessKey: svcCred.AccessKey,
|
||||||
SvcAcctSecretKey: svcCred.SecretKey,
|
SvcAcctSecretKey: svcCred.SecretKey,
|
||||||
@ -473,7 +463,7 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
|
|||||||
return errSRInvalidRequest(errSRSelfNotFound)
|
return errSRInvalidRequest(errSRSelfNotFound)
|
||||||
}
|
}
|
||||||
|
|
||||||
svcCred, err := globalIAMSys.NewServiceAccount(ctx, arg.SvcAcctParent, nil, newServiceAccountOpts{
|
_, err := globalIAMSys.NewServiceAccount(ctx, arg.SvcAcctParent, nil, newServiceAccountOpts{
|
||||||
accessKey: arg.SvcAcctAccessKey,
|
accessKey: arg.SvcAcctAccessKey,
|
||||||
secretKey: arg.SvcAcctSecretKey,
|
secretKey: arg.SvcAcctSecretKey,
|
||||||
})
|
})
|
||||||
@ -481,16 +471,6 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
|
|||||||
return errSRServiceAccount(fmt.Errorf("unable to create service account on %s: %v", ourName, err))
|
return errSRServiceAccount(fmt.Errorf("unable to create service account on %s: %v", ourName, err))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload the service account
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
state := srState{
|
state := srState{
|
||||||
Name: ourName,
|
Name: ourName,
|
||||||
Peers: arg.Peers,
|
Peers: arg.Peers,
|
||||||
@ -947,34 +927,13 @@ func (c *SiteReplicationSys) IAMChangeHook(ctx context.Context, item madmin.SRIA
|
|||||||
func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error {
|
func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error {
|
||||||
var err error
|
var err error
|
||||||
if p == nil {
|
if p == nil {
|
||||||
err = globalIAMSys.DeletePolicy(ctx, policyName)
|
err = globalIAMSys.DeletePolicy(ctx, policyName, true)
|
||||||
} else {
|
} else {
|
||||||
err = globalIAMSys.SetPolicy(ctx, policyName, *p)
|
err = globalIAMSys.SetPolicy(ctx, policyName, *p)
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return wrapSRErr(err)
|
return wrapSRErr(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if p != nil {
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
// Notify all other MinIO peers to reload policy
|
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Notify all other MinIO peers to delete policy
|
|
||||||
for _, nerr := range globalNotificationSys.DeletePolicy(policyName) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -997,20 +956,11 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
|
|||||||
sessionPolicy: sp,
|
sessionPolicy: sp,
|
||||||
claims: change.Create.Claims,
|
claims: change.Create.Claims,
|
||||||
}
|
}
|
||||||
newCred, err := globalIAMSys.NewServiceAccount(ctx, change.Create.Parent, change.Create.Groups, opts)
|
_, err = globalIAMSys.NewServiceAccount(ctx, change.Create.Parent, change.Create.Groups, opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return wrapSRErr(err)
|
return wrapSRErr(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload the service account
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
case change.Update != nil:
|
case change.Update != nil:
|
||||||
var sp *iampolicy.Policy
|
var sp *iampolicy.Policy
|
||||||
var err error
|
var err error
|
||||||
@ -1031,16 +981,6 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
|
|||||||
return wrapSRErr(err)
|
return wrapSRErr(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload the service account
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
case change.Delete != nil:
|
case change.Delete != nil:
|
||||||
err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey)
|
err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -1065,16 +1005,6 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return wrapSRErr(err)
|
return wrapSRErr(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload policy
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1120,16 +1050,6 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
|
|||||||
return fmt.Errorf("unable to save STS credential: %v", err)
|
return fmt.Errorf("unable to save STS credential: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify in-cluster peers to reload temp users.
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -282,16 +282,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload temp users
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
assumeRoleResponse := &AssumeRoleResponse{
|
assumeRoleResponse := &AssumeRoleResponse{
|
||||||
Result: AssumeRoleResult{
|
Result: AssumeRoleResult{
|
||||||
Credentials: cred,
|
Credentials: cred,
|
||||||
@ -501,16 +491,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload temp users
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var encodedSuccessResponse []byte
|
var encodedSuccessResponse []byte
|
||||||
switch action {
|
switch action {
|
||||||
case clientGrants:
|
case clientGrants:
|
||||||
@ -667,16 +647,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload temp users
|
|
||||||
if !globalIAMSys.HasWatcher() {
|
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
|
||||||
if nerr.Err != nil {
|
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
|
||||||
logger.LogIf(ctx, nerr.Err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Call hook for cluster-replication.
|
// Call hook for cluster-replication.
|
||||||
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
|
||||||
Type: madmin.SRIAMItemSTSAcc,
|
Type: madmin.SRIAMItemSTSAcc,
|
||||||
|
@ -359,7 +359,7 @@ func initTestServerWithBackend(ctx context.Context, t TestErrHandler, testServer
|
|||||||
|
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
return testServer
|
return testServer
|
||||||
}
|
}
|
||||||
@ -1523,7 +1523,7 @@ func initAPIHandlerTest(ctx context.Context, obj ObjectLayer, endpoints []string
|
|||||||
|
|
||||||
initConfigSubsystem(ctx, obj)
|
initConfigSubsystem(ctx, obj)
|
||||||
|
|
||||||
globalIAMSys.Init(ctx, obj, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, obj, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
// get random bucket name.
|
// get random bucket name.
|
||||||
bucketName := getRandomBucketName()
|
bucketName := getRandomBucketName()
|
||||||
@ -1809,7 +1809,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
|
|||||||
t.Fatal("Unexpected error", err)
|
t.Fatal("Unexpected error", err)
|
||||||
}
|
}
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
// Executing the object layer tests for single node setup.
|
// Executing the object layer tests for single node setup.
|
||||||
objTest(objLayer, FSTestStr, t)
|
objTest(objLayer, FSTestStr, t)
|
||||||
@ -1834,7 +1834,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
|
|||||||
}
|
}
|
||||||
setObjectLayer(objLayer)
|
setObjectLayer(objLayer)
|
||||||
initConfigSubsystem(ctx, objLayer)
|
initConfigSubsystem(ctx, objLayer)
|
||||||
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
|
||||||
|
|
||||||
// Executing the object layer tests for Erasure.
|
// Executing the object layer tests for Erasure.
|
||||||
objTest(objLayer, ErasureTestStr, t)
|
objTest(objLayer, ErasureTestStr, t)
|
||||||
|
Loading…
Reference in New Issue
Block a user