Move IAM notifications into IAM system functions (#13780)

This commit is contained in:
Aditya Manthramurthy 2021-11-29 14:38:57 -08:00 committed by GitHub
parent e49c184595
commit 42d11d9e7d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 155 additions and 225 deletions

View File

@ -240,16 +240,6 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
// Notify all other MinIO peers to load group.
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
} }
// GetGroup - /minio/admin/v3/group?group=mygroup1 // GetGroup - /minio/admin/v3/group?group=mygroup1
@ -335,16 +325,6 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
// Notify all other MinIO peers to reload user.
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadGroup(group) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
} }
// SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled] // SetUserStatus - PUT /minio/admin/v3/set-user-status?accessKey=<access_key>&status=[enabled|disabled]
@ -372,16 +352,6 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
// Notify all other MinIO peers to reload user.
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
} }
// AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key> // AddUser - PUT /minio/admin/v3/add-user?accessKey=<access_key>
@ -482,16 +452,6 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
// Notify all other Minio peers to reload user
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
} }
// AddServiceAccount - PUT /minio/admin/v3/add-service-account // AddServiceAccount - PUT /minio/admin/v3/add-service-account
@ -647,16 +607,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return return
} }
// Notify all other Minio peers to reload user the service account
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
// Call hook for cluster-replication. // Call hook for cluster-replication.
// //
// FIXME: This wont work in an OpenID situation as the parent credential // FIXME: This wont work in an OpenID situation as the parent credential
@ -788,16 +738,6 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
return return
} }
// Notify all other Minio peers to reload user the service account
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
// Call site replication hook. Only LDAP accounts are supported for // Call site replication hook. Only LDAP accounts are supported for
// replication operations. // replication operations.
svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, accessKey) svcAccClaims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, accessKey)
@ -1375,19 +1315,11 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ
vars := mux.Vars(r) vars := mux.Vars(r)
policyName := vars["name"] policyName := vars["name"]
if err := globalIAMSys.DeletePolicy(ctx, policyName); err != nil { if err := globalIAMSys.DeletePolicy(ctx, policyName, true); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
} }
// Notify all other MinIO peers to delete policy
for _, nerr := range globalNotificationSys.DeletePolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
// Call cluster-replication policy creation hook to replicate policy deletion to // Call cluster-replication policy creation hook to replicate policy deletion to
// other minio clusters. // other minio clusters.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
@ -1448,16 +1380,6 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
return return
} }
// Notify all other MinIO peers to reload policy
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
// Call cluster-replication policy creation hook to replicate policy to // Call cluster-replication policy creation hook to replicate policy to
// other minio clusters. // other minio clusters.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
@ -1503,16 +1425,6 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
return return
} }
// Notify all other MinIO peers to reload policy
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemPolicyMapping, Type: madmin.SRIAMItemPolicyMapping,
PolicyMapping: &madmin.SRPolicyMapping{ PolicyMapping: &madmin.SRPolicyMapping{

View File

@ -74,7 +74,7 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
// Setup admin mgmt REST API handlers. // Setup admin mgmt REST API handlers.
adminRouter := mux.NewRouter() adminRouter := mux.NewRouter()

View File

@ -369,7 +369,7 @@ func TestIsReqAuthenticated(t *testing.T) {
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
creds, err := auth.CreateCredentials("myuser", "mypassword") creds, err := auth.CreateCredentials("myuser", "mypassword")
if err != nil { if err != nil {
@ -459,7 +459,7 @@ func TestValidateAdminSignature(t *testing.T) {
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
creds, err := auth.CreateCredentials("admin", "mypassword") creds, err := auth.CreateCredentials("admin", "mypassword")
if err != nil { if err != nil {

View File

@ -308,7 +308,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system") logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
} }
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval) go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalNotificationSys, globalRefreshIAMInterval)
if globalCacheConfig.Enabled { if globalCacheConfig.Enabled {
// initialize the new disk cache objects. // initialize the new disk cache objects.

View File

@ -65,6 +65,7 @@ type IAMSys struct {
sync.Mutex sync.Mutex
iamRefreshInterval time.Duration iamRefreshInterval time.Duration
notificationSys *NotificationSys
usersSysType UsersSysType usersSysType UsersSysType
@ -197,11 +198,12 @@ func (sys *IAMSys) Load(ctx context.Context) error {
} }
// Init - initializes config system by reading entries from config/iam // Init - initializes config system by reading entries from config/iam
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client, iamRefreshInterval time.Duration) { func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client, nSys *NotificationSys, iamRefreshInterval time.Duration) {
sys.Lock() sys.Lock()
defer sys.Unlock() defer sys.Unlock()
sys.iamRefreshInterval = iamRefreshInterval sys.iamRefreshInterval = iamRefreshInterval
sys.notificationSys = nSys
// Initialize IAM store // Initialize IAM store
sys.initStore(objAPI, etcdClient) sys.initStore(objAPI, etcdClient)
@ -451,12 +453,29 @@ func (sys *IAMSys) GetRolePolicy(arnStr string) (string, error) {
} }
// DeletePolicy - deletes a canned policy from backend or etcd. // DeletePolicy - deletes a canned policy from backend or etcd.
func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error { func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string, notifyPeers bool) error {
if !sys.Initialized() { if !sys.Initialized() {
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.DeletePolicy(ctx, policyName) err := sys.store.DeletePolicy(ctx, policyName)
if err != nil {
return err
}
if !notifyPeers || sys.HasWatcher() {
return nil
}
// Notify all other MinIO peers to delete policy
for _, nerr := range sys.notificationSys.DeletePolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
return nil
} }
// InfoPolicy - expands the canned policy into its JSON structure. // InfoPolicy - expands the canned policy into its JSON structure.
@ -485,7 +504,21 @@ func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.SetPolicy(ctx, policyName, p) err := sys.store.SetPolicy(ctx, policyName, p)
if err != nil {
return err
}
if !sys.HasWatcher() {
// Notify all other MinIO peers to reload policy
for _, nerr := range sys.notificationSys.LoadPolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
return nil
} }
// DeleteUser - delete user (only for long-term users not STS users). // DeleteUser - delete user (only for long-term users not STS users).
@ -509,6 +542,18 @@ func (sys *IAMSys) CurrentPolicies(policyName string) string {
return policies return policies
} }
func (sys *IAMSys) notifyForUser(ctx context.Context, accessKey string, isTemp bool) {
// Notify all other MinIO peers to reload user.
if !sys.HasWatcher() {
for _, nerr := range sys.notificationSys.LoadUser(accessKey, isTemp) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
}
// SetTempUser - set temporary user credentials, these credentials have an expiry. // SetTempUser - set temporary user credentials, these credentials have an expiry.
func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error { func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error {
if !sys.Initialized() { if !sys.Initialized() {
@ -520,7 +565,13 @@ func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.
policyName = "" policyName = ""
} }
return sys.store.SetTempUser(ctx, accessKey, cred, policyName) err := sys.store.SetTempUser(ctx, accessKey, cred, policyName)
if err != nil {
return err
}
sys.notifyForUser(ctx, cred.AccessKey, true)
return nil
} }
// ListBucketUsers - list all users who can access this 'bucket' // ListBucketUsers - list all users who can access this 'bucket'
@ -606,7 +657,25 @@ func (sys *IAMSys) SetUserStatus(ctx context.Context, accessKey string, status m
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.SetUserStatus(ctx, accessKey, status) err := sys.store.SetUserStatus(ctx, accessKey, status)
if err != nil {
return err
}
sys.notifyForUser(ctx, accessKey, false)
return nil
}
func (sys *IAMSys) notifyForServiceAccount(ctx context.Context, accessKey string) {
// Notify all other Minio peers to reload the service account
if !sys.HasWatcher() {
for _, nerr := range sys.notificationSys.LoadServiceAccount(accessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
} }
type newServiceAccountOpts struct { type newServiceAccountOpts struct {
@ -687,6 +756,8 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
if err != nil { if err != nil {
return auth.Credentials{}, err return auth.Credentials{}, err
} }
sys.notifyForServiceAccount(ctx, cred.AccessKey)
return cred, nil return cred, nil
} }
@ -702,7 +773,13 @@ func (sys *IAMSys) UpdateServiceAccount(ctx context.Context, accessKey string, o
return errServerNotInitialized return errServerNotInitialized
} }
return sys.store.UpdateServiceAccount(ctx, accessKey, opts) err := sys.store.UpdateServiceAccount(ctx, accessKey, opts)
if err != nil {
return err
}
sys.notifyForServiceAccount(ctx, accessKey)
return nil
} }
// ListServiceAccounts - lists all services accounts associated to a specific user // ListServiceAccounts - lists all services accounts associated to a specific user
@ -807,7 +884,13 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmi
return auth.ErrInvalidSecretKeyLength return auth.ErrInvalidSecretKeyLength
} }
return sys.store.AddUser(ctx, accessKey, uinfo) err := sys.store.AddUser(ctx, accessKey, uinfo)
if err != nil {
return err
}
sys.notifyForUser(ctx, accessKey, false)
return nil
} }
// SetUserSecretKey - sets user secret key // SetUserSecretKey - sets user secret key
@ -981,6 +1064,18 @@ func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Cre
return cred, ok && cred.IsValid() return cred, ok && cred.IsValid()
} }
// Notify all other MinIO peers to load group.
func (sys *IAMSys) notifyForGroup(ctx context.Context, group string) {
if !sys.HasWatcher() {
for _, nerr := range sys.notificationSys.LoadGroup(group) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
}
// AddUsersToGroup - adds users to a group, creating the group if // AddUsersToGroup - adds users to a group, creating the group if
// needed. No error if user(s) already are in the group. // needed. No error if user(s) already are in the group.
func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error { func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error {
@ -992,7 +1087,13 @@ func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.AddUsersToGroup(ctx, group, members) err := sys.store.AddUsersToGroup(ctx, group, members)
if err != nil {
return err
}
sys.notifyForGroup(ctx, group)
return nil
} }
// RemoveUsersFromGroup - remove users from group. If no users are // RemoveUsersFromGroup - remove users from group. If no users are
@ -1006,7 +1107,13 @@ func (sys *IAMSys) RemoveUsersFromGroup(ctx context.Context, group string, membe
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.RemoveUsersFromGroup(ctx, group, members) err := sys.store.RemoveUsersFromGroup(ctx, group, members)
if err != nil {
return err
}
sys.notifyForGroup(ctx, group)
return nil
} }
// SetGroupStatus - enable/disabled a group // SetGroupStatus - enable/disabled a group
@ -1019,7 +1126,13 @@ func (sys *IAMSys) SetGroupStatus(ctx context.Context, group string, enabled boo
return errIAMActionNotAllowed return errIAMActionNotAllowed
} }
return sys.store.SetGroupStatus(ctx, group, enabled) err := sys.store.SetGroupStatus(ctx, group, enabled)
if err != nil {
return err
}
sys.notifyForGroup(ctx, group)
return nil
} }
// GetGroupDescription - builds up group description // GetGroupDescription - builds up group description
@ -1054,7 +1167,22 @@ func (sys *IAMSys) PolicyDBSet(ctx context.Context, name, policy string, isGroup
userType = stsUser userType = stsUser
} }
return sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup) err := sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup)
if err != nil {
return nil
}
// Notify all other MinIO peers to reload policy
if !sys.HasWatcher() {
for _, nerr := range sys.notificationSys.LoadPolicyMapping(name, isGroup) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
return nil
} }
// PolicyDBGet - gets policy set on a user or group. If a list of groups is // PolicyDBGet - gets policy set on a user or group. If a list of groups is

View File

@ -78,7 +78,7 @@ func (s *peerRESTServer) DeletePolicyHandler(w http.ResponseWriter, r *http.Requ
return return
} }
if err := globalIAMSys.DeletePolicy(r.Context(), policyName); err != nil { if err := globalIAMSys.DeletePolicy(r.Context(), policyName, false); err != nil {
s.writeErrorResponse(w, err) s.writeErrorResponse(w, err)
return return
} }

View File

@ -568,7 +568,7 @@ func serverMain(ctx *cli.Context) {
globalSiteReplicationSys.Init(GlobalContext, newObject) globalSiteReplicationSys.Init(GlobalContext, newObject)
// Initialize users credentials and policies in background right after config has initialized. // Initialize users credentials and policies in background right after config has initialized.
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval) go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalNotificationSys, globalRefreshIAMInterval)
// Initialize transition tier configuration manager // Initialize transition tier configuration manager
if globalIsErasure { if globalIsErasure {

View File

@ -46,7 +46,7 @@ func TestCheckValid(t *testing.T) {
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil) req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
if err != nil { if err != nil {

View File

@ -370,16 +370,6 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, sites []madmin
return madmin.ReplicateAddStatus{}, errSRServiceAccount(fmt.Errorf("unable to create local service account: %w", err)) return madmin.ReplicateAddStatus{}, errSRServiceAccount(fmt.Errorf("unable to create local service account: %w", err))
} }
// Notify all other Minio peers to reload user the service account
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
joinReq := madmin.SRInternalJoinReq{ joinReq := madmin.SRInternalJoinReq{
SvcAcctAccessKey: svcCred.AccessKey, SvcAcctAccessKey: svcCred.AccessKey,
SvcAcctSecretKey: svcCred.SecretKey, SvcAcctSecretKey: svcCred.SecretKey,
@ -473,7 +463,7 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
return errSRInvalidRequest(errSRSelfNotFound) return errSRInvalidRequest(errSRSelfNotFound)
} }
svcCred, err := globalIAMSys.NewServiceAccount(ctx, arg.SvcAcctParent, nil, newServiceAccountOpts{ _, err := globalIAMSys.NewServiceAccount(ctx, arg.SvcAcctParent, nil, newServiceAccountOpts{
accessKey: arg.SvcAcctAccessKey, accessKey: arg.SvcAcctAccessKey,
secretKey: arg.SvcAcctSecretKey, secretKey: arg.SvcAcctSecretKey,
}) })
@ -481,16 +471,6 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
return errSRServiceAccount(fmt.Errorf("unable to create service account on %s: %v", ourName, err)) return errSRServiceAccount(fmt.Errorf("unable to create service account on %s: %v", ourName, err))
} }
// Notify all other Minio peers to reload the service account
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
state := srState{ state := srState{
Name: ourName, Name: ourName,
Peers: arg.Peers, Peers: arg.Peers,
@ -947,34 +927,13 @@ func (c *SiteReplicationSys) IAMChangeHook(ctx context.Context, item madmin.SRIA
func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error { func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error {
var err error var err error
if p == nil { if p == nil {
err = globalIAMSys.DeletePolicy(ctx, policyName) err = globalIAMSys.DeletePolicy(ctx, policyName, true)
} else { } else {
err = globalIAMSys.SetPolicy(ctx, policyName, *p) err = globalIAMSys.SetPolicy(ctx, policyName, *p)
} }
if err != nil { if err != nil {
return wrapSRErr(err) return wrapSRErr(err)
} }
if p != nil {
if !globalIAMSys.HasWatcher() {
// Notify all other MinIO peers to reload policy
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
return nil
}
// Notify all other MinIO peers to delete policy
for _, nerr := range globalNotificationSys.DeletePolicy(policyName) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
return nil return nil
} }
@ -997,20 +956,11 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
sessionPolicy: sp, sessionPolicy: sp,
claims: change.Create.Claims, claims: change.Create.Claims,
} }
newCred, err := globalIAMSys.NewServiceAccount(ctx, change.Create.Parent, change.Create.Groups, opts) _, err = globalIAMSys.NewServiceAccount(ctx, change.Create.Parent, change.Create.Groups, opts)
if err != nil { if err != nil {
return wrapSRErr(err) return wrapSRErr(err)
} }
// Notify all other Minio peers to reload the service account
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
case change.Update != nil: case change.Update != nil:
var sp *iampolicy.Policy var sp *iampolicy.Policy
var err error var err error
@ -1031,16 +981,6 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
return wrapSRErr(err) return wrapSRErr(err)
} }
// Notify all other Minio peers to reload the service account
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
case change.Delete != nil: case change.Delete != nil:
err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey) err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey)
if err != nil { if err != nil {
@ -1065,16 +1005,6 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
if err != nil { if err != nil {
return wrapSRErr(err) return wrapSRErr(err)
} }
// Notify all other MinIO peers to reload policy
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
return nil return nil
} }
@ -1120,16 +1050,6 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
return fmt.Errorf("unable to save STS credential: %v", err) return fmt.Errorf("unable to save STS credential: %v", err)
} }
// Notify in-cluster peers to reload temp users.
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
return nil return nil
} }

View File

@ -282,16 +282,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
return return
} }
// Notify all other MinIO peers to reload temp users
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
assumeRoleResponse := &AssumeRoleResponse{ assumeRoleResponse := &AssumeRoleResponse{
Result: AssumeRoleResult{ Result: AssumeRoleResult{
Credentials: cred, Credentials: cred,
@ -501,16 +491,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
return return
} }
// Notify all other MinIO peers to reload temp users
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
var encodedSuccessResponse []byte var encodedSuccessResponse []byte
switch action { switch action {
case clientGrants: case clientGrants:
@ -667,16 +647,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
return return
} }
// Notify all other MinIO peers to reload temp users
if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
}
// Call hook for cluster-replication. // Call hook for cluster-replication.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{ if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc, Type: madmin.SRIAMItemSTSAcc,

View File

@ -359,7 +359,7 @@ func initTestServerWithBackend(ctx context.Context, t TestErrHandler, testServer
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
return testServer return testServer
} }
@ -1523,7 +1523,7 @@ func initAPIHandlerTest(ctx context.Context, obj ObjectLayer, endpoints []string
initConfigSubsystem(ctx, obj) initConfigSubsystem(ctx, obj)
globalIAMSys.Init(ctx, obj, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, obj, globalEtcdClient, globalNotificationSys, 2*time.Second)
// get random bucket name. // get random bucket name.
bucketName := getRandomBucketName() bucketName := getRandomBucketName()
@ -1809,7 +1809,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
t.Fatal("Unexpected error", err) t.Fatal("Unexpected error", err)
} }
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
// Executing the object layer tests for single node setup. // Executing the object layer tests for single node setup.
objTest(objLayer, FSTestStr, t) objTest(objLayer, FSTestStr, t)
@ -1834,7 +1834,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
} }
setObjectLayer(objLayer) setObjectLayer(objLayer)
initConfigSubsystem(ctx, objLayer) initConfigSubsystem(ctx, objLayer)
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second) globalIAMSys.Init(ctx, objLayer, globalEtcdClient, globalNotificationSys, 2*time.Second)
// Executing the object layer tests for Erasure. // Executing the object layer tests for Erasure.
objTest(objLayer, ErasureTestStr, t) objTest(objLayer, ErasureTestStr, t)