For IAM with etcd backend, avoid sending notifications (#13472)
As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway. Bonus: Remove globalEtcdClient global usage in IAM
This commit is contained in:
parent
c57ff2640e
commit
5f1af8a69d
@ -242,10 +242,12 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to load group.
|
// Notify all other MinIO peers to load group.
|
||||||
for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -334,10 +336,12 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload user.
|
// Notify all other MinIO peers to reload user.
|
||||||
for _, nerr := range globalNotificationSys.LoadGroup(group) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadGroup(group) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -369,10 +373,12 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload user.
|
// Notify all other MinIO peers to reload user.
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -477,10 +483,12 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user
|
// Notify all other Minio peers to reload user
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -623,10 +631,12 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user the service account
|
// Notify all other Minio peers to reload user the service account
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -762,10 +772,12 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user the service account
|
// Notify all other Minio peers to reload user the service account
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1422,10 +1434,12 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload policy
|
// Notify all other MinIO peers to reload policy
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1475,10 +1489,12 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload policy
|
// Notify all other MinIO peers to reload policy
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
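Review bot: The new `if !globalIAMSys.HasWatcher() { for _, nerr := range globalNotificationSys.Load...(...) { ... } }` wrapper is pasted verbatim into eight handlers in this file (UpdateGroupMembers through SetPolicyForUserOrGroup) and again in the SiteReplicationSys and stsAPIHandlers hunks, so the next tweak to the gating condition or the logging has to be made in roughly seventeen places. A small per-entity helper keeps the HasWatcher decision in one spot and turns each call site into a single line such as `notifyPeersLoadUser(ctx, accessKey, false)`; the same shape works for LoadGroup, LoadPolicy, LoadPolicyMapping and LoadServiceAccount. The enclosing handler bodies start and end outside these hunks, so the helper has to be placed at file scope.
```go
// notifyPeersLoadUser asks the other cluster peers to reload a user. When the
// IAM store receives changes through its own watcher (the etcd backend), the
// peer reload RPCs are redundant and are skipped.
func notifyPeersLoadUser(ctx context.Context, accessKey string, temp bool) {
	if globalIAMSys.HasWatcher() {
		return
	}
	for _, nerr := range globalNotificationSys.LoadUser(accessKey, temp) {
		if nerr.Err != nil {
			logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
			logger.LogIf(ctx, nerr.Err)
		}
	}
}
```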
|
@ -73,7 +73,7 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro
|
|||||||
|
|
||||||
initAllSubsystems(ctx, objLayer)
|
initAllSubsystems(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
// Setup admin mgmt REST API handlers.
|
// Setup admin mgmt REST API handlers.
|
||||||
adminRouter := mux.NewRouter()
|
adminRouter := mux.NewRouter()
|
||||||
|
@ -366,7 +366,7 @@ func TestIsReqAuthenticated(t *testing.T) {
|
|||||||
|
|
||||||
initAllSubsystems(context.Background(), objLayer)
|
initAllSubsystems(context.Background(), objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
creds, err := auth.CreateCredentials("myuser", "mypassword")
|
creds, err := auth.CreateCredentials("myuser", "mypassword")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -457,7 +457,7 @@ func TestValidateAdminSignature(t *testing.T) {
|
|||||||
|
|
||||||
initAllSubsystems(context.Background(), objLayer)
|
initAllSubsystems(context.Background(), objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
creds, err := auth.CreateCredentials("admin", "mypassword")
|
creds, err := auth.CreateCredentials("admin", "mypassword")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -306,7 +306,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
|
|||||||
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
|
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
|
||||||
}
|
}
|
||||||
|
|
||||||
go globalIAMSys.Init(GlobalContext, newObject)
|
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient)
|
||||||
|
|
||||||
if globalCacheConfig.Enabled {
|
if globalCacheConfig.Enabled {
|
||||||
// initialize the new disk cache objects.
|
// initialize the new disk cache objects.
|
||||||
|
@ -65,8 +65,8 @@ type IAMEtcdStore struct {
|
|||||||
client *etcd.Client
|
client *etcd.Client
|
||||||
}
|
}
|
||||||
|
|
||||||
func newIAMEtcdStore() *IAMEtcdStore {
|
func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
|
||||||
return &IAMEtcdStore{client: globalEtcdClient}
|
return &IAMEtcdStore{client: client}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) lock() {
|
func (ies *IAMEtcdStore) lock() {
|
||||||
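Review bot: newIAMEtcdStore gains a parameter but still has no doc comment, and nothing at the constructor says who is responsible for the nil check. Since InitStore only reaches `newIAMEtcdStore(etcdClient)` in the branch where `etcdClient != nil` (the nil case falls through to the object or dummy store), I would record that contract here: `// newIAMEtcdStore returns an IAM store backed by client. Callers must pass a non-nil client; InitStore selects this store only when an etcd client is configured.`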
|
134
cmd/iam.go
134
cmd/iam.go
@ -36,6 +36,7 @@ import (
|
|||||||
"github.com/minio/minio/internal/auth"
|
"github.com/minio/minio/internal/auth"
|
||||||
"github.com/minio/minio/internal/logger"
|
"github.com/minio/minio/internal/logger"
|
||||||
iampolicy "github.com/minio/pkg/iam/policy"
|
iampolicy "github.com/minio/pkg/iam/policy"
|
||||||
|
etcd "go.etcd.io/etcd/client/v3"
|
||||||
)
|
)
|
||||||
|
|
||||||
// UsersSysType - defines the type of users and groups system that is
|
// UsersSysType - defines the type of users and groups system that is
|
||||||
@ -299,11 +300,6 @@ func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error {
|
|||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalEtcdClient != nil {
|
|
||||||
// Watch APIs cover this case, so nothing to do.
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
@ -343,12 +339,7 @@ func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error {
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
|
||||||
return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
|
|
||||||
}
|
|
||||||
|
|
||||||
// When etcd is set, we use watch APIs so this code is not needed.
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// LoadPolicyMapping - loads the mapped policy for a user or group
|
// LoadPolicyMapping - loads the mapped policy for a user or group
|
||||||
@ -361,33 +352,30 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
var err error
|
||||||
var err error
|
userType := regUser
|
||||||
userType := regUser
|
if sys.usersSysType == LDAPUsersSysType {
|
||||||
if sys.usersSysType == LDAPUsersSysType {
|
userType = stsUser
|
||||||
userType = stsUser
|
}
|
||||||
}
|
|
||||||
|
|
||||||
|
if isGroup {
|
||||||
|
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamGroupPolicyMap)
|
||||||
|
} else {
|
||||||
|
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamUserPolicyMap)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err == errNoSuchPolicy {
|
||||||
if isGroup {
|
if isGroup {
|
||||||
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamGroupPolicyMap)
|
delete(sys.iamGroupPolicyMap, userOrGroup)
|
||||||
} else {
|
} else {
|
||||||
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamUserPolicyMap)
|
delete(sys.iamUserPolicyMap, userOrGroup)
|
||||||
}
|
|
||||||
|
|
||||||
if err == errNoSuchPolicy {
|
|
||||||
if isGroup {
|
|
||||||
delete(sys.iamGroupPolicyMap, userOrGroup)
|
|
||||||
} else {
|
|
||||||
delete(sys.iamUserPolicyMap, userOrGroup)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// Ignore policy not mapped error
|
|
||||||
if err != nil && err != errNoSuchPolicy {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// When etcd is set, we use watch APIs so this code is not needed.
|
// Ignore policy not mapped error
|
||||||
return nil
|
if err == errNoSuchPolicy {
|
||||||
|
err = nil
|
||||||
|
}
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// LoadUser - reloads a specific user from backend disks or etcd.
|
// LoadUser - reloads a specific user from backend disks or etcd.
|
||||||
@ -399,34 +387,34 @@ func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUs
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap)
|
||||||
err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap)
|
if err != nil {
|
||||||
if err != nil {
|
return err
|
||||||
return err
|
}
|
||||||
}
|
err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap)
|
||||||
err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap)
|
// Ignore policy not mapped error
|
||||||
// Ignore policy not mapped error
|
if err == errNoSuchPolicy {
|
||||||
if err != nil && err != errNoSuchPolicy {
|
err = nil
|
||||||
return err
|
}
|
||||||
}
|
if err != nil {
|
||||||
// We are on purpose not persisting the policy map for parent
|
return err
|
||||||
// user, although this is a hack, it is a good enough hack
|
}
|
||||||
// at this point in time - we need to overhaul our OIDC
|
// We are on purpose not persisting the policy map for parent
|
||||||
// usage with service accounts with a more cleaner implementation
|
// user, although this is a hack, it is a good enough hack
|
||||||
//
|
// at this point in time - we need to overhaul our OIDC
|
||||||
// This mapping is necessary to ensure that valid credentials
|
// usage with service accounts with a more cleaner implementation
|
||||||
// have necessary ParentUser present - this is mainly for only
|
//
|
||||||
// webIdentity based STS tokens.
|
// This mapping is necessary to ensure that valid credentials
|
||||||
cred, ok := sys.iamUsersMap[accessKey]
|
// have necessary ParentUser present - this is mainly for only
|
||||||
if ok {
|
// webIdentity based STS tokens.
|
||||||
if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
|
cred, ok := sys.iamUsersMap[accessKey]
|
||||||
if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
|
if ok {
|
||||||
sys.iamUserPolicyMap[cred.ParentUser] = sys.iamUserPolicyMap[accessKey]
|
if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
|
||||||
}
|
if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
|
||||||
|
sys.iamUserPolicyMap[cred.ParentUser] = sys.iamUserPolicyMap[accessKey]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// When etcd is set, we use watch APIs so this code is not needed.
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -439,14 +427,7 @@ func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
return sys.store.loadUser(context.Background(), accessKey, svcUser, sys.iamUsersMap)
|
||||||
err := sys.store.loadUser(context.Background(), accessKey, svcUser, sys.iamUsersMap)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// When etcd is set, we use watch APIs so this code is not needed.
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Perform IAM configuration migration.
|
// Perform IAM configuration migration.
|
||||||
@ -455,18 +436,18 @@ func (sys *IAMSys) doIAMConfigMigration(ctx context.Context) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// InitStore initializes IAM stores
|
// InitStore initializes IAM stores
|
||||||
func (sys *IAMSys) InitStore(objAPI ObjectLayer) {
|
func (sys *IAMSys) InitStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
|
||||||
sys.Lock()
|
sys.Lock()
|
||||||
defer sys.Unlock()
|
defer sys.Unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
if etcdClient == nil {
|
||||||
if globalIsGateway {
|
if globalIsGateway {
|
||||||
sys.store = &iamDummyStore{}
|
sys.store = &iamDummyStore{}
|
||||||
} else {
|
} else {
|
||||||
sys.store = newIAMObjectStore(objAPI)
|
sys.store = newIAMObjectStore(objAPI)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
sys.store = newIAMEtcdStore()
|
sys.store = newIAMEtcdStore(etcdClient)
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalLDAPConfig.Enabled {
|
if globalLDAPConfig.Enabled {
|
||||||
@ -584,9 +565,9 @@ func (sys *IAMSys) Load(ctx context.Context, store IAMStorageAPI) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Init - initializes config system by reading entries from config/iam
|
// Init - initializes config system by reading entries from config/iam
|
||||||
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
|
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client) {
|
||||||
// Initialize IAM store
|
// Initialize IAM store
|
||||||
sys.InitStore(objAPI)
|
sys.InitStore(objAPI, etcdClient)
|
||||||
|
|
||||||
retryCtx, cancel := context.WithCancel(ctx)
|
retryCtx, cancel := context.WithCancel(ctx)
|
||||||
|
|
||||||
@ -611,11 +592,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalEtcdClient != nil {
|
if etcdClient != nil {
|
||||||
// **** WARNING ****
|
// **** WARNING ****
|
||||||
// Migrating to encrypted backend on etcd should happen before initialization of
|
// Migrating to encrypted backend on etcd should happen before initialization of
|
||||||
// IAM sub-system, make sure that we do not move the above codeblock elsewhere.
|
// IAM sub-system, make sure that we do not move the above codeblock elsewhere.
|
||||||
if err := migrateIAMConfigsEtcdToEncrypted(retryCtx, globalEtcdClient); err != nil {
|
if err := migrateIAMConfigsEtcdToEncrypted(retryCtx, etcdClient); err != nil {
|
||||||
txnLk.Unlock(lkctx.Cancel)
|
txnLk.Unlock(lkctx.Cancel)
|
||||||
if errors.Is(err, errEtcdUnreachable) {
|
if errors.Is(err, errEtcdUnreachable) {
|
||||||
logger.Info("Connection to etcd timed out. Retrying..")
|
logger.Info("Connection to etcd timed out. Retrying..")
|
||||||
@ -685,6 +666,13 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
|
|||||||
go sys.watch(ctx)
|
go sys.watch(ctx)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// HasWatcher - returns if the IAM system has a watcher to be notified of
|
||||||
|
// changes.
|
||||||
|
func (sys *IAMSys) HasWatcher() bool {
|
||||||
|
_, ok := sys.store.(iamStorageWatcher)
|
||||||
|
return ok
|
||||||
|
}
|
||||||
|
|
||||||
func (sys *IAMSys) watch(ctx context.Context) {
|
func (sys *IAMSys) watch(ctx context.Context) {
|
||||||
watcher, ok := sys.store.(iamStorageWatcher)
|
watcher, ok := sys.store.(iamStorageWatcher)
|
||||||
if ok {
|
if ok {
|
||||||
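Review bot: HasWatcher reads `sys.store` without taking `sys.Lock()`, while InitStore assigns `sys.store` under `sys.Lock()`; since Init is started as `go globalIAMSys.Init(...)` in serverMain and StartGateway, an admin or STS request that arrives before InitStore has run sees a nil store, gets `false`, and sends exactly the peer notifications this commit means to suppress, and the read/write pair is also the kind of thing `-race` reports. I would guard the read, `sys.Lock(); defer sys.Unlock()` before the type assertion (or RLock/RUnlock if IAMSys's embedded mutex is an RWMutex, which is not visible in this hunk). The doc comment could also say what "watcher" means for callers, e.g. `// HasWatcher reports whether the configured IAM store learns of changes through its own watch mechanism (the etcd backend), in which case peers need no explicit reload notification.` The watch function that follows reads `sys.store` the same way, but it runs from Init after InitStore, so it is not affected.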
|
@ -570,7 +570,7 @@ func serverMain(ctx *cli.Context) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Initialize users credentials and policies in background right after config has initialized.
|
// Initialize users credentials and policies in background right after config has initialized.
|
||||||
go globalIAMSys.Init(GlobalContext, newObject)
|
go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient)
|
||||||
|
|
||||||
initDataScanner(GlobalContext, newObject)
|
initDataScanner(GlobalContext, newObject)
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@ func TestCheckValid(t *testing.T) {
|
|||||||
|
|
||||||
initAllSubsystems(context.Background(), objLayer)
|
initAllSubsystems(context.Background(), objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
|
req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -380,10 +380,12 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, sites []madmin
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload user the service account
|
// Notify all other Minio peers to reload user the service account
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -489,10 +491,12 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload the service account
|
// Notify all other Minio peers to reload the service account
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -961,11 +965,13 @@ func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyNam
|
|||||||
}
|
}
|
||||||
|
|
||||||
if p != nil {
|
if p != nil {
|
||||||
// Notify all other MinIO peers to reload policy
|
if !globalIAMSys.HasWatcher() {
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
|
// Notify all other MinIO peers to reload policy
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
@ -1006,10 +1012,12 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload the service account
|
// Notify all other Minio peers to reload the service account
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
case change.Update != nil:
|
case change.Update != nil:
|
||||||
@ -1033,10 +1041,12 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other Minio peers to reload the service account
|
// Notify all other Minio peers to reload the service account
|
||||||
for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1066,13 +1076,14 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload policy
|
// Notify all other MinIO peers to reload policy
|
||||||
for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1119,10 +1130,12 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify in-cluster peers to reload temp users.
|
// Notify in-cluster peers to reload temp users.
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -277,10 +277,12 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload temp users
|
// Notify all other MinIO peers to reload temp users
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -481,10 +483,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload temp users
|
// Notify all other MinIO peers to reload temp users
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -645,10 +649,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify all other MinIO peers to reload temp users
|
// Notify all other MinIO peers to reload temp users
|
||||||
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
if !globalIAMSys.HasWatcher() {
|
||||||
if nerr.Err != nil {
|
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
|
||||||
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
if nerr.Err != nil {
|
||||||
logger.LogIf(ctx, nerr.Err)
|
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
|
||||||
|
logger.LogIf(ctx, nerr.Err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -350,7 +350,7 @@ func UnstartedTestServer(t TestErrHandler, instanceType string) TestServer {
|
|||||||
|
|
||||||
initAllSubsystems(ctx, objLayer)
|
initAllSubsystems(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
return testServer
|
return testServer
|
||||||
}
|
}
|
||||||
@ -1470,7 +1470,7 @@ func newTestObjectLayer(ctx context.Context, endpointServerPools EndpointServerP
|
|||||||
|
|
||||||
initAllSubsystems(ctx, z)
|
initAllSubsystems(ctx, z)
|
||||||
|
|
||||||
globalIAMSys.InitStore(z)
|
globalIAMSys.InitStore(z, globalEtcdClient)
|
||||||
|
|
||||||
return z, nil
|
return z, nil
|
||||||
}
|
}
|
||||||
@ -1518,7 +1518,7 @@ func initAPIHandlerTest(obj ObjectLayer, endpoints []string) (string, http.Handl
|
|||||||
|
|
||||||
initAllSubsystems(context.Background(), obj)
|
initAllSubsystems(context.Background(), obj)
|
||||||
|
|
||||||
globalIAMSys.InitStore(obj)
|
globalIAMSys.InitStore(obj, globalEtcdClient)
|
||||||
|
|
||||||
// get random bucket name.
|
// get random bucket name.
|
||||||
bucketName := getRandomBucketName()
|
bucketName := getRandomBucketName()
|
||||||
@ -1808,7 +1808,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
|
|||||||
|
|
||||||
initAllSubsystems(ctx, objLayer)
|
initAllSubsystems(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
// Executing the object layer tests for single node setup.
|
// Executing the object layer tests for single node setup.
|
||||||
objTest(objLayer, FSTestStr, t)
|
objTest(objLayer, FSTestStr, t)
|
||||||
@ -1829,7 +1829,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
|
|||||||
|
|
||||||
initAllSubsystems(ctx, objLayer)
|
initAllSubsystems(ctx, objLayer)
|
||||||
|
|
||||||
globalIAMSys.InitStore(objLayer)
|
globalIAMSys.InitStore(objLayer, globalEtcdClient)
|
||||||
|
|
||||||
defer removeRoots(append(fsDirs, fsDir))
|
defer removeRoots(append(fsDirs, fsDir))
|
||||||
// Executing the object layer tests for Erasure.
|
// Executing the object layer tests for Erasure.
|
||||||
|
Loading…
Reference in New Issue
Block a user