fix: migrate users properly from older releases to newer (#12333)

2025-04-16 17:00:07 -04:00 · 2021-05-19 19:25:44 -07:00 · 2021-05-19 19:25:44 -07:00 · 6060b755c6
commit 6060b755c6
parent cfa94cc35c
3 changed files with 15 additions and 31 deletions
--- a/cmd/data-scanner.go
+++ b/cmd/data-scanner.go
@ -149,7 +149,6 @@ func runDataScanner(pctx context.Context, objAPI ObjectLayer) {
 			bf, err := globalNotificationSys.updateBloomFilter(ctx, nextBloomCycle)
 			logger.LogIf(ctx, err)
 			err = objAPI.NSScanner(ctx, bf, results)
 			close(results)
 			logger.LogIf(ctx, err)
 			if err == nil {
 				// Store new cycle...
--- a/cmd/erasure-server-pool.go
+++ b/cmd/erasure-server-pool.go
@ -408,6 +408,9 @@ func (z *erasureServerPools) StorageInfo(ctx context.Context) (StorageInfo, []er
 }
 func (z *erasureServerPools) NSScanner(ctx context.Context, bf *bloomFilter, updates chan<- madmin.DataUsageInfo) error {
 	// Updates must be closed before we return.
 	defer close(updates)
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
--- a/cmd/iam-object-store.go
+++ b/cmd/iam-object-store.go
@ -19,7 +19,6 @@ package cmd
 import (
 	"context"
 	"errors"
 	"path"
 	"strings"
 	"sync"
@ -76,12 +75,8 @@ func (iamOS *IAMObjectStore) runlock() {
 // location.
 //
 // 3. Migrate user identity json file to include version info.
-func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool) error {
+func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context) error {
 	basePrefix := iamConfigUsersPrefix
 	if isSTS {
 		basePrefix = iamConfigSTSPrefix
 	}
 	for item := range listIAMConfigItems(ctx, iamOS.objAPI, basePrefix) {
 		if item.Err != nil {
 			return item.Err
@ -110,9 +105,6 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
 			// 2. copy policy file to new location.
 			mp := newMappedPolicy(policyName)
 			userType := regularUser
 			if isSTS {
 				userType = stsUser
 			}
 			if err := iamOS.saveMappedPolicy(ctx, user, userType, false, mp); err != nil {
 				return err
 			}
@ -124,7 +116,9 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
 	next:
 		// 4. check if user identity has old format.
 		identityPath := pathJoin(basePrefix, user, iamIdentityFile)
-		var cred auth.Credentials
+		var cred = auth.Credentials{
 			AccessKey: user,
 		}
 		if err := iamOS.loadIAMConfig(ctx, &cred, identityPath); err != nil {
 			switch err {
 			case errConfigNotFound:
@ -138,15 +132,11 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
 		// If the file is already in the new format,
 		// then the parsed auth.Credentials will have
 		// the zero value for the struct.
-		var zeroCred auth.Credentials
+		if !cred.IsValid() {
 		if cred.Equal(zeroCred) {
 			// nothing to do
 			continue
 		}
 		// Found a id file in old format. Copy value
 		// into new format and save it.
 		cred.AccessKey = user
 		u := newUserIdentity(cred)
 		if err := iamOS.saveIAMConfig(ctx, u, identityPath); err != nil {
 			logger.LogIf(ctx, err)
@ -171,26 +161,18 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
 			// if IAM format
 			return err
 		}
 	} else {
 		if iamFmt.Version >= iamFormatVersion1 {
 			// Nothing to do.
 			return nil
 		}
 		// This case should not happen
 		// (i.e. Version is 0 or negative.)
 		return errors.New("got an invalid IAM format version")
 	}
-	// Migrate long-term users
+	if iamFmt.Version >= iamFormatVersion1 {
-	if err := iamOS.migrateUsersConfigToV1(ctx, false); err != nil {
+		// Nothing to do.
-		logger.LogIf(ctx, err)
+		return nil
-		return err
+	}
-	}
+
-	// Migrate STS users
+	if err := iamOS.migrateUsersConfigToV1(ctx); err != nil {
 	if err := iamOS.migrateUsersConfigToV1(ctx, true); err != nil {
 		logger.LogIf(ctx, err)
 		return err
 	}
 	// Save iam format to version 1.
 	if err := iamOS.saveIAMConfig(ctx, newIAMFormatVersion1(), path); err != nil {
 		logger.LogIf(ctx, err)