diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index e478bbba0..623b8e4bf 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -58,18 +58,10 @@ func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
 return
 }
- if err := globalIAMSys.DeleteUser(ctx, accessKey); err != nil {
+ if err := globalIAMSys.DeleteUser(ctx, accessKey, true); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
-
- // Notify all other MinIO peers to delete user.
- for _, nerr := range globalNotificationSys.DeleteUser(accessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
- }
- }
 }
 // ListUsers - GET /minio/admin/v3/list-users?bucket={bucket}
@@ -978,17 +970,11 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re
 return
 }
- err = globalIAMSys.DeleteServiceAccount(ctx, serviceAccount)
+ err = globalIAMSys.DeleteServiceAccount(ctx, serviceAccount, true)
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
- for _, nerr := range globalNotificationSys.DeleteServiceAccount(serviceAccount) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
- }
- }
 // Call site replication hook. Only LDAP accounts are supported for
 // replication operations.
diff --git a/cmd/iam.go b/cmd/iam.go
index f1a2fc552..48a5fe3f7 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
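Review bot: The new third argument in `globalIAMSys.DeleteUser(ctx, accessKey, true)` is a bare boolean whose meaning is invisible at the call site, and the same applies to `DeleteServiceAccount(ctx, serviceAccount, true)` in the next hunk, the two `false` calls in cmd/peer-rest-server.go and the `true` in cmd/site-replication.go. A reader of the peer handlers cannot tell from the call alone that `false` is presumably what stops a peer-originated delete from being re-broadcast. Either make the argument self-describing at each call site, e.g. `globalIAMSys.DeleteUser(ctx, accessKey, true /* notifyPeers */)`, or put a one-line why-comment above the peer-side calls such as `// Peer-originated delete: do not re-broadcast to other peers.`. RemoveUser's body begins before this hunk.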
@@ -536,12 +536,26 @@ func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy
 }
 // DeleteUser - delete user (only for long-term users not STS users).
-func (sys *IAMSys) DeleteUser(ctx context.Context, accessKey string) error {
+func (sys *IAMSys) DeleteUser(ctx context.Context, accessKey string, notifyPeers bool) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.DeleteUser(ctx, accessKey, regUser)
+ if err := sys.store.DeleteUser(ctx, accessKey, regUser); err != nil {
+ return err
+ }
+
+ // Notify all other MinIO peers to delete user.
+ if notifyPeers && !sys.HasWatcher() {
+ for _, nerr := range sys.notificationSys.DeleteUser(accessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
+ }
+ }
+
+ return nil
 }
 // CurrentPolicies - returns comma separated policy string, from
@@ -912,7 +926,7 @@ func (sys *IAMSys) GetClaimsForSvcAcc(ctx context.Context, accessKey string) (ma
 }
 // DeleteServiceAccount - delete a service account
-func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) error {
+func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string, notifyPeers bool) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -922,7 +936,20 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
 return nil
 }
- return sys.store.DeleteUser(ctx, accessKey, svcUser)
+ if err := sys.store.DeleteUser(ctx, accessKey, svcUser); err != nil {
+ return err
+ }
+
+ if notifyPeers && !sys.HasWatcher() {
+ for _, nerr := range sys.notificationSys.DeleteServiceAccount(accessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
+ }
+ }
+
+ return nil
 }
 // CreateUser - create new user credentials and policy, if user already exists
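Review bot: The doc comment above `DeleteUser` was not updated for the new `notifyPeers` parameter, nor for the fact that peer-notification errors are only logged while the function still returns nil; the `DeleteServiceAccount` comment in the next hunk has the same gap. Note also that the broadcast is now gated on `!sys.HasWatcher()`, whereas the handler code removed in cmd/admin-handlers-users.go notified peers unconditionally; with a watcher configured, other nodes presumably learn of the deletion only through the watch, so if that lags or drops the event they may keep accepting the deleted credential until their next reload — worth confirming that this revocation latency is intended. Suggested comment: `// DeleteUser - delete user (only for long-term users not STS users). When notifyPeers is set and no store watcher is configured, other peers are asked to drop the user; peer notification failures are logged, not returned.`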
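Review bot: The peer-notification loop added at the end of `DeleteServiceAccount` is identical to the loop added to `DeleteUser` earlier in this file except for the `notificationSys` method called; the two should share a small helper so the peer-address tagging and logging cannot drift apart. DeleteServiceAccount's signature and its early `return nil` sit in the previous hunk, so the function starts outside this one. The sketch below assumes the peer-error slice element type is the one both `notificationSys.DeleteUser` and `DeleteServiceAccount` already return; confirm the name against cmd/notification.go before applying.
```go
	// … unchanged: store.DeleteUser call and error return …

	if notifyPeers && !sys.HasWatcher() {
		logPeerErrs(ctx, sys.notificationSys.DeleteServiceAccount(accessKey))
	}

	return nil
}

// logPeerErrs logs each failed peer notification, tagged with the peer's
// address. Peer failures are best-effort and are never returned to the caller.
func logPeerErrs(ctx context.Context, nerrs []NotificationPeerErr) { // element type: confirm against cmd/notification.go
	for _, nerr := range nerrs {
		if nerr.Err != nil {
			logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
			logger.LogIf(ctx, nerr.Err)
		}
	}
}
```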
diff --git a/cmd/peer-rest-server.go b/cmd/peer-rest-server.go
index d25d509c7..8973a3efa 100644
--- a/cmd/peer-rest-server.go
+++ b/cmd/peer-rest-server.go
@@ -157,7 +157,7 @@ func (s *peerRESTServer) DeleteServiceAccountHandler(w http.ResponseWriter, r *h
 return
 }
- if err := globalIAMSys.DeleteServiceAccount(r.Context(), accessKey); err != nil {
+ if err := globalIAMSys.DeleteServiceAccount(r.Context(), accessKey, false); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -209,7 +209,7 @@ func (s *peerRESTServer) DeleteUserHandler(w http.ResponseWriter, r *http.Reques
 return
 }
- if err := globalIAMSys.DeleteUser(r.Context(), accessKey); err != nil {
+ if err := globalIAMSys.DeleteUser(r.Context(), accessKey, false); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
diff --git a/cmd/site-replication.go b/cmd/site-replication.go
index 0e2f41ffd..c84455feb 100644
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@@ -1080,18 +1080,11 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
 }
 case change.Delete != nil:
- err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey)
+ err := globalIAMSys.DeleteServiceAccount(ctx, change.Delete.AccessKey, true)
 if err != nil {
 return wrapSRErr(err)
 }
- for _, nerr := range globalNotificationSys.DeleteServiceAccount(change.Delete.AccessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
- }
- }
-
 }
 return nil