From 8859c92f80cb266a4fb6e86d9de1e22493635fe6 Mon Sep 17 00:00:00 2001
From: Poorna
Date: Fri, 20 May 2022 19:09:11 -0700
Subject: [PATCH] Relax site replication syncing of service accounts (#14955)

Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
---
 cmd/admin-handlers-users.go | 46 ++++++++++++++++++-------------------
 cmd/sts-handlers.go | 12 ++++------
 2 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index c1873cc15..5890ebb8a 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -677,29 +677,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 return
 }
 
- // Call hook for cluster-replication if the service account is not for a
- // root user.
- if newCred.ParentUser != globalActiveCred.AccessKey {
- err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
- Type: madmin.SRIAMItemSvcAcc,
- SvcAccChange: &madmin.SRSvcAccChange{
- Create: &madmin.SRSvcAccCreate{
- Parent: newCred.ParentUser,
- AccessKey: newCred.AccessKey,
- SecretKey: newCred.SecretKey,
- Groups: newCred.Groups,
- Claims: opts.claims,
- SessionPolicy: createReq.Policy,
- Status: auth.AccountOn,
- },
- },
- })
- if err != nil {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
- }
- }
-
 createResp := madmin.AddServiceAccountResp{
 Credentials: madmin.Credentials{
 AccessKey: newCred.AccessKey,
@@ -720,6 +697,29 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 }
 
 writeSuccessResponseJSON(w, encryptedData)
+
+ // Call hook for cluster-replication if the service account is not for a
+ // root user.
+ if newCred.ParentUser != globalActiveCred.AccessKey {
+ err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
+ Type: madmin.SRIAMItemSvcAcc,
+ SvcAccChange: &madmin.SRSvcAccChange{
+ Create: &madmin.SRSvcAccCreate{
+ Parent: newCred.ParentUser,
+ AccessKey: newCred.AccessKey,
+ SecretKey: newCred.SecretKey,
+ Groups: newCred.Groups,
+ Claims: opts.claims,
+ SessionPolicy: createReq.Policy,
+ Status: auth.AccountOn,
+ },
+ },
+ })
+ if err != nil {
+ logger.LogIf(ctx, err)
+ return
+ }
+ }
 }
 
 // UpdateServiceAccount - POST /minio/admin/v3/update-service-account
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 042365fe0..42fb2716c 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -284,8 +284,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 ParentUser: cred.ParentUser,
 },
 }); err != nil {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
+ logger.LogIf(ctx, err)
 }
 }
 
@@ -479,8 +478,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 ParentPolicyMapping: policyName,
 },
 }); err != nil {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
+ logger.LogIf(ctx, err)
 }
 
 var encodedSuccessResponse []byte
@@ -649,8 +647,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 ParentUser: cred.ParentUser,
 },
 }); err != nil {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
+ logger.LogIf(ctx, err)
 }
 
 ldapIdentityResponse := &AssumeRoleWithLDAPResponse{
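Review bot: The `return` after `logger.LogIf(ctx, err)` in the new error branch is dead code — the next line is the function's closing brace — so the branch can shrink to `if err != nil { logger.LogIf(ctx, err) }`, matching the form used in the sts-handlers.go hunks of this commit. Because a failed hook no longer reaches the client, the moved comment should state the new contract, e.g. append `// Replication failures are logged only; site replication healing is expected to reconcile the peer later.` Note that the hook still runs synchronously on the request goroutine after the response has been written, so `ctx` may already be cancelled if the client has hung up by then — presumably acceptable given the healing fallback, but worth confirming. AddServiceAccount starts outside the hunk.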
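Review bot: The new `logger.LogIf(ctx, err)` line records the error without identifying which STS credential failed to replicate, so an operator reading the log cannot tell which peer-side credential will be missing until healing catches up. Wrapping the error with the parent identity (never the secret key or session token) makes the entry actionable, e.g. `logger.LogIf(ctx, fmt.Errorf("site replication of STS credential for parent %q: %w", cred.ParentUser, err))`, assuming fmt is already imported in this file. The same applies to the hunks at -479 (AssumeRoleWithSSO), -649 (AssumeRoleWithLDAPIdentity) and -810 (AssumeRoleWithCertificate); -479 and -810 show `policyName` rather than `cred` in view, so use whatever identifier those functions hold. Each enclosing function starts and ends outside its hunk.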
@@ -810,8 +807,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 ParentPolicyMapping: policyName,
 },
 }); err != nil {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
- return
+ logger.LogIf(ctx, err)
 }
 
 response := new(AssumeRoleWithCertificateResponse)