MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-19 10:07:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Relax site replication syncing of service accounts (#14955)

Browse Source 
Synchronous replication of service/sts accounts can be relaxed
as site replication healing should catch up when peer clusters
are back online.
This commit is contained in:
Poorna 2022-05-20 19:09:11 -07:00 committed by GitHub
parent 01e5632949
commit 8859c92f80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
cmd/admin-handlers-users.go
View File

@ -677,29 +677,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
return return
} }
// Call hook for cluster-replication if the service account is not for a
// root user.
if newCred.ParentUser != globalActiveCred.AccessKey {
err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Create: &madmin.SRSvcAccCreate{
Parent: newCred.ParentUser,
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Groups: newCred.Groups,
Claims: opts.claims,
SessionPolicy: createReq.Policy,
Status: auth.AccountOn,
},
},
})
if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
}
createResp := madmin.AddServiceAccountResp{ createResp := madmin.AddServiceAccountResp{
Credentials: madmin.Credentials{ Credentials: madmin.Credentials{
AccessKey: newCred.AccessKey, AccessKey: newCred.AccessKey,
@ -720,6 +697,29 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
} }
writeSuccessResponseJSON(w, encryptedData) writeSuccessResponseJSON(w, encryptedData)
// Call hook for cluster-replication if the service account is not for a
// root user.
if newCred.ParentUser != globalActiveCred.AccessKey {
err = globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSvcAcc,
SvcAccChange: &madmin.SRSvcAccChange{
Create: &madmin.SRSvcAccCreate{
Parent: newCred.ParentUser,
AccessKey: newCred.AccessKey,
SecretKey: newCred.SecretKey,
Groups: newCred.Groups,
Claims: opts.claims,
SessionPolicy: createReq.Policy,
Status: auth.AccountOn,
},
},
})
if err != nil {
logger.LogIf(ctx, err)
return
}
}
} }
// UpdateServiceAccount - POST /minio/admin/v3/update-service-account // UpdateServiceAccount - POST /minio/admin/v3/update-service-account

12
cmd/sts-handlers.go
View File

@ -284,8 +284,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ParentUser: cred.ParentUser, ParentUser: cred.ParentUser,
}, },
}); err != nil { }); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) logger.LogIf(ctx, err)
return
} }
} }
@ -479,8 +478,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
ParentPolicyMapping: policyName, ParentPolicyMapping: policyName,
}, },
}); err != nil { }); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) logger.LogIf(ctx, err)
return
} }
var encodedSuccessResponse []byte var encodedSuccessResponse []byte
@ -649,8 +647,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
ParentUser: cred.ParentUser, ParentUser: cred.ParentUser,
}, },
}); err != nil { }); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) logger.LogIf(ctx, err)
return
} }
ldapIdentityResponse := &AssumeRoleWithLDAPResponse{ ldapIdentityResponse := &AssumeRoleWithLDAPResponse{
@ -810,8 +807,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
ParentPolicyMapping: policyName, ParentPolicyMapping: policyName,
}, },
}); err != nil { }); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) logger.LogIf(ctx, err)
return
} }
response := new(AssumeRoleWithCertificateResponse) response := new(AssumeRoleWithCertificateResponse)