From 9081346c4096f7bb1a6a4f84c43e5a0623fe7341 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Tue, 19 Sep 2023 15:22:25 -0700
Subject: [PATCH] fix: more regressions listing policy mappings (#18060)

also relax ListServiceAccounts() returning error if no service accounts exist.
---
 cmd/iam-store.go | 75 ++++++++++++++------
 docs/distributed/decom-compressed-sse-s3.sh | 6 +-
 docs/distributed/decom-encrypted-sse-s3.sh | 6 +-
 docs/distributed/decom-encrypted.sh | 6 +-
 docs/site-replication/run-multi-site-ldap.sh | 43 +++++++++++
 5 files changed, 104 insertions(+), 32 deletions(-)

diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index 019006109..aa92279da 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -958,13 +958,12 @@ func (store *IAMStoreSys) PolicyDBUpdate(ctx context.Context, name string, isGro
 var mp MappedPolicy
 if !isGroup {
 if userType == stsUser {
- var ok bool
- mp, ok = cache.iamSTSPolicyMap[name]
- if !ok {
- // Attempt to load parent user mapping for STS accounts
- store.loadMappedPolicy(context.TODO(), name, stsUser, false, cache.iamSTSPolicyMap)
- mp = cache.iamSTSPolicyMap[name]
- }
+ stsMap := map[string]MappedPolicy{}
+
+ // Attempt to load parent user mapping for STS accounts
+ store.loadMappedPolicy(context.TODO(), name, stsUser, false, stsMap)
+
+ mp = stsMap[name]
 } else {
 mp = cache.iamUserPolicyMap[name]
 }
@@ -1888,6 +1887,25 @@ func (store *IAMStoreSys) listUserPolicyMappings(cache *iamCache, users []string
 })
 }

+ stsMap := map[string]MappedPolicy{}
+ for _, user := range users {
+ // Attempt to load parent user mapping for STS accounts
+ store.loadMappedPolicy(context.TODO(), user, stsUser, false, stsMap)
+ }
+
+ for user, mappedPolicy := range stsMap {
+ if userPredicate != nil && !userPredicate(user) {
+ continue
+ }
+
+ ps := mappedPolicy.toSlice()
+ sort.Strings(ps)
+ r = append(r, madmin.UserPolicyEntities{
+ User: user,
+ Policies: ps,
+ })
+ }
+
 sort.Slice(r, func(i, j int) bool {
 return r[i].User < r[j].User
 })
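Review bot: The error returned by `store.loadMappedPolicy(context.TODO(), name, stsUser, false, stsMap)` is still discarded, and because the new code reads from a freshly created `stsMap` instead of the shared cache, a backend read failure now leaves `mp` as the zero `MappedPolicy` instead of whatever was cached, so the update that follows (outside the hunk) would proceed as if the STS user had no existing policy mapping. Assuming the helper returns an error like the other load helpers, I would capture it, treat only the not-found case as "no mapping", and return anything else to the caller rather than continuing with an empty mapping. The function already receives `ctx`, so pass `ctx` instead of `context.TODO()` on that line so cancellation reaches the backend read. PolicyDBUpdate's body begins and ends outside this hunk.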
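Review bot: The new STS loop is driven only by the `users` argument, so when a caller lists mappings without naming users (if the cache loop above the hunk handles that case) no STS mappings are reported at all, which diverges from the object-store enumeration this same commit adds to listPolicyMappings. A user that already got an entry from the preceding loop and also has an STS mapping would also be appended to `r` twice, since nothing here checks for an existing entry. As in PolicyDBUpdate, the `store.loadMappedPolicy` error is ignored, so a read failure silently reports the user as having no policies; I would at least log it, and pass the caller's context rather than `context.TODO()` if one is available. listUserPolicyMappings starts outside this hunk.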
@@ -1952,6 +1970,32 @@ func (store *IAMStoreSys) listPolicyMappings(cache *iamCache, policies []string,
 }
 }

+ if iamOS, ok := store.IAMStorageAPI.(*IAMObjectStore); ok {
+ for item := range listIAMConfigItems(context.Background(), iamOS.objAPI, iamConfigPrefix+SlashSeparator+policyDBSTSUsersListKey) {
+ user := strings.TrimSuffix(item.Item, ".json")
+ if userPredicate != nil && !userPredicate(user) {
+ continue
+ }
+
+ var mappedPolicy MappedPolicy
+ store.loadIAMConfig(context.Background(), &mappedPolicy, getMappedPolicyPath(user, stsUser, false))
+
+ commonPolicySet := mappedPolicy.policySet()
+ if !queryPolSet.IsEmpty() {
+ commonPolicySet = commonPolicySet.Intersection(queryPolSet)
+ }
+ for _, policy := range commonPolicySet.ToSlice() {
+ s, ok := policyToUsersMap[policy]
+ if !ok {
+ policyToUsersMap[policy] = set.CreateStringSet(user)
+ } else {
+ s.Add(user)
+ policyToUsersMap[policy] = s
+ }
+ }
+ }
+ }
+
 policyToGroupsMap := make(map[string]set.StringSet)
 for group, mappedPolicy := range cache.iamGroupPolicyMap {
 if groupPredicate != nil && !groupPredicate(group) {
@@ -2243,19 +2287,10 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 cache := store.rlock()
 defer store.runlock()

- userExists := false
 var serviceAccounts []auth.Credentials
 for _, u := range cache.iamUsersMap {
- isDerived := false
 v := u.Credentials
- if v.IsServiceAccount() || v.IsTemp() {
- isDerived = true
- }
-
- if !isDerived && v.AccessKey == accessKey {
- userExists = true
- } else if isDerived && v.ParentUser == accessKey {
- userExists = true
+ if accessKey != "" && v.ParentUser == accessKey {
 if v.IsServiceAccount() {
 // Hide secret key & session key here
 v.SecretKey = ""
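Review bot: The STS enumeration runs only when `store.IAMStorageAPI` is an `*IAMObjectStore`, so on any other backend the policy-to-users result silently omits STS user mappings and an operator auditing who holds a policy gets an incomplete answer with no indication of it. Inside the loop the error from `store.loadIAMConfig(...)` is also discarded, so a failed read makes that user appear to have no policies; I would capture it and at minimum log it per user. Since this hunk performs one backend read per listed STS user, it is worth confirming whether the enclosing function runs under the cache read lock taken by its callers (not visible here), as that would hold the lock across object-store I/O. The inner `s, ok := policyToUsersMap[policy]` shadows the `ok` from the type assertion; renaming one of them avoids the confusion.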
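Review bot: Dropping the `userExists`/`errNoSuchUser` path (the matching removal is in the next hunk of this file) changes the contract so that an unknown `accessKey` now yields an empty list instead of an error, and any caller that used that error for its access decision or response code should be re-checked. The new filter `accessKey != "" && v.ParentUser == accessKey` also drops the old `IsServiceAccount() || IsTemp()` precondition, so it now relies on `ParentUser` being empty for regular users; that looks like the existing invariant but is worth confirming. I would document the new behaviour on the function, e.g. `// ListServiceAccounts returns the derived credentials whose parent is accessKey; an unknown accessKey yields an empty list, not an error.` ListServiceAccounts continues past this hunk.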
@@ -2265,12 +2300,6 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 }
 }

- // If root user has no STS/Service Accounts, userExists would be false here,
- // so we handle this exception.
- if !userExists && globalActiveCred.AccessKey != accessKey {
- return nil, errNoSuchUser
- }
-
 return serviceAccounts, nil
 }

diff --git a/docs/distributed/decom-compressed-sse-s3.sh b/docs/distributed/decom-compressed-sse-s3.sh
index dd1b0ea01..385ba1243 100644
--- a/docs/distributed/decom-compressed-sse-s3.sh
+++ b/docs/distributed/decom-compressed-sse-s3.sh
@@ -24,7 +24,7 @@ export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!

-sleep 2
+sleep 10

 ./mc admin user add myminio/ minio123 minio123
 ./mc admin user add myminio/ minio12345 minio12345
@@ -55,7 +55,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!

-sleep 2
+sleep 10

 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@@ -94,7 +94,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/removed.log) &
 pid=$!

-sleep 2
+sleep 10

 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)
diff --git a/docs/distributed/decom-encrypted-sse-s3.sh b/docs/distributed/decom-encrypted-sse-s3.sh
index 6d451b94f..82d99caca 100644
--- a/docs/distributed/decom-encrypted-sse-s3.sh
+++ b/docs/distributed/decom-encrypted-sse-s3.sh
@@ -19,7 +19,7 @@ export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!

-sleep 2
+sleep 10

 ./mc admin user add myminio/ minio123 minio123
 ./mc admin user add myminio/ minio12345 minio12345
@@ -52,7 +52,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!

-sleep 2
+sleep 10

 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@@ -98,7 +98,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/removed.log) &
 pid=$!

-sleep 2
+sleep 10

 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)
diff --git a/docs/distributed/decom-encrypted.sh b/docs/distributed/decom-encrypted.sh
index 173e1653d..9afbe7154 100644
--- a/docs/distributed/decom-encrypted.sh
+++ b/docs/distributed/decom-encrypted.sh
@@ -19,7 +19,7 @@ export MINIO_KMS_SECRET_KEY=my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl
 (minio server /tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
 pid=$!

-sleep 2
+sleep 10

 export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"

@@ -51,7 +51,7 @@ kill $pid
 (minio server /tmp/xl/{1...10}/disk{0...1} /tmp/xl/{11...30}/disk{0...3} 2>&1 >/tmp/expanded.log) &
 pid=$!

-sleep 2
+sleep 10

 expanded_user_count=$(./mc admin user list myminio/ | wc -l)
 expanded_policy_count=$(./mc admin policy list myminio/ | wc -l)
@@ -90,7 +90,7 @@ kill $pid
 (minio server /tmp/xl/{11...30}/disk{0...3} 2>&1 >/dev/null) &
 pid=$!

-sleep 2
+sleep 10

 decom_user_count=$(./mc admin user list myminio/ | wc -l)
 decom_policy_count=$(./mc admin policy list myminio/ | wc -l)
diff --git a/docs/site-replication/run-multi-site-ldap.sh b/docs/site-replication/run-multi-site-ldap.sh
index 134dc3588..102ec8f0a 100755
--- a/docs/site-replication/run-multi-site-ldap.sh
+++ b/docs/site-replication/run-multi-site-ldap.sh
@@ -117,6 +117,20 @@ fi

 sleep 10

+./mc idp ldap policy entities minio1
+./mc idp ldap policy entities minio2
+./mc idp ldap policy entities minio3
+
+./mc admin service restart minio1
+./mc admin service restart minio2
+./mc admin service restart minio3
+
+sleep 10
+
+./mc idp ldap policy entities minio1
+./mc idp ldap policy entities minio2
+./mc idp ldap policy entities minio3
+
 ./mc admin user svcacct info minio1 testsvc
 if [ $? -ne 0 ]; then
 echo "svc account not mirrored, exiting.."
@@ -129,13 +143,42 @@ if [ $? -ne 0 ]; then
 exit_1
 fi

+./mc admin user svcacct info minio3 testsvc
+if [ $? -ne 0 ]; then
+ echo "svc account not mirrored, exiting.."
+ exit_1
+fi
+
+MC_HOST_svc1=http://testsvc:testsvc123@localhost:9001 ./mc ls svc1
+MC_HOST_svc2=http://testsvc:testsvc123@localhost:9002 ./mc ls svc2
+MC_HOST_svc3=http://testsvc:testsvc123@localhost:9003 ./mc ls svc3
+
 ./mc admin user svcacct rm minio1 testsvc
 if [ $? -ne 0 ]; then
 echo "removing svc account failed, exiting.."
 exit_1
 fi

+./mc admin user info minio1 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+if [ $? -ne 0 ]; then
+ echo "policy mapping missing, exiting.."
+ exit_1
+fi
+
+./mc admin user info minio2 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+if [ $? -ne 0 ]; then
+ echo "policy mapping missing, exiting.."
+ exit_1
+fi
+
+./mc admin user info minio3 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+if [ $? -ne 0 ]; then
+ echo "policy mapping missing, exiting.."
+ exit_1
+fi
+
 sleep 10
+
 ./mc admin user svcacct info minio2 testsvc
 if [ $? -eq 0 ]; then
 echo "svc account found after delete, exiting.."
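Review bot: The six `./mc idp ldap policy entities minioN` lines added in the first hunk, and the three `MC_HOST_svcN=... ./mc ls svcN` lines in the second, run without any exit-status check, so a failure there (mappings missing on one site, or the replicated service account unable to authenticate) does not fail the script and only shows up in the log. If these are meant as assertions about the replicated policy mappings and the usability of the mirrored service account, they need the same `if [ $? -ne 0 ]; then ... exit_1; fi` guard the surrounding checks use; if they are only diagnostic output, a comment such as `# diagnostic only: print policy entities before/after restart` would make that explicit. The three identical `./mc admin user info minioN "uid=dillon,..."` blocks in the second hunk could also be a single `for site in minio1 minio2 minio3` loop so the expected-DN string is maintained in one place.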