initialize IAM as soon as object layer is initialized (#10700)
Allow requests to come in for users as soon as the object layer and config are initialized; this allows users to be authenticated sooner, and requests would succeed automatically on servers which are yet to fully initialize.
This commit is contained in:
parent
c107728676
commit
b07df5cae1
@ -36,7 +36,7 @@ func validateAdminUsersReq(ctx context.Context, w http.ResponseWriter, r *http.R
|
|||||||
|
|
||||||
// Get current object layer instance.
|
// Get current object layer instance.
|
||||||
objectAPI := newObjectLayerFn()
|
objectAPI := newObjectLayerFn()
|
||||||
if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
|
if objectAPI == nil || globalNotificationSys == nil {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
||||||
return nil, cred
|
return nil, cred
|
||||||
}
|
}
|
||||||
@ -387,7 +387,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
|||||||
|
|
||||||
// Get current object layer instance.
|
// Get current object layer instance.
|
||||||
objectAPI := newObjectLayerFn()
|
objectAPI := newObjectLayerFn()
|
||||||
if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
|
if objectAPI == nil || globalNotificationSys == nil {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -466,7 +466,7 @@ func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Req
|
|||||||
|
|
||||||
// Get current object layer instance.
|
// Get current object layer instance.
|
||||||
objectAPI := newObjectLayerFn()
|
objectAPI := newObjectLayerFn()
|
||||||
if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
|
if objectAPI == nil || globalNotificationSys == nil {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -521,7 +521,7 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re
|
|||||||
|
|
||||||
// Get current object layer instance.
|
// Get current object layer instance.
|
||||||
objectAPI := newObjectLayerFn()
|
objectAPI := newObjectLayerFn()
|
||||||
if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
|
if objectAPI == nil || globalNotificationSys == nil {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -580,7 +580,7 @@ func (a adminAPIHandlers) AccountUsageInfoHandler(w http.ResponseWriter, r *http
|
|||||||
|
|
||||||
// Get current object layer instance.
|
// Get current object layer instance.
|
||||||
objectAPI := newObjectLayerFn()
|
objectAPI := newObjectLayerFn()
|
||||||
if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
|
if objectAPI == nil || globalNotificationSys == nil {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
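Review bot: Dropping `globalIAMSys == nil` from the guard in validateAdminUsersReq makes the handler rely on an initialization-order invariant that is not stated anywhere near the check; the same guard is changed in AddServiceAccount, ListServiceAccounts, DeleteServiceAccount and AccountUsageInfoHandler. The invariant holds only because newAllSubsystems() now runs before globalObjectAPI is published (see the StartGateway hunk), and any future code path that publishes an object layer without it would turn this check into a nil dereference. A one-line comment on the guard would pin it: `// globalIAMSys is created by newAllSubsystems() before the object layer is published, so it is non-nil whenever objectAPI is.` Note also that IAM data is loaded in the background (`go globalIAMSys.Init`), so an admin request that passes this guard during startup may run against a store whose user and policy maps are not fully loaded yet; whether IAMSys methods block until the initial load completes is not visible here and is worth confirming. validateAdminUsersReq's body continues outside the hunk.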
|
@ -300,14 +300,14 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
|
|||||||
}
|
}
|
||||||
newObject = NewGatewayLayerWithLocker(newObject)
|
newObject = NewGatewayLayerWithLocker(newObject)
|
||||||
|
|
||||||
|
// Calls all New() for all sub-systems.
|
||||||
|
newAllSubsystems()
|
||||||
|
|
||||||
// Once endpoints are finalized, initialize the new object api in safe mode.
|
// Once endpoints are finalized, initialize the new object api in safe mode.
|
||||||
globalObjLayerMutex.Lock()
|
globalObjLayerMutex.Lock()
|
||||||
globalObjectAPI = newObject
|
globalObjectAPI = newObject
|
||||||
globalObjLayerMutex.Unlock()
|
globalObjLayerMutex.Unlock()
|
||||||
|
|
||||||
// Calls all New() for all sub-systems.
|
|
||||||
newAllSubsystems()
|
|
||||||
|
|
||||||
if gatewayName == NASBackendGateway {
|
if gatewayName == NASBackendGateway {
|
||||||
buckets, err := newObject.ListBuckets(GlobalContext)
|
buckets, err := newObject.ListBuckets(GlobalContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -326,6 +326,8 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
|
|||||||
|
|
||||||
if enableIAMOps {
|
if enableIAMOps {
|
||||||
// Initialize users credentials and policies in background.
|
// Initialize users credentials and policies in background.
|
||||||
|
globalIAMSys.InitStore(newObject)
|
||||||
|
|
||||||
go globalIAMSys.Init(GlobalContext, newObject)
|
go globalIAMSys.Init(GlobalContext, newObject)
|
||||||
}
|
}
|
||||||
|
|
||||||
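Review bot: The comment `// Initialize users credentials and policies in background.` now sits above the new synchronous `globalIAMSys.InitStore(newObject)` call rather than the `go globalIAMSys.Init(...)` it describes, and whatever InitStore returns, if anything, is discarded without comment. Suggest rewording it to cover both steps: `// Attach the IAM store now so authentication can proceed, then load users, credentials and policies in the background.` If InitStore can return an error (its signature is outside this hunk), the result should be checked or the discard justified with a comment, since the background Init that follows presumably depends on the store being attached. The enclosing `if enableIAMOps` block and the rest of StartGateway extend outside the hunks shown.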
|
@ -76,13 +76,11 @@ func etcdKvsToSetPolicyDB(prefix string, kvs []*mvccpb.KeyValue) set.StringSet {
|
|||||||
type IAMEtcdStore struct {
|
type IAMEtcdStore struct {
|
||||||
sync.RWMutex
|
sync.RWMutex
|
||||||
|
|
||||||
ctx context.Context
|
|
||||||
|
|
||||||
client *etcd.Client
|
client *etcd.Client
|
||||||
}
|
}
|
||||||
|
|
||||||
func newIAMEtcdStore(ctx context.Context) *IAMEtcdStore {
|
func newIAMEtcdStore() *IAMEtcdStore {
|
||||||
return &IAMEtcdStore{client: globalEtcdClient, ctx: ctx}
|
return &IAMEtcdStore{client: globalEtcdClient}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) lock() {
|
func (ies *IAMEtcdStore) lock() {
|
||||||
@ -101,7 +99,7 @@ func (ies *IAMEtcdStore) runlock() {
|
|||||||
ies.RUnlock()
|
ies.RUnlock()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) saveIAMConfig(item interface{}, path string) error {
|
func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, path string) error {
|
||||||
data, err := json.Marshal(item)
|
data, err := json.Marshal(item)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -112,11 +110,11 @@ func (ies *IAMEtcdStore) saveIAMConfig(item interface{}, path string) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return saveKeyEtcd(ies.ctx, ies.client, path, data)
|
return saveKeyEtcd(ctx, ies.client, path, data)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadIAMConfig(item interface{}, path string) error {
|
func (ies *IAMEtcdStore) loadIAMConfig(ctx context.Context, item interface{}, path string) error {
|
||||||
pdata, err := readKeyEtcd(ies.ctx, ies.client, path)
|
pdata, err := readKeyEtcd(ctx, ies.client, path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -131,8 +129,8 @@ func (ies *IAMEtcdStore) loadIAMConfig(item interface{}, path string) error {
|
|||||||
return json.Unmarshal(pdata, item)
|
return json.Unmarshal(pdata, item)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) deleteIAMConfig(path string) error {
|
func (ies *IAMEtcdStore) deleteIAMConfig(ctx context.Context, path string) error {
|
||||||
return deleteKeyEtcd(ies.ctx, ies.client, path)
|
return deleteKeyEtcd(ctx, ies.client, path)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool) error {
|
func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool) error {
|
||||||
@ -154,7 +152,7 @@ func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool)
|
|||||||
// 1. check if there is a policy file in the old loc.
|
// 1. check if there is a policy file in the old loc.
|
||||||
oldPolicyPath := pathJoin(basePrefix, user, iamPolicyFile)
|
oldPolicyPath := pathJoin(basePrefix, user, iamPolicyFile)
|
||||||
var policyName string
|
var policyName string
|
||||||
err := ies.loadIAMConfig(&policyName, oldPolicyPath)
|
err := ies.loadIAMConfig(ctx, &policyName, oldPolicyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case errConfigNotFound:
|
case errConfigNotFound:
|
||||||
@ -172,7 +170,7 @@ func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool)
|
|||||||
userType = stsUser
|
userType = stsUser
|
||||||
}
|
}
|
||||||
path := getMappedPolicyPath(user, userType, false)
|
path := getMappedPolicyPath(user, userType, false)
|
||||||
if err := ies.saveIAMConfig(mp, path); err != nil {
|
if err := ies.saveIAMConfig(ctx, mp, path); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -184,7 +182,7 @@ func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool)
|
|||||||
// 4. check if user identity has old format.
|
// 4. check if user identity has old format.
|
||||||
identityPath := pathJoin(basePrefix, user, iamIdentityFile)
|
identityPath := pathJoin(basePrefix, user, iamIdentityFile)
|
||||||
var cred auth.Credentials
|
var cred auth.Credentials
|
||||||
if err := ies.loadIAMConfig(&cred, identityPath); err != nil {
|
if err := ies.loadIAMConfig(ctx, &cred, identityPath); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case errConfigNotFound:
|
case errConfigNotFound:
|
||||||
// This case should not happen.
|
// This case should not happen.
|
||||||
@ -207,7 +205,7 @@ func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool)
|
|||||||
// into new format and save it.
|
// into new format and save it.
|
||||||
cred.AccessKey = user
|
cred.AccessKey = user
|
||||||
u := newUserIdentity(cred)
|
u := newUserIdentity(cred)
|
||||||
if err := ies.saveIAMConfig(u, identityPath); err != nil {
|
if err := ies.saveIAMConfig(ctx, u, identityPath); err != nil {
|
||||||
logger.LogIf(ctx, err)
|
logger.LogIf(ctx, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -221,7 +219,7 @@ func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool)
|
|||||||
func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
|
func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
|
||||||
var iamFmt iamFormat
|
var iamFmt iamFormat
|
||||||
path := getIAMFormatFilePath()
|
path := getIAMFormatFilePath()
|
||||||
if err := ies.loadIAMConfig(&iamFmt, path); err != nil {
|
if err := ies.loadIAMConfig(ctx, &iamFmt, path); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case errConfigNotFound:
|
case errConfigNotFound:
|
||||||
// Need to migrate to V1.
|
// Need to migrate to V1.
|
||||||
@ -250,7 +248,7 @@ func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
// Save iam version file.
|
// Save iam version file.
|
||||||
if err := ies.saveIAMConfig(newIAMFormatVersion1(), path); err != nil {
|
if err := ies.saveIAMConfig(ctx, newIAMFormatVersion1(), path); err != nil {
|
||||||
logger.LogIf(ctx, err)
|
logger.LogIf(ctx, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -262,9 +260,9 @@ func (ies *IAMEtcdStore) migrateBackendFormat(ctx context.Context) error {
|
|||||||
return ies.migrateToV1(ctx)
|
return ies.migrateToV1(ctx)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadPolicyDoc(policy string, m map[string]iampolicy.Policy) error {
|
func (ies *IAMEtcdStore) loadPolicyDoc(ctx context.Context, policy string, m map[string]iampolicy.Policy) error {
|
||||||
var p iampolicy.Policy
|
var p iampolicy.Policy
|
||||||
err := ies.loadIAMConfig(&p, getPolicyDocPath(policy))
|
err := ies.loadIAMConfig(ctx, &p, getPolicyDocPath(policy))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -284,7 +282,7 @@ func (ies *IAMEtcdStore) loadPolicyDocs(ctx context.Context, m map[string]iampol
|
|||||||
|
|
||||||
// Reload config and policies for all policys.
|
// Reload config and policies for all policys.
|
||||||
for _, policyName := range policies.ToSlice() {
|
for _, policyName := range policies.ToSlice() {
|
||||||
err = ies.loadPolicyDoc(policyName, m)
|
err = ies.loadPolicyDoc(ctx, policyName, m)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -292,9 +290,9 @@ func (ies *IAMEtcdStore) loadPolicyDocs(ctx context.Context, m map[string]iampol
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadUser(user string, userType IAMUserType, m map[string]auth.Credentials) error {
|
func (ies *IAMEtcdStore) loadUser(ctx context.Context, user string, userType IAMUserType, m map[string]auth.Credentials) error {
|
||||||
var u UserIdentity
|
var u UserIdentity
|
||||||
err := ies.loadIAMConfig(&u, getUserIdentityPath(user, userType))
|
err := ies.loadIAMConfig(ctx, &u, getUserIdentityPath(user, userType))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchUser
|
return errNoSuchUser
|
||||||
@ -304,8 +302,8 @@ func (ies *IAMEtcdStore) loadUser(user string, userType IAMUserType, m map[strin
|
|||||||
|
|
||||||
if u.Credentials.IsExpired() {
|
if u.Credentials.IsExpired() {
|
||||||
// Delete expired identity.
|
// Delete expired identity.
|
||||||
deleteKeyEtcd(ies.ctx, ies.client, getUserIdentityPath(user, userType))
|
deleteKeyEtcd(ctx, ies.client, getUserIdentityPath(user, userType))
|
||||||
deleteKeyEtcd(ies.ctx, ies.client, getMappedPolicyPath(user, userType, false))
|
deleteKeyEtcd(ctx, ies.client, getMappedPolicyPath(user, userType, false))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -320,7 +318,7 @@ func (ies *IAMEtcdStore) loadUser(user string, userType IAMUserType, m map[strin
|
|||||||
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
|
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
|
||||||
if token, err := jwt.SignedString([]byte(globalActiveCred.SecretKey)); err == nil {
|
if token, err := jwt.SignedString([]byte(globalActiveCred.SecretKey)); err == nil {
|
||||||
u.Credentials.SessionToken = token
|
u.Credentials.SessionToken = token
|
||||||
err := ies.saveIAMConfig(&u, getUserIdentityPath(user, userType))
|
err := ies.saveIAMConfig(ctx, &u, getUserIdentityPath(user, userType))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -348,9 +346,10 @@ func (ies *IAMEtcdStore) loadUsers(ctx context.Context, userType IAMUserType, m
|
|||||||
basePrefix = iamConfigUsersPrefix
|
basePrefix = iamConfigUsersPrefix
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
|
cctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
r, err := ies.client.Get(ctx, basePrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
|
||||||
|
r, err := ies.client.Get(cctx, basePrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -359,16 +358,16 @@ func (ies *IAMEtcdStore) loadUsers(ctx context.Context, userType IAMUserType, m
|
|||||||
|
|
||||||
// Reload config for all users.
|
// Reload config for all users.
|
||||||
for _, user := range users.ToSlice() {
|
for _, user := range users.ToSlice() {
|
||||||
if err = ies.loadUser(user, userType, m); err != nil {
|
if err = ies.loadUser(ctx, user, userType, m); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadGroup(group string, m map[string]GroupInfo) error {
|
func (ies *IAMEtcdStore) loadGroup(ctx context.Context, group string, m map[string]GroupInfo) error {
|
||||||
var gi GroupInfo
|
var gi GroupInfo
|
||||||
err := ies.loadIAMConfig(&gi, getGroupInfoPath(group))
|
err := ies.loadIAMConfig(ctx, &gi, getGroupInfoPath(group))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchGroup
|
return errNoSuchGroup
|
||||||
@ -381,9 +380,10 @@ func (ies *IAMEtcdStore) loadGroup(group string, m map[string]GroupInfo) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadGroups(ctx context.Context, m map[string]GroupInfo) error {
|
func (ies *IAMEtcdStore) loadGroups(ctx context.Context, m map[string]GroupInfo) error {
|
||||||
ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
|
cctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
r, err := ies.client.Get(ctx, iamConfigGroupsPrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
|
||||||
|
r, err := ies.client.Get(cctx, iamConfigGroupsPrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -392,7 +392,7 @@ func (ies *IAMEtcdStore) loadGroups(ctx context.Context, m map[string]GroupInfo)
|
|||||||
|
|
||||||
// Reload config for all groups.
|
// Reload config for all groups.
|
||||||
for _, group := range groups.ToSlice() {
|
for _, group := range groups.ToSlice() {
|
||||||
if err = ies.loadGroup(group, m); err != nil {
|
if err = ies.loadGroup(ctx, group, m); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -400,9 +400,9 @@ func (ies *IAMEtcdStore) loadGroups(ctx context.Context, m map[string]GroupInfo)
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadMappedPolicy(name string, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error {
|
func (ies *IAMEtcdStore) loadMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error {
|
||||||
var p MappedPolicy
|
var p MappedPolicy
|
||||||
err := ies.loadIAMConfig(&p, getMappedPolicyPath(name, userType, isGroup))
|
err := ies.loadIAMConfig(ctx, &p, getMappedPolicyPath(name, userType, isGroup))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchPolicy
|
return errNoSuchPolicy
|
||||||
@ -415,7 +415,7 @@ func (ies *IAMEtcdStore) loadMappedPolicy(name string, userType IAMUserType, isG
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) loadMappedPolicies(ctx context.Context, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error {
|
func (ies *IAMEtcdStore) loadMappedPolicies(ctx context.Context, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error {
|
||||||
ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
|
cctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
var basePrefix string
|
var basePrefix string
|
||||||
if isGroup {
|
if isGroup {
|
||||||
@ -430,7 +430,8 @@ func (ies *IAMEtcdStore) loadMappedPolicies(ctx context.Context, userType IAMUse
|
|||||||
basePrefix = iamConfigPolicyDBUsersPrefix
|
basePrefix = iamConfigPolicyDBUsersPrefix
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
r, err := ies.client.Get(ctx, basePrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
|
||||||
|
r, err := ies.client.Get(cctx, basePrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -439,7 +440,7 @@ func (ies *IAMEtcdStore) loadMappedPolicies(ctx context.Context, userType IAMUse
|
|||||||
|
|
||||||
// Reload config and policies for all users.
|
// Reload config and policies for all users.
|
||||||
for _, user := range users.ToSlice() {
|
for _, user := range users.ToSlice() {
|
||||||
if err = ies.loadMappedPolicy(user, userType, isGroup, m); err != nil {
|
if err = ies.loadMappedPolicy(ctx, user, userType, isGroup, m); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -531,7 +532,7 @@ func (ies *IAMEtcdStore) loadAll(ctx context.Context, sys *IAMSys) error {
|
|||||||
if v.IsServiceAccount() {
|
if v.IsServiceAccount() {
|
||||||
for _, accessKey := range expiredEntries {
|
for _, accessKey := range expiredEntries {
|
||||||
if v.ParentUser == accessKey {
|
if v.ParentUser == accessKey {
|
||||||
_ = ies.deleteUserIdentity(v.AccessKey, srvAccUser)
|
_ = ies.deleteUserIdentity(ctx, v.AccessKey, srvAccUser)
|
||||||
delete(sys.iamUsersMap, v.AccessKey)
|
delete(sys.iamUsersMap, v.AccessKey)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -561,48 +562,48 @@ func (ies *IAMEtcdStore) loadAll(ctx context.Context, sys *IAMSys) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) savePolicyDoc(policyName string, p iampolicy.Policy) error {
|
func (ies *IAMEtcdStore) savePolicyDoc(ctx context.Context, policyName string, p iampolicy.Policy) error {
|
||||||
return ies.saveIAMConfig(&p, getPolicyDocPath(policyName))
|
return ies.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) saveMappedPolicy(name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error {
|
func (ies *IAMEtcdStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error {
|
||||||
return ies.saveIAMConfig(mp, getMappedPolicyPath(name, userType, isGroup))
|
return ies.saveIAMConfig(ctx, mp, getMappedPolicyPath(name, userType, isGroup))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) saveUserIdentity(name string, userType IAMUserType, u UserIdentity) error {
|
func (ies *IAMEtcdStore) saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity) error {
|
||||||
return ies.saveIAMConfig(u, getUserIdentityPath(name, userType))
|
return ies.saveIAMConfig(ctx, u, getUserIdentityPath(name, userType))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) saveGroupInfo(name string, gi GroupInfo) error {
|
func (ies *IAMEtcdStore) saveGroupInfo(ctx context.Context, name string, gi GroupInfo) error {
|
||||||
return ies.saveIAMConfig(gi, getGroupInfoPath(name))
|
return ies.saveIAMConfig(ctx, gi, getGroupInfoPath(name))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) deletePolicyDoc(name string) error {
|
func (ies *IAMEtcdStore) deletePolicyDoc(ctx context.Context, name string) error {
|
||||||
err := ies.deleteIAMConfig(getPolicyDocPath(name))
|
err := ies.deleteIAMConfig(ctx, getPolicyDocPath(name))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchPolicy
|
err = errNoSuchPolicy
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) deleteMappedPolicy(name string, userType IAMUserType, isGroup bool) error {
|
func (ies *IAMEtcdStore) deleteMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool) error {
|
||||||
err := ies.deleteIAMConfig(getMappedPolicyPath(name, userType, isGroup))
|
err := ies.deleteIAMConfig(ctx, getMappedPolicyPath(name, userType, isGroup))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchPolicy
|
err = errNoSuchPolicy
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) deleteUserIdentity(name string, userType IAMUserType) error {
|
func (ies *IAMEtcdStore) deleteUserIdentity(ctx context.Context, name string, userType IAMUserType) error {
|
||||||
err := ies.deleteIAMConfig(getUserIdentityPath(name, userType))
|
err := ies.deleteIAMConfig(ctx, getUserIdentityPath(name, userType))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchUser
|
err = errNoSuchUser
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ies *IAMEtcdStore) deleteGroupInfo(name string) error {
|
func (ies *IAMEtcdStore) deleteGroupInfo(ctx context.Context, name string) error {
|
||||||
err := ies.deleteIAMConfig(getGroupInfoPath(name))
|
err := ies.deleteIAMConfig(ctx, getGroupInfoPath(name))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchGroup
|
err = errNoSuchGroup
|
||||||
}
|
}
|
||||||
@ -657,43 +658,46 @@ func (ies *IAMEtcdStore) reloadFromEvent(sys *IAMSys, event *etcd.Event) {
|
|||||||
policyDBSTSUsersPrefix := strings.HasPrefix(string(event.Kv.Key), iamConfigPolicyDBSTSUsersPrefix)
|
policyDBSTSUsersPrefix := strings.HasPrefix(string(event.Kv.Key), iamConfigPolicyDBSTSUsersPrefix)
|
||||||
policyDBGroupsPrefix := strings.HasPrefix(string(event.Kv.Key), iamConfigPolicyDBGroupsPrefix)
|
policyDBGroupsPrefix := strings.HasPrefix(string(event.Kv.Key), iamConfigPolicyDBGroupsPrefix)
|
||||||
|
|
||||||
|
ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case eventCreate:
|
case eventCreate:
|
||||||
switch {
|
switch {
|
||||||
case usersPrefix:
|
case usersPrefix:
|
||||||
accessKey := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
accessKey := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigUsersPrefix))
|
iamConfigUsersPrefix))
|
||||||
ies.loadUser(accessKey, regularUser, sys.iamUsersMap)
|
ies.loadUser(ctx, accessKey, regularUser, sys.iamUsersMap)
|
||||||
case stsPrefix:
|
case stsPrefix:
|
||||||
accessKey := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
accessKey := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigSTSPrefix))
|
iamConfigSTSPrefix))
|
||||||
ies.loadUser(accessKey, stsUser, sys.iamUsersMap)
|
ies.loadUser(ctx, accessKey, stsUser, sys.iamUsersMap)
|
||||||
case groupsPrefix:
|
case groupsPrefix:
|
||||||
group := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
group := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigGroupsPrefix))
|
iamConfigGroupsPrefix))
|
||||||
ies.loadGroup(group, sys.iamGroupsMap)
|
ies.loadGroup(ctx, group, sys.iamGroupsMap)
|
||||||
gi := sys.iamGroupsMap[group]
|
gi := sys.iamGroupsMap[group]
|
||||||
sys.removeGroupFromMembershipsMap(group)
|
sys.removeGroupFromMembershipsMap(group)
|
||||||
sys.updateGroupMembershipsMap(group, &gi)
|
sys.updateGroupMembershipsMap(group, &gi)
|
||||||
case policyPrefix:
|
case policyPrefix:
|
||||||
policyName := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
policyName := path.Dir(strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigPoliciesPrefix))
|
iamConfigPoliciesPrefix))
|
||||||
ies.loadPolicyDoc(policyName, sys.iamPolicyDocsMap)
|
ies.loadPolicyDoc(ctx, policyName, sys.iamPolicyDocsMap)
|
||||||
case policyDBUsersPrefix:
|
case policyDBUsersPrefix:
|
||||||
policyMapFile := strings.TrimPrefix(string(event.Kv.Key),
|
policyMapFile := strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigPolicyDBUsersPrefix)
|
iamConfigPolicyDBUsersPrefix)
|
||||||
user := strings.TrimSuffix(policyMapFile, ".json")
|
user := strings.TrimSuffix(policyMapFile, ".json")
|
||||||
ies.loadMappedPolicy(user, regularUser, false, sys.iamUserPolicyMap)
|
ies.loadMappedPolicy(ctx, user, regularUser, false, sys.iamUserPolicyMap)
|
||||||
case policyDBSTSUsersPrefix:
|
case policyDBSTSUsersPrefix:
|
||||||
policyMapFile := strings.TrimPrefix(string(event.Kv.Key),
|
policyMapFile := strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigPolicyDBSTSUsersPrefix)
|
iamConfigPolicyDBSTSUsersPrefix)
|
||||||
user := strings.TrimSuffix(policyMapFile, ".json")
|
user := strings.TrimSuffix(policyMapFile, ".json")
|
||||||
ies.loadMappedPolicy(user, stsUser, false, sys.iamUserPolicyMap)
|
ies.loadMappedPolicy(ctx, user, stsUser, false, sys.iamUserPolicyMap)
|
||||||
case policyDBGroupsPrefix:
|
case policyDBGroupsPrefix:
|
||||||
policyMapFile := strings.TrimPrefix(string(event.Kv.Key),
|
policyMapFile := strings.TrimPrefix(string(event.Kv.Key),
|
||||||
iamConfigPolicyDBGroupsPrefix)
|
iamConfigPolicyDBGroupsPrefix)
|
||||||
user := strings.TrimSuffix(policyMapFile, ".json")
|
user := strings.TrimSuffix(policyMapFile, ".json")
|
||||||
ies.loadMappedPolicy(user, regularUser, true, sys.iamGroupPolicyMap)
|
ies.loadMappedPolicy(ctx, user, regularUser, true, sys.iamGroupPolicyMap)
|
||||||
}
|
}
|
||||||
case eventDelete:
|
case eventDelete:
|
||||||
switch {
|
switch {
|
||||||
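Review bot: In loadUsers, loadGroups and loadMappedPolicies the `defaultContextTimeout` deadline now applies only to the prefix listing via `cctx`, while the per-key `loadUser`/`loadGroup`/`loadMappedPolicy` calls that follow run under the caller's `ctx`; before this change those reads went through the store-wide `ies.ctx`. Whether readKeyEtcd applies its own deadline is not visible here; if it does not, a single slow etcd read during the initial IAM load is no longer bounded by this code. Either derive a bounded context for each per-key load, or state the intent on the `cctx` line with `// cctx bounds only the prefix listing; per-key reads run under the caller's ctx.` reloadFromEvent, by contrast, creates its own bounded context from context.Background(), which is consistent with its signature taking no ctx.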
|
@ -39,12 +39,11 @@ type IAMObjectStore struct {
|
|||||||
// Protect assignment to objAPI
|
// Protect assignment to objAPI
|
||||||
sync.RWMutex
|
sync.RWMutex
|
||||||
|
|
||||||
ctx context.Context
|
|
||||||
objAPI ObjectLayer
|
objAPI ObjectLayer
|
||||||
}
|
}
|
||||||
|
|
||||||
func newIAMObjectStore(ctx context.Context, objAPI ObjectLayer) *IAMObjectStore {
|
func newIAMObjectStore(objAPI ObjectLayer) *IAMObjectStore {
|
||||||
return &IAMObjectStore{ctx: ctx, objAPI: objAPI}
|
return &IAMObjectStore{objAPI: objAPI}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) lock() {
|
func (iamOS *IAMObjectStore) lock() {
|
||||||
@ -94,7 +93,7 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
|
|||||||
// 1. check if there is policy file in old location.
|
// 1. check if there is policy file in old location.
|
||||||
oldPolicyPath := pathJoin(basePrefix, user, iamPolicyFile)
|
oldPolicyPath := pathJoin(basePrefix, user, iamPolicyFile)
|
||||||
var policyName string
|
var policyName string
|
||||||
if err := iamOS.loadIAMConfig(&policyName, oldPolicyPath); err != nil {
|
if err := iamOS.loadIAMConfig(ctx, &policyName, oldPolicyPath); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case errConfigNotFound:
|
case errConfigNotFound:
|
||||||
// This case means it is already
|
// This case means it is already
|
||||||
@ -115,19 +114,19 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
|
|||||||
if isSTS {
|
if isSTS {
|
||||||
userType = stsUser
|
userType = stsUser
|
||||||
}
|
}
|
||||||
if err := iamOS.saveMappedPolicy(user, userType, false, mp); err != nil {
|
if err := iamOS.saveMappedPolicy(ctx, user, userType, false, mp); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. delete policy file from old
|
// 3. delete policy file from old
|
||||||
// location. Ignore error.
|
// location. Ignore error.
|
||||||
iamOS.deleteIAMConfig(oldPolicyPath)
|
iamOS.deleteIAMConfig(ctx, oldPolicyPath)
|
||||||
}
|
}
|
||||||
next:
|
next:
|
||||||
// 4. check if user identity has old format.
|
// 4. check if user identity has old format.
|
||||||
identityPath := pathJoin(basePrefix, user, iamIdentityFile)
|
identityPath := pathJoin(basePrefix, user, iamIdentityFile)
|
||||||
var cred auth.Credentials
|
var cred auth.Credentials
|
||||||
if err := iamOS.loadIAMConfig(&cred, identityPath); err != nil {
|
if err := iamOS.loadIAMConfig(ctx, &cred, identityPath); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case errConfigNotFound:
|
case errConfigNotFound:
|
||||||
// This should not happen.
|
// This should not happen.
|
||||||
@ -150,7 +149,7 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
|
|||||||
// into new format and save it.
|
// into new format and save it.
|
||||||
cred.AccessKey = user
|
cred.AccessKey = user
|
||||||
u := newUserIdentity(cred)
|
u := newUserIdentity(cred)
|
||||||
if err := iamOS.saveIAMConfig(u, identityPath); err != nil {
|
if err := iamOS.saveIAMConfig(ctx, u, identityPath); err != nil {
|
||||||
logger.LogIf(ctx, err)
|
logger.LogIf(ctx, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -165,7 +164,7 @@ func (iamOS *IAMObjectStore) migrateUsersConfigToV1(ctx context.Context, isSTS b
|
|||||||
func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
|
func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
|
||||||
var iamFmt iamFormat
|
var iamFmt iamFormat
|
||||||
path := getIAMFormatFilePath()
|
path := getIAMFormatFilePath()
|
||||||
if err := iamOS.loadIAMConfig(&iamFmt, path); err != nil {
|
if err := iamOS.loadIAMConfig(ctx, &iamFmt, path); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case errConfigNotFound:
|
case errConfigNotFound:
|
||||||
// Need to migrate to V1.
|
// Need to migrate to V1.
|
||||||
@ -193,7 +192,7 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
// Save iam format to version 1.
|
// Save iam format to version 1.
|
||||||
if err := iamOS.saveIAMConfig(newIAMFormatVersion1(), path); err != nil {
|
if err := iamOS.saveIAMConfig(ctx, newIAMFormatVersion1(), path); err != nil {
|
||||||
logger.LogIf(ctx, err)
|
logger.LogIf(ctx, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -205,7 +204,7 @@ func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error {
|
|||||||
return iamOS.migrateToV1(ctx)
|
return iamOS.migrateToV1(ctx)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) saveIAMConfig(item interface{}, path string) error {
|
func (iamOS *IAMObjectStore) saveIAMConfig(ctx context.Context, item interface{}, path string) error {
|
||||||
data, err := json.Marshal(item)
|
data, err := json.Marshal(item)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -216,11 +215,11 @@ func (iamOS *IAMObjectStore) saveIAMConfig(item interface{}, path string) error
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return saveConfig(GlobalContext, iamOS.objAPI, path, data)
|
return saveConfig(ctx, iamOS.objAPI, path, data)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) loadIAMConfig(item interface{}, path string) error {
|
func (iamOS *IAMObjectStore) loadIAMConfig(ctx context.Context, item interface{}, path string) error {
|
||||||
data, err := readConfig(iamOS.ctx, iamOS.objAPI, path)
|
data, err := readConfig(ctx, iamOS.objAPI, path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -233,13 +232,13 @@ func (iamOS *IAMObjectStore) loadIAMConfig(item interface{}, path string) error
|
|||||||
return json.Unmarshal(data, item)
|
return json.Unmarshal(data, item)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) deleteIAMConfig(path string) error {
|
func (iamOS *IAMObjectStore) deleteIAMConfig(ctx context.Context, path string) error {
|
||||||
return deleteConfig(iamOS.ctx, iamOS.objAPI, path)
|
return deleteConfig(ctx, iamOS.objAPI, path)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) loadPolicyDoc(policy string, m map[string]iampolicy.Policy) error {
|
func (iamOS *IAMObjectStore) loadPolicyDoc(ctx context.Context, policy string, m map[string]iampolicy.Policy) error {
|
||||||
var p iampolicy.Policy
|
var p iampolicy.Policy
|
||||||
err := iamOS.loadIAMConfig(&p, getPolicyDocPath(policy))
|
err := iamOS.loadIAMConfig(ctx, &p, getPolicyDocPath(policy))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchPolicy
|
return errNoSuchPolicy
|
||||||
@ -257,16 +256,16 @@ func (iamOS *IAMObjectStore) loadPolicyDocs(ctx context.Context, m map[string]ia
|
|||||||
}
|
}
|
||||||
|
|
||||||
policyName := item.Item
|
policyName := item.Item
|
||||||
if err := iamOS.loadPolicyDoc(policyName, m); err != nil && err != errNoSuchPolicy {
|
if err := iamOS.loadPolicyDoc(ctx, policyName, m); err != nil && err != errNoSuchPolicy {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) loadUser(user string, userType IAMUserType, m map[string]auth.Credentials) error {
|
func (iamOS *IAMObjectStore) loadUser(ctx context.Context, user string, userType IAMUserType, m map[string]auth.Credentials) error {
|
||||||
var u UserIdentity
|
var u UserIdentity
|
||||||
err := iamOS.loadIAMConfig(&u, getUserIdentityPath(user, userType))
|
err := iamOS.loadIAMConfig(ctx, &u, getUserIdentityPath(user, userType))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchUser
|
return errNoSuchUser
|
||||||
@ -276,8 +275,8 @@ func (iamOS *IAMObjectStore) loadUser(user string, userType IAMUserType, m map[s
|
|||||||
|
|
||||||
if u.Credentials.IsExpired() {
|
if u.Credentials.IsExpired() {
|
||||||
// Delete expired identity - ignoring errors here.
|
// Delete expired identity - ignoring errors here.
|
||||||
iamOS.deleteIAMConfig(getUserIdentityPath(user, userType))
|
iamOS.deleteIAMConfig(ctx, getUserIdentityPath(user, userType))
|
||||||
iamOS.deleteIAMConfig(getMappedPolicyPath(user, userType, false))
|
iamOS.deleteIAMConfig(ctx, getMappedPolicyPath(user, userType, false))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -292,7 +291,7 @@ func (iamOS *IAMObjectStore) loadUser(user string, userType IAMUserType, m map[s
|
|||||||
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
|
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
|
||||||
if token, err := jwt.SignedString([]byte(globalActiveCred.SecretKey)); err == nil {
|
if token, err := jwt.SignedString([]byte(globalActiveCred.SecretKey)); err == nil {
|
||||||
u.Credentials.SessionToken = token
|
u.Credentials.SessionToken = token
|
||||||
err := iamOS.saveIAMConfig(&u, getUserIdentityPath(user, userType))
|
err := iamOS.saveIAMConfig(ctx, &u, getUserIdentityPath(user, userType))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -326,16 +325,16 @@ func (iamOS *IAMObjectStore) loadUsers(ctx context.Context, userType IAMUserType
|
|||||||
}
|
}
|
||||||
|
|
||||||
userName := item.Item
|
userName := item.Item
|
||||||
if err := iamOS.loadUser(userName, userType, m); err != nil && err != errNoSuchUser {
|
if err := iamOS.loadUser(ctx, userName, userType, m); err != nil && err != errNoSuchUser {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) loadGroup(group string, m map[string]GroupInfo) error {
|
func (iamOS *IAMObjectStore) loadGroup(ctx context.Context, group string, m map[string]GroupInfo) error {
|
||||||
var g GroupInfo
|
var g GroupInfo
|
||||||
err := iamOS.loadIAMConfig(&g, getGroupInfoPath(group))
|
err := iamOS.loadIAMConfig(ctx, &g, getGroupInfoPath(group))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchGroup
|
return errNoSuchGroup
|
||||||
@ -353,18 +352,18 @@ func (iamOS *IAMObjectStore) loadGroups(ctx context.Context, m map[string]GroupI
|
|||||||
}
|
}
|
||||||
|
|
||||||
group := item.Item
|
group := item.Item
|
||||||
if err := iamOS.loadGroup(group, m); err != nil && err != errNoSuchGroup {
|
if err := iamOS.loadGroup(ctx, group, m); err != nil && err != errNoSuchGroup {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) loadMappedPolicy(name string, userType IAMUserType, isGroup bool,
|
func (iamOS *IAMObjectStore) loadMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool,
|
||||||
m map[string]MappedPolicy) error {
|
m map[string]MappedPolicy) error {
|
||||||
|
|
||||||
var p MappedPolicy
|
var p MappedPolicy
|
||||||
err := iamOS.loadIAMConfig(&p, getMappedPolicyPath(name, userType, isGroup))
|
err := iamOS.loadIAMConfig(ctx, &p, getMappedPolicyPath(name, userType, isGroup))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
return errNoSuchPolicy
|
return errNoSuchPolicy
|
||||||
@ -396,7 +395,7 @@ func (iamOS *IAMObjectStore) loadMappedPolicies(ctx context.Context, userType IA
|
|||||||
|
|
||||||
policyFile := item.Item
|
policyFile := item.Item
|
||||||
userOrGroupName := strings.TrimSuffix(policyFile, ".json")
|
userOrGroupName := strings.TrimSuffix(policyFile, ".json")
|
||||||
if err := iamOS.loadMappedPolicy(userOrGroupName, userType, isGroup, m); err != nil && err != errNoSuchPolicy {
|
if err := iamOS.loadMappedPolicy(ctx, userOrGroupName, userType, isGroup, m); err != nil && err != errNoSuchPolicy {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -489,7 +488,7 @@ func (iamOS *IAMObjectStore) loadAll(ctx context.Context, sys *IAMSys) error {
|
|||||||
if v.IsServiceAccount() {
|
if v.IsServiceAccount() {
|
||||||
for _, accessKey := range expiredEntries {
|
for _, accessKey := range expiredEntries {
|
||||||
if v.ParentUser == accessKey {
|
if v.ParentUser == accessKey {
|
||||||
_ = iamOS.deleteUserIdentity(v.AccessKey, srvAccUser)
|
_ = iamOS.deleteUserIdentity(ctx, v.AccessKey, srvAccUser)
|
||||||
delete(sys.iamUsersMap, v.AccessKey)
|
delete(sys.iamUsersMap, v.AccessKey)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -510,48 +509,48 @@ func (iamOS *IAMObjectStore) loadAll(ctx context.Context, sys *IAMSys) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) savePolicyDoc(policyName string, p iampolicy.Policy) error {
|
func (iamOS *IAMObjectStore) savePolicyDoc(ctx context.Context, policyName string, p iampolicy.Policy) error {
|
||||||
return iamOS.saveIAMConfig(&p, getPolicyDocPath(policyName))
|
return iamOS.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) saveMappedPolicy(name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error {
|
func (iamOS *IAMObjectStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error {
|
||||||
return iamOS.saveIAMConfig(mp, getMappedPolicyPath(name, userType, isGroup))
|
return iamOS.saveIAMConfig(ctx, mp, getMappedPolicyPath(name, userType, isGroup))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) saveUserIdentity(name string, userType IAMUserType, u UserIdentity) error {
|
func (iamOS *IAMObjectStore) saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity) error {
|
||||||
return iamOS.saveIAMConfig(u, getUserIdentityPath(name, userType))
|
return iamOS.saveIAMConfig(ctx, u, getUserIdentityPath(name, userType))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) saveGroupInfo(name string, gi GroupInfo) error {
|
func (iamOS *IAMObjectStore) saveGroupInfo(ctx context.Context, name string, gi GroupInfo) error {
|
||||||
return iamOS.saveIAMConfig(gi, getGroupInfoPath(name))
|
return iamOS.saveIAMConfig(ctx, gi, getGroupInfoPath(name))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) deletePolicyDoc(name string) error {
|
func (iamOS *IAMObjectStore) deletePolicyDoc(ctx context.Context, name string) error {
|
||||||
err := iamOS.deleteIAMConfig(getPolicyDocPath(name))
|
err := iamOS.deleteIAMConfig(ctx, getPolicyDocPath(name))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchPolicy
|
err = errNoSuchPolicy
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) deleteMappedPolicy(name string, userType IAMUserType, isGroup bool) error {
|
func (iamOS *IAMObjectStore) deleteMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool) error {
|
||||||
err := iamOS.deleteIAMConfig(getMappedPolicyPath(name, userType, isGroup))
|
err := iamOS.deleteIAMConfig(ctx, getMappedPolicyPath(name, userType, isGroup))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchPolicy
|
err = errNoSuchPolicy
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) deleteUserIdentity(name string, userType IAMUserType) error {
|
func (iamOS *IAMObjectStore) deleteUserIdentity(ctx context.Context, name string, userType IAMUserType) error {
|
||||||
err := iamOS.deleteIAMConfig(getUserIdentityPath(name, userType))
|
err := iamOS.deleteIAMConfig(ctx, getUserIdentityPath(name, userType))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchUser
|
err = errNoSuchUser
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (iamOS *IAMObjectStore) deleteGroupInfo(name string) error {
|
func (iamOS *IAMObjectStore) deleteGroupInfo(ctx context.Context, name string) error {
|
||||||
err := iamOS.deleteIAMConfig(getGroupInfoPath(name))
|
err := iamOS.deleteIAMConfig(ctx, getGroupInfoPath(name))
|
||||||
if err == errConfigNotFound {
|
if err == errConfigNotFound {
|
||||||
err = errNoSuchGroup
|
err = errNoSuchGroup
|
||||||
}
|
}
|
||||||
|
201
cmd/iam.go
201
cmd/iam.go
@ -240,33 +240,33 @@ type IAMStorageAPI interface {
|
|||||||
|
|
||||||
migrateBackendFormat(context.Context) error
|
migrateBackendFormat(context.Context) error
|
||||||
|
|
||||||
loadPolicyDoc(policy string, m map[string]iampolicy.Policy) error
|
loadPolicyDoc(ctx context.Context, policy string, m map[string]iampolicy.Policy) error
|
||||||
loadPolicyDocs(ctx context.Context, m map[string]iampolicy.Policy) error
|
loadPolicyDocs(ctx context.Context, m map[string]iampolicy.Policy) error
|
||||||
|
|
||||||
loadUser(user string, userType IAMUserType, m map[string]auth.Credentials) error
|
loadUser(ctx context.Context, user string, userType IAMUserType, m map[string]auth.Credentials) error
|
||||||
loadUsers(ctx context.Context, userType IAMUserType, m map[string]auth.Credentials) error
|
loadUsers(ctx context.Context, userType IAMUserType, m map[string]auth.Credentials) error
|
||||||
|
|
||||||
loadGroup(group string, m map[string]GroupInfo) error
|
loadGroup(ctx context.Context, group string, m map[string]GroupInfo) error
|
||||||
loadGroups(ctx context.Context, m map[string]GroupInfo) error
|
loadGroups(ctx context.Context, m map[string]GroupInfo) error
|
||||||
|
|
||||||
loadMappedPolicy(name string, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error
|
loadMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error
|
||||||
loadMappedPolicies(ctx context.Context, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error
|
loadMappedPolicies(ctx context.Context, userType IAMUserType, isGroup bool, m map[string]MappedPolicy) error
|
||||||
|
|
||||||
loadAll(context.Context, *IAMSys) error
|
loadAll(context.Context, *IAMSys) error
|
||||||
|
|
||||||
saveIAMConfig(item interface{}, path string) error
|
saveIAMConfig(ctx context.Context, item interface{}, path string) error
|
||||||
loadIAMConfig(item interface{}, path string) error
|
loadIAMConfig(ctx context.Context, item interface{}, path string) error
|
||||||
deleteIAMConfig(path string) error
|
deleteIAMConfig(ctx context.Context, path string) error
|
||||||
|
|
||||||
savePolicyDoc(policyName string, p iampolicy.Policy) error
|
savePolicyDoc(ctx context.Context, policyName string, p iampolicy.Policy) error
|
||||||
saveMappedPolicy(name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error
|
saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error
|
||||||
saveUserIdentity(name string, userType IAMUserType, u UserIdentity) error
|
saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity) error
|
||||||
saveGroupInfo(group string, gi GroupInfo) error
|
saveGroupInfo(ctx context.Context, group string, gi GroupInfo) error
|
||||||
|
|
||||||
deletePolicyDoc(policyName string) error
|
deletePolicyDoc(ctx context.Context, policyName string) error
|
||||||
deleteMappedPolicy(name string, userType IAMUserType, isGroup bool) error
|
deleteMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool) error
|
||||||
deleteUserIdentity(name string, userType IAMUserType) error
|
deleteUserIdentity(ctx context.Context, name string, userType IAMUserType) error
|
||||||
deleteGroupInfo(name string) error
|
deleteGroupInfo(ctx context.Context, name string) error
|
||||||
|
|
||||||
watch(context.Context, *IAMSys)
|
watch(context.Context, *IAMSys)
|
||||||
}
|
}
|
||||||
@ -289,7 +289,7 @@ func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error {
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
err := sys.store.loadGroup(group, sys.iamGroupsMap)
|
err := sys.store.loadGroup(context.Background(), group, sys.iamGroupsMap)
|
||||||
if err != nil && err != errNoSuchGroup {
|
if err != nil && err != errNoSuchGroup {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -326,7 +326,7 @@ func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error {
|
|||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
if globalEtcdClient == nil {
|
||||||
return sys.store.loadPolicyDoc(policyName, sys.iamPolicyDocsMap)
|
return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
|
||||||
}
|
}
|
||||||
|
|
||||||
// When etcd is set, we use watch APIs so this code is not needed.
|
// When etcd is set, we use watch APIs so this code is not needed.
|
||||||
@ -346,9 +346,9 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
|
|||||||
if globalEtcdClient == nil {
|
if globalEtcdClient == nil {
|
||||||
var err error
|
var err error
|
||||||
if isGroup {
|
if isGroup {
|
||||||
err = sys.store.loadMappedPolicy(userOrGroup, regularUser, isGroup, sys.iamGroupPolicyMap)
|
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, regularUser, isGroup, sys.iamGroupPolicyMap)
|
||||||
} else {
|
} else {
|
||||||
err = sys.store.loadMappedPolicy(userOrGroup, regularUser, isGroup, sys.iamUserPolicyMap)
|
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, regularUser, isGroup, sys.iamUserPolicyMap)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ignore policy not mapped error
|
// Ignore policy not mapped error
|
||||||
@ -370,11 +370,11 @@ func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUs
|
|||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
if globalEtcdClient == nil {
|
||||||
err := sys.store.loadUser(accessKey, userType, sys.iamUsersMap)
|
err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
err = sys.store.loadMappedPolicy(accessKey, userType, false, sys.iamUserPolicyMap)
|
err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap)
|
||||||
// Ignore policy not mapped error
|
// Ignore policy not mapped error
|
||||||
if err != nil && err != errNoSuchPolicy {
|
if err != nil && err != errNoSuchPolicy {
|
||||||
return err
|
return err
|
||||||
@ -386,7 +386,7 @@ func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUs
|
|||||||
|
|
||||||
// LoadServiceAccount - reloads a specific service account from backend disks or etcd.
|
// LoadServiceAccount - reloads a specific service account from backend disks or etcd.
|
||||||
func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
|
func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
|
||||||
if sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -394,7 +394,7 @@ func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
|
|||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
if globalEtcdClient == nil {
|
||||||
err := sys.store.loadUser(accessKey, srvAccUser, sys.iamUsersMap)
|
err := sys.store.loadUser(context.Background(), accessKey, srvAccUser, sys.iamUsersMap)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -408,23 +408,21 @@ func (sys *IAMSys) doIAMConfigMigration(ctx context.Context) error {
|
|||||||
return sys.store.migrateBackendFormat(ctx)
|
return sys.store.migrateBackendFormat(ctx)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Init - initializes config system by reading entries from config/iam
|
// InitStore initializes IAM stores
|
||||||
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
|
func (sys *IAMSys) InitStore(objAPI ObjectLayer) {
|
||||||
if objAPI == nil {
|
|
||||||
logger.LogIf(ctx, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if globalEtcdClient == nil {
|
if globalEtcdClient == nil {
|
||||||
sys.store = newIAMObjectStore(ctx, objAPI)
|
sys.store = newIAMObjectStore(objAPI)
|
||||||
} else {
|
} else {
|
||||||
sys.store = newIAMEtcdStore(ctx)
|
sys.store = newIAMEtcdStore()
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalLDAPConfig.Enabled {
|
if globalLDAPConfig.Enabled {
|
||||||
sys.EnableLDAPSys()
|
sys.EnableLDAPSys()
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Init - initializes config system by reading entries from config/iam
|
||||||
|
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
|
||||||
retryCtx, cancel := context.WithCancel(ctx)
|
retryCtx, cancel := context.WithCancel(ctx)
|
||||||
|
|
||||||
// Indicate to our routine to exit cleanly upon return.
|
// Indicate to our routine to exit cleanly upon return.
|
||||||
@ -507,8 +505,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
|
|||||||
|
|
||||||
// DeletePolicy - deletes a canned policy from backend or etcd.
|
// DeletePolicy - deletes a canned policy from backend or etcd.
|
||||||
func (sys *IAMSys) DeletePolicy(policyName string) error {
|
func (sys *IAMSys) DeletePolicy(policyName string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -519,7 +516,7 @@ func (sys *IAMSys) DeletePolicy(policyName string) error {
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
err := sys.store.deletePolicyDoc(policyName)
|
err := sys.store.deletePolicyDoc(context.Background(), policyName)
|
||||||
if err == errNoSuchPolicy {
|
if err == errNoSuchPolicy {
|
||||||
// Ignore error if policy is already deleted.
|
// Ignore error if policy is already deleted.
|
||||||
err = nil
|
err = nil
|
||||||
@ -560,8 +557,7 @@ func (sys *IAMSys) DeletePolicy(policyName string) error {
|
|||||||
|
|
||||||
// InfoPolicy - expands the canned policy into its JSON structure.
|
// InfoPolicy - expands the canned policy into its JSON structure.
|
||||||
func (sys *IAMSys) InfoPolicy(policyName string) (iampolicy.Policy, error) {
|
func (sys *IAMSys) InfoPolicy(policyName string) (iampolicy.Policy, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return iampolicy.Policy{}, errServerNotInitialized
|
return iampolicy.Policy{}, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -578,8 +574,7 @@ func (sys *IAMSys) InfoPolicy(policyName string) (iampolicy.Policy, error) {
|
|||||||
|
|
||||||
// ListPolicies - lists all canned policies.
|
// ListPolicies - lists all canned policies.
|
||||||
func (sys *IAMSys) ListPolicies() (map[string]iampolicy.Policy, error) {
|
func (sys *IAMSys) ListPolicies() (map[string]iampolicy.Policy, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return nil, errServerNotInitialized
|
return nil, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -600,8 +595,7 @@ func (sys *IAMSys) ListPolicies() (map[string]iampolicy.Policy, error) {
|
|||||||
|
|
||||||
// SetPolicy - sets a new name policy.
|
// SetPolicy - sets a new name policy.
|
||||||
func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error {
|
func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -612,7 +606,7 @@ func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error {
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
defer sys.store.unlock()
|
defer sys.store.unlock()
|
||||||
|
|
||||||
if err := sys.store.savePolicyDoc(policyName, p); err != nil {
|
if err := sys.store.savePolicyDoc(context.Background(), policyName, p); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -622,8 +616,7 @@ func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error {
|
|||||||
|
|
||||||
// DeleteUser - delete user (only for long-term users not STS users).
|
// DeleteUser - delete user (only for long-term users not STS users).
|
||||||
func (sys *IAMSys) DeleteUser(accessKey string) error {
|
func (sys *IAMSys) DeleteUser(accessKey string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -652,15 +645,15 @@ func (sys *IAMSys) DeleteUser(accessKey string) error {
|
|||||||
for _, u := range sys.iamUsersMap {
|
for _, u := range sys.iamUsersMap {
|
||||||
if u.IsServiceAccount() {
|
if u.IsServiceAccount() {
|
||||||
if u.ParentUser == accessKey {
|
if u.ParentUser == accessKey {
|
||||||
_ = sys.store.deleteUserIdentity(u.AccessKey, srvAccUser)
|
_ = sys.store.deleteUserIdentity(context.Background(), u.AccessKey, srvAccUser)
|
||||||
delete(sys.iamUsersMap, u.AccessKey)
|
delete(sys.iamUsersMap, u.AccessKey)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// It is ok to ignore deletion error on the mapped policy
|
// It is ok to ignore deletion error on the mapped policy
|
||||||
sys.store.deleteMappedPolicy(accessKey, regularUser, false)
|
sys.store.deleteMappedPolicy(context.Background(), accessKey, regularUser, false)
|
||||||
err := sys.store.deleteUserIdentity(accessKey, regularUser)
|
err := sys.store.deleteUserIdentity(context.Background(), accessKey, regularUser)
|
||||||
if err == errNoSuchUser {
|
if err == errNoSuchUser {
|
||||||
// ignore if user is already deleted.
|
// ignore if user is already deleted.
|
||||||
err = nil
|
err = nil
|
||||||
@ -692,8 +685,7 @@ func (sys *IAMSys) currentPolicies(policyName string) string {
|
|||||||
|
|
||||||
// SetTempUser - set temporary user credentials, these credentials have an expiry.
|
// SetTempUser - set temporary user credentials, these credentials have an expiry.
|
||||||
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error {
|
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -724,7 +716,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := sys.store.saveMappedPolicy(accessKey, stsUser, false, mp); err != nil {
|
if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -732,7 +724,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
|
|||||||
}
|
}
|
||||||
|
|
||||||
u := newUserIdentity(cred)
|
u := newUserIdentity(cred)
|
||||||
if err := sys.store.saveUserIdentity(accessKey, stsUser, u); err != nil {
|
if err := sys.store.saveUserIdentity(context.Background(), accessKey, stsUser, u); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -742,8 +734,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
|
|||||||
|
|
||||||
// ListUsers - list all users.
|
// ListUsers - list all users.
|
||||||
func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
|
func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return nil, errServerNotInitialized
|
return nil, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -779,8 +770,7 @@ func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
|
|||||||
|
|
||||||
// IsTempUser - returns if given key is a temporary user.
|
// IsTempUser - returns if given key is a temporary user.
|
||||||
func (sys *IAMSys) IsTempUser(name string) (bool, error) {
|
func (sys *IAMSys) IsTempUser(name string) (bool, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return false, errServerNotInitialized
|
return false, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -797,8 +787,7 @@ func (sys *IAMSys) IsTempUser(name string) (bool, error) {
|
|||||||
|
|
||||||
// IsServiceAccount - returns if given key is a service account
|
// IsServiceAccount - returns if given key is a service account
|
||||||
func (sys *IAMSys) IsServiceAccount(name string) (bool, string, error) {
|
func (sys *IAMSys) IsServiceAccount(name string) (bool, string, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return false, "", errServerNotInitialized
|
return false, "", errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -819,8 +808,7 @@ func (sys *IAMSys) IsServiceAccount(name string) (bool, string, error) {
|
|||||||
|
|
||||||
// GetUserInfo - get info on a user.
|
// GetUserInfo - get info on a user.
|
||||||
func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
|
func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return u, errServerNotInitialized
|
return u, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -865,8 +853,8 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
|
|||||||
|
|
||||||
// SetUserStatus - sets current user status, supports disabled or enabled.
|
// SetUserStatus - sets current user status, supports disabled or enabled.
|
||||||
func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus) error {
|
func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus) error {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -901,7 +889,7 @@ func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus)
|
|||||||
}(),
|
}(),
|
||||||
})
|
})
|
||||||
|
|
||||||
if err := sys.store.saveUserIdentity(accessKey, regularUser, uinfo); err != nil {
|
if err := sys.store.saveUserIdentity(context.Background(), accessKey, regularUser, uinfo); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -911,8 +899,8 @@ func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus)
|
|||||||
|
|
||||||
// NewServiceAccount - create a new service account
|
// NewServiceAccount - create a new service account
|
||||||
func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, sessionPolicy *iampolicy.Policy) (auth.Credentials, error) {
|
func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, sessionPolicy *iampolicy.Policy) (auth.Credentials, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return auth.Credentials{}, errServerNotInitialized
|
return auth.Credentials{}, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -967,7 +955,7 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, ses
|
|||||||
|
|
||||||
u := newUserIdentity(cred)
|
u := newUserIdentity(cred)
|
||||||
|
|
||||||
if err := sys.store.saveUserIdentity(u.Credentials.AccessKey, srvAccUser, u); err != nil {
|
if err := sys.store.saveUserIdentity(context.Background(), u.Credentials.AccessKey, srvAccUser, u); err != nil {
|
||||||
return auth.Credentials{}, err
|
return auth.Credentials{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -978,8 +966,8 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, ses
|
|||||||
|
|
||||||
// ListServiceAccounts - lists all services accounts associated to a specific user
|
// ListServiceAccounts - lists all services accounts associated to a specific user
|
||||||
func (sys *IAMSys) ListServiceAccounts(ctx context.Context, accessKey string) ([]string, error) {
|
func (sys *IAMSys) ListServiceAccounts(ctx context.Context, accessKey string) ([]string, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return nil, errServerNotInitialized
|
return nil, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1003,8 +991,8 @@ func (sys *IAMSys) ListServiceAccounts(ctx context.Context, accessKey string) ([
|
|||||||
|
|
||||||
// GetServiceAccountParent - gets information about a service account
|
// GetServiceAccountParent - gets information about a service account
|
||||||
func (sys *IAMSys) GetServiceAccountParent(ctx context.Context, accessKey string) (string, error) {
|
func (sys *IAMSys) GetServiceAccountParent(ctx context.Context, accessKey string) (string, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return "", errServerNotInitialized
|
return "", errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1020,8 +1008,8 @@ func (sys *IAMSys) GetServiceAccountParent(ctx context.Context, accessKey string
|
|||||||
|
|
||||||
// DeleteServiceAccount - delete a service account
|
// DeleteServiceAccount - delete a service account
|
||||||
func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) error {
|
func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1034,7 +1022,7 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
|
|||||||
}
|
}
|
||||||
|
|
||||||
// It is ok to ignore deletion error on the mapped policy
|
// It is ok to ignore deletion error on the mapped policy
|
||||||
err := sys.store.deleteUserIdentity(accessKey, srvAccUser)
|
err := sys.store.deleteUserIdentity(context.Background(), accessKey, srvAccUser)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// ignore if user is already deleted.
|
// ignore if user is already deleted.
|
||||||
if err == errNoSuchUser {
|
if err == errNoSuchUser {
|
||||||
@ -1049,8 +1037,8 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
|
|||||||
|
|
||||||
// SetUser - set user credentials and policy.
|
// SetUser - set user credentials and policy.
|
||||||
func (sys *IAMSys) SetUser(accessKey string, uinfo madmin.UserInfo) error {
|
func (sys *IAMSys) SetUser(accessKey string, uinfo madmin.UserInfo) error {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1072,7 +1060,7 @@ func (sys *IAMSys) SetUser(accessKey string, uinfo madmin.UserInfo) error {
|
|||||||
return errIAMActionNotAllowed
|
return errIAMActionNotAllowed
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := sys.store.saveUserIdentity(accessKey, regularUser, u); err != nil {
|
if err := sys.store.saveUserIdentity(context.Background(), accessKey, regularUser, u); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1087,8 +1075,8 @@ func (sys *IAMSys) SetUser(accessKey string, uinfo madmin.UserInfo) error {
|
|||||||
|
|
||||||
// SetUserSecretKey - sets user secret key
|
// SetUserSecretKey - sets user secret key
|
||||||
func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
|
func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
if sys == nil {
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1106,7 +1094,7 @@ func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
|
|||||||
|
|
||||||
cred.SecretKey = secretKey
|
cred.SecretKey = secretKey
|
||||||
u := newUserIdentity(cred)
|
u := newUserIdentity(cred)
|
||||||
if err := sys.store.saveUserIdentity(accessKey, regularUser, u); err != nil {
|
if err := sys.store.saveUserIdentity(context.Background(), accessKey, regularUser, u); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1116,8 +1104,7 @@ func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
|
|||||||
|
|
||||||
// GetUser - get user credentials
|
// GetUser - get user credentials
|
||||||
func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return cred, false
|
return cred, false
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1128,34 +1115,37 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
|||||||
sys.store.lock()
|
sys.store.lock()
|
||||||
// If user is already found proceed.
|
// If user is already found proceed.
|
||||||
if _, found := sys.iamUsersMap[accessKey]; !found {
|
if _, found := sys.iamUsersMap[accessKey]; !found {
|
||||||
sys.store.loadUser(accessKey, regularUser, sys.iamUsersMap)
|
sys.store.loadUser(context.Background(), accessKey, regularUser, sys.iamUsersMap)
|
||||||
if _, found = sys.iamUsersMap[accessKey]; found {
|
if _, found = sys.iamUsersMap[accessKey]; found {
|
||||||
// found user, load its mapped policies
|
// found user, load its mapped policies
|
||||||
sys.store.loadMappedPolicy(accessKey, regularUser, false, sys.iamUserPolicyMap)
|
sys.store.loadMappedPolicy(context.Background(), accessKey, regularUser, false, sys.iamUserPolicyMap)
|
||||||
} else {
|
} else {
|
||||||
sys.store.loadUser(accessKey, srvAccUser, sys.iamUsersMap)
|
sys.store.loadUser(context.Background(), accessKey, srvAccUser, sys.iamUsersMap)
|
||||||
if svc, found := sys.iamUsersMap[accessKey]; found {
|
if svc, found := sys.iamUsersMap[accessKey]; found {
|
||||||
// Found service account, load its parent user and its mapped policies.
|
// Found service account, load its parent user and its mapped policies.
|
||||||
if sys.usersSysType == MinIOUsersSysType {
|
if sys.usersSysType == MinIOUsersSysType {
|
||||||
sys.store.loadUser(svc.ParentUser, regularUser, sys.iamUsersMap)
|
sys.store.loadUser(context.Background(), svc.ParentUser, regularUser, sys.iamUsersMap)
|
||||||
}
|
}
|
||||||
sys.store.loadMappedPolicy(svc.ParentUser, regularUser, false, sys.iamUserPolicyMap)
|
sys.store.loadMappedPolicy(context.Background(), svc.ParentUser, regularUser, false, sys.iamUserPolicyMap)
|
||||||
} else {
|
} else {
|
||||||
// None found fall back to STS users.
|
// None found fall back to STS users.
|
||||||
sys.store.loadUser(accessKey, stsUser, sys.iamUsersMap)
|
sys.store.loadUser(context.Background(), accessKey, stsUser, sys.iamUsersMap)
|
||||||
if _, found = sys.iamUsersMap[accessKey]; found {
|
if _, found = sys.iamUsersMap[accessKey]; found {
|
||||||
// STS user found, load its mapped policy.
|
// STS user found, load its mapped policy.
|
||||||
sys.store.loadMappedPolicy(accessKey, stsUser, false, sys.iamUserPolicyMap)
|
sys.store.loadMappedPolicy(context.Background(), accessKey, stsUser, false, sys.iamUserPolicyMap)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load associated policies if any.
|
// Load associated policies if any.
|
||||||
for _, policy := range sys.iamUserPolicyMap[accessKey].toSlice() {
|
for _, policy := range sys.iamUserPolicyMap[accessKey].toSlice() {
|
||||||
if _, found := sys.iamPolicyDocsMap[policy]; !found {
|
if _, found := sys.iamPolicyDocsMap[policy]; !found {
|
||||||
sys.store.loadPolicyDoc(policy, sys.iamPolicyDocsMap)
|
sys.store.loadPolicyDoc(context.Background(), policy, sys.iamPolicyDocsMap)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sys.buildUserGroupMemberships()
|
||||||
sys.store.unlock()
|
sys.store.unlock()
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1180,8 +1170,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
|||||||
// AddUsersToGroup - adds users to a group, creating the group if
|
// AddUsersToGroup - adds users to a group, creating the group if
|
||||||
// needed. No error if user(s) already are in the group.
|
// needed. No error if user(s) already are in the group.
|
||||||
func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
|
func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1218,7 +1207,7 @@ func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
|
|||||||
gi.Members = uniqMembers
|
gi.Members = uniqMembers
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := sys.store.saveGroupInfo(group, gi); err != nil {
|
if err := sys.store.saveGroupInfo(context.Background(), group, gi); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1241,8 +1230,7 @@ func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
|
|||||||
// RemoveUsersFromGroup - remove users from group. If no users are
|
// RemoveUsersFromGroup - remove users from group. If no users are
|
||||||
// given, and the group is empty, deletes the group as well.
|
// given, and the group is empty, deletes the group as well.
|
||||||
func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
|
func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1283,10 +1271,10 @@ func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
|
|||||||
|
|
||||||
// Remove the group from storage. First delete the
|
// Remove the group from storage. First delete the
|
||||||
// mapped policy. No-mapped-policy case is ignored.
|
// mapped policy. No-mapped-policy case is ignored.
|
||||||
if err := sys.store.deleteMappedPolicy(group, regularUser, true); err != nil && err != errNoSuchPolicy {
|
if err := sys.store.deleteMappedPolicy(context.Background(), group, regularUser, true); err != nil && err != errNoSuchPolicy {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := sys.store.deleteGroupInfo(group); err != nil && err != errNoSuchGroup {
|
if err := sys.store.deleteGroupInfo(context.Background(), group); err != nil && err != errNoSuchGroup {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1301,7 +1289,7 @@ func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
|
|||||||
d := set.CreateStringSet(members...)
|
d := set.CreateStringSet(members...)
|
||||||
gi.Members = s.Difference(d).ToSlice()
|
gi.Members = s.Difference(d).ToSlice()
|
||||||
|
|
||||||
err := sys.store.saveGroupInfo(group, gi)
|
err := sys.store.saveGroupInfo(context.Background(), group, gi)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -1322,8 +1310,7 @@ func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
|
|||||||
|
|
||||||
// SetGroupStatus - enable/disabled a group
|
// SetGroupStatus - enable/disabled a group
|
||||||
func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
|
func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1349,7 +1336,7 @@ func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
|
|||||||
gi.Status = statusDisabled
|
gi.Status = statusDisabled
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := sys.store.saveGroupInfo(group, gi); err != nil {
|
if err := sys.store.saveGroupInfo(context.Background(), group, gi); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
sys.iamGroupsMap[group] = gi
|
sys.iamGroupsMap[group] = gi
|
||||||
@ -1358,8 +1345,7 @@ func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
|
|||||||
|
|
||||||
// GetGroupDescription - builds up group description
|
// GetGroupDescription - builds up group description
|
||||||
func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err error) {
|
func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return gd, errServerNotInitialized
|
return gd, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1399,8 +1385,7 @@ func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err e
|
|||||||
|
|
||||||
// ListGroups - lists groups.
|
// ListGroups - lists groups.
|
||||||
func (sys *IAMSys) ListGroups() (r []string, err error) {
|
func (sys *IAMSys) ListGroups() (r []string, err error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return r, errServerNotInitialized
|
return r, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1423,8 +1408,7 @@ func (sys *IAMSys) ListGroups() (r []string, err error) {
|
|||||||
|
|
||||||
// PolicyDBSet - sets a policy for a user or group in the PolicyDB.
|
// PolicyDBSet - sets a policy for a user or group in the PolicyDB.
|
||||||
func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
|
func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return errServerNotInitialized
|
return errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1455,7 +1439,7 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
|
|||||||
|
|
||||||
// Handle policy mapping removal
|
// Handle policy mapping removal
|
||||||
if policyName == "" {
|
if policyName == "" {
|
||||||
if err := sys.store.deleteMappedPolicy(name, userType, isGroup); err != nil && err != errNoSuchPolicy {
|
if err := sys.store.deleteMappedPolicy(context.Background(), name, userType, isGroup); err != nil && err != errNoSuchPolicy {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if !isGroup {
|
if !isGroup {
|
||||||
@ -1475,7 +1459,7 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Handle policy mapping set/update
|
// Handle policy mapping set/update
|
||||||
if err := sys.store.saveMappedPolicy(name, userType, isGroup, mp); err != nil {
|
if err := sys.store.saveMappedPolicy(context.Background(), name, userType, isGroup, mp); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if !isGroup {
|
if !isGroup {
|
||||||
@ -1490,8 +1474,7 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
|
|||||||
// be a member of multiple groups, this function returns an array of
|
// be a member of multiple groups, this function returns an array of
|
||||||
// applicable policies (each group is mapped to at most one policy).
|
// applicable policies (each group is mapped to at most one policy).
|
||||||
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
|
func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
|
||||||
objectAPI := newObjectLayerFn()
|
if sys == nil {
|
||||||
if objectAPI == nil || sys == nil || sys.store == nil {
|
|
||||||
return nil, errServerNotInitialized
|
return nil, errServerNotInitialized
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -104,9 +104,6 @@ func webTokenCallback(claims *xjwt.MapClaims) ([]byte, error) {
|
|||||||
if claims.AccessKey == globalActiveCred.AccessKey {
|
if claims.AccessKey == globalActiveCred.AccessKey {
|
||||||
return []byte(globalActiveCred.SecretKey), nil
|
return []byte(globalActiveCred.SecretKey), nil
|
||||||
}
|
}
|
||||||
if globalIAMSys == nil {
|
|
||||||
return nil, errInvalidAccessKeyID
|
|
||||||
}
|
|
||||||
ok, err := globalIAMSys.IsTempUser(claims.AccessKey)
|
ok, err := globalIAMSys.IsTempUser(claims.AccessKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == errNoSuchUser {
|
if err == errNoSuchUser {
|
||||||
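Review bot: Dropping the `globalIAMSys == nil` guard before `globalIAMSys.IsTempUser(claims.AccessKey)` moves the not-initialized check into the IAM methods, but the IAM hunks earlier on this page reduce those guards to `if sys == nil` and drop the `sys.store == nil` test, while the store is now populated separately by `InitStore` in initAllSubsystems; a request authenticated between `newAllSubsystems()` and `InitStore` would appear to reach a nil store (the store lifecycle is not fully visible here, so this is worth confirming against where the listener starts accepting traffic). The same guard removal applies to the peer-REST handlers (DeletePolicyHandler through LoadGroupHandler) and to checkKeyValid further down. The error surfaced in the not-ready case also changes from `errInvalidAccessKeyID` to whatever `IsTempUser` returns (`errServerNotInitialized` in the IAM hunks), which callers mapping JWT callback errors to HTTP codes may not expect. webTokenCallback's body continues outside the hunk.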
|
@ -71,11 +71,6 @@ func (s *peerRESTServer) DeletePolicyHandler(w http.ResponseWriter, r *http.Requ
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
policyName := vars[peerRESTPolicy]
|
policyName := vars[peerRESTPolicy]
|
||||||
if policyName == "" {
|
if policyName == "" {
|
||||||
@ -104,11 +99,6 @@ func (s *peerRESTServer) LoadPolicyHandler(w http.ResponseWriter, r *http.Reques
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
policyName := vars[peerRESTPolicy]
|
policyName := vars[peerRESTPolicy]
|
||||||
if policyName == "" {
|
if policyName == "" {
|
||||||
@ -137,11 +127,6 @@ func (s *peerRESTServer) LoadPolicyMappingHandler(w http.ResponseWriter, r *http
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
userOrGroup := vars[peerRESTUserOrGroup]
|
userOrGroup := vars[peerRESTUserOrGroup]
|
||||||
if userOrGroup == "" {
|
if userOrGroup == "" {
|
||||||
@ -171,11 +156,6 @@ func (s *peerRESTServer) DeleteServiceAccountHandler(w http.ResponseWriter, r *h
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
accessKey := vars[peerRESTUser]
|
accessKey := vars[peerRESTUser]
|
||||||
if accessKey == "" {
|
if accessKey == "" {
|
||||||
@ -204,11 +184,6 @@ func (s *peerRESTServer) LoadServiceAccountHandler(w http.ResponseWriter, r *htt
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
accessKey := vars[peerRESTUser]
|
accessKey := vars[peerRESTUser]
|
||||||
if accessKey == "" {
|
if accessKey == "" {
|
||||||
@ -237,11 +212,6 @@ func (s *peerRESTServer) DeleteUserHandler(w http.ResponseWriter, r *http.Reques
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
accessKey := vars[peerRESTUser]
|
accessKey := vars[peerRESTUser]
|
||||||
if accessKey == "" {
|
if accessKey == "" {
|
||||||
@ -270,11 +240,6 @@ func (s *peerRESTServer) LoadUserHandler(w http.ResponseWriter, r *http.Request)
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
accessKey := vars[peerRESTUser]
|
accessKey := vars[peerRESTUser]
|
||||||
if accessKey == "" {
|
if accessKey == "" {
|
||||||
@ -314,11 +279,6 @@ func (s *peerRESTServer) LoadGroupHandler(w http.ResponseWriter, r *http.Request
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalIAMSys == nil {
|
|
||||||
s.writeErrorResponse(w, errServerNotInitialized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
group := vars[peerRESTGroup]
|
group := vars[peerRESTGroup]
|
||||||
err := globalIAMSys.LoadGroup(objAPI, group)
|
err := globalIAMSys.LoadGroup(objAPI, group)
|
||||||
|
@ -327,9 +327,12 @@ func initAllSubsystems(ctx context.Context, newObject ObjectLayer) (err error) {
|
|||||||
return fmt.Errorf("Unable to initialize config system: %w", err)
|
return fmt.Errorf("Unable to initialize config system: %w", err)
|
||||||
}
|
}
|
||||||
// Any other config errors we simply print a message and proceed forward.
|
// Any other config errors we simply print a message and proceed forward.
|
||||||
logger.LogIf(ctx, err)
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize config, some features may be missing %w", err))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Initialize IAM store
|
||||||
|
globalIAMSys.InitStore(newObject)
|
||||||
|
|
||||||
// Populate existing buckets to the etcd backend
|
// Populate existing buckets to the etcd backend
|
||||||
if globalDNSConfig != nil {
|
if globalDNSConfig != nil {
|
||||||
// Background this operation.
|
// Background this operation.
|
||||||
@ -385,6 +388,9 @@ func serverMain(ctx *cli.Context) {
|
|||||||
// Initialize all help
|
// Initialize all help
|
||||||
initHelp()
|
initHelp()
|
||||||
|
|
||||||
|
// Initialize all sub-systems
|
||||||
|
newAllSubsystems()
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
globalProxyEndpoints, err = GetProxyEndpoints(globalEndpoints)
|
globalProxyEndpoints, err = GetProxyEndpoints(globalEndpoints)
|
||||||
logger.FatalIf(err, "Invalid command line arguments")
|
logger.FatalIf(err, "Invalid command line arguments")
|
||||||
@ -427,9 +433,6 @@ func serverMain(ctx *cli.Context) {
|
|||||||
globalReplicationState = newReplicationState()
|
globalReplicationState = newReplicationState()
|
||||||
}
|
}
|
||||||
|
|
||||||
// Initialize all sub-systems
|
|
||||||
newAllSubsystems()
|
|
||||||
|
|
||||||
// Configure server.
|
// Configure server.
|
||||||
handler, err := configureServerHandler(globalEndpoints)
|
handler, err := configureServerHandler(globalEndpoints)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -476,11 +479,6 @@ func serverMain(ctx *cli.Context) {
|
|||||||
|
|
||||||
logger.SetDeploymentID(globalDeploymentID)
|
logger.SetDeploymentID(globalDeploymentID)
|
||||||
|
|
||||||
// Once endpoints are finalized, initialize the new object api in safe mode.
|
|
||||||
globalObjLayerMutex.Lock()
|
|
||||||
globalObjectAPI = newObject
|
|
||||||
globalObjLayerMutex.Unlock()
|
|
||||||
|
|
||||||
go initDataCrawler(GlobalContext, newObject)
|
go initDataCrawler(GlobalContext, newObject)
|
||||||
|
|
||||||
// Enable background operations for erasure coding
|
// Enable background operations for erasure coding
|
||||||
@ -503,6 +501,11 @@ func serverMain(ctx *cli.Context) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Once the config is fully loaded, initialize the new object layer.
|
||||||
|
globalObjLayerMutex.Lock()
|
||||||
|
globalObjectAPI = newObject
|
||||||
|
globalObjLayerMutex.Unlock()
|
||||||
|
|
||||||
// Initialize users credentials and policies in background right after config has initialized.
|
// Initialize users credentials and policies in background right after config has initialized.
|
||||||
go globalIAMSys.Init(GlobalContext, newObject)
|
go globalIAMSys.Init(GlobalContext, newObject)
|
||||||
|
|
||||||
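Review bot: The new log line `logger.LogIf(ctx, fmt.Errorf("Unable to initialize config, some features may be missing %w", err))` has no separator before `%w`, so the wrapped error runs straight into the message; `"Unable to initialize config, some features may be missing: %w"` reads cleanly and matches the `"Unable to initialize config system: %w"` form a few lines above. `globalIAMSys.InitStore(newObject)` is called without inspecting any result; if it can fail, the error should be handled like the config error above rather than silently proceeding — confirm its signature. With `globalObjectAPI = newObject` moved after initAllSubsystems while `newAllSubsystems()` now runs before configureServerHandler, the window in which handlers see a live `globalIAMSys` but a nil object layer (and apparently a nil IAM store) grows; a one-line comment at the moved assignment explaining that config and the IAM store are intentionally ready before the object layer is exposed would help the next reader. Both initAllSubsystems and serverMain continue outside the hunks shown.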
|
@ -124,9 +124,6 @@ func checkKeyValid(accessKey string) (auth.Credentials, bool, APIErrorCode) {
|
|||||||
var owner = true
|
var owner = true
|
||||||
var cred = globalActiveCred
|
var cred = globalActiveCred
|
||||||
if cred.AccessKey != accessKey {
|
if cred.AccessKey != accessKey {
|
||||||
if globalIAMSys == nil {
|
|
||||||
return cred, false, ErrInvalidAccessKeyID
|
|
||||||
}
|
|
||||||
// Check if the access key is part of users credentials.
|
// Check if the access key is part of users credentials.
|
||||||
var ok bool
|
var ok bool
|
||||||
if cred, ok = globalIAMSys.GetUser(accessKey); !ok {
|
if cred, ok = globalIAMSys.GetUser(accessKey); !ok {
|
||||||
|