Do not use a chain for S3 tiering to return better error messages (#18030)

When using a chain provider all providers do not return a valid
access and secret key, an anonymous request is sent, which makes it hard
for users to figure out what is going on

In the case of S3 tiering, when AWS IAM temporary account generation returns
an error, an anonymous login will be used because of the chain provider.
Avoid this and use the AWS IAM provider directly to get a good error
message.
This commit is contained in:
Anis Eleuch 2023-09-14 15:28:20 -07:00 committed by GitHub
parent 7a7068ee47
commit b0e1776d6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 16 deletions

View File

@ -29,7 +29,6 @@ import (
"fmt"
"math/rand"
"net"
"net/http"
"net/url"
"os"
"path"
@ -54,7 +53,6 @@ import (
"github.com/minio/kes-go"
"github.com/minio/madmin-go/v3"
"github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/color"
@ -71,10 +69,7 @@ import (
// serverDebugLog will enable debug printing
var serverDebugLog = env.Get("_MINIO_SERVER_DEBUG", config.EnableOff) == config.EnableOn
var (
shardDiskTimeDelta time.Duration
defaultAWSCredProvider []credentials.Provider
)
var shardDiskTimeDelta time.Duration
func init() {
if runtime.GOOS == "windows" {
@ -112,14 +107,6 @@ func init() {
gob.Register(madmin.XFSErrorConfigs{})
gob.Register(map[string]interface{}{})
defaultAWSCredProvider = []credentials.Provider{
&credentials.IAM{
Client: &http.Client{
Transport: NewHTTPTransport(),
},
},
}
var err error
shardDiskTimeDelta, err = time.ParseDuration(env.Get("_MINIO_SHARD_DISKTIME_DELTA", "1m"))
if err != nil {

View File

@ -115,7 +115,11 @@ func newWarmBackendS3(conf madmin.TierS3, tier string) (*warmBackendS3, error) {
}
var creds *credentials.Credentials
if conf.AWSRole {
creds = credentials.NewChainCredentials(defaultAWSCredProvider)
creds = credentials.New(&credentials.IAM{
Client: &http.Client{
Transport: NewHTTPTransport(),
},
})
} else {
creds = credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "")
}

View File

@ -117,7 +117,7 @@ type tierPermErr struct {
}
func (te tierPermErr) Error() string {
return fmt.Sprintf("failed to perform %s %v", te.Op, te.Err)
return fmt.Sprintf("failed to perform %s: %v", te.Op, te.Err)
}
func errIsTierPermError(err error) bool {