IAM: Block while loading users (#11671)

While starting up a request that needs all IAM data will start another load operation if the first on startup hasn't finished. This slows down both operations. Block these requests until initial load has completed. Blocking calls will be ListPolicies, ListUsers, ListServiceAccounts, ListGroups - and the calls that eventually trigger these. These will wait for the initial load to complete. Fixes issue seen in #11305
2025-05-21 17:43:48 -04:00 · 2021-03-02 17:08:25 -08:00 · 2021-03-02 17:08:25 -08:00 · cd9e30c0f4
commit cd9e30c0f4
parent f96d4cf7d3
1 changed files with 22 additions and 48 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -220,8 +220,10 @@ type IAMSys struct {
 	iamGroupPolicyMap map[string]MappedPolicy
 	// Persistence layer for IAM subsystem
-	store         IAMStorageAPI
+	store IAMStorageAPI
-	storeFallback bool
+
 	// configLoaded will be closed and remain so after first load.
 	configLoaded chan struct{}
 }
 // IAMUserType represents a user type inside MinIO server
@ -554,7 +556,11 @@ func (sys *IAMSys) Load(ctx context.Context, store IAMStorageAPI) error {
 	}
 	sys.buildUserGroupMemberships()
-	sys.storeFallback = false
+	select {
 	case <-sys.configLoaded:
 	default:
 		close(sys.configLoaded)
 	}
 	return nil
 }
@ -732,15 +738,7 @@ func (sys *IAMSys) ListPolicies() (map[string]iampolicy.Policy, error) {
 		return nil, errServerNotInitialized
 	}
-	sys.store.rlock()
+	<-sys.configLoaded
 	fallback := sys.storeFallback
 	sys.store.runlock()
 	if fallback {
 		if err := sys.store.loadAll(context.Background(), sys); err != nil {
 			return nil, err
 		}
 	}
 	sys.store.rlock()
 	defer sys.store.runlock()
@ -915,15 +913,7 @@ func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
 		return nil, errIAMActionNotAllowed
 	}
-	sys.store.rlock()
+	<-sys.configLoaded
 	fallback := sys.storeFallback
 	sys.store.runlock()
 	if fallback {
 		if err := sys.store.loadAll(context.Background(), sys); err != nil {
 			return nil, err
 		}
 	}
 	sys.store.rlock()
 	defer sys.store.runlock()
@ -995,10 +985,9 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
 		return u, errServerNotInitialized
 	}
-	sys.store.rlock()
+	select {
-	fallback := sys.storeFallback
+	case <-sys.configLoaded:
-	sys.store.runlock()
+	default:
 	if fallback {
 		sys.loadUserFromStore(name)
 	}
@ -1178,15 +1167,7 @@ func (sys *IAMSys) ListServiceAccounts(ctx context.Context, accessKey string) ([
 		return nil, errServerNotInitialized
 	}
-	sys.store.rlock()
+	<-sys.configLoaded
 	fallback := sys.storeFallback
 	sys.store.runlock()
 	if fallback {
 		if err := sys.store.loadAll(context.Background(), sys); err != nil {
 			return nil, err
 		}
 	}
 	sys.store.rlock()
 	defer sys.store.runlock()
@ -1355,11 +1336,12 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 		return cred, false
 	}
-	sys.store.rlock()
+	fallback := false
-	fallback := sys.storeFallback
+	select {
-	sys.store.runlock()
+	case <-sys.configLoaded:
-	if fallback {
+	default:
 		sys.loadUserFromStore(accessKey)
 		fallback = true
 	}
 	sys.store.rlock()
@ -1619,15 +1601,7 @@ func (sys *IAMSys) ListGroups() (r []string, err error) {
 		return nil, errIAMActionNotAllowed
 	}
-	sys.store.rlock()
+	<-sys.configLoaded
 	fallback := sys.storeFallback
 	sys.store.runlock()
 	if fallback {
 		if err := sys.store.loadAll(context.Background(), sys); err != nil {
 			return nil, err
 		}
 	}
 	sys.store.rlock()
 	defer sys.store.runlock()
@ -2182,6 +2156,6 @@ func NewIAMSys() *IAMSys {
 		iamGroupPolicyMap:       make(map[string]MappedPolicy),
 		iamGroupsMap:            make(map[string]GroupInfo),
 		iamUserGroupMemberships: make(map[string]set.StringSet),
-		storeFallback:           true,
+		configLoaded:            make(chan struct{}),
 	}
 }