Move all IAM storage functionality into iam store type (#13567)

This reverts commit 091a7ae359.

- Ensure all actions accessing storage lock properly.

- Behavior change: policies can be deleted only when they
  are not associated with any active credentials.

Also adds a fix for the accidental canned-policy removal that was present in the
reverted version of the change.
This commit is contained in:
Aditya Manthramurthy
2021-11-03 19:47:49 -07:00
committed by GitHub
parent ca2b288a4b
commit ecd54b4cba
12 changed files with 1992 additions and 1692 deletions


@@ -62,27 +62,37 @@ func extractPathPrefixAndSuffix(s string, prefix string, suffix string) string {
type IAMEtcdStore struct {
sync.RWMutex
*iamCache
usersSysType UsersSysType
client *etcd.Client
}
func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
return &IAMEtcdStore{client: client}
func newIAMEtcdStore(client *etcd.Client, usersSysType UsersSysType) *IAMEtcdStore {
return &IAMEtcdStore{client: client, usersSysType: usersSysType}
}
func (ies *IAMEtcdStore) lock() {
func (ies *IAMEtcdStore) rlock() *iamCache {
ies.RLock()
return ies.iamCache
}
func (ies *IAMEtcdStore) runlock() {
ies.RUnlock()
}
func (ies *IAMEtcdStore) lock() *iamCache {
ies.Lock()
return ies.iamCache
}
func (ies *IAMEtcdStore) unlock() {
ies.Unlock()
}
func (ies *IAMEtcdStore) rlock() {
ies.RLock()
}
func (ies *IAMEtcdStore) runlock() {
ies.RUnlock()
func (ies *IAMEtcdStore) getUsersSysType() UsersSysType {
return ies.usersSysType
}
func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, itemPath string, opts ...options) error {
@@ -244,6 +254,8 @@ func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
// Should be called under config migration lock
func (ies *IAMEtcdStore) migrateBackendFormat(ctx context.Context) error {
ies.Lock()
defer ies.Unlock()
return ies.migrateToV1(ctx)
}
@@ -260,7 +272,7 @@ func (ies *IAMEtcdStore) loadPolicyDoc(ctx context.Context, policy string, m map
return nil
}
func (ies *IAMEtcdStore) getPolicyDoc(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
func (ies *IAMEtcdStore) getPolicyDocKV(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
var p iampolicy.Policy
err := getIAMConfig(&p, kvs.Value, string(kvs.Key))
if err != nil {
@@ -286,14 +298,14 @@ func (ies *IAMEtcdStore) loadPolicyDocs(ctx context.Context, m map[string]iampol
// Parse all values to construct the policies data model.
for _, kvs := range r.Kvs {
if err = ies.getPolicyDoc(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
if err = ies.getPolicyDocKV(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
return err
}
}
return nil
}
func (ies *IAMEtcdStore) getUser(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
func (ies *IAMEtcdStore) getUserKV(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
var u UserIdentity
err := getIAMConfig(&u, userkv.Value, string(userkv.Key))
if err != nil {
@@ -355,7 +367,7 @@ func (ies *IAMEtcdStore) loadUsers(ctx context.Context, userType IAMUserType, m
// Parse all users values to create the proper data model
for _, userKv := range r.Kvs {
if err = ies.getUser(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
if err = ies.getUserKV(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
return err
}
}
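Review bot: In the first hunk, the new `rlock()` and `lock()` return `ies.iamCache` while the lock is held, but neither method documents that the returned pointer is only meant to be used until the matching `runlock()`/`unlock()` and that a caller holding only the read lock must not mutate it, so a caller that keeps the pointer after unlocking would touch the cache without synchronization. I would add `// rlock takes the read lock and returns the shared cache; callers must not mutate it and must not use it after runlock.` above `rlock` and the matching `// lock takes the write lock and returns the shared cache; it must not be used after unlock.` above `lock`. `getUsersSysType()` reads `ies.usersSysType` without the lock, which is fine only if the field is written solely by `newIAMEtcdStore` as this hunk suggests; a one-line comment stating it is immutable after construction would record that assumption. The embedded `sync.RWMutex` also makes `IAMEtcdStore` unsafe to copy, which the pointer returned by `newIAMEtcdStore` already respects.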