Revert "Move all IAM storage functionality into iam store type (#13541)"

This reverts commit caadcc3ed8.
2021-11-02 13:51:42 -07:00 · 2021-11-02 13:51:42 -07:00 · 091a7ae359
parent 70160aeab3
commit 091a7ae359
10 changed files with 1652 additions and 1977 deletions
--- a/cmd/admin-handler-utils.go
+++ b/cmd/admin-handler-utils.go
@ -103,12 +103,6 @@ func toAdminAPIErr(ctx context.Context, err error) APIError {
 				Description:    err.Error(),
 				HTTPStatusCode: http.StatusServiceUnavailable,
 			}
-		case errors.Is(err, errPolicyInUse):
-			apiErr = APIError{
-				Code:           "XMinioAdminPolicyInUse",
-				Description:    "The policy cannot be removed, as it is in use",
-				HTTPStatusCode: http.StatusBadRequest,
-			}
 		case errors.Is(err, kes.ErrKeyExists):
 			apiErr = APIError{
 				Code:           "XMinioKMSKeyExists",
--- a/cmd/admin-handlers-users_test.go
+++ b/cmd/admin-handlers-users_test.go
@ -258,20 +258,10 @@ func (s *TestSuiteIAM) TestPolicyCreate(c *check) {
 		c.Fatalf("policy was missing!")
 	}

-	// 5. Check that policy cannot be deleted when attached to a user.
-	err = s.adm.RemoveCannedPolicy(ctx, policy)
-	if err == nil {
-		c.Fatalf("policy could be unexpectedly deleted!")
-	}
-
-	// 6. Delete the user and then delete the policy.
-	err = s.adm.RemoveUser(ctx, accessKey)
-	if err != nil {
-		c.Fatalf("user could not be deleted: %v", err)
-	}
+	// 5. Check that policy can be deleted.
 	err = s.adm.RemoveCannedPolicy(ctx, policy)
 	if err != nil {
-		c.Fatalf("policy del err: %v", err)
+		c.Fatalf("policy delete err: %v", err)
 	}
 }

@ -637,8 +627,7 @@ func (c *check) mustListObjects(ctx context.Context, client *minio.Client, bucke
 	res := client.ListObjects(ctx, bucket, minio.ListObjectsOptions{})
 	v, ok := <-res
 	if ok && v.Err != nil {
-		msg := fmt.Sprintf("user was unable to list: %v", v.Err)
-		c.Fatalf(msg)
+		c.Fatalf("user was unable to list unexpectedly!")
 	}
 }

--- a/cmd/iam-dummy-store.go
+++ b/cmd/iam-dummy-store.go
@ -27,37 +27,22 @@ import (

 type iamDummyStore struct {
 	sync.RWMutex
-	*iamCache
-	usersSysType UsersSysType
 }

-func newIAMDummyStore(usersSysType UsersSysType) *iamDummyStore {
-	return &iamDummyStore{
-		iamCache:     newIamCache(),
-		usersSysType: usersSysType,
-	}
-}
-
-func (ids *iamDummyStore) rlock() *iamCache {
-	ids.RLock()
-	return ids.iamCache
-}
-
-func (ids *iamDummyStore) runlock() {
-	ids.RUnlock()
-}
-
-func (ids *iamDummyStore) lock() *iamCache {
+func (ids *iamDummyStore) lock() {
 	ids.Lock()
-	return ids.iamCache
 }

 func (ids *iamDummyStore) unlock() {
 	ids.Unlock()
 }

-func (ids *iamDummyStore) getUsersSysType() UsersSysType {
-	return ids.usersSysType
+func (ids *iamDummyStore) rlock() {
+	ids.RLock()
+}
+
+func (ids *iamDummyStore) runlock() {
+	ids.RUnlock()
 }

 func (ids *iamDummyStore) migrateBackendFormat(context.Context) error {
--- a/cmd/iam-etcd-store.go
+++ b/cmd/iam-etcd-store.go
@ -62,37 +62,27 @@ func extractPathPrefixAndSuffix(s string, prefix string, suffix string) string {
 type IAMEtcdStore struct {
 	sync.RWMutex

-	*iamCache
-
-	usersSysType UsersSysType
-
 	client *etcd.Client
 }

-func newIAMEtcdStore(client *etcd.Client, usersSysType UsersSysType) *IAMEtcdStore {
-	return &IAMEtcdStore{client: client, usersSysType: usersSysType}
+func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
+	return &IAMEtcdStore{client: client}
 }

-func (ies *IAMEtcdStore) rlock() *iamCache {
-	ies.RLock()
-	return ies.iamCache
-}
-
-func (ies *IAMEtcdStore) runlock() {
-	ies.RUnlock()
-}
-
-func (ies *IAMEtcdStore) lock() *iamCache {
+func (ies *IAMEtcdStore) lock() {
 	ies.Lock()
-	return ies.iamCache
 }

 func (ies *IAMEtcdStore) unlock() {
 	ies.Unlock()
 }

-func (ies *IAMEtcdStore) getUsersSysType() UsersSysType {
-	return ies.usersSysType
+func (ies *IAMEtcdStore) rlock() {
+	ies.RLock()
+}
+
+func (ies *IAMEtcdStore) runlock() {
+	ies.RUnlock()
 }

 func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, itemPath string, opts ...options) error {
@ -254,8 +244,6 @@ func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {

 // Should be called under config migration lock
 func (ies *IAMEtcdStore) migrateBackendFormat(ctx context.Context) error {
-	ies.Lock()
-	defer ies.Unlock()
 	return ies.migrateToV1(ctx)
 }

@ -272,7 +260,7 @@ func (ies *IAMEtcdStore) loadPolicyDoc(ctx context.Context, policy string, m map
 	return nil
 }

-func (ies *IAMEtcdStore) getPolicyDocKV(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
+func (ies *IAMEtcdStore) getPolicyDoc(ctx context.Context, kvs *mvccpb.KeyValue, m map[string]iampolicy.Policy) error {
 	var p iampolicy.Policy
 	err := getIAMConfig(&p, kvs.Value, string(kvs.Key))
 	if err != nil {
@ -298,14 +286,14 @@ func (ies *IAMEtcdStore) loadPolicyDocs(ctx context.Context, m map[string]iampol

 	// Parse all values to construct the policies data model.
 	for _, kvs := range r.Kvs {
-		if err = ies.getPolicyDocKV(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
+		if err = ies.getPolicyDoc(ctx, kvs, m); err != nil && err != errNoSuchPolicy {
 			return err
 		}
 	}
 	return nil
 }

-func (ies *IAMEtcdStore) getUserKV(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
+func (ies *IAMEtcdStore) getUser(ctx context.Context, userkv *mvccpb.KeyValue, userType IAMUserType, m map[string]auth.Credentials, basePrefix string) error {
 	var u UserIdentity
 	err := getIAMConfig(&u, userkv.Value, string(userkv.Key))
 	if err != nil {
@ -367,7 +355,7 @@ func (ies *IAMEtcdStore) loadUsers(ctx context.Context, userType IAMUserType, m

 	// Parse all users values to create the proper data model
 	for _, userKv := range r.Kvs {
-		if err = ies.getUserKV(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
+		if err = ies.getUser(ctx, userKv, userType, m, basePrefix); err != nil && err != errNoSuchUser {
 			return err
 		}
 	}
--- a/cmd/iam-object-store.go
+++ b/cmd/iam-object-store.go
@ -34,44 +34,30 @@ import (

 // IAMObjectStore implements IAMStorageAPI
 type IAMObjectStore struct {
-	// Protect access to storage within the current server.
+	// Protect assignment to objAPI
 	sync.RWMutex

-	*iamCache
-
-	usersSysType UsersSysType
-
 	objAPI ObjectLayer
 }

-func newIAMObjectStore(objAPI ObjectLayer, usersSysType UsersSysType) *IAMObjectStore {
-	return &IAMObjectStore{
-		iamCache:     newIamCache(),
-		objAPI:       objAPI,
-		usersSysType: usersSysType,
-	}
+func newIAMObjectStore(objAPI ObjectLayer) *IAMObjectStore {
+	return &IAMObjectStore{objAPI: objAPI}
 }

-func (iamOS *IAMObjectStore) rlock() *iamCache {
-	iamOS.RLock()
-	return iamOS.iamCache
-}
-
-func (iamOS *IAMObjectStore) runlock() {
-	iamOS.RUnlock()
-}
-
-func (iamOS *IAMObjectStore) lock() *iamCache {
+func (iamOS *IAMObjectStore) lock() {
 	iamOS.Lock()
-	return iamOS.iamCache
 }

 func (iamOS *IAMObjectStore) unlock() {
 	iamOS.Unlock()
 }

-func (iamOS *IAMObjectStore) getUsersSysType() UsersSysType {
-	return iamOS.usersSysType
+func (iamOS *IAMObjectStore) rlock() {
+	iamOS.RLock()
+}
+
+func (iamOS *IAMObjectStore) runlock() {
+	iamOS.RUnlock()
 }

 // Migrate users directory in a single scan.
@ -196,8 +182,6 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {

 // Should be called under config migration lock
 func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error {
-	iamOS.Lock()
-	defer iamOS.Unlock()
 	return iamOS.migrateToV1(ctx)
 }

--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
--- a/cmd/iam.go
+++ b/cmd/iam.go
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@ -1270,7 +1270,9 @@ func (c *SiteReplicationSys) getAdminClient(ctx context.Context, deploymentID st
 }

 func (c *SiteReplicationSys) getPeerCreds() (*auth.Credentials, error) {
-	creds, ok := globalIAMSys.store.GetUser(c.state.ServiceAccountAccessKey)
+	globalIAMSys.store.rlock()
+	defer globalIAMSys.store.runlock()
+	creds, ok := globalIAMSys.iamUsersMap[c.state.ServiceAccountAccessKey]
 	if !ok {
 		return nil, errors.New("site replication service account not found!")
 	}
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@ -95,10 +95,6 @@ func (s *TestSuiteIAM) TestSTS(c *check) {
 		c.Fatalf("Unable to set policy: %v", err)
 	}

-	// confirm that the user is able to access the bucket
-	uClient := s.getUserClient(c, accessKey, secretKey, "")
-	c.mustListObjects(ctx, uClient, bucket)
-
 	assumeRole := cr.STSAssumeRole{
 		Client:      s.TestSuiteCommon.client,
 		STSEndpoint: s.endPoint,
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
@ -81,9 +81,6 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
 // error returned in IAM subsystem when policy doesn't exist.
 var errNoSuchPolicy = errors.New("Specified canned policy does not exist")

-// error returned when policy to be deleted is in use.
-var errPolicyInUse = errors.New("Specified policy is in use and cannot be deleted.")
-
 // error returned in IAM subsystem when an external users systems is configured.
 var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")