maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

For IAM with etcd backend, avoid sending notifications (#13472)

Browse source 
As we use etcd's watch interface, we do not need the 
network notifications as they are no-ops anyway.

Bonus: Remove globalEtcdClient global usage in IAM
This commit is contained in:
Aditya Manthramurthy 2021-10-20 03:22:35 -07:00 committed by GitHub
parent c57ff2640e
commit 5f1af8a69d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 183 additions and 160 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
cmd/admin-handlers-users.go
View file

@ -242,10 +242,12 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
} }
// Notify all other MinIO peers to load group. // Notify all other MinIO peers to load group.
for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
} }
@ -334,10 +336,12 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
} }
// Notify all other MinIO peers to reload user. // Notify all other MinIO peers to reload user.
for _, nerr := range globalNotificationSys.LoadGroup(group) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadGroup(group) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
} }
@ -369,10 +373,12 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
} }
// Notify all other MinIO peers to reload user. // Notify all other MinIO peers to reload user.
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
} }
@ -477,10 +483,12 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
} }
// Notify all other Minio peers to reload user // Notify all other Minio peers to reload user
for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
} }
@ -623,10 +631,12 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
} }
// Notify all other Minio peers to reload user the service account // Notify all other Minio peers to reload user the service account
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -762,10 +772,12 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
} }
// Notify all other Minio peers to reload user the service account // Notify all other Minio peers to reload user the service account
for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -1422,10 +1434,12 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
} }
// Notify all other MinIO peers to reload policy // Notify all other MinIO peers to reload policy
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -1475,10 +1489,12 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
} }
// Notify all other MinIO peers to reload policy // Notify all other MinIO peers to reload policy
for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }

2
cmd/admin-handlers_test.go
View file

@ -73,7 +73,7 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro
initAllSubsystems(ctx, objLayer) initAllSubsystems(ctx, objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
// Setup admin mgmt REST API handlers. // Setup admin mgmt REST API handlers.
adminRouter := mux.NewRouter() adminRouter := mux.NewRouter()

4
cmd/auth-handler_test.go
View file

@ -366,7 +366,7 @@ func TestIsReqAuthenticated(t *testing.T) {
initAllSubsystems(context.Background(), objLayer) initAllSubsystems(context.Background(), objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
creds, err := auth.CreateCredentials("myuser", "mypassword") creds, err := auth.CreateCredentials("myuser", "mypassword")
if err != nil { if err != nil {
@ -457,7 +457,7 @@ func TestValidateAdminSignature(t *testing.T) {
initAllSubsystems(context.Background(), objLayer) initAllSubsystems(context.Background(), objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
creds, err := auth.CreateCredentials("admin", "mypassword") creds, err := auth.CreateCredentials("admin", "mypassword")
if err != nil { if err != nil {

2
cmd/gateway-main.go
View file

@ -306,7 +306,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system") logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
} }
go globalIAMSys.Init(GlobalContext, newObject) go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient)
if globalCacheConfig.Enabled { if globalCacheConfig.Enabled {
// initialize the new disk cache objects. // initialize the new disk cache objects.

4
cmd/iam-etcd-store.go
View file

@ -65,8 +65,8 @@ type IAMEtcdStore struct {
client *etcd.Client client *etcd.Client
} }
func newIAMEtcdStore() *IAMEtcdStore { func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
return &IAMEtcdStore{client: globalEtcdClient} return &IAMEtcdStore{client: client}
} }
func (ies *IAMEtcdStore) lock() { func (ies *IAMEtcdStore) lock() {

134
cmd/iam.go
View file

@ -36,6 +36,7 @@ import (
"github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/logger" "github.com/minio/minio/internal/logger"
iampolicy "github.com/minio/pkg/iam/policy" iampolicy "github.com/minio/pkg/iam/policy"
etcd "go.etcd.io/etcd/client/v3"
) )
// UsersSysType - defines the type of users and groups system that is // UsersSysType - defines the type of users and groups system that is
@ -299,11 +300,6 @@ func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error {
return errServerNotInitialized return errServerNotInitialized
} }
if globalEtcdClient != nil {
// Watch APIs cover this case, so nothing to do.
return nil
}
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
@ -343,12 +339,7 @@ func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error {
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
if globalEtcdClient == nil { return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
}
// When etcd is set, we use watch APIs so this code is not needed.
return nil
} }
// LoadPolicyMapping - loads the mapped policy for a user or group // LoadPolicyMapping - loads the mapped policy for a user or group
@ -361,33 +352,30 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
if globalEtcdClient == nil { var err error
var err error userType := regUser
userType := regUser if sys.usersSysType == LDAPUsersSysType {
if sys.usersSysType == LDAPUsersSysType { userType = stsUser
userType = stsUser }
}
if isGroup {
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamGroupPolicyMap)
} else {
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamUserPolicyMap)
}
if err == errNoSuchPolicy {
if isGroup { if isGroup {
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamGroupPolicyMap) delete(sys.iamGroupPolicyMap, userOrGroup)
} else { } else {
err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamUserPolicyMap) delete(sys.iamUserPolicyMap, userOrGroup)
}
if err == errNoSuchPolicy {
if isGroup {
delete(sys.iamGroupPolicyMap, userOrGroup)
} else {
delete(sys.iamUserPolicyMap, userOrGroup)
}
}
// Ignore policy not mapped error
if err != nil && err != errNoSuchPolicy {
return err
} }
} }
// When etcd is set, we use watch APIs so this code is not needed. // Ignore policy not mapped error
return nil if err == errNoSuchPolicy {
err = nil
}
return err
} }
// LoadUser - reloads a specific user from backend disks or etcd. // LoadUser - reloads a specific user from backend disks or etcd.
@ -399,34 +387,34 @@ func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUs
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
if globalEtcdClient == nil { err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap)
err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap) if err != nil {
if err != nil { return err
return err }
} err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap)
err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap) // Ignore policy not mapped error
// Ignore policy not mapped error if err == errNoSuchPolicy {
if err != nil && err != errNoSuchPolicy { err = nil
return err }
} if err != nil {
// We are on purpose not persisting the policy map for parent return err
// user, although this is a hack, it is a good enough hack }
// at this point in time - we need to overhaul our OIDC // We are on purpose not persisting the policy map for parent
// usage with service accounts with a more cleaner implementation // user, although this is a hack, it is a good enough hack
// // at this point in time - we need to overhaul our OIDC
// This mapping is necessary to ensure that valid credentials // usage with service accounts with a more cleaner implementation
// have necessary ParentUser present - this is mainly for only //
// webIdentity based STS tokens. // This mapping is necessary to ensure that valid credentials
cred, ok := sys.iamUsersMap[accessKey] // have necessary ParentUser present - this is mainly for only
if ok { // webIdentity based STS tokens.
if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey { cred, ok := sys.iamUsersMap[accessKey]
if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok { if ok {
sys.iamUserPolicyMap[cred.ParentUser] = sys.iamUserPolicyMap[accessKey] if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
} if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
sys.iamUserPolicyMap[cred.ParentUser] = sys.iamUserPolicyMap[accessKey]
} }
} }
} }
// When etcd is set, we use watch APIs so this code is not needed.
return nil return nil
} }
@ -439,14 +427,7 @@ func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
if globalEtcdClient == nil { return sys.store.loadUser(context.Background(), accessKey, svcUser, sys.iamUsersMap)
err := sys.store.loadUser(context.Background(), accessKey, svcUser, sys.iamUsersMap)
if err != nil {
return err
}
}
// When etcd is set, we use watch APIs so this code is not needed.
return nil
} }
// Perform IAM configuration migration. // Perform IAM configuration migration.
@ -455,18 +436,18 @@ func (sys *IAMSys) doIAMConfigMigration(ctx context.Context) error {
} }
// InitStore initializes IAM stores // InitStore initializes IAM stores
func (sys *IAMSys) InitStore(objAPI ObjectLayer) { func (sys *IAMSys) InitStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
sys.Lock() sys.Lock()
defer sys.Unlock() defer sys.Unlock()
if globalEtcdClient == nil { if etcdClient == nil {
if globalIsGateway { if globalIsGateway {
sys.store = &iamDummyStore{} sys.store = &iamDummyStore{}
} else { } else {
sys.store = newIAMObjectStore(objAPI) sys.store = newIAMObjectStore(objAPI)
} }
} else { } else {
sys.store = newIAMEtcdStore() sys.store = newIAMEtcdStore(etcdClient)
} }
if globalLDAPConfig.Enabled { if globalLDAPConfig.Enabled {
@ -584,9 +565,9 @@ func (sys *IAMSys) Load(ctx context.Context, store IAMStorageAPI) error {
} }
// Init - initializes config system by reading entries from config/iam // Init - initializes config system by reading entries from config/iam
func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) { func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client) {
// Initialize IAM store // Initialize IAM store
sys.InitStore(objAPI) sys.InitStore(objAPI, etcdClient)
retryCtx, cancel := context.WithCancel(ctx) retryCtx, cancel := context.WithCancel(ctx)
@ -611,11 +592,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
continue continue
} }
if globalEtcdClient != nil { if etcdClient != nil {
// **** WARNING **** // **** WARNING ****
// Migrating to encrypted backend on etcd should happen before initialization of // Migrating to encrypted backend on etcd should happen before initialization of
// IAM sub-system, make sure that we do not move the above codeblock elsewhere. // IAM sub-system, make sure that we do not move the above codeblock elsewhere.
if err := migrateIAMConfigsEtcdToEncrypted(retryCtx, globalEtcdClient); err != nil { if err := migrateIAMConfigsEtcdToEncrypted(retryCtx, etcdClient); err != nil {
txnLk.Unlock(lkctx.Cancel) txnLk.Unlock(lkctx.Cancel)
if errors.Is(err, errEtcdUnreachable) { if errors.Is(err, errEtcdUnreachable) {
logger.Info("Connection to etcd timed out. Retrying..") logger.Info("Connection to etcd timed out. Retrying..")
@ -685,6 +666,13 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
go sys.watch(ctx) go sys.watch(ctx)
} }
// HasWatcher - returns if the IAM system has a watcher to be notified of
// changes.
func (sys *IAMSys) HasWatcher() bool {
_, ok := sys.store.(iamStorageWatcher)
return ok
}
func (sys *IAMSys) watch(ctx context.Context) { func (sys *IAMSys) watch(ctx context.Context) {
watcher, ok := sys.store.(iamStorageWatcher) watcher, ok := sys.store.(iamStorageWatcher)
if ok { if ok {

2
cmd/server-main.go
View file

@ -570,7 +570,7 @@ func serverMain(ctx *cli.Context) {
} }
// Initialize users credentials and policies in background right after config has initialized. // Initialize users credentials and policies in background right after config has initialized.
go globalIAMSys.Init(GlobalContext, newObject) go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient)
initDataScanner(GlobalContext, newObject) initDataScanner(GlobalContext, newObject)

2
cmd/signature-v4-utils_test.go
View file

@ -42,7 +42,7 @@ func TestCheckValid(t *testing.T) {
initAllSubsystems(context.Background(), objLayer) initAllSubsystems(context.Background(), objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil) req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
if err != nil { if err != nil {

73
cmd/site-replication.go
View file

@ -380,10 +380,12 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, sites []madmin
} }
// Notify all other Minio peers to reload user the service account // Notify all other Minio peers to reload user the service account
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -489,10 +491,12 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
} }
// Notify all other Minio peers to reload the service account // Notify all other Minio peers to reload the service account
for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -961,11 +965,13 @@ func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyNam
} }
if p != nil { if p != nil {
// Notify all other MinIO peers to reload policy if !globalIAMSys.HasWatcher() {
for _, nerr := range globalNotificationSys.LoadPolicy(policyName) { // Notify all other MinIO peers to reload policy
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
return nil return nil
@ -1006,10 +1012,12 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
} }
// Notify all other Minio peers to reload the service account // Notify all other Minio peers to reload the service account
for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
case change.Update != nil: case change.Update != nil:
@ -1033,10 +1041,12 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
} }
// Notify all other Minio peers to reload the service account // Notify all other Minio peers to reload the service account
for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -1066,13 +1076,14 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
} }
// Notify all other MinIO peers to reload policy // Notify all other MinIO peers to reload policy
for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
return nil return nil
} }
@ -1119,10 +1130,12 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
} }
// Notify in-cluster peers to reload temp users. // Notify in-cluster peers to reload temp users.
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }

30
cmd/sts-handlers.go
View file

@ -277,10 +277,12 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
} }
// Notify all other MinIO peers to reload temp users // Notify all other MinIO peers to reload temp users
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -481,10 +483,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
} }
// Notify all other MinIO peers to reload temp users // Notify all other MinIO peers to reload temp users
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }
@ -645,10 +649,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
} }
// Notify all other MinIO peers to reload temp users // Notify all other MinIO peers to reload temp users
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) { if !globalIAMSys.HasWatcher() {
if nerr.Err != nil { for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String()) if nerr.Err != nil {
logger.LogIf(ctx, nerr.Err) logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
} }
} }

10
cmd/test-utils_test.go
View file

@ -350,7 +350,7 @@ func UnstartedTestServer(t TestErrHandler, instanceType string) TestServer {
initAllSubsystems(ctx, objLayer) initAllSubsystems(ctx, objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
return testServer return testServer
} }
@ -1470,7 +1470,7 @@ func newTestObjectLayer(ctx context.Context, endpointServerPools EndpointServerP
initAllSubsystems(ctx, z) initAllSubsystems(ctx, z)
globalIAMSys.InitStore(z) globalIAMSys.InitStore(z, globalEtcdClient)
return z, nil return z, nil
} }
@ -1518,7 +1518,7 @@ func initAPIHandlerTest(obj ObjectLayer, endpoints []string) (string, http.Handl
initAllSubsystems(context.Background(), obj) initAllSubsystems(context.Background(), obj)
globalIAMSys.InitStore(obj) globalIAMSys.InitStore(obj, globalEtcdClient)
// get random bucket name. // get random bucket name.
bucketName := getRandomBucketName() bucketName := getRandomBucketName()
@ -1808,7 +1808,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
initAllSubsystems(ctx, objLayer) initAllSubsystems(ctx, objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
// Executing the object layer tests for single node setup. // Executing the object layer tests for single node setup.
objTest(objLayer, FSTestStr, t) objTest(objLayer, FSTestStr, t)
@ -1829,7 +1829,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
initAllSubsystems(ctx, objLayer) initAllSubsystems(ctx, objLayer)
globalIAMSys.InitStore(objLayer) globalIAMSys.InitStore(objLayer, globalEtcdClient)
defer removeRoots(append(fsDirs, fsDir)) defer removeRoots(append(fsDirs, fsDir))
// Executing the object layer tests for Erasure. // Executing the object layer tests for Erasure.