mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-23 02:01:32 +00:00
ff6f9fd90a
* iamapi: route managed policies through credential manager (fixes #9518) CreatePolicy via the IAM API wrote straight to the filer /etc/iam/policies.json, ignoring any non-filer credential store. When credential.postgres was configured, policies created via the IAM API landed only in the filer while the Admin UI wrote to postgres, producing a split-brain where ListPolicies/GetPolicy never saw the Admin UI's policies and vice versa. GetPolicies/PutPolicies on IamS3ApiConfigure now load managed policies from credentialManager and persist Create/Update/Delete as a delta against the store. Inline user/group policies still live in the legacy policies.json file (no credential-store API for them yet). Pre-existing managed policies in the legacy file are merged on read so deployments don't lose data, and re-persisted to the store on the next write so the legacy file is drained over time. * credential: route IAM API inline policies through credential manager Extends the #9518 fix to user-inline and group-inline policies so the IAM API never writes the legacy /etc/iam/policies.json bundle directly. The previous patch only routed managed policies; this one finishes the job for the other two policy types. - Add GroupInlinePolicyStore + GroupInlinePoliciesLoader optional interfaces, mirroring the existing user-inline ones, and matching Put/Get/Delete/List/LoadAll wrappers on CredentialManager. - Implement group-inline storage in memory (new map), filer_etc (new field on PoliciesCollection, reusing the legacy file under policyMu), and postgres (new group_inline_policies table with ON DELETE CASCADE off the groups FK). - Wire the new methods through PropagatingCredentialStore so wrapped stores still delegate correctly. - IamS3ApiConfigure.PutPolicies now applies managed + user-inline + group-inline as deltas through the credential manager; the legacy /etc/iam/policies.json file is never written when a credential manager is wired up. GetPolicies still reads the legacy bundle once as a fallback so unmigrated data is picked up and re-persisted into the store on the next write. * credential: propagate SaveConfiguration writes to running S3 caches Postgres (and any non-filer) credential stores never fired the S3 IAM cache invalidation path on bulk identity / group updates. The PropagatingCredentialStore had explicit Put/Remove handlers for single-entity calls (CreateUser, PutPolicy, etc.) but inherited SaveConfiguration unchanged from the embedded store, so the bulk path the IAM API takes at the end of every handler was silent. Inline-policy changes recompute identity.Actions and persist via SaveConfiguration, so until restart the cached Actions on each S3 server stayed stale and authorization decisions used the pre-change view. Override SaveConfiguration to snapshot the prior user / group lists, delegate the save, then fan out PutIdentity / PutGroup for what's in the new config and RemoveIdentity / RemoveGroup for what got pruned. Reuses the existing SeaweedS3IamCache RPCs, no protobuf changes. * iamapi: drain legacy policies.json after authoritative credential-store writes Review pointed out a resurrection bug: GetPolicies still reads /etc/iam/policies.json as a one-way migration fallback, but PutPolicies in the credential-manager path never wrote that file, so legacy-only entries reappeared on the next read even after the IAM API "deleted" them. PutPolicies now overwrites the bundle with an empty {} after a successful credential-store write, unless the store is filer_etc (which owns the bundle as its own inline-policy backing — clearing it would wipe filer_etc's data). Also wraps the filer read, JSON unmarshal, and marshal errors with context per the other review comments.
113 lines
3.9 KiB
Go
113 lines
3.9 KiB
Go
package memory
|
|
|
|
import (
|
|
"context"
|
|
"sync"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
"github.com/seaweedfs/seaweedfs/weed/util"
|
|
)
|
|
|
|
func init() {
|
|
credential.Stores = append(credential.Stores, &MemoryStore{})
|
|
}
|
|
|
|
// MemoryStore implements CredentialStore using in-memory storage
|
|
// This is primarily intended for testing purposes
|
|
type MemoryStore struct {
|
|
mu sync.RWMutex
|
|
users map[string]*iam_pb.Identity // username -> identity
|
|
accessKeys map[string]string // access_key -> username
|
|
serviceAccounts map[string]*iam_pb.ServiceAccount // id -> service_account
|
|
serviceAccountAccessKeys map[string]string // access_key -> id
|
|
policies map[string]policy_engine.PolicyDocument // policy_name -> policy_document
|
|
inlinePolicies map[string]map[string]policy_engine.PolicyDocument // username -> policy_name -> document
|
|
groupInlinePolicies map[string]map[string]policy_engine.PolicyDocument // group_name -> policy_name -> document
|
|
groups map[string]*iam_pb.Group // group_name -> group
|
|
initialized bool
|
|
}
|
|
|
|
func (store *MemoryStore) GetName() credential.CredentialStoreTypeName {
|
|
return credential.StoreTypeMemory
|
|
}
|
|
|
|
func (store *MemoryStore) Initialize(configuration util.Configuration, prefix string) error {
|
|
store.mu.Lock()
|
|
defer store.mu.Unlock()
|
|
|
|
if store.initialized {
|
|
return nil
|
|
}
|
|
|
|
store.users = make(map[string]*iam_pb.Identity)
|
|
store.accessKeys = make(map[string]string)
|
|
store.serviceAccounts = make(map[string]*iam_pb.ServiceAccount)
|
|
store.serviceAccountAccessKeys = make(map[string]string)
|
|
store.policies = make(map[string]policy_engine.PolicyDocument)
|
|
store.inlinePolicies = make(map[string]map[string]policy_engine.PolicyDocument)
|
|
store.groupInlinePolicies = make(map[string]map[string]policy_engine.PolicyDocument)
|
|
store.groups = make(map[string]*iam_pb.Group)
|
|
store.initialized = true
|
|
|
|
return nil
|
|
}
|
|
|
|
func (store *MemoryStore) Shutdown() {
|
|
store.mu.Lock()
|
|
defer store.mu.Unlock()
|
|
|
|
store.users = nil
|
|
store.accessKeys = nil
|
|
store.serviceAccounts = nil
|
|
store.serviceAccountAccessKeys = nil
|
|
store.policies = nil
|
|
store.inlinePolicies = nil
|
|
store.groupInlinePolicies = nil
|
|
store.groups = nil
|
|
store.initialized = false
|
|
}
|
|
|
|
// Reset clears all data in the store (useful for testing)
|
|
func (store *MemoryStore) Reset() {
|
|
store.mu.Lock()
|
|
defer store.mu.Unlock()
|
|
|
|
if store.initialized {
|
|
store.users = make(map[string]*iam_pb.Identity)
|
|
store.accessKeys = make(map[string]string)
|
|
store.serviceAccounts = make(map[string]*iam_pb.ServiceAccount)
|
|
store.serviceAccountAccessKeys = make(map[string]string)
|
|
store.policies = make(map[string]policy_engine.PolicyDocument)
|
|
store.inlinePolicies = make(map[string]map[string]policy_engine.PolicyDocument)
|
|
store.groupInlinePolicies = make(map[string]map[string]policy_engine.PolicyDocument)
|
|
store.groups = make(map[string]*iam_pb.Group)
|
|
}
|
|
}
|
|
|
|
// GetUserCount returns the number of users in the store (useful for testing)
|
|
func (store *MemoryStore) GetUserCount() int {
|
|
store.mu.RLock()
|
|
defer store.mu.RUnlock()
|
|
|
|
return len(store.users)
|
|
}
|
|
|
|
// GetAccessKeyCount returns the number of access keys in the store (useful for testing)
|
|
func (store *MemoryStore) GetAccessKeyCount() int {
|
|
store.mu.RLock()
|
|
defer store.mu.RUnlock()
|
|
|
|
return len(store.accessKeys)
|
|
}
|
|
func (store *MemoryStore) GetServiceAccountByAccessKey(ctx context.Context, accessKey string) (*iam_pb.ServiceAccount, error) {
|
|
store.mu.RLock()
|
|
defer store.mu.RUnlock()
|
|
|
|
if id, ok := store.serviceAccountAccessKeys[accessKey]; ok {
|
|
return store.serviceAccounts[id], nil
|
|
}
|
|
return nil, credential.ErrAccessKeyNotFound
|
|
}
|