mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-23 10:11:28 +00:00
ff6f9fd90a
* iamapi: route managed policies through credential manager (fixes #9518) CreatePolicy via the IAM API wrote straight to the filer /etc/iam/policies.json, ignoring any non-filer credential store. When credential.postgres was configured, policies created via the IAM API landed only in the filer while the Admin UI wrote to postgres, producing a split-brain where ListPolicies/GetPolicy never saw the Admin UI's policies and vice versa. GetPolicies/PutPolicies on IamS3ApiConfigure now load managed policies from credentialManager and persist Create/Update/Delete as a delta against the store. Inline user/group policies still live in the legacy policies.json file (no credential-store API for them yet). Pre-existing managed policies in the legacy file are merged on read so deployments don't lose data, and re-persisted to the store on the next write so the legacy file is drained over time. * credential: route IAM API inline policies through credential manager Extends the #9518 fix to user-inline and group-inline policies so the IAM API never writes the legacy /etc/iam/policies.json bundle directly. The previous patch only routed managed policies; this one finishes the job for the other two policy types. - Add GroupInlinePolicyStore + GroupInlinePoliciesLoader optional interfaces, mirroring the existing user-inline ones, and matching Put/Get/Delete/List/LoadAll wrappers on CredentialManager. - Implement group-inline storage in memory (new map), filer_etc (new field on PoliciesCollection, reusing the legacy file under policyMu), and postgres (new group_inline_policies table with ON DELETE CASCADE off the groups FK). - Wire the new methods through PropagatingCredentialStore so wrapped stores still delegate correctly. - IamS3ApiConfigure.PutPolicies now applies managed + user-inline + group-inline as deltas through the credential manager; the legacy /etc/iam/policies.json file is never written when a credential manager is wired up. GetPolicies still reads the legacy bundle once as a fallback so unmigrated data is picked up and re-persisted into the store on the next write. * credential: propagate SaveConfiguration writes to running S3 caches Postgres (and any non-filer) credential stores never fired the S3 IAM cache invalidation path on bulk identity / group updates. The PropagatingCredentialStore had explicit Put/Remove handlers for single-entity calls (CreateUser, PutPolicy, etc.) but inherited SaveConfiguration unchanged from the embedded store, so the bulk path the IAM API takes at the end of every handler was silent. Inline-policy changes recompute identity.Actions and persist via SaveConfiguration, so until restart the cached Actions on each S3 server stayed stale and authorization decisions used the pre-change view. Override SaveConfiguration to snapshot the prior user / group lists, delegate the save, then fan out PutIdentity / PutGroup for what's in the new config and RemoveIdentity / RemoveGroup for what got pruned. Reuses the existing SeaweedS3IamCache RPCs, no protobuf changes. * iamapi: drain legacy policies.json after authoritative credential-store writes Review pointed out a resurrection bug: GetPolicies still reads /etc/iam/policies.json as a one-way migration fallback, but PutPolicies in the credential-manager path never wrote that file, so legacy-only entries reappeared on the next read even after the IAM API "deleted" them. PutPolicies now overwrites the bundle with an empty {} after a successful credential-store write, unless the store is filer_etc (which owns the bundle as its own inline-policy backing — clearing it would wipe filer_etc's data). Also wraps the filer read, JSON unmarshal, and marshal errors with context per the other review comments.
150 lines
5.2 KiB
Go
150 lines
5.2 KiB
Go
package postgres
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
)
|
|
|
|
func (store *PostgresStore) PutGroupInlinePolicy(ctx context.Context, groupName, policyName string, document policy_engine.PolicyDocument) error {
|
|
if !store.configured {
|
|
return fmt.Errorf("store not configured")
|
|
}
|
|
|
|
docJSON, err := json.Marshal(document)
|
|
if err != nil {
|
|
glog.Errorf("credential postgres: PutGroupInlinePolicy marshal failed group=%s policy=%s: %v", groupName, policyName, err)
|
|
return fmt.Errorf("failed to marshal policy document: %w", err)
|
|
}
|
|
|
|
_, err = store.db.ExecContext(ctx,
|
|
`INSERT INTO group_inline_policies (group_name, policy_name, document)
|
|
VALUES ($1, $2, $3)
|
|
ON CONFLICT (group_name, policy_name)
|
|
DO UPDATE SET document = $3, updated_at = CURRENT_TIMESTAMP`,
|
|
groupName, policyName, jsonbParam(docJSON))
|
|
if err != nil {
|
|
glog.Errorf("credential postgres: PutGroupInlinePolicy failed group=%s policy=%s: %v", groupName, policyName, err)
|
|
return fmt.Errorf("failed to upsert group inline policy: %w", err)
|
|
}
|
|
|
|
glog.V(0).Infof("credential postgres: PutGroupInlinePolicy group=%s policy=%s", groupName, policyName)
|
|
return nil
|
|
}
|
|
|
|
func (store *PostgresStore) GetGroupInlinePolicy(ctx context.Context, groupName, policyName string) (*policy_engine.PolicyDocument, error) {
|
|
if !store.configured {
|
|
return nil, fmt.Errorf("store not configured")
|
|
}
|
|
|
|
var docJSON []byte
|
|
err := store.db.QueryRowContext(ctx,
|
|
"SELECT document FROM group_inline_policies WHERE group_name = $1 AND policy_name = $2",
|
|
groupName, policyName).Scan(&docJSON)
|
|
if err != nil {
|
|
if err == sql.ErrNoRows {
|
|
return nil, nil
|
|
}
|
|
glog.Errorf("credential postgres: GetGroupInlinePolicy query failed group=%s policy=%s: %v", groupName, policyName, err)
|
|
return nil, fmt.Errorf("failed to query group inline policy: %w", err)
|
|
}
|
|
|
|
var doc policy_engine.PolicyDocument
|
|
if err := json.Unmarshal(docJSON, &doc); err != nil {
|
|
return nil, fmt.Errorf("failed to unmarshal group inline policy: %w", err)
|
|
}
|
|
return &doc, nil
|
|
}
|
|
|
|
func (store *PostgresStore) DeleteGroupInlinePolicy(ctx context.Context, groupName, policyName string) error {
|
|
if !store.configured {
|
|
return fmt.Errorf("store not configured")
|
|
}
|
|
|
|
result, err := store.db.ExecContext(ctx,
|
|
"DELETE FROM group_inline_policies WHERE group_name = $1 AND policy_name = $2",
|
|
groupName, policyName)
|
|
if err != nil {
|
|
glog.Errorf("credential postgres: DeleteGroupInlinePolicy failed group=%s policy=%s: %v", groupName, policyName, err)
|
|
return fmt.Errorf("failed to delete group inline policy: %w", err)
|
|
}
|
|
|
|
rowsAffected, _ := result.RowsAffected()
|
|
glog.V(0).Infof("credential postgres: DeleteGroupInlinePolicy group=%s policy=%s deleted=%d", groupName, policyName, rowsAffected)
|
|
return nil
|
|
}
|
|
|
|
func (store *PostgresStore) ListGroupInlinePolicies(ctx context.Context, groupName string) ([]string, error) {
|
|
if !store.configured {
|
|
return nil, fmt.Errorf("store not configured")
|
|
}
|
|
|
|
rows, err := store.db.QueryContext(ctx,
|
|
"SELECT policy_name FROM group_inline_policies WHERE group_name = $1 ORDER BY policy_name",
|
|
groupName)
|
|
if err != nil {
|
|
glog.Errorf("credential postgres: ListGroupInlinePolicies query failed group=%s: %v", groupName, err)
|
|
return nil, fmt.Errorf("failed to query group inline policies: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
var names []string
|
|
for rows.Next() {
|
|
var name string
|
|
if err := rows.Scan(&name); err != nil {
|
|
return nil, fmt.Errorf("failed to scan policy name: %w", err)
|
|
}
|
|
names = append(names, name)
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, fmt.Errorf("failed iterating group inline policy rows: %w", err)
|
|
}
|
|
return names, nil
|
|
}
|
|
|
|
func (store *PostgresStore) LoadGroupInlinePolicies(ctx context.Context) (map[string]map[string]policy_engine.PolicyDocument, error) {
|
|
if !store.configured {
|
|
return nil, fmt.Errorf("store not configured")
|
|
}
|
|
|
|
rows, err := store.db.QueryContext(ctx,
|
|
"SELECT group_name, policy_name, document FROM group_inline_policies ORDER BY group_name, policy_name")
|
|
if err != nil {
|
|
glog.Errorf("credential postgres: LoadGroupInlinePolicies query failed: %v", err)
|
|
return nil, fmt.Errorf("failed to query group inline policies: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
result := make(map[string]map[string]policy_engine.PolicyDocument)
|
|
count := 0
|
|
for rows.Next() {
|
|
var groupName, policyName string
|
|
var docJSON []byte
|
|
if err := rows.Scan(&groupName, &policyName, &docJSON); err != nil {
|
|
return nil, fmt.Errorf("failed to scan group inline policy row: %w", err)
|
|
}
|
|
|
|
var doc policy_engine.PolicyDocument
|
|
if err := json.Unmarshal(docJSON, &doc); err != nil {
|
|
glog.Warningf("credential postgres: LoadGroupInlinePolicies unmarshal failed group=%s policy=%s: %v", groupName, policyName, err)
|
|
continue
|
|
}
|
|
|
|
if result[groupName] == nil {
|
|
result[groupName] = make(map[string]policy_engine.PolicyDocument)
|
|
}
|
|
result[groupName][policyName] = doc
|
|
count++
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, fmt.Errorf("failed iterating group inline policy rows: %w", err)
|
|
}
|
|
|
|
glog.V(0).Infof("credential postgres: LoadGroupInlinePolicies loaded %d policies for %d groups", count, len(result))
|
|
return result, nil
|
|
}
|