
feat: default IAM stores to filer for production-ready persistence

This change makes filer stores the default for all IAM components, requiring
explicit configuration only when different storage is needed.

### Changes Made:

#### Default Store Types Updated:
- STS Session Store: memory → filer (persistent sessions)
- Policy Engine: memory → filer (persistent policies)
- Role Store: memory → filer (persistent roles)

#### Code Updates:
- STSService: Default sessionStoreType now uses DefaultStoreType constant
- PolicyEngine: Default storeType changed to filer for persistence
- IAMManager: Default roleStore changed to filer for persistence
- Added DefaultStoreType constant for consistent configuration

#### Configuration Simplification:
- iam_config_distributed.json: Removed redundant filer specifications
- Only specify storeType when different from default (e.g. memory for testing)

### Benefits:
- Production-ready defaults with persistent storage
- Minimal configuration for standard deployments
- Clear intent: only specify when different from sensible defaults
- Backwards compatible: existing explicit configs continue to work
- Consistent with SeaweedFS distributed, persistent nature
pull/7160/head
chrislu 1 month ago
parent
commit
29fedb1f0e
  1. 8
      test/s3/iam/iam_config_distributed.json
  2. 10
      weed/iam/integration/iam_manager.go
  3. 2
      weed/iam/policy/policy_engine.go
  4. 9
      weed/iam/sts/constants.go
  5. 6
      weed/iam/sts/sts_service.go

8
test/s3/iam/iam_config_distributed.json

@ -4,7 +4,6 @@
"maxSessionLength": 43200000000000,
"issuer": "seaweedfs-sts",
"signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc=",
"sessionStoreType": "filer",
"providers": [
{
"name": "keycloak-oidc",
@ -34,12 +33,9 @@
]
},
"policy": {
"defaultEffect": "Deny",
"storeType": "filer"
},
"roleStore": {
"storeType": "filer"
"defaultEffect": "Deny"
},
"roleStore": {},
"roles": [
{

10
weed/iam/integration/iam_manager.go

@ -111,15 +111,15 @@ func (m *IAMManager) Initialize(config *IAMConfig) error {
// createRoleStore creates a role store based on configuration
func (m *IAMManager) createRoleStore(config *RoleStoreConfig) (RoleStore, error) {
if config == nil {
// Default to memory role store
return NewMemoryRoleStore(), nil
// Default to filer role store
return NewFilerRoleStore(nil)
}
switch config.StoreType {
case "", "memory":
return NewMemoryRoleStore(), nil
case "filer":
case "", "filer":
return NewFilerRoleStore(config.StoreConfig)
case "memory":
return NewMemoryRoleStore(), nil
default:
return nil, fmt.Errorf("unsupported role store type: %s", config.StoreType)
}
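Review bot: The filer default is now encoded twice in createRoleStore — once in the nil-config branch (`return NewFilerRoleStore(nil)`) and once in the case label (`case "", "filer":`) — and the bare literal "filer" is repeated instead of being tied to the `DefaultStoreType` constant this commit adds to the sts package; validateConfig in policy_engine.go repeats the same literal a third time. A single defaulting path keeps the two branches from drifting: replace the nil branch with `if config == nil { config = &RoleStoreConfig{} }` so a nil config falls through to the same switch (StoreConfig is nil either way, as it is in the current code). Whether NewFilerRoleStore supplies usable defaults for a nil StoreConfig is not visible in this hunk and is worth confirming, since the previous default needed no external store to be reachable. The function's closing brace lies outside the hunk.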

2
weed/iam/policy/policy_engine.go

@ -186,7 +186,7 @@ func (e *PolicyEngine) validateConfig(config *PolicyEngineConfig) error {
}
if config.StoreType == "" {
config.StoreType = "memory" // Default to memory store
config.StoreType = "filer" // Default to filer store for persistence
}
return nil

9
weed/iam/sts/constants.go

@ -30,10 +30,11 @@ const (
// Default Values
const (
DefaultTokenDuration = 3600 // 1 hour in seconds
DefaultMaxSessionLength = 43200 // 12 hours in seconds
DefaultIssuer = "seaweedfs-sts"
MinSigningKeyLength = 16 // Minimum signing key length in bytes
DefaultTokenDuration = 3600 // 1 hour in seconds
DefaultMaxSessionLength = 43200 // 12 hours in seconds
DefaultIssuer = "seaweedfs-sts"
DefaultStoreType = StoreTypeFiler // Default store type for persistence
MinSigningKeyLength = 16 // Minimum signing key length in bytes
)
// Configuration Field Names

6
weed/iam/sts/sts_service.go

@ -237,10 +237,10 @@ func (s *STSService) validateConfig(config *STSConfig) error {
// createSessionStore creates a session store based on configuration
func (s *STSService) createSessionStore(config *STSConfig) (SessionStore, error) {
switch config.SessionStoreType {
case "", StoreTypeMemory:
return NewMemorySessionStore(), nil
case StoreTypeFiler:
case "", DefaultStoreType:
return NewFilerSessionStore(config.SessionStoreConfig)
case StoreTypeMemory:
return NewMemorySessionStore(), nil
default:
return nil, fmt.Errorf(ErrUnsupportedStoreType, config.SessionStoreType)
}
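Review bot: Using `DefaultStoreType` as a case label at `case "", DefaultStoreType:` couples the switch to the constant's current value: the constant presents itself as a deployment default, but if it is ever pointed at StoreTypeMemory this switch has two identical constant case values (`StoreTypeMemory` appears twice), which gc rejects as a duplicate case. Resolving the default once before the switch keeps the case labels concrete and makes the empty-string handling explicit; the rewrite below leaves the default branch unchanged.
```go
// Resolve the default once so the case labels stay concrete store types.
storeType := config.SessionStoreType
if storeType == "" {
	storeType = DefaultStoreType
}
switch storeType {
case StoreTypeFiler:
	return NewFilerSessionStore(config.SessionStoreConfig)
case StoreTypeMemory:
	return NewMemorySessionStore(), nil
// … unchanged: default case returning ErrUnsupportedStoreType …
}
```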
