From 29fedb1f0e8b8765730b9770a6f90814850a7492 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Sun, 24 Aug 2025 14:53:08 -0700
Subject: [PATCH] feat: default IAM stores to filer for production-ready persistence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change makes filer stores the default for all IAM components, requiring explicit configuration only when different storage is needed.
### Changes Made:
#### Default Store Types Updated:
- STS Session Store: memory → filer (persistent sessions)
- Policy Engine: memory → filer (persistent policies)
- Role Store: memory → filer (persistent roles)
#### Code Updates:
- STSService: Default sessionStoreType now uses DefaultStoreType constant
- PolicyEngine: Default storeType changed to filer for persistence
- IAMManager: Default roleStore changed to filer for persistence
- Added DefaultStoreType constant for consistent configuration
#### Configuration Simplification:
- iam_config_distributed.json: Removed redundant filer specifications
- Only specify storeType when different from default (e.g. memory for testing)
### Benefits:
- Production-ready defaults with persistent storage
- Minimal configuration for standard deployments
- Clear intent: only specify when different from sensible defaults
- Backwards compatible: existing explicit configs continue to work
- Consistent with SeaweedFS distributed, persistent nature
---
 test/s3/iam/iam_config_distributed.json | 8 ++------
 weed/iam/integration/iam_manager.go | 10 +++++-----
 weed/iam/policy/policy_engine.go | 2 +-
 weed/iam/sts/constants.go | 9 +++++----
 weed/iam/sts/sts_service.go | 6 +++---
 5 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/test/s3/iam/iam_config_distributed.json b/test/s3/iam/iam_config_distributed.json
index 8284c9e43..865733d65 100644
--- a/test/s3/iam/iam_config_distributed.json
+++ b/test/s3/iam/iam_config_distributed.json
@@ -4,7 +4,6 @@
 "maxSessionLength": 43200000000000,
 "issuer": "seaweedfs-sts",
 "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc=",
- "sessionStoreType": "filer",
 "providers": [
 {
 "name": "keycloak-oidc",
@@ -34,12 +33,9 @@
 ]
 },
 "policy": {
- "defaultEffect": "Deny",
- "storeType": "filer"
- },
- "roleStore": {
- "storeType": "filer"
+ "defaultEffect": "Deny"
 },
+ "roleStore": {},
 "roles": [
 {
diff --git a/weed/iam/integration/iam_manager.go b/weed/iam/integration/iam_manager.go
index fc4665232..4f29cc4cd 100644
--- a/weed/iam/integration/iam_manager.go
+++ b/weed/iam/integration/iam_manager.go
@@ -111,15 +111,15 @@ func (m *IAMManager) Initialize(config *IAMConfig) error {
 // createRoleStore creates a role store based on configuration
 func (m *IAMManager) createRoleStore(config *RoleStoreConfig) (RoleStore, error) {
 if config == nil {
- // Default to memory role store
- return NewMemoryRoleStore(), nil
+ // Default to filer role store
+ return NewFilerRoleStore(nil)
 }

 switch config.StoreType {
- case "", "memory":
- return NewMemoryRoleStore(), nil
- case "filer":
+ case "", "filer":
 return NewFilerRoleStore(config.StoreConfig)
+ case "memory":
+ return NewMemoryRoleStore(), nil
 default:
 return nil, fmt.Errorf("unsupported role store type: %s", config.StoreType)
 }
diff --git a/weed/iam/policy/policy_engine.go b/weed/iam/policy/policy_engine.go
index b2b07d27c..19dd7cd32 100644
--- a/weed/iam/policy/policy_engine.go
+++ b/weed/iam/policy/policy_engine.go
@@ -186,7 +186,7 @@ func (e *PolicyEngine) validateConfig(config *PolicyEngineConfig) error {
 }

 if config.StoreType == "" {
- config.StoreType = "memory" // Default to memory store
+ config.StoreType = "filer" // Default to filer store for persistence
 }

 return nil
diff --git a/weed/iam/sts/constants.go b/weed/iam/sts/constants.go
index f26264c40..c684b45fe 100644
--- a/weed/iam/sts/constants.go
+++ b/weed/iam/sts/constants.go
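Review bot: With the nil-config branch and the `""` case in createRoleStore now both selecting the filer store, the default is decided in two places; resolving nil to an empty config — `if config == nil { config = &RoleStoreConfig{} }` in place of the early return — leaves the switch as the single source of truth and keeps the comment `// Default to filer role store` next to the case it documents. The store names are bare literals here and in the policy_engine.go hunk (`"filer"`), while the sts_service.go hunk uses `DefaultStoreType` and `StoreTypeMemory`; if this package can import those constants without a cycle, using them keeps the three defaults from drifting apart. Both default paths now reach `NewFilerRoleStore` with a nil or empty store config; unless that constructor validates the filer address itself (not visible here), a deployment that omits the roleStore section fails at first use rather than at startup, so a fail-fast check in `Initialize` would be worth adding.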
@@ -30,10 +30,11 @@ const (

 // Default Values
 const (
- DefaultTokenDuration = 3600 // 1 hour in seconds
- DefaultMaxSessionLength = 43200 // 12 hours in seconds
- DefaultIssuer = "seaweedfs-sts"
- MinSigningKeyLength = 16 // Minimum signing key length in bytes
+ DefaultTokenDuration = 3600 // 1 hour in seconds
+ DefaultMaxSessionLength = 43200 // 12 hours in seconds
+ DefaultIssuer = "seaweedfs-sts"
+ DefaultStoreType = StoreTypeFiler // Default store type for persistence
+ MinSigningKeyLength = 16 // Minimum signing key length in bytes
 )

 // Configuration Field Names
diff --git a/weed/iam/sts/sts_service.go b/weed/iam/sts/sts_service.go
index 736a07a48..7f6d25e87 100644
--- a/weed/iam/sts/sts_service.go
+++ b/weed/iam/sts/sts_service.go
@@ -237,10 +237,10 @@ func (s *STSService) validateConfig(config *STSConfig) error {
 // createSessionStore creates a session store based on configuration
 func (s *STSService) createSessionStore(config *STSConfig) (SessionStore, error) {
 switch config.SessionStoreType {
- case "", StoreTypeMemory:
- return NewMemorySessionStore(), nil
- case StoreTypeFiler:
+ case "", DefaultStoreType:
 return NewFilerSessionStore(config.SessionStoreConfig)
+ case StoreTypeMemory:
+ return NewMemorySessionStore(), nil
 default:
 return nil, fmt.Errorf(ErrUnsupportedStoreType, config.SessionStoreType)
 }
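Review bot: `case "", DefaultStoreType:` in createSessionStore ties the empty-value branch to whichever store `DefaultStoreType` names, so if that constant is ever pointed at `StoreTypeMemory` the switch gains a duplicate case and stops compiling, and read on its own the case no longer says which store it constructs. Resolving the empty value to `DefaultStoreType` before the switch and then naming each concrete store in its own case keeps the default in one constant and each case self-describing; the error message then also reports the resolved type rather than the raw field. The function is complete within the hunk.
```go
func (s *STSService) createSessionStore(config *STSConfig) (SessionStore, error) {
	storeType := config.SessionStoreType
	if storeType == "" {
		storeType = DefaultStoreType // the only place the default is decided
	}
	switch storeType {
	case StoreTypeFiler:
		return NewFilerSessionStore(config.SessionStoreConfig)
	case StoreTypeMemory:
		return NewMemorySessionStore(), nil
	default:
		return nil, fmt.Errorf(ErrUnsupportedStoreType, storeType)
	}
}
```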