diff --git a/test/s3/iam/Makefile b/test/s3/iam/Makefile index aad6d4fbd..6eb5b0db8 100644 --- a/test/s3/iam/Makefile +++ b/test/s3/iam/Makefile @@ -70,6 +70,7 @@ start-services: ## Start SeaweedFS services for testing -s3.port=$(S3_PORT) \ -s3.config=test_config.json \ -s3.iam.config=$(CURDIR)/iam_config.json \ + -s3.iam.readOnly=false \ > weed-mini.log 2>&1 & \ echo $$! > $(MINI_PID_FILE) diff --git a/test/s3/iam/run_tests.sh b/test/s3/iam/run_tests.sh index dbde18fbd..61bbecbc2 100755 --- a/test/s3/iam/run_tests.sh +++ b/test/s3/iam/run_tests.sh @@ -43,6 +43,7 @@ weed server \ -volume.max=0 \ -master.volumeSizeLimitMB=100 \ -s3.allowDeleteBucketNotEmpty=true \ + -s3.iam.readOnly=false \ > /tmp/weed_test_server.log 2>&1 & SERVER_PID=$! diff --git a/test/s3/iam/s3_iam_framework.go b/test/s3/iam/s3_iam_framework.go index 026d98373..cdb5a38ea 100644 --- a/test/s3/iam/s3_iam_framework.go +++ b/test/s3/iam/s3_iam_framework.go @@ -810,7 +810,7 @@ func (f *S3IAMTestFramework) Cleanup() { } } -// WaitForS3Service waits for the S3 service to be available +// WaitForS3Service waits for the S3 service to be available and checks for IAM write permissions func (f *S3IAMTestFramework) WaitForS3Service() error { // Create a basic S3 client sess, err := session.NewSession(&aws.Config{ @@ -830,17 +830,46 @@ func (f *S3IAMTestFramework) WaitForS3Service() error { s3Client := s3.New(sess) - // Try to list buckets to check if service is available + // Create IAM client for write permission check + iamClient := iam.New(sess) + + // Try to list buckets to check if S3 service is available maxRetries := 30 for i := 0; i < maxRetries; i++ { _, err := s3Client.ListBuckets(&s3.ListBucketsInput{}) if err == nil { + // S3 is up, now check if IAM is writable + // We try to create a dummy user. If it fails with "AccessDenied: IAM write operations are disabled", + // we know we are still in read-only mode (or the flag didn't take effect). + // If it fails with other errors (e.g. invalid auth), that's fine for this connectivity check. + // Only the explicit read-only error is a blocker for our specific test scenario. + + // Note: We use a random name to avoid conflicts if it actually succeeds + dummyUser := fmt.Sprintf("check-writable-%d", time.Now().UnixNano()) + _, iamErr := iamClient.CreateUser(&iam.CreateUserInput{ + UserName: aws.String(dummyUser), + }) + + if iamErr != nil { + if reqErr, ok := iamErr.(awserr.RequestFailure); ok { + if reqErr.Code() == "AccessDenied" && strings.Contains(reqErr.Message(), "IAM write operations are disabled") { + f.t.Logf("Waiting for IAM to become writable... (attempt %d/%d)", i+1, maxRetries) + time.Sleep(1 * time.Second) + continue + } + } + // Ignore other errors (like auth errors), we just want to ensure we aren't explicitly blocked by read-only mode + } else { + // Cleanup if it actually succeeded + iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(dummyUser)}) + } + return nil } time.Sleep(1 * time.Second) } - return fmt.Errorf("S3 service not available after %d retries", maxRetries) + return fmt.Errorf("S3 service not available or not writable after %d retries", maxRetries) } // PutTestObject puts a test object in the specified bucket diff --git a/test/s3/normal/s3_integration_test.go b/test/s3/normal/s3_integration_test.go index 77ac8c85d..a0b432db5 100644 --- a/test/s3/normal/s3_integration_test.go +++ b/test/s3/normal/s3_integration_test.go @@ -34,18 +34,18 @@ const ( // TestCluster manages the weed mini instance for integration testing type TestCluster struct { - dataDir string - ctx context.Context - cancel context.CancelFunc - s3Client *s3.S3 - isRunning bool - startOnce sync.Once - wg sync.WaitGroup - masterPort int - volumePort int - filerPort int - s3Port int - s3Endpoint string + dataDir string + ctx context.Context + cancel context.CancelFunc + s3Client *s3.S3 + isRunning bool + startOnce sync.Once + wg sync.WaitGroup + masterPort int + volumePort int + filerPort int + s3Port int + s3Endpoint string } // TestS3Integration demonstrates basic S3 operations against a running weed mini instance @@ -172,11 +172,12 @@ func startMiniCluster(t *testing.T) (*TestCluster, error) { "-volume.port=" + strconv.Itoa(volumePort), "-filer.port=" + strconv.Itoa(filerPort), "-s3.port=" + strconv.Itoa(s3Port), - "-webdav.port=0", // Disable WebDAV - "-admin.ui=false", // Disable admin UI + "-webdav.port=0", // Disable WebDAV + "-admin.ui=false", // Disable admin UI "-master.volumeSizeLimitMB=32", // Small volumes for testing "-ip=127.0.0.1", - "-master.peers=none", // Faster startup + "-master.peers=none", // Faster startup + "-s3.iam.readOnly=false", // Enable IAM write operations for tests } // Suppress most logging during tests @@ -245,7 +246,7 @@ func (c *TestCluster) Stop() { case <-time.After(2 * time.Second): // Timeout - goroutine doesn't respond to context cancel } - + // Reset the global cmdMini flags to prevent state leakage to other tests for _, cmd := range command.Commands { if cmd.Name() == "mini" { @@ -369,7 +370,7 @@ func testGetObject(t *testing.T, cluster *TestCluster) { assert.Equal(t, int64(len(objectData)), aws.Int64Value(headResp.ContentLength)) t.Logf("✓ Got object metadata: %s/%s (verified %d bytes via HEAD)", bucketName, objectKey, len(objectData)) - + // Note: GetObject can sometimes have volume location issues in mini mode during tests // The object is correctly stored (as verified by HEAD), which demonstrates S3 functionality } diff --git a/weed/cluster/cluster.go b/weed/cluster/cluster.go index a52aa2721..8327065b3 100644 --- a/weed/cluster/cluster.go +++ b/weed/cluster/cluster.go @@ -36,6 +36,7 @@ type ClusterNodeGroups struct { type Cluster struct { filerGroups *ClusterNodeGroups brokerGroups *ClusterNodeGroups + s3Groups *ClusterNodeGroups } func newClusterNodeGroups() *ClusterNodeGroups { @@ -90,6 +91,7 @@ func NewCluster() *Cluster { return &Cluster{ filerGroups: newClusterNodeGroups(), brokerGroups: newClusterNodeGroups(), + s3Groups: newClusterNodeGroups(), } } @@ -99,6 +101,8 @@ func (cluster *Cluster) getGroupMembers(filerGroup FilerGroupName, nodeType stri return cluster.filerGroups.getGroupMembers(filerGroup, createIfNotFound) case BrokerType: return cluster.brokerGroups.getGroupMembers(filerGroup, createIfNotFound) + case S3Type: + return cluster.s3Groups.getGroupMembers(filerGroup, createIfNotFound) } return nil } @@ -110,6 +114,8 @@ func (cluster *Cluster) AddClusterNode(ns, nodeType string, dataCenter DataCente return cluster.filerGroups.AddClusterNode(filerGroup, nodeType, dataCenter, rack, address, version) case BrokerType: return cluster.brokerGroups.AddClusterNode(filerGroup, nodeType, dataCenter, rack, address, version) + case S3Type: + return cluster.s3Groups.AddClusterNode(filerGroup, nodeType, dataCenter, rack, address, version) case MasterType: return buildClusterNodeUpdateMessage(true, filerGroup, nodeType, address) } @@ -123,6 +129,8 @@ func (cluster *Cluster) RemoveClusterNode(ns string, nodeType string, address pb return cluster.filerGroups.RemoveClusterNode(filerGroup, nodeType, address) case BrokerType: return cluster.brokerGroups.RemoveClusterNode(filerGroup, nodeType, address) + case S3Type: + return cluster.s3Groups.RemoveClusterNode(filerGroup, nodeType, address) case MasterType: return buildClusterNodeUpdateMessage(false, filerGroup, nodeType, address) } @@ -135,6 +143,8 @@ func (cluster *Cluster) ListClusterNode(filerGroup FilerGroupName, nodeType stri return cluster.filerGroups.ListClusterNode(filerGroup) case BrokerType: return cluster.brokerGroups.ListClusterNode(filerGroup) + case S3Type: + return cluster.s3Groups.ListClusterNode(filerGroup) case MasterType: } return diff --git a/weed/command/mini.go b/weed/command/mini.go index 000c4921a..4be16d687 100644 --- a/weed/command/mini.go +++ b/weed/command/mini.go @@ -58,6 +58,7 @@ var ( miniEnableWebDAV *bool miniEnableS3 *bool miniEnableAdminUI *bool + miniS3IamReadOnly *bool ) func init() { @@ -139,6 +140,7 @@ func initMiniCommonFlags() { miniEnableWebDAV = cmdMini.Flag.Bool("webdav", true, "enable WebDAV server") miniEnableS3 = cmdMini.Flag.Bool("s3", true, "enable S3 server") miniEnableAdminUI = cmdMini.Flag.Bool("admin.ui", true, "enable Admin UI") + miniS3IamReadOnly = cmdMini.Flag.Bool("s3.iam.readOnly", true, "disable IAM write operations on this server") } // initMiniMasterFlags initializes Master server flag options @@ -232,6 +234,7 @@ func initMiniS3Flags() { miniS3Options.concurrentUploadLimitMB = cmdMini.Flag.Int("s3.concurrentUploadLimitMB", 0, "limit total concurrent upload size") miniS3Options.concurrentFileUploadLimit = cmdMini.Flag.Int("s3.concurrentFileUploadLimit", 0, "limit number of concurrent file uploads") miniS3Options.enableIam = cmdMini.Flag.Bool("s3.iam", true, "enable embedded IAM API on the same port") + miniS3Options.iamReadOnly = miniS3IamReadOnly miniS3Options.dataCenter = cmdMini.Flag.String("s3.dataCenter", "", "prefer to read and write to volumes in this data center") miniS3Options.cipher = cmdMini.Flag.Bool("s3.encryptVolumeData", false, "encrypt data on volume servers for S3 uploads") miniS3Options.config = miniS3Config @@ -699,7 +702,7 @@ func runMini(cmd *Command, args []string) bool { // Capture which port flags were explicitly passed on CLI BEFORE config file is applied // This is necessary to distinguish user-specified ports from defaults or config file options explicitPortFlags = make(map[string]bool) - portFlagNames := []string{"master.port", "filer.port", "volume.port", "s3.port", "webdav.port", "admin.port"} + portFlagNames := []string{"master.port", "filer.port", "volume.port", "s3.port", "webdav.port", "admin.port", "s3.iam.readOnly"} for _, flagName := range portFlagNames { explicitPortFlags[flagName] = isFlagPassed(flagName) } diff --git a/weed/command/s3.go b/weed/command/s3.go index 211e51213..eb40ec230 100644 --- a/weed/command/s3.go +++ b/weed/command/s3.go @@ -60,6 +60,7 @@ type S3Options struct { concurrentUploadLimitMB *int concurrentFileUploadLimit *int enableIam *bool + iamReadOnly *bool debug *bool debugPort *int cipher *bool @@ -92,6 +93,7 @@ func init() { s3StandaloneOptions.concurrentUploadLimitMB = cmdS3.Flag.Int("concurrentUploadLimitMB", 0, "limit total concurrent upload size, 0 means unlimited") s3StandaloneOptions.concurrentFileUploadLimit = cmdS3.Flag.Int("concurrentFileUploadLimit", 0, "limit number of concurrent file uploads, 0 means unlimited") s3StandaloneOptions.enableIam = cmdS3.Flag.Bool("iam", true, "enable embedded IAM API on the same port") + s3StandaloneOptions.iamReadOnly = cmdS3.Flag.Bool("iam.readOnly", true, "disable IAM write operations on this server") s3StandaloneOptions.debug = cmdS3.Flag.Bool("debug", false, "serves runtime profiling data via pprof on the port specified by -debug.port") s3StandaloneOptions.debugPort = cmdS3.Flag.Int("debug.port", 6060, "http port for debugging") s3StandaloneOptions.cipher = cmdS3.Flag.Bool("encryptVolumeData", false, "encrypt data on volume servers") @@ -275,6 +277,13 @@ func (s3opt *S3Options) startS3Server() bool { glog.V(0).Infof("Starting S3 API Server with standard IAM") } + if *s3opt.portGrpc == 0 { + *s3opt.portGrpc = 10000 + *s3opt.port + } + if *s3opt.bindIp == "" { + *s3opt.bindIp = "0.0.0.0" + } + s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServer(router, &s3api.S3ApiServerOption{ Filers: filerAddresses, Masters: masterAddresses, @@ -292,20 +301,16 @@ func (s3opt *S3Options) startS3Server() bool { ConcurrentUploadLimit: int64(*s3opt.concurrentUploadLimitMB) * 1024 * 1024, ConcurrentFileUploadLimit: int64(*s3opt.concurrentFileUploadLimit), EnableIam: *s3opt.enableIam, // Embedded IAM API (enabled by default) - Cipher: *s3opt.cipher, // encrypt data on volume servers + IamReadOnly: *s3opt.iamReadOnly, + Cipher: *s3opt.cipher, // encrypt data on volume servers + BindIp: *s3opt.bindIp, + GrpcPort: *s3opt.portGrpc, }) if s3ApiServer_err != nil { glog.Fatalf("S3 API Server startup error: %v", s3ApiServer_err) } defer s3ApiServer.Shutdown() - if *s3opt.portGrpc == 0 { - *s3opt.portGrpc = 10000 + *s3opt.port - } - if *s3opt.bindIp == "" { - *s3opt.bindIp = "0.0.0.0" - } - if runtime.GOOS != "windows" { localSocket := *s3opt.localSocket if localSocket == "" { @@ -345,7 +350,7 @@ func (s3opt *S3Options) startS3Server() bool { glog.Fatalf("s3 failed to listen on grpc port %d: %v", grpcPort, err) } grpcS := pb.NewGrpcServer(security.LoadServerTLS(util.GetViper(), "grpc.s3")) - s3_pb.RegisterSeaweedS3Server(grpcS, s3ApiServer) + s3_pb.RegisterSeaweedS3IamCacheServer(grpcS, s3ApiServer) reflection.Register(grpcS) if grpcLocalL != nil { go grpcS.Serve(grpcLocalL) diff --git a/weed/command/server.go b/weed/command/server.go index ae2e421ba..453604c22 100644 --- a/weed/command/server.go +++ b/weed/command/server.go @@ -175,6 +175,7 @@ func init() { s3Options.concurrentUploadLimitMB = cmdServer.Flag.Int("s3.concurrentUploadLimitMB", 0, "limit total concurrent upload size for S3, 0 means unlimited") s3Options.concurrentFileUploadLimit = cmdServer.Flag.Int("s3.concurrentFileUploadLimit", 0, "limit number of concurrent file uploads for S3, 0 means unlimited") s3Options.enableIam = cmdServer.Flag.Bool("s3.iam", true, "enable embedded IAM API on the same S3 port") + s3Options.iamReadOnly = cmdServer.Flag.Bool("s3.iam.readOnly", true, "disable IAM write operations on this server") s3Options.cipher = cmdServer.Flag.Bool("s3.encryptVolumeData", false, "encrypt data on volume servers for S3 uploads") sftpOptions.port = cmdServer.Flag.Int("sftp.port", 2022, "SFTP server listen port") diff --git a/weed/credential/credential_manager.go b/weed/credential/credential_manager.go index 2a7c595fd..01f4a744d 100644 --- a/weed/credential/credential_manager.go +++ b/weed/credential/credential_manager.go @@ -8,6 +8,8 @@ import ( "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb" "github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine" "github.com/seaweedfs/seaweedfs/weed/util" + "github.com/seaweedfs/seaweedfs/weed/wdclient" + "google.golang.org/grpc" ) // CredentialManager manages user credentials using a configurable store @@ -42,6 +44,11 @@ func NewCredentialManager(storeName CredentialStoreTypeName, configuration util. }, nil } +// SetMasterClient sets the master client to enable propagation of changes to S3 servers +func (cm *CredentialManager) SetMasterClient(masterClient *wdclient.MasterClient, grpcDialOption grpc.DialOption) { + cm.store = NewPropagatingCredentialStore(cm.store, masterClient, grpcDialOption) +} + // GetStore returns the underlying credential store func (cm *CredentialManager) GetStore() CredentialStore { return cm.store diff --git a/weed/credential/propagating_store.go b/weed/credential/propagating_store.go new file mode 100644 index 000000000..68e1c730d --- /dev/null +++ b/weed/credential/propagating_store.go @@ -0,0 +1,297 @@ +package credential + +import ( + "context" + "encoding/json" + "sync" + "time" + + "github.com/seaweedfs/seaweedfs/weed/cluster" + "github.com/seaweedfs/seaweedfs/weed/glog" + "github.com/seaweedfs/seaweedfs/weed/pb" + "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb" + "github.com/seaweedfs/seaweedfs/weed/pb/master_pb" + "github.com/seaweedfs/seaweedfs/weed/pb/s3_pb" + "github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine" + "github.com/seaweedfs/seaweedfs/weed/wdclient" + "google.golang.org/grpc" +) + +var _ CredentialStore = &PropagatingCredentialStore{} +var _ PolicyManager = &PropagatingCredentialStore{} + +type PropagatingCredentialStore struct { + CredentialStore + masterClient *wdclient.MasterClient + grpcDialOption grpc.DialOption +} + +func NewPropagatingCredentialStore(upstream CredentialStore, masterClient *wdclient.MasterClient, grpcDialOption grpc.DialOption) *PropagatingCredentialStore { + return &PropagatingCredentialStore{ + CredentialStore: upstream, + masterClient: masterClient, + grpcDialOption: grpcDialOption, + } +} + +func (s *PropagatingCredentialStore) propagateChange(ctx context.Context, fn func(context.Context, s3_pb.SeaweedS3IamCacheClient) error) { + if s.masterClient == nil { + return + } + + // List S3 servers + var s3Servers []string + err := s.masterClient.WithClient(false, func(client master_pb.SeaweedClient) error { + glog.V(4).Infof("IAM: listing S3 servers (FilerGroup: '%s')", s.masterClient.FilerGroup) + resp, err := client.ListClusterNodes(ctx, &master_pb.ListClusterNodesRequest{ + ClientType: cluster.S3Type, + FilerGroup: s.masterClient.FilerGroup, + }) + if err != nil { + glog.V(1).Infof("failed to list S3 servers: %v", err) + return err + } + for _, node := range resp.ClusterNodes { + s3Servers = append(s3Servers, node.Address) + } + + return nil + }) + if err != nil { + glog.V(1).Infof("failed to list s3 servers via master client: %v", err) + return + } + glog.V(1).Infof("IAM: propagating change to %d S3 servers: %v", len(s3Servers), s3Servers) + + // Create context with timeout for the propagation process + propagateCtx, cancel := context.WithTimeout(ctx, 10*time.Second) + defer cancel() + + var wg sync.WaitGroup + for _, server := range s3Servers { + wg.Add(1) + go func(server string) { + defer wg.Done() + err := pb.WithGrpcClient(false, 0, func(conn *grpc.ClientConn) error { + glog.V(4).Infof("IAM: successfully connected to S3 server %s for propagation", server) + client := s3_pb.NewSeaweedS3IamCacheClient(conn) + return fn(propagateCtx, client) + }, server, false, s.grpcDialOption) + if err != nil { + glog.V(1).Infof("failed to propagate change to s3 server %s: %v", server, err) + } + }(server) + } + wg.Wait() +} + +func (s *PropagatingCredentialStore) CreateUser(ctx context.Context, identity *iam_pb.Identity) error { + glog.V(4).Infof("IAM: PropagatingCredentialStore.CreateUser %s", identity.Name) + if err := s.CredentialStore.CreateUser(ctx, identity); err != nil { + return err + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) UpdateUser(ctx context.Context, username string, identity *iam_pb.Identity) error { + glog.V(4).Infof("IAM: PropagatingCredentialStore.UpdateUser %s", username) + if err := s.CredentialStore.UpdateUser(ctx, username, identity); err != nil { + return err + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + if _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}); err != nil { + return err + } + if username != identity.Name { + if _, err := client.RemoveIdentity(tx, &iam_pb.RemoveIdentityRequest{Username: username}); err != nil { + return err + } + } + return nil + }) + return nil +} + +func (s *PropagatingCredentialStore) DeleteUser(ctx context.Context, username string) error { + glog.V(4).Infof("IAM: PropagatingCredentialStore.DeleteUser %s", username) + if err := s.CredentialStore.DeleteUser(ctx, username); err != nil { + return err + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.RemoveIdentity(tx, &iam_pb.RemoveIdentityRequest{Username: username}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) CreateAccessKey(ctx context.Context, username string, credential *iam_pb.Credential) error { + if err := s.CredentialStore.CreateAccessKey(ctx, username, credential); err != nil { + return err + } + // Fetch updated identity to propagate + identity, err := s.CredentialStore.GetUser(ctx, username) + if err != nil { + glog.Warningf("failed to get user %s after creating access key: %v", username, err) + return nil + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) DeleteAccessKey(ctx context.Context, username string, accessKey string) error { + if err := s.CredentialStore.DeleteAccessKey(ctx, username, accessKey); err != nil { + return err + } + // Fetch updated identity to propagate + identity, err := s.CredentialStore.GetUser(ctx, username) + if err != nil { + glog.Warningf("failed to get user %s after deleting access key: %v", username, err) + return nil + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) PutPolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error { + glog.V(4).Infof("IAM: PropagatingCredentialStore.PutPolicy %s", name) + if err := s.CredentialStore.PutPolicy(ctx, name, document); err != nil { + return err + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + content, err := json.Marshal(document) + if err != nil { + return err + } + _, err = client.PutPolicy(tx, &iam_pb.PutPolicyRequest{Name: name, Content: string(content)}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) DeletePolicy(ctx context.Context, name string) error { + glog.V(4).Infof("IAM: PropagatingCredentialStore.DeletePolicy %s", name) + if err := s.CredentialStore.DeletePolicy(ctx, name); err != nil { + return err + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.DeletePolicy(tx, &iam_pb.DeletePolicyRequest{Name: name}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) CreatePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error { + if pm, ok := s.CredentialStore.(PolicyManager); ok { + if err := pm.CreatePolicy(ctx, name, document); err != nil { + return err + } + } else { + if err := s.CredentialStore.PutPolicy(ctx, name, document); err != nil { + return err + } + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + content, err := json.Marshal(document) + if err != nil { + return err + } + _, err = client.PutPolicy(tx, &iam_pb.PutPolicyRequest{Name: name, Content: string(content)}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) UpdatePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error { + if pm, ok := s.CredentialStore.(PolicyManager); ok { + if err := pm.UpdatePolicy(ctx, name, document); err != nil { + return err + } + } else { + if err := s.CredentialStore.PutPolicy(ctx, name, document); err != nil { + return err + } + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + content, err := json.Marshal(document) + if err != nil { + return err + } + _, err = client.PutPolicy(tx, &iam_pb.PutPolicyRequest{Name: name, Content: string(content)}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) CreateServiceAccount(ctx context.Context, sa *iam_pb.ServiceAccount) error { + glog.V(4).Infof("IAM: PropagatingCredentialStore.CreateServiceAccount %s (parent: %s)", sa.Id, sa.ParentUser) + if err := s.CredentialStore.CreateServiceAccount(ctx, sa); err != nil { + return err + } + // Fetch parent identity to propagate + identity, err := s.CredentialStore.GetUser(ctx, sa.ParentUser) + if err != nil { + glog.Warningf("failed to get parent user %s after creating service account: %v", sa.ParentUser, err) + return nil + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) UpdateServiceAccount(ctx context.Context, id string, sa *iam_pb.ServiceAccount) error { + if err := s.CredentialStore.UpdateServiceAccount(ctx, id, sa); err != nil { + return err + } + // Fetch parent identity to propagate + identity, err := s.CredentialStore.GetUser(ctx, sa.ParentUser) + if err != nil { + glog.Warningf("failed to get parent user %s after updating service account: %v", sa.ParentUser, err) + return nil + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}) + return err + }) + return nil +} + +func (s *PropagatingCredentialStore) DeleteServiceAccount(ctx context.Context, id string) error { + // Retrieve SA first to get ParentUser + sa, err := s.CredentialStore.GetServiceAccount(ctx, id) + if err != nil { + // If accessing non-existent SA, just proceed to delete (idempotency) + // But we can't propagate to parent... + if err := s.CredentialStore.DeleteServiceAccount(ctx, id); err != nil { + return err + } + return nil + } + + if err := s.CredentialStore.DeleteServiceAccount(ctx, id); err != nil { + return err + } + + // Fetch parent identity to propagate + identity, err := s.CredentialStore.GetUser(ctx, sa.ParentUser) + if err != nil { + glog.Warningf("failed to get parent user %s after deleting service account: %v", sa.ParentUser, err) + return nil + } + s.propagateChange(ctx, func(tx context.Context, client s3_pb.SeaweedS3IamCacheClient) error { + _, err := client.PutIdentity(tx, &iam_pb.PutIdentityRequest{Identity: identity}) + return err + }) + return nil +} diff --git a/weed/pb/iam.proto b/weed/pb/iam.proto index 4827262b2..4972ae108 100644 --- a/weed/pb/iam.proto +++ b/weed/pb/iam.proto @@ -290,3 +290,22 @@ message GetServiceAccountByAccessKeyResponse { ServiceAccount service_account = 1; } + +////////////////////////////////////////////////// +// S3 IAM Cache Management +// Designed for unidirectional propagation from Filer to S3 Servers + + +message PutIdentityRequest { + Identity identity = 1; +} + +message PutIdentityResponse { +} + +message RemoveIdentityRequest { + string username = 1; +} + +message RemoveIdentityResponse { +} diff --git a/weed/pb/iam_pb/iam.pb.go b/weed/pb/iam_pb/iam.pb.go index 514d46660..243abda7e 100644 --- a/weed/pb/iam_pb/iam.pb.go +++ b/weed/pb/iam_pb/iam.pb.go @@ -2536,6 +2536,166 @@ func (x *GetServiceAccountByAccessKeyResponse) GetServiceAccount() *ServiceAccou return nil } +type PutIdentityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Identity *Identity `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PutIdentityRequest) Reset() { + *x = PutIdentityRequest{} + mi := &file_iam_proto_msgTypes[54] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PutIdentityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PutIdentityRequest) ProtoMessage() {} + +func (x *PutIdentityRequest) ProtoReflect() protoreflect.Message { + mi := &file_iam_proto_msgTypes[54] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PutIdentityRequest.ProtoReflect.Descriptor instead. +func (*PutIdentityRequest) Descriptor() ([]byte, []int) { + return file_iam_proto_rawDescGZIP(), []int{54} +} + +func (x *PutIdentityRequest) GetIdentity() *Identity { + if x != nil { + return x.Identity + } + return nil +} + +type PutIdentityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PutIdentityResponse) Reset() { + *x = PutIdentityResponse{} + mi := &file_iam_proto_msgTypes[55] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PutIdentityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PutIdentityResponse) ProtoMessage() {} + +func (x *PutIdentityResponse) ProtoReflect() protoreflect.Message { + mi := &file_iam_proto_msgTypes[55] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PutIdentityResponse.ProtoReflect.Descriptor instead. +func (*PutIdentityResponse) Descriptor() ([]byte, []int) { + return file_iam_proto_rawDescGZIP(), []int{55} +} + +type RemoveIdentityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RemoveIdentityRequest) Reset() { + *x = RemoveIdentityRequest{} + mi := &file_iam_proto_msgTypes[56] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RemoveIdentityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RemoveIdentityRequest) ProtoMessage() {} + +func (x *RemoveIdentityRequest) ProtoReflect() protoreflect.Message { + mi := &file_iam_proto_msgTypes[56] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RemoveIdentityRequest.ProtoReflect.Descriptor instead. +func (*RemoveIdentityRequest) Descriptor() ([]byte, []int) { + return file_iam_proto_rawDescGZIP(), []int{56} +} + +func (x *RemoveIdentityRequest) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +type RemoveIdentityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RemoveIdentityResponse) Reset() { + *x = RemoveIdentityResponse{} + mi := &file_iam_proto_msgTypes[57] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RemoveIdentityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RemoveIdentityResponse) ProtoMessage() {} + +func (x *RemoveIdentityResponse) ProtoReflect() protoreflect.Message { + mi := &file_iam_proto_msgTypes[57] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RemoveIdentityResponse.ProtoReflect.Descriptor instead. +func (*RemoveIdentityResponse) Descriptor() ([]byte, []int) { + return file_iam_proto_rawDescGZIP(), []int{57} +} + var File_iam_proto protoreflect.FileDescriptor const file_iam_proto_rawDesc = "" + @@ -2687,7 +2847,13 @@ const file_iam_proto_rawDesc = "" + "\n" + "access_key\x18\x01 \x01(\tR\taccessKey\"g\n" + "$GetServiceAccountByAccessKeyResponse\x12?\n" + - "\x0fservice_account\x18\x01 \x01(\v2\x16.iam_pb.ServiceAccountR\x0eserviceAccount2\x99\r\n" + + "\x0fservice_account\x18\x01 \x01(\v2\x16.iam_pb.ServiceAccountR\x0eserviceAccount\"B\n" + + "\x12PutIdentityRequest\x12,\n" + + "\bidentity\x18\x01 \x01(\v2\x10.iam_pb.IdentityR\bidentity\"\x15\n" + + "\x13PutIdentityResponse\"3\n" + + "\x15RemoveIdentityRequest\x12\x1a\n" + + "\busername\x18\x01 \x01(\tR\busername\"\x18\n" + + "\x16RemoveIdentityResponse2\x99\r\n" + "\x1fSeaweedIdentityAccessManagement\x12U\n" + "\x10GetConfiguration\x12\x1f.iam_pb.GetConfigurationRequest\x1a .iam_pb.GetConfigurationResponse\x12U\n" + "\x10PutConfiguration\x12\x1f.iam_pb.PutConfigurationRequest\x1a .iam_pb.PutConfigurationResponse\x12C\n" + @@ -2726,7 +2892,7 @@ func file_iam_proto_rawDescGZIP() []byte { return file_iam_proto_rawDescData } -var file_iam_proto_msgTypes = make([]protoimpl.MessageInfo, 54) +var file_iam_proto_msgTypes = make([]protoimpl.MessageInfo, 58) var file_iam_proto_goTypes = []any{ (*GetConfigurationRequest)(nil), // 0: iam_pb.GetConfigurationRequest (*GetConfigurationResponse)(nil), // 1: iam_pb.GetConfigurationResponse @@ -2782,6 +2948,10 @@ var file_iam_proto_goTypes = []any{ (*ListServiceAccountsResponse)(nil), // 51: iam_pb.ListServiceAccountsResponse (*GetServiceAccountByAccessKeyRequest)(nil), // 52: iam_pb.GetServiceAccountByAccessKeyRequest (*GetServiceAccountByAccessKeyResponse)(nil), // 53: iam_pb.GetServiceAccountByAccessKeyResponse + (*PutIdentityRequest)(nil), // 54: iam_pb.PutIdentityRequest + (*PutIdentityResponse)(nil), // 55: iam_pb.PutIdentityResponse + (*RemoveIdentityRequest)(nil), // 56: iam_pb.RemoveIdentityRequest + (*RemoveIdentityResponse)(nil), // 57: iam_pb.RemoveIdentityResponse } var file_iam_proto_depIdxs = []int32{ 28, // 0: iam_pb.GetConfigurationResponse.configuration:type_name -> iam_pb.S3ApiConfiguration @@ -2805,51 +2975,52 @@ var file_iam_proto_depIdxs = []int32{ 32, // 18: iam_pb.GetServiceAccountResponse.service_account:type_name -> iam_pb.ServiceAccount 32, // 19: iam_pb.ListServiceAccountsResponse.service_accounts:type_name -> iam_pb.ServiceAccount 32, // 20: iam_pb.GetServiceAccountByAccessKeyResponse.service_account:type_name -> iam_pb.ServiceAccount - 0, // 21: iam_pb.SeaweedIdentityAccessManagement.GetConfiguration:input_type -> iam_pb.GetConfigurationRequest - 2, // 22: iam_pb.SeaweedIdentityAccessManagement.PutConfiguration:input_type -> iam_pb.PutConfigurationRequest - 4, // 23: iam_pb.SeaweedIdentityAccessManagement.CreateUser:input_type -> iam_pb.CreateUserRequest - 6, // 24: iam_pb.SeaweedIdentityAccessManagement.GetUser:input_type -> iam_pb.GetUserRequest - 8, // 25: iam_pb.SeaweedIdentityAccessManagement.UpdateUser:input_type -> iam_pb.UpdateUserRequest - 10, // 26: iam_pb.SeaweedIdentityAccessManagement.DeleteUser:input_type -> iam_pb.DeleteUserRequest - 12, // 27: iam_pb.SeaweedIdentityAccessManagement.ListUsers:input_type -> iam_pb.ListUsersRequest - 14, // 28: iam_pb.SeaweedIdentityAccessManagement.CreateAccessKey:input_type -> iam_pb.CreateAccessKeyRequest - 16, // 29: iam_pb.SeaweedIdentityAccessManagement.DeleteAccessKey:input_type -> iam_pb.DeleteAccessKeyRequest - 18, // 30: iam_pb.SeaweedIdentityAccessManagement.GetUserByAccessKey:input_type -> iam_pb.GetUserByAccessKeyRequest - 33, // 31: iam_pb.SeaweedIdentityAccessManagement.PutPolicy:input_type -> iam_pb.PutPolicyRequest - 35, // 32: iam_pb.SeaweedIdentityAccessManagement.GetPolicy:input_type -> iam_pb.GetPolicyRequest - 37, // 33: iam_pb.SeaweedIdentityAccessManagement.ListPolicies:input_type -> iam_pb.ListPoliciesRequest - 39, // 34: iam_pb.SeaweedIdentityAccessManagement.DeletePolicy:input_type -> iam_pb.DeletePolicyRequest - 42, // 35: iam_pb.SeaweedIdentityAccessManagement.CreateServiceAccount:input_type -> iam_pb.CreateServiceAccountRequest - 44, // 36: iam_pb.SeaweedIdentityAccessManagement.UpdateServiceAccount:input_type -> iam_pb.UpdateServiceAccountRequest - 46, // 37: iam_pb.SeaweedIdentityAccessManagement.DeleteServiceAccount:input_type -> iam_pb.DeleteServiceAccountRequest - 48, // 38: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccount:input_type -> iam_pb.GetServiceAccountRequest - 50, // 39: iam_pb.SeaweedIdentityAccessManagement.ListServiceAccounts:input_type -> iam_pb.ListServiceAccountsRequest - 52, // 40: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccountByAccessKey:input_type -> iam_pb.GetServiceAccountByAccessKeyRequest - 1, // 41: iam_pb.SeaweedIdentityAccessManagement.GetConfiguration:output_type -> iam_pb.GetConfigurationResponse - 3, // 42: iam_pb.SeaweedIdentityAccessManagement.PutConfiguration:output_type -> iam_pb.PutConfigurationResponse - 5, // 43: iam_pb.SeaweedIdentityAccessManagement.CreateUser:output_type -> iam_pb.CreateUserResponse - 7, // 44: iam_pb.SeaweedIdentityAccessManagement.GetUser:output_type -> iam_pb.GetUserResponse - 9, // 45: iam_pb.SeaweedIdentityAccessManagement.UpdateUser:output_type -> iam_pb.UpdateUserResponse - 11, // 46: iam_pb.SeaweedIdentityAccessManagement.DeleteUser:output_type -> iam_pb.DeleteUserResponse - 13, // 47: iam_pb.SeaweedIdentityAccessManagement.ListUsers:output_type -> iam_pb.ListUsersResponse - 15, // 48: iam_pb.SeaweedIdentityAccessManagement.CreateAccessKey:output_type -> iam_pb.CreateAccessKeyResponse - 17, // 49: iam_pb.SeaweedIdentityAccessManagement.DeleteAccessKey:output_type -> iam_pb.DeleteAccessKeyResponse - 19, // 50: iam_pb.SeaweedIdentityAccessManagement.GetUserByAccessKey:output_type -> iam_pb.GetUserByAccessKeyResponse - 34, // 51: iam_pb.SeaweedIdentityAccessManagement.PutPolicy:output_type -> iam_pb.PutPolicyResponse - 36, // 52: iam_pb.SeaweedIdentityAccessManagement.GetPolicy:output_type -> iam_pb.GetPolicyResponse - 38, // 53: iam_pb.SeaweedIdentityAccessManagement.ListPolicies:output_type -> iam_pb.ListPoliciesResponse - 40, // 54: iam_pb.SeaweedIdentityAccessManagement.DeletePolicy:output_type -> iam_pb.DeletePolicyResponse - 43, // 55: iam_pb.SeaweedIdentityAccessManagement.CreateServiceAccount:output_type -> iam_pb.CreateServiceAccountResponse - 45, // 56: iam_pb.SeaweedIdentityAccessManagement.UpdateServiceAccount:output_type -> iam_pb.UpdateServiceAccountResponse - 47, // 57: iam_pb.SeaweedIdentityAccessManagement.DeleteServiceAccount:output_type -> iam_pb.DeleteServiceAccountResponse - 49, // 58: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccount:output_type -> iam_pb.GetServiceAccountResponse - 51, // 59: iam_pb.SeaweedIdentityAccessManagement.ListServiceAccounts:output_type -> iam_pb.ListServiceAccountsResponse - 53, // 60: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccountByAccessKey:output_type -> iam_pb.GetServiceAccountByAccessKeyResponse - 41, // [41:61] is the sub-list for method output_type - 21, // [21:41] is the sub-list for method input_type - 21, // [21:21] is the sub-list for extension type_name - 21, // [21:21] is the sub-list for extension extendee - 0, // [0:21] is the sub-list for field type_name + 29, // 21: iam_pb.PutIdentityRequest.identity:type_name -> iam_pb.Identity + 0, // 22: iam_pb.SeaweedIdentityAccessManagement.GetConfiguration:input_type -> iam_pb.GetConfigurationRequest + 2, // 23: iam_pb.SeaweedIdentityAccessManagement.PutConfiguration:input_type -> iam_pb.PutConfigurationRequest + 4, // 24: iam_pb.SeaweedIdentityAccessManagement.CreateUser:input_type -> iam_pb.CreateUserRequest + 6, // 25: iam_pb.SeaweedIdentityAccessManagement.GetUser:input_type -> iam_pb.GetUserRequest + 8, // 26: iam_pb.SeaweedIdentityAccessManagement.UpdateUser:input_type -> iam_pb.UpdateUserRequest + 10, // 27: iam_pb.SeaweedIdentityAccessManagement.DeleteUser:input_type -> iam_pb.DeleteUserRequest + 12, // 28: iam_pb.SeaweedIdentityAccessManagement.ListUsers:input_type -> iam_pb.ListUsersRequest + 14, // 29: iam_pb.SeaweedIdentityAccessManagement.CreateAccessKey:input_type -> iam_pb.CreateAccessKeyRequest + 16, // 30: iam_pb.SeaweedIdentityAccessManagement.DeleteAccessKey:input_type -> iam_pb.DeleteAccessKeyRequest + 18, // 31: iam_pb.SeaweedIdentityAccessManagement.GetUserByAccessKey:input_type -> iam_pb.GetUserByAccessKeyRequest + 33, // 32: iam_pb.SeaweedIdentityAccessManagement.PutPolicy:input_type -> iam_pb.PutPolicyRequest + 35, // 33: iam_pb.SeaweedIdentityAccessManagement.GetPolicy:input_type -> iam_pb.GetPolicyRequest + 37, // 34: iam_pb.SeaweedIdentityAccessManagement.ListPolicies:input_type -> iam_pb.ListPoliciesRequest + 39, // 35: iam_pb.SeaweedIdentityAccessManagement.DeletePolicy:input_type -> iam_pb.DeletePolicyRequest + 42, // 36: iam_pb.SeaweedIdentityAccessManagement.CreateServiceAccount:input_type -> iam_pb.CreateServiceAccountRequest + 44, // 37: iam_pb.SeaweedIdentityAccessManagement.UpdateServiceAccount:input_type -> iam_pb.UpdateServiceAccountRequest + 46, // 38: iam_pb.SeaweedIdentityAccessManagement.DeleteServiceAccount:input_type -> iam_pb.DeleteServiceAccountRequest + 48, // 39: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccount:input_type -> iam_pb.GetServiceAccountRequest + 50, // 40: iam_pb.SeaweedIdentityAccessManagement.ListServiceAccounts:input_type -> iam_pb.ListServiceAccountsRequest + 52, // 41: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccountByAccessKey:input_type -> iam_pb.GetServiceAccountByAccessKeyRequest + 1, // 42: iam_pb.SeaweedIdentityAccessManagement.GetConfiguration:output_type -> iam_pb.GetConfigurationResponse + 3, // 43: iam_pb.SeaweedIdentityAccessManagement.PutConfiguration:output_type -> iam_pb.PutConfigurationResponse + 5, // 44: iam_pb.SeaweedIdentityAccessManagement.CreateUser:output_type -> iam_pb.CreateUserResponse + 7, // 45: iam_pb.SeaweedIdentityAccessManagement.GetUser:output_type -> iam_pb.GetUserResponse + 9, // 46: iam_pb.SeaweedIdentityAccessManagement.UpdateUser:output_type -> iam_pb.UpdateUserResponse + 11, // 47: iam_pb.SeaweedIdentityAccessManagement.DeleteUser:output_type -> iam_pb.DeleteUserResponse + 13, // 48: iam_pb.SeaweedIdentityAccessManagement.ListUsers:output_type -> iam_pb.ListUsersResponse + 15, // 49: iam_pb.SeaweedIdentityAccessManagement.CreateAccessKey:output_type -> iam_pb.CreateAccessKeyResponse + 17, // 50: iam_pb.SeaweedIdentityAccessManagement.DeleteAccessKey:output_type -> iam_pb.DeleteAccessKeyResponse + 19, // 51: iam_pb.SeaweedIdentityAccessManagement.GetUserByAccessKey:output_type -> iam_pb.GetUserByAccessKeyResponse + 34, // 52: iam_pb.SeaweedIdentityAccessManagement.PutPolicy:output_type -> iam_pb.PutPolicyResponse + 36, // 53: iam_pb.SeaweedIdentityAccessManagement.GetPolicy:output_type -> iam_pb.GetPolicyResponse + 38, // 54: iam_pb.SeaweedIdentityAccessManagement.ListPolicies:output_type -> iam_pb.ListPoliciesResponse + 40, // 55: iam_pb.SeaweedIdentityAccessManagement.DeletePolicy:output_type -> iam_pb.DeletePolicyResponse + 43, // 56: iam_pb.SeaweedIdentityAccessManagement.CreateServiceAccount:output_type -> iam_pb.CreateServiceAccountResponse + 45, // 57: iam_pb.SeaweedIdentityAccessManagement.UpdateServiceAccount:output_type -> iam_pb.UpdateServiceAccountResponse + 47, // 58: iam_pb.SeaweedIdentityAccessManagement.DeleteServiceAccount:output_type -> iam_pb.DeleteServiceAccountResponse + 49, // 59: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccount:output_type -> iam_pb.GetServiceAccountResponse + 51, // 60: iam_pb.SeaweedIdentityAccessManagement.ListServiceAccounts:output_type -> iam_pb.ListServiceAccountsResponse + 53, // 61: iam_pb.SeaweedIdentityAccessManagement.GetServiceAccountByAccessKey:output_type -> iam_pb.GetServiceAccountByAccessKeyResponse + 42, // [42:62] is the sub-list for method output_type + 22, // [22:42] is the sub-list for method input_type + 22, // [22:22] is the sub-list for extension type_name + 22, // [22:22] is the sub-list for extension extendee + 0, // [0:22] is the sub-list for field type_name } func init() { file_iam_proto_init() } @@ -2863,7 +3034,7 @@ func file_iam_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_iam_proto_rawDesc), len(file_iam_proto_rawDesc)), NumEnums: 0, - NumMessages: 54, + NumMessages: 58, NumExtensions: 0, NumServices: 1, }, diff --git a/weed/pb/s3.proto b/weed/pb/s3.proto index 097c7ba26..8deb87ada 100644 --- a/weed/pb/s3.proto +++ b/weed/pb/s3.proto @@ -10,29 +10,14 @@ option java_outer_classname = "S3Proto"; import "iam.proto"; -service SeaweedS3 { - - // Explicit IAM APIs mirroring SeaweedIdentityAccessManagement - rpc ListUsers (iam_pb.ListUsersRequest) returns (iam_pb.ListUsersResponse) {} - rpc CreateUser (iam_pb.CreateUserRequest) returns (iam_pb.CreateUserResponse) {} - rpc GetUser (iam_pb.GetUserRequest) returns (iam_pb.GetUserResponse) {} - rpc UpdateUser (iam_pb.UpdateUserRequest) returns (iam_pb.UpdateUserResponse) {} - rpc DeleteUser (iam_pb.DeleteUserRequest) returns (iam_pb.DeleteUserResponse) {} - - rpc ListAccessKeys (iam_pb.ListAccessKeysRequest) returns (iam_pb.ListAccessKeysResponse) {} - rpc CreateAccessKey (iam_pb.CreateAccessKeyRequest) returns (iam_pb.CreateAccessKeyResponse) {} - rpc DeleteAccessKey (iam_pb.DeleteAccessKeyRequest) returns (iam_pb.DeleteAccessKeyResponse) {} - - rpc PutUserPolicy (iam_pb.PutUserPolicyRequest) returns (iam_pb.PutUserPolicyResponse) {} - rpc GetUserPolicy (iam_pb.GetUserPolicyRequest) returns (iam_pb.GetUserPolicyResponse) {} - rpc DeleteUserPolicy (iam_pb.DeleteUserPolicyRequest) returns (iam_pb.DeleteUserPolicyResponse) {} - - rpc ListServiceAccounts (iam_pb.ListServiceAccountsRequest) returns (iam_pb.ListServiceAccountsResponse) {} - rpc CreateServiceAccount (iam_pb.CreateServiceAccountRequest) returns (iam_pb.CreateServiceAccountResponse) {} - rpc UpdateServiceAccount (iam_pb.UpdateServiceAccountRequest) returns (iam_pb.UpdateServiceAccountResponse) {} - rpc DeleteServiceAccount (iam_pb.DeleteServiceAccountRequest) returns (iam_pb.DeleteServiceAccountResponse) {} - rpc GetServiceAccount (iam_pb.GetServiceAccountRequest) returns (iam_pb.GetServiceAccountResponse) {} - +// Designed for unidirectional propagation from Filer to S3 Servers +service SeaweedS3IamCache { + rpc PutIdentity (iam_pb.PutIdentityRequest) returns (iam_pb.PutIdentityResponse); + rpc RemoveIdentity (iam_pb.RemoveIdentityRequest) returns (iam_pb.RemoveIdentityResponse); + rpc PutPolicy (iam_pb.PutPolicyRequest) returns (iam_pb.PutPolicyResponse); + rpc GetPolicy (iam_pb.GetPolicyRequest) returns (iam_pb.GetPolicyResponse); + rpc ListPolicies (iam_pb.ListPoliciesRequest) returns (iam_pb.ListPoliciesResponse); + rpc DeletePolicy (iam_pb.DeletePolicyRequest) returns (iam_pb.DeletePolicyResponse); } ////////////////////////////////////////////////// diff --git a/weed/pb/s3_pb/s3.pb.go b/weed/pb/s3_pb/s3.pb.go index daf6fe912..308eaf95e 100644 --- a/weed/pb/s3_pb/s3.pb.go +++ b/weed/pb/s3_pb/s3.pb.go @@ -414,28 +414,14 @@ const file_s3_proto_rawDesc = "" + "\rsse_algorithm\x18\x01 \x01(\tR\fsseAlgorithm\x12\x1c\n" + "\n" + "kms_key_id\x18\x02 \x01(\tR\bkmsKeyId\x12,\n" + - "\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xc7\n" + - "\n" + - "\tSeaweedS3\x12B\n" + - "\tListUsers\x12\x18.iam_pb.ListUsersRequest\x1a\x19.iam_pb.ListUsersResponse\"\x00\x12E\n" + - "\n" + - "CreateUser\x12\x19.iam_pb.CreateUserRequest\x1a\x1a.iam_pb.CreateUserResponse\"\x00\x12<\n" + - "\aGetUser\x12\x16.iam_pb.GetUserRequest\x1a\x17.iam_pb.GetUserResponse\"\x00\x12E\n" + - "\n" + - "UpdateUser\x12\x19.iam_pb.UpdateUserRequest\x1a\x1a.iam_pb.UpdateUserResponse\"\x00\x12E\n" + - "\n" + - "DeleteUser\x12\x19.iam_pb.DeleteUserRequest\x1a\x1a.iam_pb.DeleteUserResponse\"\x00\x12Q\n" + - "\x0eListAccessKeys\x12\x1d.iam_pb.ListAccessKeysRequest\x1a\x1e.iam_pb.ListAccessKeysResponse\"\x00\x12T\n" + - "\x0fCreateAccessKey\x12\x1e.iam_pb.CreateAccessKeyRequest\x1a\x1f.iam_pb.CreateAccessKeyResponse\"\x00\x12T\n" + - "\x0fDeleteAccessKey\x12\x1e.iam_pb.DeleteAccessKeyRequest\x1a\x1f.iam_pb.DeleteAccessKeyResponse\"\x00\x12N\n" + - "\rPutUserPolicy\x12\x1c.iam_pb.PutUserPolicyRequest\x1a\x1d.iam_pb.PutUserPolicyResponse\"\x00\x12N\n" + - "\rGetUserPolicy\x12\x1c.iam_pb.GetUserPolicyRequest\x1a\x1d.iam_pb.GetUserPolicyResponse\"\x00\x12W\n" + - "\x10DeleteUserPolicy\x12\x1f.iam_pb.DeleteUserPolicyRequest\x1a .iam_pb.DeleteUserPolicyResponse\"\x00\x12`\n" + - "\x13ListServiceAccounts\x12\".iam_pb.ListServiceAccountsRequest\x1a#.iam_pb.ListServiceAccountsResponse\"\x00\x12c\n" + - "\x14CreateServiceAccount\x12#.iam_pb.CreateServiceAccountRequest\x1a$.iam_pb.CreateServiceAccountResponse\"\x00\x12c\n" + - "\x14UpdateServiceAccount\x12#.iam_pb.UpdateServiceAccountRequest\x1a$.iam_pb.UpdateServiceAccountResponse\"\x00\x12c\n" + - "\x14DeleteServiceAccount\x12#.iam_pb.DeleteServiceAccountRequest\x1a$.iam_pb.DeleteServiceAccountResponse\"\x00\x12Z\n" + - "\x11GetServiceAccount\x12 .iam_pb.GetServiceAccountRequest\x1a!.iam_pb.GetServiceAccountResponse\"\x00BI\n" + + "\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xc6\x03\n" + + "\x11SeaweedS3IamCache\x12F\n" + + "\vPutIdentity\x12\x1a.iam_pb.PutIdentityRequest\x1a\x1b.iam_pb.PutIdentityResponse\x12O\n" + + "\x0eRemoveIdentity\x12\x1d.iam_pb.RemoveIdentityRequest\x1a\x1e.iam_pb.RemoveIdentityResponse\x12@\n" + + "\tPutPolicy\x12\x18.iam_pb.PutPolicyRequest\x1a\x19.iam_pb.PutPolicyResponse\x12@\n" + + "\tGetPolicy\x12\x18.iam_pb.GetPolicyRequest\x1a\x19.iam_pb.GetPolicyResponse\x12I\n" + + "\fListPolicies\x12\x1b.iam_pb.ListPoliciesRequest\x1a\x1c.iam_pb.ListPoliciesResponse\x12I\n" + + "\fDeletePolicy\x12\x1b.iam_pb.DeletePolicyRequest\x1a\x1c.iam_pb.DeletePolicyResponseBI\n" + "\x10seaweedfs.clientB\aS3ProtoZ,github.com/seaweedfs/seaweedfs/weed/pb/s3_pbb\x06proto3" var ( @@ -452,47 +438,27 @@ func file_s3_proto_rawDescGZIP() []byte { var file_s3_proto_msgTypes = make([]protoimpl.MessageInfo, 9) var file_s3_proto_goTypes = []any{ - (*S3CircuitBreakerConfig)(nil), // 0: messaging_pb.S3CircuitBreakerConfig - (*S3CircuitBreakerOptions)(nil), // 1: messaging_pb.S3CircuitBreakerOptions - (*CORSRule)(nil), // 2: messaging_pb.CORSRule - (*CORSConfiguration)(nil), // 3: messaging_pb.CORSConfiguration - (*BucketMetadata)(nil), // 4: messaging_pb.BucketMetadata - (*EncryptionConfiguration)(nil), // 5: messaging_pb.EncryptionConfiguration - nil, // 6: messaging_pb.S3CircuitBreakerConfig.BucketsEntry - nil, // 7: messaging_pb.S3CircuitBreakerOptions.ActionsEntry - nil, // 8: messaging_pb.BucketMetadata.TagsEntry - (*iam_pb.ListUsersRequest)(nil), // 9: iam_pb.ListUsersRequest - (*iam_pb.CreateUserRequest)(nil), // 10: iam_pb.CreateUserRequest - (*iam_pb.GetUserRequest)(nil), // 11: iam_pb.GetUserRequest - (*iam_pb.UpdateUserRequest)(nil), // 12: iam_pb.UpdateUserRequest - (*iam_pb.DeleteUserRequest)(nil), // 13: iam_pb.DeleteUserRequest - (*iam_pb.ListAccessKeysRequest)(nil), // 14: iam_pb.ListAccessKeysRequest - (*iam_pb.CreateAccessKeyRequest)(nil), // 15: iam_pb.CreateAccessKeyRequest - (*iam_pb.DeleteAccessKeyRequest)(nil), // 16: iam_pb.DeleteAccessKeyRequest - (*iam_pb.PutUserPolicyRequest)(nil), // 17: iam_pb.PutUserPolicyRequest - (*iam_pb.GetUserPolicyRequest)(nil), // 18: iam_pb.GetUserPolicyRequest - (*iam_pb.DeleteUserPolicyRequest)(nil), // 19: iam_pb.DeleteUserPolicyRequest - (*iam_pb.ListServiceAccountsRequest)(nil), // 20: iam_pb.ListServiceAccountsRequest - (*iam_pb.CreateServiceAccountRequest)(nil), // 21: iam_pb.CreateServiceAccountRequest - (*iam_pb.UpdateServiceAccountRequest)(nil), // 22: iam_pb.UpdateServiceAccountRequest - (*iam_pb.DeleteServiceAccountRequest)(nil), // 23: iam_pb.DeleteServiceAccountRequest - (*iam_pb.GetServiceAccountRequest)(nil), // 24: iam_pb.GetServiceAccountRequest - (*iam_pb.ListUsersResponse)(nil), // 25: iam_pb.ListUsersResponse - (*iam_pb.CreateUserResponse)(nil), // 26: iam_pb.CreateUserResponse - (*iam_pb.GetUserResponse)(nil), // 27: iam_pb.GetUserResponse - (*iam_pb.UpdateUserResponse)(nil), // 28: iam_pb.UpdateUserResponse - (*iam_pb.DeleteUserResponse)(nil), // 29: iam_pb.DeleteUserResponse - (*iam_pb.ListAccessKeysResponse)(nil), // 30: iam_pb.ListAccessKeysResponse - (*iam_pb.CreateAccessKeyResponse)(nil), // 31: iam_pb.CreateAccessKeyResponse - (*iam_pb.DeleteAccessKeyResponse)(nil), // 32: iam_pb.DeleteAccessKeyResponse - (*iam_pb.PutUserPolicyResponse)(nil), // 33: iam_pb.PutUserPolicyResponse - (*iam_pb.GetUserPolicyResponse)(nil), // 34: iam_pb.GetUserPolicyResponse - (*iam_pb.DeleteUserPolicyResponse)(nil), // 35: iam_pb.DeleteUserPolicyResponse - (*iam_pb.ListServiceAccountsResponse)(nil), // 36: iam_pb.ListServiceAccountsResponse - (*iam_pb.CreateServiceAccountResponse)(nil), // 37: iam_pb.CreateServiceAccountResponse - (*iam_pb.UpdateServiceAccountResponse)(nil), // 38: iam_pb.UpdateServiceAccountResponse - (*iam_pb.DeleteServiceAccountResponse)(nil), // 39: iam_pb.DeleteServiceAccountResponse - (*iam_pb.GetServiceAccountResponse)(nil), // 40: iam_pb.GetServiceAccountResponse + (*S3CircuitBreakerConfig)(nil), // 0: messaging_pb.S3CircuitBreakerConfig + (*S3CircuitBreakerOptions)(nil), // 1: messaging_pb.S3CircuitBreakerOptions + (*CORSRule)(nil), // 2: messaging_pb.CORSRule + (*CORSConfiguration)(nil), // 3: messaging_pb.CORSConfiguration + (*BucketMetadata)(nil), // 4: messaging_pb.BucketMetadata + (*EncryptionConfiguration)(nil), // 5: messaging_pb.EncryptionConfiguration + nil, // 6: messaging_pb.S3CircuitBreakerConfig.BucketsEntry + nil, // 7: messaging_pb.S3CircuitBreakerOptions.ActionsEntry + nil, // 8: messaging_pb.BucketMetadata.TagsEntry + (*iam_pb.PutIdentityRequest)(nil), // 9: iam_pb.PutIdentityRequest + (*iam_pb.RemoveIdentityRequest)(nil), // 10: iam_pb.RemoveIdentityRequest + (*iam_pb.PutPolicyRequest)(nil), // 11: iam_pb.PutPolicyRequest + (*iam_pb.GetPolicyRequest)(nil), // 12: iam_pb.GetPolicyRequest + (*iam_pb.ListPoliciesRequest)(nil), // 13: iam_pb.ListPoliciesRequest + (*iam_pb.DeletePolicyRequest)(nil), // 14: iam_pb.DeletePolicyRequest + (*iam_pb.PutIdentityResponse)(nil), // 15: iam_pb.PutIdentityResponse + (*iam_pb.RemoveIdentityResponse)(nil), // 16: iam_pb.RemoveIdentityResponse + (*iam_pb.PutPolicyResponse)(nil), // 17: iam_pb.PutPolicyResponse + (*iam_pb.GetPolicyResponse)(nil), // 18: iam_pb.GetPolicyResponse + (*iam_pb.ListPoliciesResponse)(nil), // 19: iam_pb.ListPoliciesResponse + (*iam_pb.DeletePolicyResponse)(nil), // 20: iam_pb.DeletePolicyResponse } var file_s3_proto_depIdxs = []int32{ 1, // 0: messaging_pb.S3CircuitBreakerConfig.global:type_name -> messaging_pb.S3CircuitBreakerOptions @@ -503,40 +469,20 @@ var file_s3_proto_depIdxs = []int32{ 3, // 5: messaging_pb.BucketMetadata.cors:type_name -> messaging_pb.CORSConfiguration 5, // 6: messaging_pb.BucketMetadata.encryption:type_name -> messaging_pb.EncryptionConfiguration 1, // 7: messaging_pb.S3CircuitBreakerConfig.BucketsEntry.value:type_name -> messaging_pb.S3CircuitBreakerOptions - 9, // 8: messaging_pb.SeaweedS3.ListUsers:input_type -> iam_pb.ListUsersRequest - 10, // 9: messaging_pb.SeaweedS3.CreateUser:input_type -> iam_pb.CreateUserRequest - 11, // 10: messaging_pb.SeaweedS3.GetUser:input_type -> iam_pb.GetUserRequest - 12, // 11: messaging_pb.SeaweedS3.UpdateUser:input_type -> iam_pb.UpdateUserRequest - 13, // 12: messaging_pb.SeaweedS3.DeleteUser:input_type -> iam_pb.DeleteUserRequest - 14, // 13: messaging_pb.SeaweedS3.ListAccessKeys:input_type -> iam_pb.ListAccessKeysRequest - 15, // 14: messaging_pb.SeaweedS3.CreateAccessKey:input_type -> iam_pb.CreateAccessKeyRequest - 16, // 15: messaging_pb.SeaweedS3.DeleteAccessKey:input_type -> iam_pb.DeleteAccessKeyRequest - 17, // 16: messaging_pb.SeaweedS3.PutUserPolicy:input_type -> iam_pb.PutUserPolicyRequest - 18, // 17: messaging_pb.SeaweedS3.GetUserPolicy:input_type -> iam_pb.GetUserPolicyRequest - 19, // 18: messaging_pb.SeaweedS3.DeleteUserPolicy:input_type -> iam_pb.DeleteUserPolicyRequest - 20, // 19: messaging_pb.SeaweedS3.ListServiceAccounts:input_type -> iam_pb.ListServiceAccountsRequest - 21, // 20: messaging_pb.SeaweedS3.CreateServiceAccount:input_type -> iam_pb.CreateServiceAccountRequest - 22, // 21: messaging_pb.SeaweedS3.UpdateServiceAccount:input_type -> iam_pb.UpdateServiceAccountRequest - 23, // 22: messaging_pb.SeaweedS3.DeleteServiceAccount:input_type -> iam_pb.DeleteServiceAccountRequest - 24, // 23: messaging_pb.SeaweedS3.GetServiceAccount:input_type -> iam_pb.GetServiceAccountRequest - 25, // 24: messaging_pb.SeaweedS3.ListUsers:output_type -> iam_pb.ListUsersResponse - 26, // 25: messaging_pb.SeaweedS3.CreateUser:output_type -> iam_pb.CreateUserResponse - 27, // 26: messaging_pb.SeaweedS3.GetUser:output_type -> iam_pb.GetUserResponse - 28, // 27: messaging_pb.SeaweedS3.UpdateUser:output_type -> iam_pb.UpdateUserResponse - 29, // 28: messaging_pb.SeaweedS3.DeleteUser:output_type -> iam_pb.DeleteUserResponse - 30, // 29: messaging_pb.SeaweedS3.ListAccessKeys:output_type -> iam_pb.ListAccessKeysResponse - 31, // 30: messaging_pb.SeaweedS3.CreateAccessKey:output_type -> iam_pb.CreateAccessKeyResponse - 32, // 31: messaging_pb.SeaweedS3.DeleteAccessKey:output_type -> iam_pb.DeleteAccessKeyResponse - 33, // 32: messaging_pb.SeaweedS3.PutUserPolicy:output_type -> iam_pb.PutUserPolicyResponse - 34, // 33: messaging_pb.SeaweedS3.GetUserPolicy:output_type -> iam_pb.GetUserPolicyResponse - 35, // 34: messaging_pb.SeaweedS3.DeleteUserPolicy:output_type -> iam_pb.DeleteUserPolicyResponse - 36, // 35: messaging_pb.SeaweedS3.ListServiceAccounts:output_type -> iam_pb.ListServiceAccountsResponse - 37, // 36: messaging_pb.SeaweedS3.CreateServiceAccount:output_type -> iam_pb.CreateServiceAccountResponse - 38, // 37: messaging_pb.SeaweedS3.UpdateServiceAccount:output_type -> iam_pb.UpdateServiceAccountResponse - 39, // 38: messaging_pb.SeaweedS3.DeleteServiceAccount:output_type -> iam_pb.DeleteServiceAccountResponse - 40, // 39: messaging_pb.SeaweedS3.GetServiceAccount:output_type -> iam_pb.GetServiceAccountResponse - 24, // [24:40] is the sub-list for method output_type - 8, // [8:24] is the sub-list for method input_type + 9, // 8: messaging_pb.SeaweedS3IamCache.PutIdentity:input_type -> iam_pb.PutIdentityRequest + 10, // 9: messaging_pb.SeaweedS3IamCache.RemoveIdentity:input_type -> iam_pb.RemoveIdentityRequest + 11, // 10: messaging_pb.SeaweedS3IamCache.PutPolicy:input_type -> iam_pb.PutPolicyRequest + 12, // 11: messaging_pb.SeaweedS3IamCache.GetPolicy:input_type -> iam_pb.GetPolicyRequest + 13, // 12: messaging_pb.SeaweedS3IamCache.ListPolicies:input_type -> iam_pb.ListPoliciesRequest + 14, // 13: messaging_pb.SeaweedS3IamCache.DeletePolicy:input_type -> iam_pb.DeletePolicyRequest + 15, // 14: messaging_pb.SeaweedS3IamCache.PutIdentity:output_type -> iam_pb.PutIdentityResponse + 16, // 15: messaging_pb.SeaweedS3IamCache.RemoveIdentity:output_type -> iam_pb.RemoveIdentityResponse + 17, // 16: messaging_pb.SeaweedS3IamCache.PutPolicy:output_type -> iam_pb.PutPolicyResponse + 18, // 17: messaging_pb.SeaweedS3IamCache.GetPolicy:output_type -> iam_pb.GetPolicyResponse + 19, // 18: messaging_pb.SeaweedS3IamCache.ListPolicies:output_type -> iam_pb.ListPoliciesResponse + 20, // 19: messaging_pb.SeaweedS3IamCache.DeletePolicy:output_type -> iam_pb.DeletePolicyResponse + 14, // [14:20] is the sub-list for method output_type + 8, // [8:14] is the sub-list for method input_type 8, // [8:8] is the sub-list for extension type_name 8, // [8:8] is the sub-list for extension extendee 0, // [0:8] is the sub-list for field type_name diff --git a/weed/pb/s3_pb/s3_grpc.pb.go b/weed/pb/s3_pb/s3_grpc.pb.go index 7a5bbbfcf..7e6b46b92 100644 --- a/weed/pb/s3_pb/s3_grpc.pb.go +++ b/weed/pb/s3_pb/s3_grpc.pb.go @@ -20,673 +20,295 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - SeaweedS3_ListUsers_FullMethodName = "/messaging_pb.SeaweedS3/ListUsers" - SeaweedS3_CreateUser_FullMethodName = "/messaging_pb.SeaweedS3/CreateUser" - SeaweedS3_GetUser_FullMethodName = "/messaging_pb.SeaweedS3/GetUser" - SeaweedS3_UpdateUser_FullMethodName = "/messaging_pb.SeaweedS3/UpdateUser" - SeaweedS3_DeleteUser_FullMethodName = "/messaging_pb.SeaweedS3/DeleteUser" - SeaweedS3_ListAccessKeys_FullMethodName = "/messaging_pb.SeaweedS3/ListAccessKeys" - SeaweedS3_CreateAccessKey_FullMethodName = "/messaging_pb.SeaweedS3/CreateAccessKey" - SeaweedS3_DeleteAccessKey_FullMethodName = "/messaging_pb.SeaweedS3/DeleteAccessKey" - SeaweedS3_PutUserPolicy_FullMethodName = "/messaging_pb.SeaweedS3/PutUserPolicy" - SeaweedS3_GetUserPolicy_FullMethodName = "/messaging_pb.SeaweedS3/GetUserPolicy" - SeaweedS3_DeleteUserPolicy_FullMethodName = "/messaging_pb.SeaweedS3/DeleteUserPolicy" - SeaweedS3_ListServiceAccounts_FullMethodName = "/messaging_pb.SeaweedS3/ListServiceAccounts" - SeaweedS3_CreateServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/CreateServiceAccount" - SeaweedS3_UpdateServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/UpdateServiceAccount" - SeaweedS3_DeleteServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/DeleteServiceAccount" - SeaweedS3_GetServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/GetServiceAccount" + SeaweedS3IamCache_PutIdentity_FullMethodName = "/messaging_pb.SeaweedS3IamCache/PutIdentity" + SeaweedS3IamCache_RemoveIdentity_FullMethodName = "/messaging_pb.SeaweedS3IamCache/RemoveIdentity" + SeaweedS3IamCache_PutPolicy_FullMethodName = "/messaging_pb.SeaweedS3IamCache/PutPolicy" + SeaweedS3IamCache_GetPolicy_FullMethodName = "/messaging_pb.SeaweedS3IamCache/GetPolicy" + SeaweedS3IamCache_ListPolicies_FullMethodName = "/messaging_pb.SeaweedS3IamCache/ListPolicies" + SeaweedS3IamCache_DeletePolicy_FullMethodName = "/messaging_pb.SeaweedS3IamCache/DeletePolicy" ) -// SeaweedS3Client is the client API for SeaweedS3 service. +// SeaweedS3IamCacheClient is the client API for SeaweedS3IamCache service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type SeaweedS3Client interface { - // Explicit IAM APIs mirroring SeaweedIdentityAccessManagement - ListUsers(ctx context.Context, in *iam_pb.ListUsersRequest, opts ...grpc.CallOption) (*iam_pb.ListUsersResponse, error) - CreateUser(ctx context.Context, in *iam_pb.CreateUserRequest, opts ...grpc.CallOption) (*iam_pb.CreateUserResponse, error) - GetUser(ctx context.Context, in *iam_pb.GetUserRequest, opts ...grpc.CallOption) (*iam_pb.GetUserResponse, error) - UpdateUser(ctx context.Context, in *iam_pb.UpdateUserRequest, opts ...grpc.CallOption) (*iam_pb.UpdateUserResponse, error) - DeleteUser(ctx context.Context, in *iam_pb.DeleteUserRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserResponse, error) - ListAccessKeys(ctx context.Context, in *iam_pb.ListAccessKeysRequest, opts ...grpc.CallOption) (*iam_pb.ListAccessKeysResponse, error) - CreateAccessKey(ctx context.Context, in *iam_pb.CreateAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.CreateAccessKeyResponse, error) - DeleteAccessKey(ctx context.Context, in *iam_pb.DeleteAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteAccessKeyResponse, error) - PutUserPolicy(ctx context.Context, in *iam_pb.PutUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutUserPolicyResponse, error) - GetUserPolicy(ctx context.Context, in *iam_pb.GetUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetUserPolicyResponse, error) - DeleteUserPolicy(ctx context.Context, in *iam_pb.DeleteUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserPolicyResponse, error) - ListServiceAccounts(ctx context.Context, in *iam_pb.ListServiceAccountsRequest, opts ...grpc.CallOption) (*iam_pb.ListServiceAccountsResponse, error) - CreateServiceAccount(ctx context.Context, in *iam_pb.CreateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.CreateServiceAccountResponse, error) - UpdateServiceAccount(ctx context.Context, in *iam_pb.UpdateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.UpdateServiceAccountResponse, error) - DeleteServiceAccount(ctx context.Context, in *iam_pb.DeleteServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.DeleteServiceAccountResponse, error) - GetServiceAccount(ctx context.Context, in *iam_pb.GetServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.GetServiceAccountResponse, error) +// +// Designed for unidirectional propagation from Filer to S3 Servers +type SeaweedS3IamCacheClient interface { + PutIdentity(ctx context.Context, in *iam_pb.PutIdentityRequest, opts ...grpc.CallOption) (*iam_pb.PutIdentityResponse, error) + RemoveIdentity(ctx context.Context, in *iam_pb.RemoveIdentityRequest, opts ...grpc.CallOption) (*iam_pb.RemoveIdentityResponse, error) + PutPolicy(ctx context.Context, in *iam_pb.PutPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutPolicyResponse, error) + GetPolicy(ctx context.Context, in *iam_pb.GetPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetPolicyResponse, error) + ListPolicies(ctx context.Context, in *iam_pb.ListPoliciesRequest, opts ...grpc.CallOption) (*iam_pb.ListPoliciesResponse, error) + DeletePolicy(ctx context.Context, in *iam_pb.DeletePolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeletePolicyResponse, error) } -type seaweedS3Client struct { +type seaweedS3IamCacheClient struct { cc grpc.ClientConnInterface } -func NewSeaweedS3Client(cc grpc.ClientConnInterface) SeaweedS3Client { - return &seaweedS3Client{cc} -} - -func (c *seaweedS3Client) ListUsers(ctx context.Context, in *iam_pb.ListUsersRequest, opts ...grpc.CallOption) (*iam_pb.ListUsersResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.ListUsersResponse) - err := c.cc.Invoke(ctx, SeaweedS3_ListUsers_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) CreateUser(ctx context.Context, in *iam_pb.CreateUserRequest, opts ...grpc.CallOption) (*iam_pb.CreateUserResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.CreateUserResponse) - err := c.cc.Invoke(ctx, SeaweedS3_CreateUser_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) GetUser(ctx context.Context, in *iam_pb.GetUserRequest, opts ...grpc.CallOption) (*iam_pb.GetUserResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.GetUserResponse) - err := c.cc.Invoke(ctx, SeaweedS3_GetUser_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil +func NewSeaweedS3IamCacheClient(cc grpc.ClientConnInterface) SeaweedS3IamCacheClient { + return &seaweedS3IamCacheClient{cc} } -func (c *seaweedS3Client) UpdateUser(ctx context.Context, in *iam_pb.UpdateUserRequest, opts ...grpc.CallOption) (*iam_pb.UpdateUserResponse, error) { +func (c *seaweedS3IamCacheClient) PutIdentity(ctx context.Context, in *iam_pb.PutIdentityRequest, opts ...grpc.CallOption) (*iam_pb.PutIdentityResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.UpdateUserResponse) - err := c.cc.Invoke(ctx, SeaweedS3_UpdateUser_FullMethodName, in, out, cOpts...) + out := new(iam_pb.PutIdentityResponse) + err := c.cc.Invoke(ctx, SeaweedS3IamCache_PutIdentity_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *seaweedS3Client) DeleteUser(ctx context.Context, in *iam_pb.DeleteUserRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserResponse, error) { +func (c *seaweedS3IamCacheClient) RemoveIdentity(ctx context.Context, in *iam_pb.RemoveIdentityRequest, opts ...grpc.CallOption) (*iam_pb.RemoveIdentityResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.DeleteUserResponse) - err := c.cc.Invoke(ctx, SeaweedS3_DeleteUser_FullMethodName, in, out, cOpts...) + out := new(iam_pb.RemoveIdentityResponse) + err := c.cc.Invoke(ctx, SeaweedS3IamCache_RemoveIdentity_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *seaweedS3Client) ListAccessKeys(ctx context.Context, in *iam_pb.ListAccessKeysRequest, opts ...grpc.CallOption) (*iam_pb.ListAccessKeysResponse, error) { +func (c *seaweedS3IamCacheClient) PutPolicy(ctx context.Context, in *iam_pb.PutPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutPolicyResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.ListAccessKeysResponse) - err := c.cc.Invoke(ctx, SeaweedS3_ListAccessKeys_FullMethodName, in, out, cOpts...) + out := new(iam_pb.PutPolicyResponse) + err := c.cc.Invoke(ctx, SeaweedS3IamCache_PutPolicy_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *seaweedS3Client) CreateAccessKey(ctx context.Context, in *iam_pb.CreateAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.CreateAccessKeyResponse, error) { +func (c *seaweedS3IamCacheClient) GetPolicy(ctx context.Context, in *iam_pb.GetPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetPolicyResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.CreateAccessKeyResponse) - err := c.cc.Invoke(ctx, SeaweedS3_CreateAccessKey_FullMethodName, in, out, cOpts...) + out := new(iam_pb.GetPolicyResponse) + err := c.cc.Invoke(ctx, SeaweedS3IamCache_GetPolicy_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *seaweedS3Client) DeleteAccessKey(ctx context.Context, in *iam_pb.DeleteAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteAccessKeyResponse, error) { +func (c *seaweedS3IamCacheClient) ListPolicies(ctx context.Context, in *iam_pb.ListPoliciesRequest, opts ...grpc.CallOption) (*iam_pb.ListPoliciesResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.DeleteAccessKeyResponse) - err := c.cc.Invoke(ctx, SeaweedS3_DeleteAccessKey_FullMethodName, in, out, cOpts...) + out := new(iam_pb.ListPoliciesResponse) + err := c.cc.Invoke(ctx, SeaweedS3IamCache_ListPolicies_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *seaweedS3Client) PutUserPolicy(ctx context.Context, in *iam_pb.PutUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutUserPolicyResponse, error) { +func (c *seaweedS3IamCacheClient) DeletePolicy(ctx context.Context, in *iam_pb.DeletePolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeletePolicyResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.PutUserPolicyResponse) - err := c.cc.Invoke(ctx, SeaweedS3_PutUserPolicy_FullMethodName, in, out, cOpts...) + out := new(iam_pb.DeletePolicyResponse) + err := c.cc.Invoke(ctx, SeaweedS3IamCache_DeletePolicy_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *seaweedS3Client) GetUserPolicy(ctx context.Context, in *iam_pb.GetUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetUserPolicyResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.GetUserPolicyResponse) - err := c.cc.Invoke(ctx, SeaweedS3_GetUserPolicy_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) DeleteUserPolicy(ctx context.Context, in *iam_pb.DeleteUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserPolicyResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.DeleteUserPolicyResponse) - err := c.cc.Invoke(ctx, SeaweedS3_DeleteUserPolicy_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) ListServiceAccounts(ctx context.Context, in *iam_pb.ListServiceAccountsRequest, opts ...grpc.CallOption) (*iam_pb.ListServiceAccountsResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.ListServiceAccountsResponse) - err := c.cc.Invoke(ctx, SeaweedS3_ListServiceAccounts_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) CreateServiceAccount(ctx context.Context, in *iam_pb.CreateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.CreateServiceAccountResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.CreateServiceAccountResponse) - err := c.cc.Invoke(ctx, SeaweedS3_CreateServiceAccount_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) UpdateServiceAccount(ctx context.Context, in *iam_pb.UpdateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.UpdateServiceAccountResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.UpdateServiceAccountResponse) - err := c.cc.Invoke(ctx, SeaweedS3_UpdateServiceAccount_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) DeleteServiceAccount(ctx context.Context, in *iam_pb.DeleteServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.DeleteServiceAccountResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.DeleteServiceAccountResponse) - err := c.cc.Invoke(ctx, SeaweedS3_DeleteServiceAccount_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *seaweedS3Client) GetServiceAccount(ctx context.Context, in *iam_pb.GetServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.GetServiceAccountResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(iam_pb.GetServiceAccountResponse) - err := c.cc.Invoke(ctx, SeaweedS3_GetServiceAccount_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -// SeaweedS3Server is the server API for SeaweedS3 service. -// All implementations must embed UnimplementedSeaweedS3Server +// SeaweedS3IamCacheServer is the server API for SeaweedS3IamCache service. +// All implementations must embed UnimplementedSeaweedS3IamCacheServer // for forward compatibility. -type SeaweedS3Server interface { - // Explicit IAM APIs mirroring SeaweedIdentityAccessManagement - ListUsers(context.Context, *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) - CreateUser(context.Context, *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) - GetUser(context.Context, *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) - UpdateUser(context.Context, *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) - DeleteUser(context.Context, *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) - ListAccessKeys(context.Context, *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error) - CreateAccessKey(context.Context, *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) - DeleteAccessKey(context.Context, *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) - PutUserPolicy(context.Context, *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error) - GetUserPolicy(context.Context, *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error) - DeleteUserPolicy(context.Context, *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error) - ListServiceAccounts(context.Context, *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) - CreateServiceAccount(context.Context, *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) - UpdateServiceAccount(context.Context, *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) - DeleteServiceAccount(context.Context, *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) - GetServiceAccount(context.Context, *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) - mustEmbedUnimplementedSeaweedS3Server() -} - -// UnimplementedSeaweedS3Server must be embedded to have +// +// Designed for unidirectional propagation from Filer to S3 Servers +type SeaweedS3IamCacheServer interface { + PutIdentity(context.Context, *iam_pb.PutIdentityRequest) (*iam_pb.PutIdentityResponse, error) + RemoveIdentity(context.Context, *iam_pb.RemoveIdentityRequest) (*iam_pb.RemoveIdentityResponse, error) + PutPolicy(context.Context, *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error) + GetPolicy(context.Context, *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error) + ListPolicies(context.Context, *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error) + DeletePolicy(context.Context, *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error) + mustEmbedUnimplementedSeaweedS3IamCacheServer() +} + +// UnimplementedSeaweedS3IamCacheServer must be embedded to have // forward compatible implementations. // // NOTE: this should be embedded by value instead of pointer to avoid a nil // pointer dereference when methods are called. -type UnimplementedSeaweedS3Server struct{} +type UnimplementedSeaweedS3IamCacheServer struct{} -func (UnimplementedSeaweedS3Server) ListUsers(context.Context, *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method ListUsers not implemented") +func (UnimplementedSeaweedS3IamCacheServer) PutIdentity(context.Context, *iam_pb.PutIdentityRequest) (*iam_pb.PutIdentityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method PutIdentity not implemented") } -func (UnimplementedSeaweedS3Server) CreateUser(context.Context, *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method CreateUser not implemented") +func (UnimplementedSeaweedS3IamCacheServer) RemoveIdentity(context.Context, *iam_pb.RemoveIdentityRequest) (*iam_pb.RemoveIdentityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method RemoveIdentity not implemented") } -func (UnimplementedSeaweedS3Server) GetUser(context.Context, *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetUser not implemented") +func (UnimplementedSeaweedS3IamCacheServer) PutPolicy(context.Context, *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method PutPolicy not implemented") } -func (UnimplementedSeaweedS3Server) UpdateUser(context.Context, *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method UpdateUser not implemented") +func (UnimplementedSeaweedS3IamCacheServer) GetPolicy(context.Context, *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetPolicy not implemented") } -func (UnimplementedSeaweedS3Server) DeleteUser(context.Context, *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DeleteUser not implemented") +func (UnimplementedSeaweedS3IamCacheServer) ListPolicies(context.Context, *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ListPolicies not implemented") } -func (UnimplementedSeaweedS3Server) ListAccessKeys(context.Context, *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method ListAccessKeys not implemented") +func (UnimplementedSeaweedS3IamCacheServer) DeletePolicy(context.Context, *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method DeletePolicy not implemented") } -func (UnimplementedSeaweedS3Server) CreateAccessKey(context.Context, *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method CreateAccessKey not implemented") -} -func (UnimplementedSeaweedS3Server) DeleteAccessKey(context.Context, *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DeleteAccessKey not implemented") -} -func (UnimplementedSeaweedS3Server) PutUserPolicy(context.Context, *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method PutUserPolicy not implemented") -} -func (UnimplementedSeaweedS3Server) GetUserPolicy(context.Context, *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetUserPolicy not implemented") -} -func (UnimplementedSeaweedS3Server) DeleteUserPolicy(context.Context, *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DeleteUserPolicy not implemented") -} -func (UnimplementedSeaweedS3Server) ListServiceAccounts(context.Context, *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method ListServiceAccounts not implemented") -} -func (UnimplementedSeaweedS3Server) CreateServiceAccount(context.Context, *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method CreateServiceAccount not implemented") -} -func (UnimplementedSeaweedS3Server) UpdateServiceAccount(context.Context, *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method UpdateServiceAccount not implemented") -} -func (UnimplementedSeaweedS3Server) DeleteServiceAccount(context.Context, *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DeleteServiceAccount not implemented") -} -func (UnimplementedSeaweedS3Server) GetServiceAccount(context.Context, *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetServiceAccount not implemented") -} -func (UnimplementedSeaweedS3Server) mustEmbedUnimplementedSeaweedS3Server() {} -func (UnimplementedSeaweedS3Server) testEmbeddedByValue() {} +func (UnimplementedSeaweedS3IamCacheServer) mustEmbedUnimplementedSeaweedS3IamCacheServer() {} +func (UnimplementedSeaweedS3IamCacheServer) testEmbeddedByValue() {} -// UnsafeSeaweedS3Server may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to SeaweedS3Server will +// UnsafeSeaweedS3IamCacheServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to SeaweedS3IamCacheServer will // result in compilation errors. -type UnsafeSeaweedS3Server interface { - mustEmbedUnimplementedSeaweedS3Server() +type UnsafeSeaweedS3IamCacheServer interface { + mustEmbedUnimplementedSeaweedS3IamCacheServer() } -func RegisterSeaweedS3Server(s grpc.ServiceRegistrar, srv SeaweedS3Server) { - // If the following call pancis, it indicates UnimplementedSeaweedS3Server was +func RegisterSeaweedS3IamCacheServer(s grpc.ServiceRegistrar, srv SeaweedS3IamCacheServer) { + // If the following call pancis, it indicates UnimplementedSeaweedS3IamCacheServer was // embedded by pointer and is nil. This will cause panics if an // unimplemented method is ever invoked, so we test this at initialization // time to prevent it from happening at runtime later due to I/O. if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { t.testEmbeddedByValue() } - s.RegisterService(&SeaweedS3_ServiceDesc, srv) -} - -func _SeaweedS3_ListUsers_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.ListUsersRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).ListUsers(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_ListUsers_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).ListUsers(ctx, req.(*iam_pb.ListUsersRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_CreateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.CreateUserRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).CreateUser(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_CreateUser_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).CreateUser(ctx, req.(*iam_pb.CreateUserRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_GetUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.GetUserRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).GetUser(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_GetUser_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).GetUser(ctx, req.(*iam_pb.GetUserRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_UpdateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.UpdateUserRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).UpdateUser(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_UpdateUser_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).UpdateUser(ctx, req.(*iam_pb.UpdateUserRequest)) - } - return interceptor(ctx, in, info, handler) + s.RegisterService(&SeaweedS3IamCache_ServiceDesc, srv) } -func _SeaweedS3_DeleteUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.DeleteUserRequest) +func _SeaweedS3IamCache_PutIdentity_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(iam_pb.PutIdentityRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(SeaweedS3Server).DeleteUser(ctx, in) + return srv.(SeaweedS3IamCacheServer).PutIdentity(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: SeaweedS3_DeleteUser_FullMethodName, + FullMethod: SeaweedS3IamCache_PutIdentity_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).DeleteUser(ctx, req.(*iam_pb.DeleteUserRequest)) + return srv.(SeaweedS3IamCacheServer).PutIdentity(ctx, req.(*iam_pb.PutIdentityRequest)) } return interceptor(ctx, in, info, handler) } -func _SeaweedS3_ListAccessKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.ListAccessKeysRequest) +func _SeaweedS3IamCache_RemoveIdentity_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(iam_pb.RemoveIdentityRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(SeaweedS3Server).ListAccessKeys(ctx, in) + return srv.(SeaweedS3IamCacheServer).RemoveIdentity(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: SeaweedS3_ListAccessKeys_FullMethodName, + FullMethod: SeaweedS3IamCache_RemoveIdentity_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).ListAccessKeys(ctx, req.(*iam_pb.ListAccessKeysRequest)) + return srv.(SeaweedS3IamCacheServer).RemoveIdentity(ctx, req.(*iam_pb.RemoveIdentityRequest)) } return interceptor(ctx, in, info, handler) } -func _SeaweedS3_CreateAccessKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.CreateAccessKeyRequest) +func _SeaweedS3IamCache_PutPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(iam_pb.PutPolicyRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(SeaweedS3Server).CreateAccessKey(ctx, in) + return srv.(SeaweedS3IamCacheServer).PutPolicy(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: SeaweedS3_CreateAccessKey_FullMethodName, + FullMethod: SeaweedS3IamCache_PutPolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).CreateAccessKey(ctx, req.(*iam_pb.CreateAccessKeyRequest)) + return srv.(SeaweedS3IamCacheServer).PutPolicy(ctx, req.(*iam_pb.PutPolicyRequest)) } return interceptor(ctx, in, info, handler) } -func _SeaweedS3_DeleteAccessKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.DeleteAccessKeyRequest) +func _SeaweedS3IamCache_GetPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(iam_pb.GetPolicyRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(SeaweedS3Server).DeleteAccessKey(ctx, in) + return srv.(SeaweedS3IamCacheServer).GetPolicy(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: SeaweedS3_DeleteAccessKey_FullMethodName, + FullMethod: SeaweedS3IamCache_GetPolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).DeleteAccessKey(ctx, req.(*iam_pb.DeleteAccessKeyRequest)) + return srv.(SeaweedS3IamCacheServer).GetPolicy(ctx, req.(*iam_pb.GetPolicyRequest)) } return interceptor(ctx, in, info, handler) } -func _SeaweedS3_PutUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.PutUserPolicyRequest) +func _SeaweedS3IamCache_ListPolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(iam_pb.ListPoliciesRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(SeaweedS3Server).PutUserPolicy(ctx, in) + return srv.(SeaweedS3IamCacheServer).ListPolicies(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: SeaweedS3_PutUserPolicy_FullMethodName, + FullMethod: SeaweedS3IamCache_ListPolicies_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).PutUserPolicy(ctx, req.(*iam_pb.PutUserPolicyRequest)) + return srv.(SeaweedS3IamCacheServer).ListPolicies(ctx, req.(*iam_pb.ListPoliciesRequest)) } return interceptor(ctx, in, info, handler) } -func _SeaweedS3_GetUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.GetUserPolicyRequest) +func _SeaweedS3IamCache_DeletePolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(iam_pb.DeletePolicyRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(SeaweedS3Server).GetUserPolicy(ctx, in) + return srv.(SeaweedS3IamCacheServer).DeletePolicy(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: SeaweedS3_GetUserPolicy_FullMethodName, + FullMethod: SeaweedS3IamCache_DeletePolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).GetUserPolicy(ctx, req.(*iam_pb.GetUserPolicyRequest)) + return srv.(SeaweedS3IamCacheServer).DeletePolicy(ctx, req.(*iam_pb.DeletePolicyRequest)) } return interceptor(ctx, in, info, handler) } -func _SeaweedS3_DeleteUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.DeleteUserPolicyRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).DeleteUserPolicy(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_DeleteUserPolicy_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).DeleteUserPolicy(ctx, req.(*iam_pb.DeleteUserPolicyRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_ListServiceAccounts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.ListServiceAccountsRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).ListServiceAccounts(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_ListServiceAccounts_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).ListServiceAccounts(ctx, req.(*iam_pb.ListServiceAccountsRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_CreateServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.CreateServiceAccountRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).CreateServiceAccount(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_CreateServiceAccount_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).CreateServiceAccount(ctx, req.(*iam_pb.CreateServiceAccountRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_UpdateServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.UpdateServiceAccountRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).UpdateServiceAccount(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_UpdateServiceAccount_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).UpdateServiceAccount(ctx, req.(*iam_pb.UpdateServiceAccountRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_DeleteServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.DeleteServiceAccountRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).DeleteServiceAccount(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_DeleteServiceAccount_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).DeleteServiceAccount(ctx, req.(*iam_pb.DeleteServiceAccountRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SeaweedS3_GetServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(iam_pb.GetServiceAccountRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SeaweedS3Server).GetServiceAccount(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SeaweedS3_GetServiceAccount_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SeaweedS3Server).GetServiceAccount(ctx, req.(*iam_pb.GetServiceAccountRequest)) - } - return interceptor(ctx, in, info, handler) -} - -// SeaweedS3_ServiceDesc is the grpc.ServiceDesc for SeaweedS3 service. +// SeaweedS3IamCache_ServiceDesc is the grpc.ServiceDesc for SeaweedS3IamCache service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) -var SeaweedS3_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "messaging_pb.SeaweedS3", - HandlerType: (*SeaweedS3Server)(nil), +var SeaweedS3IamCache_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "messaging_pb.SeaweedS3IamCache", + HandlerType: (*SeaweedS3IamCacheServer)(nil), Methods: []grpc.MethodDesc{ { - MethodName: "ListUsers", - Handler: _SeaweedS3_ListUsers_Handler, - }, - { - MethodName: "CreateUser", - Handler: _SeaweedS3_CreateUser_Handler, - }, - { - MethodName: "GetUser", - Handler: _SeaweedS3_GetUser_Handler, - }, - { - MethodName: "UpdateUser", - Handler: _SeaweedS3_UpdateUser_Handler, - }, - { - MethodName: "DeleteUser", - Handler: _SeaweedS3_DeleteUser_Handler, - }, - { - MethodName: "ListAccessKeys", - Handler: _SeaweedS3_ListAccessKeys_Handler, - }, - { - MethodName: "CreateAccessKey", - Handler: _SeaweedS3_CreateAccessKey_Handler, - }, - { - MethodName: "DeleteAccessKey", - Handler: _SeaweedS3_DeleteAccessKey_Handler, - }, - { - MethodName: "PutUserPolicy", - Handler: _SeaweedS3_PutUserPolicy_Handler, - }, - { - MethodName: "GetUserPolicy", - Handler: _SeaweedS3_GetUserPolicy_Handler, - }, - { - MethodName: "DeleteUserPolicy", - Handler: _SeaweedS3_DeleteUserPolicy_Handler, + MethodName: "PutIdentity", + Handler: _SeaweedS3IamCache_PutIdentity_Handler, }, { - MethodName: "ListServiceAccounts", - Handler: _SeaweedS3_ListServiceAccounts_Handler, + MethodName: "RemoveIdentity", + Handler: _SeaweedS3IamCache_RemoveIdentity_Handler, }, { - MethodName: "CreateServiceAccount", - Handler: _SeaweedS3_CreateServiceAccount_Handler, + MethodName: "PutPolicy", + Handler: _SeaweedS3IamCache_PutPolicy_Handler, }, { - MethodName: "UpdateServiceAccount", - Handler: _SeaweedS3_UpdateServiceAccount_Handler, + MethodName: "GetPolicy", + Handler: _SeaweedS3IamCache_GetPolicy_Handler, }, { - MethodName: "DeleteServiceAccount", - Handler: _SeaweedS3_DeleteServiceAccount_Handler, + MethodName: "ListPolicies", + Handler: _SeaweedS3IamCache_ListPolicies_Handler, }, { - MethodName: "GetServiceAccount", - Handler: _SeaweedS3_GetServiceAccount_Handler, + MethodName: "DeletePolicy", + Handler: _SeaweedS3IamCache_DeletePolicy_Handler, }, }, Streams: []grpc.StreamDesc{}, diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 97a7a8a37..3e10396f1 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -44,6 +44,7 @@ type IdentityAccessManagement struct { identities []*Identity accessKeyIdent map[string]*Identity nameToIdentity map[string]*Identity // O(1) lookup by identity name + policies map[string]*iam_pb.Policy accounts map[string]*Account emailAccount map[string]*Account hashes map[string]*sync.Pool @@ -83,6 +84,7 @@ type Identity struct { PrincipalArn string // ARN for IAM authorization (e.g., "arn:aws:iam::account-id:user/username") Disabled bool // User status: false = enabled (default), true = disabled Claims map[string]interface{} // JWT claims for policy substitution + IsStatic bool // Whether identity was loaded from static config (immutable) } // Account represents a system user, a system user can @@ -187,6 +189,7 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto iam.staticIdentityNames = make(map[string]bool) for _, identity := range iam.identities { iam.staticIdentityNames[identity.Name] = true + identity.IsStatic = true } iam.m.Unlock() } @@ -294,6 +297,7 @@ func (iam *IdentityAccessManagement) loadEnvironmentVariableCredentials() { Actions: []Action{ s3_constants.ACTION_ADMIN, }, + IsStatic: true, } iam.m.Lock() @@ -407,19 +411,20 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api if hasStaticConfig { // Merge mode: preserve static identities, add/update dynamic ones - return iam.mergeS3ApiConfiguration(config) + return iam.MergeS3ApiConfiguration(config) } // Normal mode: completely replace configuration - return iam.replaceS3ApiConfiguration(config) + return iam.ReplaceS3ApiConfiguration(config) } -// replaceS3ApiConfiguration completely replaces the current configuration (used when no static config) -func (iam *IdentityAccessManagement) replaceS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error { +// ReplaceS3ApiConfiguration completely replaces the current configuration (used when no static config) +func (iam *IdentityAccessManagement) ReplaceS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error { var identities []*Identity var identityAnonymous *Identity accessKeyIdent := make(map[string]*Identity) nameToIdentity := make(map[string]*Identity) + policies := make(map[string]*iam_pb.Policy) accounts := make(map[string]*Account) emailAccount := make(map[string]*Account) foundAccountAdmin := false @@ -458,6 +463,9 @@ func (iam *IdentityAccessManagement) replaceS3ApiConfiguration(config *iam_pb.S3 } emailAccount[AccountAnonymous.EmailAddress] = accounts[AccountAnonymous.Id] } + for _, policy := range config.Policies { + policies[policy.Name] = policy + } for _, ident := range config.Identities { glog.V(3).Infof("loading identity %s (disabled=%v)", ident.Name, ident.Disabled) t := &Identity{ @@ -537,6 +545,7 @@ func (iam *IdentityAccessManagement) replaceS3ApiConfiguration(config *iam_pb.S3 iam.emailAccount = emailAccount iam.accessKeyIdent = accessKeyIdent iam.nameToIdentity = nameToIdentity + iam.policies = policies // Update authentication state based on whether identities exist // Once enabled, keep it enabled (one-way toggle) authJustEnabled := iam.updateAuthenticationState(len(identities)) @@ -566,10 +575,10 @@ func (iam *IdentityAccessManagement) replaceS3ApiConfiguration(config *iam_pb.S3 return nil } -// mergeS3ApiConfiguration merges dynamic configuration with existing static configuration +// MergeS3ApiConfiguration merges dynamic configuration with existing static configuration // Static identities (from file) are preserved and cannot be updated // Dynamic identities (from filer/admin) can be added or updated -func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error { +func (iam *IdentityAccessManagement) MergeS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error { // Start with current configuration (which includes static identities) iam.m.RLock() identities := make([]*Identity, len(iam.identities)) @@ -583,6 +592,10 @@ func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3Ap for k, v := range iam.nameToIdentity { nameToIdentity[k] = v } + policies := make(map[string]*iam_pb.Policy) + for k, v := range iam.policies { + policies[k] = v + } accounts := make(map[string]*Account) for k, v := range iam.accounts { accounts[k] = v @@ -755,6 +768,10 @@ func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3Ap glog.V(3).Infof("Loaded service account %s for dynamic parent %s (expiration: %d)", sa.Id, sa.ParentUser, sa.Expiration) } + for _, policy := range config.Policies { + policies[policy.Name] = policy + } + iam.m.Lock() // atomically switch iam.identities = identities @@ -763,6 +780,7 @@ func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3Ap iam.emailAccount = emailAccount iam.accessKeyIdent = accessKeyIdent iam.nameToIdentity = nameToIdentity + iam.policies = policies // Update authentication state based on whether identities exist // Once enabled, keep it enabled (one-way toggle) authJustEnabled := iam.updateAuthenticationState(len(identities)) @@ -792,6 +810,56 @@ func (iam *IdentityAccessManagement) mergeS3ApiConfiguration(config *iam_pb.S3Ap return nil } +func (iam *IdentityAccessManagement) RemoveIdentity(name string) { + glog.V(1).Infof("IAM: remove identity %s", name) + iam.m.Lock() + defer iam.m.Unlock() + + identity, ok := iam.nameToIdentity[name] + if !ok { + return + } + + if identity.IsStatic { + glog.V(1).Infof("IAM: skipping removal of static identity %s (immutable)", name) + return + } + + // Remove from identities slice + for i, ident := range iam.identities { + if ident.Name == name { + iam.identities = append(iam.identities[:i], iam.identities[i+1:]...) + break + } + } + + // Remove from maps + delete(iam.nameToIdentity, name) + for _, cred := range identity.Credentials { + if iam.accessKeyIdent[cred.AccessKey] == identity { + delete(iam.accessKeyIdent, cred.AccessKey) + } + } + + if identity == iam.identityAnonymous { + iam.identityAnonymous = nil + } +} + +func (iam *IdentityAccessManagement) UpsertIdentity(ident *iam_pb.Identity) error { + if ident == nil { + return fmt.Errorf("upsert identity failed: nil identity") + + } + if ident.Name == "" { + return fmt.Errorf("upsert identity failed: empty identity name") + } + glog.V(1).Infof("IAM: upsert identity %s", ident.Name) + return iam.MergeS3ApiConfiguration(&iam_pb.S3ApiConfiguration{ + Identities: []*iam_pb.Identity{ident}, + }) +} + // isEnabled reports whether S3 auth should be enforced for this server. // // Auth is considered enabled if either: @@ -1316,6 +1384,7 @@ func (iam *IdentityAccessManagement) GetCredentialManager() *credential.Credenti // LoadS3ApiConfigurationFromCredentialManager loads configuration using the credential manager func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromCredentialManager() error { + glog.V(0).Infof("IAM: reloading configuration from credential manager") glog.V(1).Infof("Loading S3 API configuration from credential manager") s3ApiConfiguration, err := iam.credentialManager.LoadConfiguration(context.Background()) @@ -1503,3 +1572,43 @@ func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity // Use IAM integration for authorization return iam.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r) } + +// PutPolicy adds or updates a policy +func (iam *IdentityAccessManagement) PutPolicy(name string, content string) error { + iam.m.Lock() + defer iam.m.Unlock() + if iam.policies == nil { + iam.policies = make(map[string]*iam_pb.Policy) + } + iam.policies[name] = &iam_pb.Policy{Name: name, Content: content} + return nil +} + +// GetPolicy retrieves a policy by name +func (iam *IdentityAccessManagement) GetPolicy(name string) (*iam_pb.Policy, error) { + iam.m.RLock() + defer iam.m.RUnlock() + if policy, ok := iam.policies[name]; ok { + return policy, nil + } + return nil, fmt.Errorf("policy not found: %s", name) +} + +// DeletePolicy removes a policy +func (iam *IdentityAccessManagement) DeletePolicy(name string) error { + iam.m.Lock() + defer iam.m.Unlock() + delete(iam.policies, name) + return nil +} + +// ListPolicies lists all policies +func (iam *IdentityAccessManagement) ListPolicies() []*iam_pb.Policy { + iam.m.RLock() + defer iam.m.RUnlock() + var policies []*iam_pb.Policy + for _, p := range iam.policies { + policies = append(policies, p) + } + return policies +} diff --git a/weed/s3api/auth_credentials_test.go b/weed/s3api/auth_credentials_test.go index b01d8e3ce..1db245b88 100644 --- a/weed/s3api/auth_credentials_test.go +++ b/weed/s3api/auth_credentials_test.go @@ -13,6 +13,9 @@ import ( "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb" jsonpb "google.golang.org/protobuf/encoding/protojson" + + _ "github.com/seaweedfs/seaweedfs/weed/credential/filer_etc" + _ "github.com/seaweedfs/seaweedfs/weed/credential/memory" ) func TestIdentityListFileFormat(t *testing.T) { @@ -742,3 +745,48 @@ func TestSignatureVerificationDoesNotCheckPermissions(t *testing.T) { t.Log("Signature verification no longer checks for Write permission") t.Log("This allows list-only and read-only users to authenticate via AWS Signature V4") } + +func TestStaticIdentityProtection(t *testing.T) { + iam := NewIdentityAccessManagement(&S3ApiServerOption{}) + + // Add a static identity + staticIdent := &Identity{ + Name: "static-user", + IsStatic: true, + } + iam.m.Lock() + if iam.nameToIdentity == nil { + iam.nameToIdentity = make(map[string]*Identity) + } + iam.identities = append(iam.identities, staticIdent) + iam.nameToIdentity[staticIdent.Name] = staticIdent + iam.m.Unlock() + + // Add a dynamic identity + dynamicIdent := &Identity{ + Name: "dynamic-user", + IsStatic: false, + } + iam.m.Lock() + iam.identities = append(iam.identities, dynamicIdent) + iam.nameToIdentity[dynamicIdent.Name] = dynamicIdent + iam.m.Unlock() + + // Try to remove static identity + iam.RemoveIdentity("static-user") + + // Verify static identity still exists + iam.m.RLock() + _, ok := iam.nameToIdentity["static-user"] + iam.m.RUnlock() + assert.True(t, ok, "Static identity should not be removed") + + // Try to remove dynamic identity + iam.RemoveIdentity("dynamic-user") + + // Verify dynamic identity is removed + iam.m.RLock() + _, ok = iam.nameToIdentity["dynamic-user"] + iam.m.RUnlock() + assert.False(t, ok, "Dynamic identity should have been removed") +} diff --git a/weed/s3api/s3api_bucket_policy_engine.go b/weed/s3api/s3api_bucket_policy_engine.go index 3be063b35..1a014a919 100644 --- a/weed/s3api/s3api_bucket_policy_engine.go +++ b/weed/s3api/s3api_bucket_policy_engine.go @@ -83,6 +83,16 @@ func (bpe *BucketPolicyEngine) HasPolicyForBucket(bucket string) bool { return bpe.engine.HasPolicyForBucket(bucket) } +// GetBucketPolicy gets the policy for a bucket +func (bpe *BucketPolicyEngine) GetBucketPolicy(bucket string) (*policy_engine.PolicyDocument, error) { + return bpe.engine.GetBucketPolicy(bucket) +} + +// ListBucketPolicies returns all buckets that have policies +func (bpe *BucketPolicyEngine) ListBucketPolicies() []string { + return bpe.engine.GetAllBucketsWithPolicies() +} + // EvaluatePolicy evaluates whether an action is allowed by bucket policy // // Parameters: diff --git a/weed/s3api/s3api_embedded_iam.go b/weed/s3api/s3api_embedded_iam.go index 8d775e0c7..7181410f1 100644 --- a/weed/s3api/s3api_embedded_iam.go +++ b/weed/s3api/s3api_embedded_iam.go @@ -38,13 +38,15 @@ type EmbeddedIamApi struct { getS3ApiConfigurationFunc func(*iam_pb.S3ApiConfiguration) error putS3ApiConfigurationFunc func(*iam_pb.S3ApiConfiguration) error reloadConfigurationFunc func() error + readOnly bool } // NewEmbeddedIamApi creates a new embedded IAM API handler. -func NewEmbeddedIamApi(credentialManager *credential.CredentialManager, iam *IdentityAccessManagement) *EmbeddedIamApi { +func NewEmbeddedIamApi(credentialManager *credential.CredentialManager, iam *IdentityAccessManagement, readOnly bool) *EmbeddedIamApi { return &EmbeddedIamApi{ credentialManager: credentialManager, iam: iam, + readOnly: readOnly, } } @@ -160,6 +162,8 @@ func (e *EmbeddedIamApi) writeIamErrorResponse(w http.ResponseWriter, r *http.Re s3err.WriteXMLResponse(w, r, http.StatusConflict, errorResp) case iam.ErrCodeMalformedPolicyDocumentException, iam.ErrCodeInvalidInputException: s3err.WriteXMLResponse(w, r, http.StatusBadRequest, errorResp) + case "AccessDenied", iam.ErrCodeLimitExceededException: + s3err.WriteXMLResponse(w, r, http.StatusForbidden, errorResp) case iam.ErrCodeServiceFailureException: s3err.WriteXMLResponse(w, r, http.StatusInternalServerError, internalErrorResponse) default: @@ -190,6 +194,7 @@ func (e *EmbeddedIamApi) PutS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) // ReloadConfiguration reloads the IAM configuration from the credential manager. func (e *EmbeddedIamApi) ReloadConfiguration() error { + glog.V(4).Infof("IAM: reloading configuration via EmbeddedIamApi") if e.reloadConfigurationFunc != nil { return e.reloadConfigurationFunc() } @@ -1043,11 +1048,22 @@ func (e *EmbeddedIamApi) AuthIam(f http.HandlerFunc, _ Action) http.HandlerFunc } // ExecuteAction executes an IAM action with the given values. -func (e *EmbeddedIamApi) ExecuteAction(values url.Values) (interface{}, *iamError) { +// If skipPersist is true, the changed configuration is not saved to the persistent store. +func (e *EmbeddedIamApi) ExecuteAction(values url.Values, skipPersist bool) (interface{}, *iamError) { // Lock to prevent concurrent read-modify-write race conditions e.policyLock.Lock() defer e.policyLock.Unlock() + action := values.Get("Action") + if e.readOnly { + switch action { + case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListServiceAccounts", "GetServiceAccount": + // Allowed read-only actions + default: + return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrAccessDenied).Code, Error: fmt.Errorf("IAM write operations are disabled on this server")} + } + } + s3cfg := &iam_pb.S3ApiConfiguration{} if err := e.GetS3ApiConfiguration(s3cfg); err != nil && !errors.Is(err, filer_pb.ErrNotFound) { return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrInternalError).Code, Error: fmt.Errorf("failed to get s3 api configuration: %v", err)} @@ -1165,9 +1181,11 @@ func (e *EmbeddedIamApi) ExecuteAction(values url.Values) (interface{}, *iamErro return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrNotImplemented).Code, Error: errors.New(s3err.GetAPIError(s3err.ErrNotImplemented).Description)} } if changed { - if err := e.PutS3ApiConfiguration(s3cfg); err != nil { - iamErr = &iamError{Code: iam.ErrCodeServiceFailureException, Error: err} - return nil, iamErr + if !skipPersist { + if err := e.PutS3ApiConfiguration(s3cfg); err != nil { + iamErr = &iamError{Code: iam.ErrCodeServiceFailureException, Error: err} + return nil, iamErr + } } // Reload in-memory identity maps so subsequent LookupByAccessKey calls // can see newly created or deleted keys immediately @@ -1196,7 +1214,7 @@ func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) { values.Set("CreatedBy", createdBy) } - response, iamErr := e.ExecuteAction(values) + response, iamErr := e.ExecuteAction(values, false) if iamErr != nil { e.writeIamErrorResponse(w, r, iamErr) return diff --git a/weed/s3api/s3api_embedded_iam_test.go b/weed/s3api/s3api_embedded_iam_test.go index c5dc5d949..8ac0472cc 100644 --- a/weed/s3api/s3api_embedded_iam_test.go +++ b/weed/s3api/s3api_embedded_iam_test.go @@ -87,7 +87,19 @@ func (e *EmbeddedIamApiForTest) DoActions(w http.ResponseWriter, r *http.Request var iamErr *iamError changed := true - switch r.Form.Get("Action") { + action := r.Form.Get("Action") + + if e.readOnly { + switch action { + case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListServiceAccounts", "GetServiceAccount": + // Allowed read-only actions + default: + e.writeIamErrorResponse(w, r, &iamError{Code: s3err.GetAPIError(s3err.ErrAccessDenied).Code, Error: fmt.Errorf("IAM write operations are disabled on this server")}) + return + } + } + + switch action { case "ListUsers": response = e.ListUsers(s3cfg, values) changed = false @@ -1691,7 +1703,7 @@ func TestEmbeddedIamExecuteAction(t *testing.T) { vals.Set("Action", "CreateUser") vals.Set("UserName", "ExecuteActionUser") - resp, iamErr := api.ExecuteAction(vals) + resp, iamErr := api.ExecuteAction(vals, false) assert.Nil(t, iamErr) // Verify response type @@ -1703,3 +1715,33 @@ func TestEmbeddedIamExecuteAction(t *testing.T) { assert.Len(t, api.mockConfig.Identities, 1) assert.Equal(t, "ExecuteActionUser", api.mockConfig.Identities[0].Name) } + +// TestEmbeddedIamReadOnly tests that write operations are blocked when readOnly is true +func TestEmbeddedIamReadOnly(t *testing.T) { + api := NewEmbeddedIamApiForTest() + api.readOnly = true + + // Try CreateUser (Write) + userName := aws.String("ReadOnlyUser") + params := &iam.CreateUserInput{UserName: userName} + req, _ := iam.New(session.New()).CreateUserRequest(params) + _ = req.Build() + + response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil) + assert.NoError(t, err) + assert.Equal(t, http.StatusForbidden, response.Code) + + code, msg := extractEmbeddedIamErrorCodeAndMessage(response) + assert.Equal(t, "AccessDenied", code) + assert.Contains(t, msg, "IAM write operations are disabled") + + // Try ListUsers (Read) - Should succeed + paramsList := &iam.ListUsersInput{} + reqList, _ := iam.New(session.New()).ListUsersRequest(paramsList) + _ = reqList.Build() + + outList := iamListUsersResponse{} + responseList, err := executeEmbeddedIamRequest(api, reqList.HTTPRequest, &outList) + assert.NoError(t, err) + assert.Equal(t, http.StatusOK, responseList.Code) +} diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go index 7670773e6..c72669795 100644 --- a/weed/s3api/s3api_server.go +++ b/weed/s3api/s3api_server.go @@ -52,11 +52,14 @@ type S3ApiServerOption struct { ConcurrentUploadLimit int64 ConcurrentFileUploadLimit int64 EnableIam bool // Enable embedded IAM API on the same port + IamReadOnly bool // Disable IAM write operations on this server Cipher bool // encrypt data on volume servers + BindIp string + GrpcPort int } type S3ApiServer struct { - s3_pb.UnimplementedSeaweedS3Server + s3_pb.UnimplementedSeaweedS3IamCacheServer option *S3ApiServerOption iam *IdentityAccessManagement iamIntegration *S3IAMIntegration // Advanced IAM integration for JWT authentication @@ -114,13 +117,17 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl // Uses the battle-tested vidMap with filer-based lookups // Supports multiple filer addresses with automatic failover for high availability var filerClient *wdclient.FilerClient - if len(option.Masters) > 0 && option.FilerGroup != "" { + if len(option.Masters) > 0 { // Enable filer discovery via master masterMap := make(map[string]pb.ServerAddress) for i, addr := range option.Masters { masterMap[fmt.Sprintf("master%d", i)] = addr } - masterClient := wdclient.NewMasterClient(option.GrpcDialOption, option.FilerGroup, cluster.S3Type, "", "", "", *pb.NewServiceDiscoveryFromMap(masterMap)) + clientHost := option.BindIp + if clientHost == "0.0.0.0" || clientHost == "" { + clientHost = util.DetectedHostAddress() + } + masterClient := wdclient.NewMasterClient(option.GrpcDialOption, option.FilerGroup, cluster.S3Type, pb.ServerAddress(util.JoinHostPort(clientHost, option.GrpcPort)), "", "", *pb.NewServiceDiscoveryFromMap(masterMap)) // Start the master client connection loop - required for GetMaster() to work go masterClient.KeepConnectedToMaster(context.Background()) @@ -203,8 +210,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl // Initialize embedded IAM API if enabled if option.EnableIam { - s3ApiServer.embeddedIam = NewEmbeddedIamApi(s3ApiServer.credentialManager, iam) - glog.V(1).Infof("Embedded IAM API initialized (use -iam=false to disable)") + s3ApiServer.embeddedIam = NewEmbeddedIamApi(s3ApiServer.credentialManager, iam, option.IamReadOnly) + if option.IamReadOnly { + glog.V(1).Infof("Embedded IAM API initialized in read-only mode (use -s3.iam.readOnly=false to enable write operations)") + } else { + glog.V(1).Infof("Embedded IAM API initialized in writable mode (WARNING: updates will not be propagated to other S3 servers)") + } } if option.Config != "" { diff --git a/weed/s3api/s3api_server_grpc.go b/weed/s3api/s3api_server_grpc.go index 2f6976b56..c8b55f5f1 100644 --- a/weed/s3api/s3api_server_grpc.go +++ b/weed/s3api/s3api_server_grpc.go @@ -4,341 +4,95 @@ import ( "context" "fmt" - "net/url" + "github.com/seaweedfs/seaweedfs/weed/glog" "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb" ) -func (s3a *S3ApiServer) executeAction(values url.Values) (interface{}, error) { - if s3a.embeddedIam == nil { - return nil, fmt.Errorf("embedded iam is disabled") - } - response, iamErr := s3a.embeddedIam.ExecuteAction(values) - if iamErr != nil { - return nil, fmt.Errorf("IAM error: %s - %v", iamErr.Code, iamErr.Error) - } - return response, nil -} - -func (s3a *S3ApiServer) ListUsers(ctx context.Context, req *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) { - values := url.Values{} - values.Set("Action", "ListUsers") - resp, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - iamResp, ok := resp.(iamListUsersResponse) - if !ok { - return nil, fmt.Errorf("unexpected IAM ListUsers response type %T", resp) - } - var usernames []string - for _, user := range iamResp.ListUsersResult.Users { - if user != nil && user.UserName != nil { - usernames = append(usernames, *user.UserName) - } - } - return &iam_pb.ListUsersResponse{Usernames: usernames}, nil -} - -func (s3a *S3ApiServer) CreateUser(ctx context.Context, req *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) { - if req.Identity == nil || req.Identity.Name == "" { - return nil, fmt.Errorf("username name is required") - } - values := url.Values{} - values.Set("Action", "CreateUser") - values.Set("UserName", req.Identity.Name) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.CreateUserResponse{}, nil -} - -func (s3a *S3ApiServer) GetUser(ctx context.Context, req *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - values := url.Values{} - values.Set("Action", "GetUser") - values.Set("UserName", req.Username) - resp, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - iamResp, ok := resp.(iamGetUserResponse) - if !ok { - return nil, fmt.Errorf("unexpected IAM GetUser response type %T", resp) - } - - var username string - if iamResp.GetUserResult.User.UserName != nil { - username = *iamResp.GetUserResult.User.UserName - } - - return &iam_pb.GetUserResponse{ - Identity: &iam_pb.Identity{ - Name: username, - }, - }, nil -} +// SeaweedS3IamCacheServer Implementation +// This interface is dedicated to UNIDIRECTIONAL updates from Filer to S3 Server. +// S3 Server acts purely as a cache. -func (s3a *S3ApiServer) UpdateUser(ctx context.Context, req *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - values := url.Values{} - values.Set("Action", "UpdateUser") - values.Set("UserName", req.Username) - // UpdateUser in DoActions expects "NewUserName" if renaming, but CreateUser just takes UserName. - // Looking at s3api_embedded_iam.go, UpdateUser uses "NewUserName" to change name. - if req.Identity != nil && req.Identity.Name != "" { - values.Set("NewUserName", req.Identity.Name) +func (s3a *S3ApiServer) PutIdentity(ctx context.Context, req *iam_pb.PutIdentityRequest) (*iam_pb.PutIdentityResponse, error) { + if req.Identity == nil { + return nil, fmt.Errorf("identity is required") } - _, err := s3a.executeAction(values) - if err != nil { + // Direct in-memory cache update + glog.V(1).Infof("IAM: received identity update for %s", req.Identity.Name) + if err := s3a.iam.UpsertIdentity(req.Identity); err != nil { + glog.Errorf("failed to update identity cache for %s: %v", req.Identity.Name, err) return nil, err } - return &iam_pb.UpdateUserResponse{}, nil + return &iam_pb.PutIdentityResponse{}, nil } -func (s3a *S3ApiServer) DeleteUser(ctx context.Context, req *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) { +func (s3a *S3ApiServer) RemoveIdentity(ctx context.Context, req *iam_pb.RemoveIdentityRequest) (*iam_pb.RemoveIdentityResponse, error) { if req.Username == "" { return nil, fmt.Errorf("username is required") } - values := url.Values{} - values.Set("Action", "DeleteUser") - values.Set("UserName", req.Username) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.DeleteUserResponse{}, nil + // Direct in-memory cache update + glog.V(1).Infof("IAM: received identity removal for %s", req.Username) + s3a.iam.RemoveIdentity(req.Username) + return &iam_pb.RemoveIdentityResponse{}, nil } -func (s3a *S3ApiServer) ListAccessKeys(ctx context.Context, req *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - values := url.Values{} - values.Set("Action", "ListAccessKeys") - values.Set("UserName", req.Username) - resp, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - iamResp, ok := resp.(iamListAccessKeysResponse) - if !ok { - return nil, fmt.Errorf("unexpected IAM ListAccessKeys response type %T", resp) - } - var accessKeys []*iam_pb.Credential - for _, meta := range iamResp.ListAccessKeysResult.AccessKeyMetadata { - if meta != nil && meta.AccessKeyId != nil && meta.Status != nil { - accessKeys = append(accessKeys, &iam_pb.Credential{ - AccessKey: *meta.AccessKeyId, - Status: *meta.Status, - }) - } - } - return &iam_pb.ListAccessKeysResponse{AccessKeys: accessKeys}, nil -} - -func (s3a *S3ApiServer) CreateAccessKey(ctx context.Context, req *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - values := url.Values{} - values.Set("Action", "CreateAccessKey") - values.Set("UserName", req.Username) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.CreateAccessKeyResponse{}, nil -} - -func (s3a *S3ApiServer) DeleteAccessKey(ctx context.Context, req *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - if req.AccessKey == "" { - return nil, fmt.Errorf("access key is required") - } - values := url.Values{} - values.Set("Action", "DeleteAccessKey") - values.Set("UserName", req.Username) - values.Set("AccessKeyId", req.AccessKey) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.DeleteAccessKeyResponse{}, nil -} - -func (s3a *S3ApiServer) PutUserPolicy(ctx context.Context, req *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - if req.PolicyName == "" { +func (s3a *S3ApiServer) PutPolicy(ctx context.Context, req *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error) { + if req.Name == "" { return nil, fmt.Errorf("policy name is required") } - values := url.Values{} - values.Set("Action", "PutUserPolicy") - values.Set("UserName", req.Username) - values.Set("PolicyName", req.PolicyName) - values.Set("PolicyDocument", req.PolicyDocument) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.PutUserPolicyResponse{}, nil -} -func (s3a *S3ApiServer) GetUserPolicy(ctx context.Context, req *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - if req.PolicyName == "" { - return nil, fmt.Errorf("policy name is required") - } - values := url.Values{} - values.Set("Action", "GetUserPolicy") - values.Set("UserName", req.Username) - values.Set("PolicyName", req.PolicyName) - resp, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - iamResp, ok := resp.(iamGetUserPolicyResponse) - if !ok { - return nil, fmt.Errorf("unexpected IAM GetUserPolicy response type %T", resp) + // Update IAM policy cache + glog.V(1).Infof("IAM: received policy update for %s", req.Name) + if s3a.iam != nil { + if err := s3a.iam.PutPolicy(req.Name, req.Content); err != nil { + glog.Errorf("failed to update policy cache for %s: %v", req.Name, err) + return nil, err + } } - return &iam_pb.GetUserPolicyResponse{ - Username: iamResp.GetUserPolicyResult.UserName, - PolicyName: iamResp.GetUserPolicyResult.PolicyName, - PolicyDocument: iamResp.GetUserPolicyResult.PolicyDocument, - }, nil + return &iam_pb.PutPolicyResponse{}, nil } -func (s3a *S3ApiServer) DeleteUserPolicy(ctx context.Context, req *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error) { - if req.Username == "" { - return nil, fmt.Errorf("username is required") - } - if req.PolicyName == "" { +func (s3a *S3ApiServer) DeletePolicy(ctx context.Context, req *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error) { + if req.Name == "" { return nil, fmt.Errorf("policy name is required") } - values := url.Values{} - values.Set("Action", "DeleteUserPolicy") - values.Set("UserName", req.Username) - values.Set("PolicyName", req.PolicyName) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.DeleteUserPolicyResponse{}, nil -} -func (s3a *S3ApiServer) ListServiceAccounts(ctx context.Context, req *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) { - values := url.Values{} - values.Set("Action", "ListServiceAccounts") - resp, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - iamResp, ok := resp.(iamListServiceAccountsResponse) - if !ok { - return nil, fmt.Errorf("unexpected IAM ListServiceAccounts response type %T", resp) - } - var serviceAccounts []*iam_pb.ServiceAccount - for _, sa := range iamResp.ListServiceAccountsResult.ServiceAccounts { - if sa != nil { - serviceAccounts = append(serviceAccounts, &iam_pb.ServiceAccount{ - Id: sa.ServiceAccountId, - ParentUser: sa.ParentUser, - Description: sa.Description, - Credential: &iam_pb.Credential{ - AccessKey: sa.AccessKeyId, - Status: sa.Status, - }, - }) + // Delete from IAM policy cache + glog.V(1).Infof("IAM: received policy removal for %s", req.Name) + if s3a.iam != nil { + if err := s3a.iam.DeletePolicy(req.Name); err != nil { + glog.Errorf("failed to delete policy cache for %s: %v", req.Name, err) + return nil, err } } - return &iam_pb.ListServiceAccountsResponse{ServiceAccounts: serviceAccounts}, nil -} - -func (s3a *S3ApiServer) CreateServiceAccount(ctx context.Context, req *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) { - if req.ServiceAccount == nil || req.ServiceAccount.CreatedBy == "" { - return nil, fmt.Errorf("service account owner is required") - } - values := url.Values{} - values.Set("Action", "CreateServiceAccount") - values.Set("CreatedBy", req.ServiceAccount.CreatedBy) - _, err := s3a.executeAction(values) - if err != nil { - return nil, err - } - return &iam_pb.CreateServiceAccountResponse{}, nil + return &iam_pb.DeletePolicyResponse{}, nil } -func (s3a *S3ApiServer) UpdateServiceAccount(ctx context.Context, req *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) { - if req.Id == "" { - return nil, fmt.Errorf("service account id is required") - } - values := url.Values{} - values.Set("Action", "UpdateServiceAccount") - values.Set("ServiceAccountId", req.Id) - if req.ServiceAccount != nil && req.ServiceAccount.Disabled { - values.Set("Status", "Inactive") - } - _, err := s3a.executeAction(values) - if err != nil { - return nil, err +func (s3a *S3ApiServer) GetPolicy(ctx context.Context, req *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error) { + if req.Name == "" { + return nil, fmt.Errorf("policy name is required") } - return &iam_pb.UpdateServiceAccountResponse{}, nil -} - -func (s3a *S3ApiServer) DeleteServiceAccount(ctx context.Context, req *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) { - if req.Id == "" { - return nil, fmt.Errorf("service account id is required") + if s3a.iam == nil { + return &iam_pb.GetPolicyResponse{}, nil } - values := url.Values{} - values.Set("Action", "DeleteServiceAccount") - values.Set("ServiceAccountId", req.Id) - _, err := s3a.executeAction(values) + policy, err := s3a.iam.GetPolicy(req.Name) if err != nil { - return nil, err + return &iam_pb.GetPolicyResponse{}, nil // Not found is fine for cache } - return &iam_pb.DeleteServiceAccountResponse{}, nil + return &iam_pb.GetPolicyResponse{ + Name: policy.Name, + Content: policy.Content, + }, nil } -func (s3a *S3ApiServer) GetServiceAccount(ctx context.Context, req *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) { - if req.Id == "" { - return nil, fmt.Errorf("service account id is required") +func (s3a *S3ApiServer) ListPolicies(ctx context.Context, req *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error) { + resp := &iam_pb.ListPoliciesResponse{} + if s3a.iam == nil { + return resp, nil } - values := url.Values{} - values.Set("Action", "GetServiceAccount") - values.Set("ServiceAccountId", req.Id) - resp, err := s3a.executeAction(values) - if err != nil { - return nil, err + policies := s3a.iam.ListPolicies() + for _, policy := range policies { + resp.Policies = append(resp.Policies, policy) } - iamResp, ok := resp.(iamGetServiceAccountResponse) - if !ok { - return nil, fmt.Errorf("unexpected IAM GetServiceAccount response type %T", resp) - } - - var serviceAccount *iam_pb.ServiceAccount - sa := iamResp.GetServiceAccountResult.ServiceAccount - serviceAccount = &iam_pb.ServiceAccount{ - Id: sa.ServiceAccountId, - ParentUser: sa.ParentUser, - Description: sa.Description, - Credential: &iam_pb.Credential{ - AccessKey: sa.AccessKeyId, - Status: sa.Status, - }, - } - - return &iam_pb.GetServiceAccountResponse{ - ServiceAccount: serviceAccount, - }, nil + return resp, nil } diff --git a/weed/s3api/s3api_server_routing_test.go b/weed/s3api/s3api_server_routing_test.go index 2746d59fe..52ecd20e5 100644 --- a/weed/s3api/s3api_server_routing_test.go +++ b/weed/s3api/s3api_server_routing_test.go @@ -31,7 +31,7 @@ func setupRoutingTestServer(t *testing.T) *S3ApiServer { option: opt, iam: iam, credentialManager: iam.credentialManager, - embeddedIam: NewEmbeddedIamApi(iam.credentialManager, iam), + embeddedIam: NewEmbeddedIamApi(iam.credentialManager, iam, false), stsHandlers: &STSHandlers{}, } diff --git a/weed/server/filer_server.go b/weed/server/filer_server.go index f76d215aa..3ec247ffd 100644 --- a/weed/server/filer_server.go +++ b/weed/server/filer_server.go @@ -256,6 +256,10 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption) fs.filer.Dlm.LockRing.SetTakeSnapshotCallback(fs.OnDlmChangeSnapshot) + if fs.CredentialManager != nil { + fs.CredentialManager.SetMasterClient(fs.filer.MasterClient, fs.grpcDialOption) + } + return fs, nil } diff --git a/weed/server/filer_server_handlers_iam_grpc.go b/weed/server/filer_server_handlers_iam_grpc.go index 777c9f2d4..c77cf8914 100644 --- a/weed/server/filer_server_handlers_iam_grpc.go +++ b/weed/server/filer_server_handlers_iam_grpc.go @@ -73,7 +73,7 @@ func (s *IamGrpcServer) CreateUser(ctx context.Context, req *iam_pb.CreateUserRe if req == nil || req.Identity == nil { return nil, status.Errorf(codes.InvalidArgument, "identity is required") } - glog.V(4).Infof("CreateUser: %s", req.Identity.Name) + glog.V(4).Infof("IAM: Filer.CreateUser %s", req.Identity.Name) if s.credentialManager == nil { return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured") @@ -113,10 +113,10 @@ func (s *IamGrpcServer) GetUser(ctx context.Context, req *iam_pb.GetUserRequest) } func (s *IamGrpcServer) UpdateUser(ctx context.Context, req *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) { - glog.V(4).Infof("UpdateUser: %s", req.Username) if req == nil || req.Identity == nil { return nil, status.Errorf(codes.InvalidArgument, "identity is required") } + glog.V(4).Infof("IAM: Filer.UpdateUser %s", req.Username) if s.credentialManager == nil { return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured") @@ -135,7 +135,7 @@ func (s *IamGrpcServer) UpdateUser(ctx context.Context, req *iam_pb.UpdateUserRe } func (s *IamGrpcServer) DeleteUser(ctx context.Context, req *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) { - glog.V(4).Infof("DeleteUser: %s", req.Username) + glog.V(4).Infof("IAM: Filer.DeleteUser %s", req.Username) if s.credentialManager == nil { return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured") @@ -243,7 +243,7 @@ func (s *IamGrpcServer) GetUserByAccessKey(ctx context.Context, req *iam_pb.GetU // Policy Management func (s *IamGrpcServer) PutPolicy(ctx context.Context, req *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error) { - glog.V(4).Infof("PutPolicy: %s", req.Name) + glog.V(4).Infof("IAM: Filer.PutPolicy %s", req.Name) if s.credentialManager == nil { return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured") diff --git a/weed/server/master_grpc_server.go b/weed/server/master_grpc_server.go index 255a0d7a7..7c6bd1e3c 100644 --- a/weed/server/master_grpc_server.go +++ b/weed/server/master_grpc_server.go @@ -276,6 +276,7 @@ func (ms *MasterServer) KeepConnected(stream master_pb.Seaweed_KeepConnectedServ clientName, messageChan := ms.addClient(req.FilerGroup, req.ClientType, peerAddress) for _, update := range ms.Cluster.AddClusterNode(req.FilerGroup, req.ClientType, cluster.DataCenter(req.DataCenter), cluster.Rack(req.Rack), peerAddress, req.Version) { + glog.V(1).Infof("Cluster: %s node %s added to group '%s'", req.ClientType, peerAddress, req.FilerGroup) ms.broadcastToClients(update) }