@ -25,7 +25,6 @@ import (
"path"
"strings"
"sync"
"time"
miniogopolicy "github.com/minio/minio-go/v6/pkg/policy"
"github.com/minio/minio-go/v6/pkg/set"
@ -61,6 +60,11 @@ func (sys *PolicySys) removeDeletedBuckets(bucketInfos []BucketInfo) {
// Set - sets policy to given bucket name. If policy is empty, existing policy is removed.
func ( sys * PolicySys ) Set ( bucketName string , policy policy . Policy ) {
if globalIsGateway {
// Set policy is a non-op under gateway mode.
return
}
sys . Lock ( )
defer sys . Unlock ( )
@ -84,10 +88,22 @@ func (sys *PolicySys) IsAllowed(args policy.Args) bool {
sys . RLock ( )
defer sys . RUnlock ( )
if globalIsGateway {
// When gateway is enabled, no cached value
// is used to validate bucket policies.
objAPI := newObjectLayerFn ( )
if objAPI != nil {
config , err := objAPI . GetBucketPolicy ( context . Background ( ) , args . BucketName )
if err == nil {
return config . IsAllowed ( args )
}
}
} else {
// If policy is available for given bucket, check the policy.
if p , found := sys . bucketPolicyMap [ args . BucketName ] ; found {
return p . IsAllowed ( args )
}
}
// As policy is not available for given bucket name, returns IsOwner i.e.
// operation is allowed only for owner.
@ -135,21 +151,11 @@ func (sys *PolicySys) Init(objAPI ObjectLayer) error {
return errInvalidArgument
}
defer func ( ) {
// Refresh PolicySys in background.
go func ( ) {
ticker := time . NewTicker ( globalRefreshBucketPolicyInterval )
defer ticker . Stop ( )
for {
select {
case <- GlobalServiceDoneCh :
return
case <- ticker . C :
sys . refresh ( objAPI )
}
// In gateway mode, we don't need to load the policies
// from the backend.
if globalIsGateway {
return nil
}
} ( )
} ( )
doneCh := make ( chan struct { } )
defer close ( doneCh )