@ -221,13 +221,13 @@ type IAMStorageAPI interface {
// simplifies the implementation for group removal. This is called
// simplifies the implementation for group removal. This is called
// only via IAM notifications.
// only via IAM notifications.
func ( sys * IAMSys ) LoadGroup ( objAPI ObjectLayer , group string ) error {
func ( sys * IAMSys ) LoadGroup ( objAPI ObjectLayer , group string ) error {
if objAPI == nil {
return errInvalidArgument
}
sys . Lock ( )
sys . Lock ( )
defer sys . Unlock ( )
defer sys . Unlock ( )
if objAPI == nil || sys . store == nil {
return errServerNotInitialized
}
if globalEtcdClient != nil {
if globalEtcdClient != nil {
// Watch APIs cover this case, so nothing to do.
// Watch APIs cover this case, so nothing to do.
return nil
return nil
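Review bot: The new guard `if objAPI == nil || sys.store == nil { return errServerNotInitialized }` folds a caller-side fault (a nil objAPI, previously reported as errInvalidArgument) into the "store not ready" case, so whoever diagnoses a notification-path failure can no longer tell a bad argument from a server that has not finished initializing. The same merged condition is added to LoadPolicy, LoadPolicyMapping and LoadUser in the following hunks. Keeping the original nil-argument check before the lock and adding only `if sys.store == nil { return errServerNotInitialized }` after `defer sys.Unlock()` preserves the distinction at no extra cost. LoadGroup's body continues past the end of this hunk.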
@ -262,13 +262,13 @@ func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error {
// LoadPolicy - reloads a specific canned policy from backend disks or etcd.
// LoadPolicy - reloads a specific canned policy from backend disks or etcd.
func ( sys * IAMSys ) LoadPolicy ( objAPI ObjectLayer , policyName string ) error {
func ( sys * IAMSys ) LoadPolicy ( objAPI ObjectLayer , policyName string ) error {
if objAPI == nil {
return errInvalidArgument
}
sys . Lock ( )
sys . Lock ( )
defer sys . Unlock ( )
defer sys . Unlock ( )
if objAPI == nil || sys . store == nil {
return errServerNotInitialized
}
if globalEtcdClient == nil {
if globalEtcdClient == nil {
return sys . store . loadPolicyDoc ( policyName , sys . iamPolicyDocsMap )
return sys . store . loadPolicyDoc ( policyName , sys . iamPolicyDocsMap )
}
}
@ -280,13 +280,13 @@ func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error {
// LoadPolicyMapping - loads the mapped policy for a user or group
// LoadPolicyMapping - loads the mapped policy for a user or group
// from storage into server memory.
// from storage into server memory.
func ( sys * IAMSys ) LoadPolicyMapping ( objAPI ObjectLayer , userOrGroup string , isGroup bool ) error {
func ( sys * IAMSys ) LoadPolicyMapping ( objAPI ObjectLayer , userOrGroup string , isGroup bool ) error {
if objAPI == nil {
return errInvalidArgument
}
sys . Lock ( )
sys . Lock ( )
defer sys . Unlock ( )
defer sys . Unlock ( )
if objAPI == nil || sys . store == nil {
return errServerNotInitialized
}
if globalEtcdClient == nil {
if globalEtcdClient == nil {
var err error
var err error
if isGroup {
if isGroup {
@ -306,13 +306,13 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
// LoadUser - reloads a specific user from backend disks or etcd.
// LoadUser - reloads a specific user from backend disks or etcd.
func ( sys * IAMSys ) LoadUser ( objAPI ObjectLayer , accessKey string , isSTS bool ) error {
func ( sys * IAMSys ) LoadUser ( objAPI ObjectLayer , accessKey string , isSTS bool ) error {
if objAPI == nil {
return errInvalidArgument
}
sys . Lock ( )
sys . Lock ( )
defer sys . Unlock ( )
defer sys . Unlock ( )
if objAPI == nil || sys . store == nil {
return errServerNotInitialized
}
if globalEtcdClient == nil {
if globalEtcdClient == nil {
err := sys . store . loadUser ( accessKey , isSTS , sys . iamUsersMap )
err := sys . store . loadUser ( accessKey , isSTS , sys . iamUsersMap )
if err != nil {
if err != nil {
@ -351,14 +351,16 @@ func (sys *IAMSys) doIAMConfigMigration(objAPI ObjectLayer) error {
// Init - initializes config system from iam.json
// Init - initializes config system from iam.json
func ( sys * IAMSys ) Init ( objAPI ObjectLayer ) error {
func ( sys * IAMSys ) Init ( objAPI ObjectLayer ) error {
if objAPI == nil {
if objAPI == nil {
return errInvalidArgument
return errServerNotInitialized
}
}
sys . Lock ( )
if globalEtcdClient == nil {
if globalEtcdClient == nil {
sys . store = newIAMObjectStore ( )
sys . store = newIAMObjectStore ( )
} else {
} else {
sys . store = newIAMEtcdStore ( )
sys . store = newIAMEtcdStore ( )
}
}
sys . Unlock ( )
doneCh := make ( chan struct { } )
doneCh := make ( chan struct { } )
defer close ( doneCh )
defer close ( doneCh )
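Review bot: `sys.store` is assigned under `sys.Lock()` and the lock is released before the rest of Init runs (the function continues past this hunk), so from this point on the new `sys.store == nil` guards in the mutating methods pass even though the in-memory maps have not yet been loaded from the backend; an admin call that lands in that window writes to an empty cache that the subsequent load may overwrite or silently discard. A dedicated readiness flag set only after the initial load completes would be a safer gate than store presence. Because this write happens under the lock, every new `sys.store == nil` read must also be evaluated with the lock held — the guards added to DeleteUser, SetTempUser, SetUserStatus, SetUser, SetUserSecretKey, AddUsersToGroup and RemoveUsersFromGroup sit in bodies whose locking is outside their hunks, so confirm each runs after `sys.Lock()`. Returning errServerNotInitialized for a nil objAPI here also hides a caller bug that errInvalidArgument previously made distinct.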
@ -416,6 +418,13 @@ func (sys *IAMSys) DeletePolicy(policyName string) error {
return errInvalidArgument
return errInvalidArgument
}
}
sys . Lock ( )
defer sys . Unlock ( )
if sys . store == nil {
return errServerNotInitialized
}
err := sys . store . deletePolicyDoc ( policyName )
err := sys . store . deletePolicyDoc ( policyName )
switch err . ( type ) {
switch err . ( type ) {
case ObjectNotFound :
case ObjectNotFound :
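Review bot: Moving `sys.Lock()` above `sys.store.deletePolicyDoc(policyName)` means the IAM-wide mutex is now held across a backend round-trip (disk or etcd), so a slow or unreachable backend stalls every other IAM operation that takes this lock for the duration; SetPolicy receives the same treatment in a later hunk. If the goal is only to read `sys.store` safely, snapshot the reference under the lock — `store := sys.store` — release it before the I/O, and re-take it for the map update as the removed lines in the next hunk did. Whether credential lookups on the request path share this lock is outside the hunk; if they do, the contention is user-visible.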
@ -423,9 +432,6 @@ func (sys *IAMSys) DeletePolicy(policyName string) error {
err = nil
err = nil
}
}
sys . Lock ( )
defer sys . Unlock ( )
delete ( sys . iamPolicyDocsMap , policyName )
delete ( sys . iamPolicyDocsMap , policyName )
return err
return err
}
}
@ -481,12 +487,17 @@ func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error {
return errInvalidArgument
return errInvalidArgument
}
}
sys . Lock ( )
defer sys . Unlock ( )
if sys . store == nil {
return errServerNotInitialized
}
if err := sys . store . savePolicyDoc ( policyName , p ) ; err != nil {
if err := sys . store . savePolicyDoc ( policyName , p ) ; err != nil {
return err
return err
}
}
sys . Lock ( )
defer sys . Unlock ( )
sys . iamPolicyDocsMap [ policyName ] = p
sys . iamPolicyDocsMap [ policyName ] = p
return nil
return nil
}
}
@ -505,6 +516,10 @@ func (sys *IAMSys) DeleteUser(accessKey string) error {
return errIAMActionNotAllowed
return errIAMActionNotAllowed
}
}
if sys . store == nil {
return errServerNotInitialized
}
// It is ok to ignore deletion error on the mapped policy
// It is ok to ignore deletion error on the mapped policy
sys . store . deleteMappedPolicy ( accessKey , false , false )
sys . store . deleteMappedPolicy ( accessKey , false , false )
err := sys . store . deleteUserIdentity ( accessKey , false )
err := sys . store . deleteUserIdentity ( accessKey , false )
@ -543,6 +558,10 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
return nil
return nil
}
}
if sys . store == nil {
return errServerNotInitialized
}
mp := newMappedPolicy ( policyName )
mp := newMappedPolicy ( policyName )
if err := sys . store . saveMappedPolicy ( accessKey , true , false , mp ) ; err != nil {
if err := sys . store . saveMappedPolicy ( accessKey , true , false , mp ) ; err != nil {
return err
return err
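Review bot: The `sys.store == nil` guard added here is repeated a few lines further down in the same function (next hunk), and since the store reference is not reassigned between the two, one check at the top of SetTempUser, placed after the lock is taken, covers both paths and keeps the precondition in one place. The function's opening is outside this hunk, so I cannot confirm where the lock is acquired; the guard needs to sit inside it.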
@ -551,6 +570,10 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
sys . iamUserPolicyMap [ accessKey ] = mp
sys . iamUserPolicyMap [ accessKey ] = mp
}
}
if sys . store == nil {
return errServerNotInitialized
}
u := newUserIdentity ( cred )
u := newUserIdentity ( cred )
if err := sys . store . saveUserIdentity ( accessKey , true , u ) ; err != nil {
if err := sys . store . saveUserIdentity ( accessKey , true , u ) ; err != nil {
return err
return err
@ -659,6 +682,11 @@ func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus)
return config . EnableOff
return config . EnableOff
} ( ) ,
} ( ) ,
} )
} )
if sys . store == nil {
return errServerNotInitialized
}
if err := sys . store . saveUserIdentity ( accessKey , false , uinfo ) ; err != nil {
if err := sys . store . saveUserIdentity ( accessKey , false , uinfo ) ; err != nil {
return err
return err
}
}
@ -687,6 +715,10 @@ func (sys *IAMSys) SetUser(accessKey string, uinfo madmin.UserInfo) error {
return errIAMActionNotAllowed
return errIAMActionNotAllowed
}
}
if sys . store == nil {
return errServerNotInitialized
}
if err := sys . store . saveUserIdentity ( accessKey , false , u ) ; err != nil {
if err := sys . store . saveUserIdentity ( accessKey , false , u ) ; err != nil {
return err
return err
}
}
@ -718,6 +750,10 @@ func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
return errNoSuchUser
return errNoSuchUser
}
}
if sys . store == nil {
return errServerNotInitialized
}
cred . SecretKey = secretKey
cred . SecretKey = secretKey
u := newUserIdentity ( cred )
u := newUserIdentity ( cred )
if err := sys . store . saveUserIdentity ( accessKey , false , u ) ; err != nil {
if err := sys . store . saveUserIdentity ( accessKey , false , u ) ; err != nil {
@ -775,6 +811,10 @@ func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
gi . Members = uniqMembers
gi . Members = uniqMembers
}
}
if sys . store == nil {
return errServerNotInitialized
}
if err := sys . store . saveGroupInfo ( group , gi ) ; err != nil {
if err := sys . store . saveGroupInfo ( group , gi ) ; err != nil {
return err
return err
}
}
@ -832,6 +872,10 @@ func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
return errGroupNotEmpty
return errGroupNotEmpty
}
}
if sys . store == nil {
return errServerNotInitialized
}
if len ( members ) == 0 {
if len ( members ) == 0 {
// len(gi.Members) == 0 here.
// len(gi.Members) == 0 here.
@ -887,6 +931,10 @@ func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
sys . Lock ( )
sys . Lock ( )
defer sys . Unlock ( )
defer sys . Unlock ( )
if sys . store == nil {
return errServerNotInitialized
}
if sys . usersSysType != MinIOUsersSysType {
if sys . usersSysType != MinIOUsersSysType {
return errIAMActionNotAllowed
return errIAMActionNotAllowed
}
}
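Review bot: The store guard here is placed before the `sys.usersSysType != MinIOUsersSysType` check, whereas DeleteUser and SetUser (earlier hunks) place it after returning errIAMActionNotAllowed, so the same precondition failure yields different errors depending on which method is called. Pick one order — validating the action is allowed first, then the store, matches the majority of the file — and apply it consistently so callers can rely on the error they receive.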
@ -984,6 +1032,10 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
// policyDBSet - sets a policy for user in the policy db. Assumes that
// policyDBSet - sets a policy for user in the policy db. Assumes that
// caller has sys.Lock().
// caller has sys.Lock().
func ( sys * IAMSys ) policyDBSet ( name , policy string , isSTS , isGroup bool ) error {
func ( sys * IAMSys ) policyDBSet ( name , policy string , isSTS , isGroup bool ) error {
if sys . store == nil {
return errServerNotInitialized
}
if name == "" || policy == "" {
if name == "" || policy == "" {
return errInvalidArgument
return errInvalidArgument
}
}