add missing TTL for STS credentials on etcd (#10828)

Harshavardhana 4 years ago committed by GitHub
parent fde3299bf3
commit 71753e21e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 16
      cmd/etcd.go
  2. 12
      cmd/iam-etcd-store.go
  3. 10
      cmd/iam-object-store.go
  4. 17
      cmd/iam.go

@ -38,9 +38,23 @@ func etcdErrToErr(err error, etcdEndpoints []string) error {
} }
} }
func saveKeyEtcd(ctx context.Context, client *etcd.Client, key string, data []byte) error { func saveKeyEtcdWithTTL(ctx context.Context, client *etcd.Client, key string, data []byte, ttl int64) error {
timeoutCtx, cancel := context.WithTimeout(ctx, defaultContextTimeout) timeoutCtx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
defer cancel() defer cancel()
lease, err := client.Grant(timeoutCtx, ttl)
if err != nil {
return etcdErrToErr(err, client.Endpoints())
}
_, err = client.Put(timeoutCtx, key, string(data), etcd.WithLease(lease.ID))
return etcdErrToErr(err, client.Endpoints())
}
func saveKeyEtcd(ctx context.Context, client *etcd.Client, key string, data []byte, opts ...options) error {
timeoutCtx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
defer cancel()
if len(opts) > 0 {
return saveKeyEtcdWithTTL(ctx, client, key, data, opts[0].ttl)
}
_, err := client.Put(timeoutCtx, key, string(data)) _, err := client.Put(timeoutCtx, key, string(data))
return etcdErrToErr(err, client.Endpoints()) return etcdErrToErr(err, client.Endpoints())
} }
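Review bot: `saveKeyEtcd` builds `timeoutCtx`/`cancel` before looking at `opts`, then on the TTL path hands the original `ctx` to `saveKeyEtcdWithTTL`, which builds a second timeout context, so the first one is created and cancelled without ever being used; moving `if len(opts) > 0 { return saveKeyEtcdWithTTL(ctx, client, key, data, opts[0].ttl) }` above the `context.WithTimeout` call removes that dead work. `saveKeyEtcdWithTTL` also forwards `ttl` to `client.Grant` unchecked, so a zero or negative value, which for a caller deriving it from a credential expiry means the credential is already dead, still results in a lease grant and a Put; return an error before `client.Grant` when `ttl <= 0` so an expired entry is never written. A comment on `saveKeyEtcd` should also state that only `opts[0]` is honoured and any further options are silently ignored.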

@ -99,7 +99,7 @@ func (ies *IAMEtcdStore) runlock() {
ies.RUnlock() ies.RUnlock()
} }
func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, path string) error { func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, path string, opts ...options) error {
data, err := json.Marshal(item) data, err := json.Marshal(item)
if err != nil { if err != nil {
return err return err
@ -110,7 +110,7 @@ func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, pa
return err return err
} }
} }
return saveKeyEtcd(ctx, ies.client, path, data) return saveKeyEtcd(ctx, ies.client, path, data, opts...)
} }
func (ies *IAMEtcdStore) loadIAMConfig(ctx context.Context, item interface{}, path string) error { func (ies *IAMEtcdStore) loadIAMConfig(ctx context.Context, item interface{}, path string) error {
@ -566,12 +566,12 @@ func (ies *IAMEtcdStore) savePolicyDoc(ctx context.Context, policyName string, p
return ies.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName)) return ies.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName))
} }
func (ies *IAMEtcdStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error { func (ies *IAMEtcdStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy, opts ...options) error {
return ies.saveIAMConfig(ctx, mp, getMappedPolicyPath(name, userType, isGroup)) return ies.saveIAMConfig(ctx, mp, getMappedPolicyPath(name, userType, isGroup), opts...)
} }
func (ies *IAMEtcdStore) saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity) error { func (ies *IAMEtcdStore) saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity, opts ...options) error {
return ies.saveIAMConfig(ctx, u, getUserIdentityPath(name, userType)) return ies.saveIAMConfig(ctx, u, getUserIdentityPath(name, userType), opts...)
} }
func (ies *IAMEtcdStore) saveGroupInfo(ctx context.Context, name string, gi GroupInfo) error { func (ies *IAMEtcdStore) saveGroupInfo(ctx context.Context, name string, gi GroupInfo) error {
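Review bot: The new `opts ...options` parameter on `saveIAMConfig`, `saveMappedPolicy` and `saveUserIdentity` carries no comment on what it means in this backend, and nothing here says that only the first option is used. A comment on `saveIAMConfig` such as `// opts, when given, attaches an etcd lease of opts[0].ttl seconds to the key so temporary (STS) entries expire with the credential; additional options are ignored.` would document the contract where callers reach it. `savePolicyDoc` and `saveGroupInfo` deliberately do not take opts, so only the STS identity and its policy mapping are lease-bound, which is presumably intended and worth stating. `saveIAMConfig`'s encryption step and `saveGroupInfo`'s body lie outside the hunk.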

@ -204,7 +204,7 @@ func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error {
return iamOS.migrateToV1(ctx) return iamOS.migrateToV1(ctx)
} }
func (iamOS *IAMObjectStore) saveIAMConfig(ctx context.Context, item interface{}, path string) error { func (iamOS *IAMObjectStore) saveIAMConfig(ctx context.Context, item interface{}, path string, opts ...options) error {
data, err := json.Marshal(item) data, err := json.Marshal(item)
if err != nil { if err != nil {
return err return err
@ -512,12 +512,12 @@ func (iamOS *IAMObjectStore) savePolicyDoc(ctx context.Context, policyName strin
return iamOS.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName)) return iamOS.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName))
} }
func (iamOS *IAMObjectStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error { func (iamOS *IAMObjectStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy, opts ...options) error {
return iamOS.saveIAMConfig(ctx, mp, getMappedPolicyPath(name, userType, isGroup)) return iamOS.saveIAMConfig(ctx, mp, getMappedPolicyPath(name, userType, isGroup), opts...)
} }
func (iamOS *IAMObjectStore) saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity) error { func (iamOS *IAMObjectStore) saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity, opts ...options) error {
return iamOS.saveIAMConfig(ctx, u, getUserIdentityPath(name, userType)) return iamOS.saveIAMConfig(ctx, u, getUserIdentityPath(name, userType), opts...)
} }
func (iamOS *IAMObjectStore) saveGroupInfo(ctx context.Context, name string, gi GroupInfo) error { func (iamOS *IAMObjectStore) saveGroupInfo(ctx context.Context, name string, gi GroupInfo) error {
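Review bot: `IAMObjectStore.saveIAMConfig` now accepts `opts ...options` but the visible lines never read it, so on the object-store backend the TTL passed by `SetTempUser` appears to have no effect and STS identities and mappings are written without any expiry; the rest of the body is outside the hunk, so confirm there that `opts` is indeed unused. If the parameter exists only for interface parity, say so where it is accepted: `// opts (TTL) is accepted for IAMStorageAPI parity only; the object store has no key expiry, so expired STS entries must be removed by some other mechanism.` and verify such a mechanism exists, since the commit title implies expiry was missing only on etcd.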

@ -230,6 +230,11 @@ const (
srvAccUser srvAccUser
) )
// key options
type options struct {
ttl int64 //expiry in seconds
}
// IAMStorageAPI defines an interface for the IAM persistence layer // IAMStorageAPI defines an interface for the IAM persistence layer
type IAMStorageAPI interface { type IAMStorageAPI interface {
lock() lock()
@ -254,13 +259,13 @@ type IAMStorageAPI interface {
loadAll(context.Context, *IAMSys) error loadAll(context.Context, *IAMSys) error
saveIAMConfig(ctx context.Context, item interface{}, path string) error saveIAMConfig(ctx context.Context, item interface{}, path string, opts ...options) error
loadIAMConfig(ctx context.Context, item interface{}, path string) error loadIAMConfig(ctx context.Context, item interface{}, path string) error
deleteIAMConfig(ctx context.Context, path string) error deleteIAMConfig(ctx context.Context, path string) error
savePolicyDoc(ctx context.Context, policyName string, p iampolicy.Policy) error savePolicyDoc(ctx context.Context, policyName string, p iampolicy.Policy) error
saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy) error saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy, opts ...options) error
saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity) error saveUserIdentity(ctx context.Context, name string, userType IAMUserType, u UserIdentity, opts ...options) error
saveGroupInfo(ctx context.Context, group string, gi GroupInfo) error saveGroupInfo(ctx context.Context, group string, gi GroupInfo) error
deletePolicyDoc(ctx context.Context, policyName string) error deletePolicyDoc(ctx context.Context, policyName string) error
@ -703,6 +708,8 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
sys.store.lock() sys.store.lock()
defer sys.store.unlock() defer sys.store.unlock()
ttl := int64(UTCNow().Sub(cred.Expiration).Seconds())
// If OPA is not set we honor any policy claims for this // If OPA is not set we honor any policy claims for this
// temporary user which match with pre-configured canned // temporary user which match with pre-configured canned
// policies for this server. // policies for this server.
@ -727,7 +734,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
return nil return nil
} }
if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp); err != nil { if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp, options{ttl: ttl}); err != nil {
return err return err
} }
@ -735,7 +742,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
} }
u := newUserIdentity(cred) u := newUserIdentity(cred)
if err := sys.store.saveUserIdentity(context.Background(), accessKey, stsUser, u); err != nil { if err := sys.store.saveUserIdentity(context.Background(), accessKey, stsUser, u, options{ttl: ttl}); err != nil {
return err return err
} }
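Review bot: The operands on the `ttl := int64(UTCNow().Sub(cred.Expiration).Seconds())` line are reversed: `UTCNow().Sub(cred.Expiration)` is now minus expiry, which is negative for every credential that has not yet expired, so the lease handed to etcd carries a non-positive TTL instead of the credential's remaining lifetime. What etcd does with that is not visible here, it may reject the grant or clamp the lease to its minimum TTL, but either way the stored STS identity and policy mapping do not live as long as the credential does. It should read `ttl := int64(cred.Expiration.Sub(UTCNow()).Seconds())`, and because both the `saveMappedPolicy` and `saveUserIdentity` calls take it, an already-expired credential (`ttl <= 0`) should be refused before anything is written. The `//expiry in seconds` comment on `options.ttl` also wants a space after `//` to match the file's comment style. `SetTempUser` starts before this hunk and its body continues outside it.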
