Implement IAM propagation to S3 servers (#8130)

* Implement IAM propagation to S3 servers - Add PropagatingCredentialStore to propagate IAM changes to S3 servers via gRPC - Add Policy management RPCs to S3 proto and S3ApiServer - Update CredentialManager to use PropagatingCredentialStore when MasterClient is available - Wire FilerServer to enable propagation * Implement parallel IAM propagation and fix S3 cluster registration - Parallelized IAM change propagation with 10s timeout. - Refined context usage in PropagatingCredentialStore. - Added S3Type support to cluster node management. - Enabled S3 servers to register with gRPC address to the master. - Ensured IAM configuration reload after policy updates via gRPC. * Optimize IAM propagation with direct in-memory cache updates * Secure IAM propagation: Use metadata to skip persistence only on propagation * pb: refactor IAM and S3 services for unidirectional IAM propagation - Move SeaweedS3IamCache service from iam.proto to s3.proto. - Remove legacy IAM management RPCs and empty SeaweedS3 service from s3.proto. - Enforce that S3 servers only use the synchronization interface. * pb: regenerate Go code for IAM and S3 services Updated generated code following the proto refactoring of IAM synchronization services. * s3api: implement read-only mode for Embedded IAM API - Add readOnly flag to EmbeddedIamApi to reject write operations via HTTP. - Enable read-only mode by default in S3ApiServer. - Handle AccessDenied error in writeIamErrorResponse. - Embed SeaweedS3IamCacheServer in S3ApiServer. * credential: refactor PropagatingCredentialStore for unidirectional IAM flow - Update to use s3_pb.SeaweedS3IamCacheClient for propagation to S3 servers. - Propagate full Identity object via PutIdentity for consistency. - Remove redundant propagation of specific user/account/policy management RPCs. - Add timeout context for propagation calls. * s3api: implement SeaweedS3IamCacheServer for unidirectional sync - Update S3ApiServer to implement the cache synchronization gRPC interface. - Methods (PutIdentity, RemoveIdentity, etc.) now perform direct in-memory cache updates. - Register SeaweedS3IamCacheServer in command/s3.go. - Remove registration for the legacy and now empty SeaweedS3 service. * s3api: update tests for read-only IAM and propagation - Added TestEmbeddedIamReadOnly to verify rejection of write operations in read-only mode. - Update test setup to pass readOnly=false to NewEmbeddedIamApi in routing tests. - Updated EmbeddedIamApiForTest helper with read-only checks matching production behavior. * s3api: add back temporary debug logs for IAM updates Log IAM updates received via: - gRPC propagation (PutIdentity, PutPolicy, etc.) - Metadata configuration reloads (LoadS3ApiConfigurationFromCredentialManager) - Core identity management (UpsertIdentity, RemoveIdentity) * IAM: finalize propagation fix with reduced logging and clarified architecture * Allow configuring IAM read-only mode for S3 server integration tests * s3api: add defensive validation to UpsertIdentity * s3api: fix log message to reference correct IAM read-only flag * test/s3/iam: ensure WaitForS3Service checks for IAM write permissions * test: enable writable IAM in Makefile for integration tests * IAM: add GetPolicy/ListPolicies RPCs to s3.proto * S3: add GetBucketPolicy and ListBucketPolicies helpers * S3: support storing generic IAM policies in IdentityAccessManagement * S3: implement IAM policy RPCs using IdentityAccessManagement * IAM: fix stale user identity on rename propagation
2026-01-26 22:59:43 -08:00
parent 0a6b289025
commit 551a31e156
26 changed files with 1131 additions and 1036 deletions
--- a/weed/pb/s3_pb/s3.pb.go
+++ b/weed/pb/s3_pb/s3.pb.go
@@ -414,28 +414,14 @@ const file_s3_proto_rawDesc = "" +
 	"\rsse_algorithm\x18\x01 \x01(\tR\fsseAlgorithm\x12\x1c\n" +
 	"\n" +
 	"kms_key_id\x18\x02 \x01(\tR\bkmsKeyId\x12,\n" +
-	"\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xc7\n" +
-	"\n" +
-	"\tSeaweedS3\x12B\n" +
-	"\tListUsers\x12\x18.iam_pb.ListUsersRequest\x1a\x19.iam_pb.ListUsersResponse\"\x00\x12E\n" +
-	"\n" +
-	"CreateUser\x12\x19.iam_pb.CreateUserRequest\x1a\x1a.iam_pb.CreateUserResponse\"\x00\x12<\n" +
-	"\aGetUser\x12\x16.iam_pb.GetUserRequest\x1a\x17.iam_pb.GetUserResponse\"\x00\x12E\n" +
-	"\n" +
-	"UpdateUser\x12\x19.iam_pb.UpdateUserRequest\x1a\x1a.iam_pb.UpdateUserResponse\"\x00\x12E\n" +
-	"\n" +
-	"DeleteUser\x12\x19.iam_pb.DeleteUserRequest\x1a\x1a.iam_pb.DeleteUserResponse\"\x00\x12Q\n" +
-	"\x0eListAccessKeys\x12\x1d.iam_pb.ListAccessKeysRequest\x1a\x1e.iam_pb.ListAccessKeysResponse\"\x00\x12T\n" +
-	"\x0fCreateAccessKey\x12\x1e.iam_pb.CreateAccessKeyRequest\x1a\x1f.iam_pb.CreateAccessKeyResponse\"\x00\x12T\n" +
-	"\x0fDeleteAccessKey\x12\x1e.iam_pb.DeleteAccessKeyRequest\x1a\x1f.iam_pb.DeleteAccessKeyResponse\"\x00\x12N\n" +
-	"\rPutUserPolicy\x12\x1c.iam_pb.PutUserPolicyRequest\x1a\x1d.iam_pb.PutUserPolicyResponse\"\x00\x12N\n" +
-	"\rGetUserPolicy\x12\x1c.iam_pb.GetUserPolicyRequest\x1a\x1d.iam_pb.GetUserPolicyResponse\"\x00\x12W\n" +
-	"\x10DeleteUserPolicy\x12\x1f.iam_pb.DeleteUserPolicyRequest\x1a .iam_pb.DeleteUserPolicyResponse\"\x00\x12`\n" +
-	"\x13ListServiceAccounts\x12\".iam_pb.ListServiceAccountsRequest\x1a#.iam_pb.ListServiceAccountsResponse\"\x00\x12c\n" +
-	"\x14CreateServiceAccount\x12#.iam_pb.CreateServiceAccountRequest\x1a$.iam_pb.CreateServiceAccountResponse\"\x00\x12c\n" +
-	"\x14UpdateServiceAccount\x12#.iam_pb.UpdateServiceAccountRequest\x1a$.iam_pb.UpdateServiceAccountResponse\"\x00\x12c\n" +
-	"\x14DeleteServiceAccount\x12#.iam_pb.DeleteServiceAccountRequest\x1a$.iam_pb.DeleteServiceAccountResponse\"\x00\x12Z\n" +
-	"\x11GetServiceAccount\x12 .iam_pb.GetServiceAccountRequest\x1a!.iam_pb.GetServiceAccountResponse\"\x00BI\n" +
+	"\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xc6\x03\n" +
+	"\x11SeaweedS3IamCache\x12F\n" +
+	"\vPutIdentity\x12\x1a.iam_pb.PutIdentityRequest\x1a\x1b.iam_pb.PutIdentityResponse\x12O\n" +
+	"\x0eRemoveIdentity\x12\x1d.iam_pb.RemoveIdentityRequest\x1a\x1e.iam_pb.RemoveIdentityResponse\x12@\n" +
+	"\tPutPolicy\x12\x18.iam_pb.PutPolicyRequest\x1a\x19.iam_pb.PutPolicyResponse\x12@\n" +
+	"\tGetPolicy\x12\x18.iam_pb.GetPolicyRequest\x1a\x19.iam_pb.GetPolicyResponse\x12I\n" +
+	"\fListPolicies\x12\x1b.iam_pb.ListPoliciesRequest\x1a\x1c.iam_pb.ListPoliciesResponse\x12I\n" +
+	"\fDeletePolicy\x12\x1b.iam_pb.DeletePolicyRequest\x1a\x1c.iam_pb.DeletePolicyResponseBI\n" +
 	"\x10seaweedfs.clientB\aS3ProtoZ,github.com/seaweedfs/seaweedfs/weed/pb/s3_pbb\x06proto3"

 var (
@@ -452,47 +438,27 @@ func file_s3_proto_rawDescGZIP() []byte {

 var file_s3_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_s3_proto_goTypes = []any{
-	(*S3CircuitBreakerConfig)(nil),              // 0: messaging_pb.S3CircuitBreakerConfig
-	(*S3CircuitBreakerOptions)(nil),             // 1: messaging_pb.S3CircuitBreakerOptions
-	(*CORSRule)(nil),                            // 2: messaging_pb.CORSRule
-	(*CORSConfiguration)(nil),                   // 3: messaging_pb.CORSConfiguration
-	(*BucketMetadata)(nil),                      // 4: messaging_pb.BucketMetadata
-	(*EncryptionConfiguration)(nil),             // 5: messaging_pb.EncryptionConfiguration
-	nil,                                         // 6: messaging_pb.S3CircuitBreakerConfig.BucketsEntry
-	nil,                                         // 7: messaging_pb.S3CircuitBreakerOptions.ActionsEntry
-	nil,                                         // 8: messaging_pb.BucketMetadata.TagsEntry
-	(*iam_pb.ListUsersRequest)(nil),             // 9: iam_pb.ListUsersRequest
-	(*iam_pb.CreateUserRequest)(nil),            // 10: iam_pb.CreateUserRequest
-	(*iam_pb.GetUserRequest)(nil),               // 11: iam_pb.GetUserRequest
-	(*iam_pb.UpdateUserRequest)(nil),            // 12: iam_pb.UpdateUserRequest
-	(*iam_pb.DeleteUserRequest)(nil),            // 13: iam_pb.DeleteUserRequest
-	(*iam_pb.ListAccessKeysRequest)(nil),        // 14: iam_pb.ListAccessKeysRequest
-	(*iam_pb.CreateAccessKeyRequest)(nil),       // 15: iam_pb.CreateAccessKeyRequest
-	(*iam_pb.DeleteAccessKeyRequest)(nil),       // 16: iam_pb.DeleteAccessKeyRequest
-	(*iam_pb.PutUserPolicyRequest)(nil),         // 17: iam_pb.PutUserPolicyRequest
-	(*iam_pb.GetUserPolicyRequest)(nil),         // 18: iam_pb.GetUserPolicyRequest
-	(*iam_pb.DeleteUserPolicyRequest)(nil),      // 19: iam_pb.DeleteUserPolicyRequest
-	(*iam_pb.ListServiceAccountsRequest)(nil),   // 20: iam_pb.ListServiceAccountsRequest
-	(*iam_pb.CreateServiceAccountRequest)(nil),  // 21: iam_pb.CreateServiceAccountRequest
-	(*iam_pb.UpdateServiceAccountRequest)(nil),  // 22: iam_pb.UpdateServiceAccountRequest
-	(*iam_pb.DeleteServiceAccountRequest)(nil),  // 23: iam_pb.DeleteServiceAccountRequest
-	(*iam_pb.GetServiceAccountRequest)(nil),     // 24: iam_pb.GetServiceAccountRequest
-	(*iam_pb.ListUsersResponse)(nil),            // 25: iam_pb.ListUsersResponse
-	(*iam_pb.CreateUserResponse)(nil),           // 26: iam_pb.CreateUserResponse
-	(*iam_pb.GetUserResponse)(nil),              // 27: iam_pb.GetUserResponse
-	(*iam_pb.UpdateUserResponse)(nil),           // 28: iam_pb.UpdateUserResponse
-	(*iam_pb.DeleteUserResponse)(nil),           // 29: iam_pb.DeleteUserResponse
-	(*iam_pb.ListAccessKeysResponse)(nil),       // 30: iam_pb.ListAccessKeysResponse
-	(*iam_pb.CreateAccessKeyResponse)(nil),      // 31: iam_pb.CreateAccessKeyResponse
-	(*iam_pb.DeleteAccessKeyResponse)(nil),      // 32: iam_pb.DeleteAccessKeyResponse
-	(*iam_pb.PutUserPolicyResponse)(nil),        // 33: iam_pb.PutUserPolicyResponse
-	(*iam_pb.GetUserPolicyResponse)(nil),        // 34: iam_pb.GetUserPolicyResponse
-	(*iam_pb.DeleteUserPolicyResponse)(nil),     // 35: iam_pb.DeleteUserPolicyResponse
-	(*iam_pb.ListServiceAccountsResponse)(nil),  // 36: iam_pb.ListServiceAccountsResponse
-	(*iam_pb.CreateServiceAccountResponse)(nil), // 37: iam_pb.CreateServiceAccountResponse
-	(*iam_pb.UpdateServiceAccountResponse)(nil), // 38: iam_pb.UpdateServiceAccountResponse
-	(*iam_pb.DeleteServiceAccountResponse)(nil), // 39: iam_pb.DeleteServiceAccountResponse
-	(*iam_pb.GetServiceAccountResponse)(nil),    // 40: iam_pb.GetServiceAccountResponse
+	(*S3CircuitBreakerConfig)(nil),        // 0: messaging_pb.S3CircuitBreakerConfig
+	(*S3CircuitBreakerOptions)(nil),       // 1: messaging_pb.S3CircuitBreakerOptions
+	(*CORSRule)(nil),                      // 2: messaging_pb.CORSRule
+	(*CORSConfiguration)(nil),             // 3: messaging_pb.CORSConfiguration
+	(*BucketMetadata)(nil),                // 4: messaging_pb.BucketMetadata
+	(*EncryptionConfiguration)(nil),       // 5: messaging_pb.EncryptionConfiguration
+	nil,                                   // 6: messaging_pb.S3CircuitBreakerConfig.BucketsEntry
+	nil,                                   // 7: messaging_pb.S3CircuitBreakerOptions.ActionsEntry
+	nil,                                   // 8: messaging_pb.BucketMetadata.TagsEntry
+	(*iam_pb.PutIdentityRequest)(nil),     // 9: iam_pb.PutIdentityRequest
+	(*iam_pb.RemoveIdentityRequest)(nil),  // 10: iam_pb.RemoveIdentityRequest
+	(*iam_pb.PutPolicyRequest)(nil),       // 11: iam_pb.PutPolicyRequest
+	(*iam_pb.GetPolicyRequest)(nil),       // 12: iam_pb.GetPolicyRequest
+	(*iam_pb.ListPoliciesRequest)(nil),    // 13: iam_pb.ListPoliciesRequest
+	(*iam_pb.DeletePolicyRequest)(nil),    // 14: iam_pb.DeletePolicyRequest
+	(*iam_pb.PutIdentityResponse)(nil),    // 15: iam_pb.PutIdentityResponse
+	(*iam_pb.RemoveIdentityResponse)(nil), // 16: iam_pb.RemoveIdentityResponse
+	(*iam_pb.PutPolicyResponse)(nil),      // 17: iam_pb.PutPolicyResponse
+	(*iam_pb.GetPolicyResponse)(nil),      // 18: iam_pb.GetPolicyResponse
+	(*iam_pb.ListPoliciesResponse)(nil),   // 19: iam_pb.ListPoliciesResponse
+	(*iam_pb.DeletePolicyResponse)(nil),   // 20: iam_pb.DeletePolicyResponse
 }
 var file_s3_proto_depIdxs = []int32{
 	1,  // 0: messaging_pb.S3CircuitBreakerConfig.global:type_name -> messaging_pb.S3CircuitBreakerOptions
@@ -503,40 +469,20 @@ var file_s3_proto_depIdxs = []int32{
 	3,  // 5: messaging_pb.BucketMetadata.cors:type_name -> messaging_pb.CORSConfiguration
 	5,  // 6: messaging_pb.BucketMetadata.encryption:type_name -> messaging_pb.EncryptionConfiguration
 	1,  // 7: messaging_pb.S3CircuitBreakerConfig.BucketsEntry.value:type_name -> messaging_pb.S3CircuitBreakerOptions
-	9,  // 8: messaging_pb.SeaweedS3.ListUsers:input_type -> iam_pb.ListUsersRequest
-	10, // 9: messaging_pb.SeaweedS3.CreateUser:input_type -> iam_pb.CreateUserRequest
-	11, // 10: messaging_pb.SeaweedS3.GetUser:input_type -> iam_pb.GetUserRequest
-	12, // 11: messaging_pb.SeaweedS3.UpdateUser:input_type -> iam_pb.UpdateUserRequest
-	13, // 12: messaging_pb.SeaweedS3.DeleteUser:input_type -> iam_pb.DeleteUserRequest
-	14, // 13: messaging_pb.SeaweedS3.ListAccessKeys:input_type -> iam_pb.ListAccessKeysRequest
-	15, // 14: messaging_pb.SeaweedS3.CreateAccessKey:input_type -> iam_pb.CreateAccessKeyRequest
-	16, // 15: messaging_pb.SeaweedS3.DeleteAccessKey:input_type -> iam_pb.DeleteAccessKeyRequest
-	17, // 16: messaging_pb.SeaweedS3.PutUserPolicy:input_type -> iam_pb.PutUserPolicyRequest
-	18, // 17: messaging_pb.SeaweedS3.GetUserPolicy:input_type -> iam_pb.GetUserPolicyRequest
-	19, // 18: messaging_pb.SeaweedS3.DeleteUserPolicy:input_type -> iam_pb.DeleteUserPolicyRequest
-	20, // 19: messaging_pb.SeaweedS3.ListServiceAccounts:input_type -> iam_pb.ListServiceAccountsRequest
-	21, // 20: messaging_pb.SeaweedS3.CreateServiceAccount:input_type -> iam_pb.CreateServiceAccountRequest
-	22, // 21: messaging_pb.SeaweedS3.UpdateServiceAccount:input_type -> iam_pb.UpdateServiceAccountRequest
-	23, // 22: messaging_pb.SeaweedS3.DeleteServiceAccount:input_type -> iam_pb.DeleteServiceAccountRequest
-	24, // 23: messaging_pb.SeaweedS3.GetServiceAccount:input_type -> iam_pb.GetServiceAccountRequest
-	25, // 24: messaging_pb.SeaweedS3.ListUsers:output_type -> iam_pb.ListUsersResponse
-	26, // 25: messaging_pb.SeaweedS3.CreateUser:output_type -> iam_pb.CreateUserResponse
-	27, // 26: messaging_pb.SeaweedS3.GetUser:output_type -> iam_pb.GetUserResponse
-	28, // 27: messaging_pb.SeaweedS3.UpdateUser:output_type -> iam_pb.UpdateUserResponse
-	29, // 28: messaging_pb.SeaweedS3.DeleteUser:output_type -> iam_pb.DeleteUserResponse
-	30, // 29: messaging_pb.SeaweedS3.ListAccessKeys:output_type -> iam_pb.ListAccessKeysResponse
-	31, // 30: messaging_pb.SeaweedS3.CreateAccessKey:output_type -> iam_pb.CreateAccessKeyResponse
-	32, // 31: messaging_pb.SeaweedS3.DeleteAccessKey:output_type -> iam_pb.DeleteAccessKeyResponse
-	33, // 32: messaging_pb.SeaweedS3.PutUserPolicy:output_type -> iam_pb.PutUserPolicyResponse
-	34, // 33: messaging_pb.SeaweedS3.GetUserPolicy:output_type -> iam_pb.GetUserPolicyResponse
-	35, // 34: messaging_pb.SeaweedS3.DeleteUserPolicy:output_type -> iam_pb.DeleteUserPolicyResponse
-	36, // 35: messaging_pb.SeaweedS3.ListServiceAccounts:output_type -> iam_pb.ListServiceAccountsResponse
-	37, // 36: messaging_pb.SeaweedS3.CreateServiceAccount:output_type -> iam_pb.CreateServiceAccountResponse
-	38, // 37: messaging_pb.SeaweedS3.UpdateServiceAccount:output_type -> iam_pb.UpdateServiceAccountResponse
-	39, // 38: messaging_pb.SeaweedS3.DeleteServiceAccount:output_type -> iam_pb.DeleteServiceAccountResponse
-	40, // 39: messaging_pb.SeaweedS3.GetServiceAccount:output_type -> iam_pb.GetServiceAccountResponse
-	24, // [24:40] is the sub-list for method output_type
-	8,  // [8:24] is the sub-list for method input_type
+	9,  // 8: messaging_pb.SeaweedS3IamCache.PutIdentity:input_type -> iam_pb.PutIdentityRequest
+	10, // 9: messaging_pb.SeaweedS3IamCache.RemoveIdentity:input_type -> iam_pb.RemoveIdentityRequest
+	11, // 10: messaging_pb.SeaweedS3IamCache.PutPolicy:input_type -> iam_pb.PutPolicyRequest
+	12, // 11: messaging_pb.SeaweedS3IamCache.GetPolicy:input_type -> iam_pb.GetPolicyRequest
+	13, // 12: messaging_pb.SeaweedS3IamCache.ListPolicies:input_type -> iam_pb.ListPoliciesRequest
+	14, // 13: messaging_pb.SeaweedS3IamCache.DeletePolicy:input_type -> iam_pb.DeletePolicyRequest
+	15, // 14: messaging_pb.SeaweedS3IamCache.PutIdentity:output_type -> iam_pb.PutIdentityResponse
+	16, // 15: messaging_pb.SeaweedS3IamCache.RemoveIdentity:output_type -> iam_pb.RemoveIdentityResponse
+	17, // 16: messaging_pb.SeaweedS3IamCache.PutPolicy:output_type -> iam_pb.PutPolicyResponse
+	18, // 17: messaging_pb.SeaweedS3IamCache.GetPolicy:output_type -> iam_pb.GetPolicyResponse
+	19, // 18: messaging_pb.SeaweedS3IamCache.ListPolicies:output_type -> iam_pb.ListPoliciesResponse
+	20, // 19: messaging_pb.SeaweedS3IamCache.DeletePolicy:output_type -> iam_pb.DeletePolicyResponse
+	14, // [14:20] is the sub-list for method output_type
+	8,  // [8:14] is the sub-list for method input_type
 	8,  // [8:8] is the sub-list for extension type_name
 	8,  // [8:8] is the sub-list for extension extendee
 	0,  // [0:8] is the sub-list for field type_name
--- a/weed/pb/s3_pb/s3_grpc.pb.go
+++ b/weed/pb/s3_pb/s3_grpc.pb.go
@@ -20,673 +20,295 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	SeaweedS3_ListUsers_FullMethodName            = "/messaging_pb.SeaweedS3/ListUsers"
-	SeaweedS3_CreateUser_FullMethodName           = "/messaging_pb.SeaweedS3/CreateUser"
-	SeaweedS3_GetUser_FullMethodName              = "/messaging_pb.SeaweedS3/GetUser"
-	SeaweedS3_UpdateUser_FullMethodName           = "/messaging_pb.SeaweedS3/UpdateUser"
-	SeaweedS3_DeleteUser_FullMethodName           = "/messaging_pb.SeaweedS3/DeleteUser"
-	SeaweedS3_ListAccessKeys_FullMethodName       = "/messaging_pb.SeaweedS3/ListAccessKeys"
-	SeaweedS3_CreateAccessKey_FullMethodName      = "/messaging_pb.SeaweedS3/CreateAccessKey"
-	SeaweedS3_DeleteAccessKey_FullMethodName      = "/messaging_pb.SeaweedS3/DeleteAccessKey"
-	SeaweedS3_PutUserPolicy_FullMethodName        = "/messaging_pb.SeaweedS3/PutUserPolicy"
-	SeaweedS3_GetUserPolicy_FullMethodName        = "/messaging_pb.SeaweedS3/GetUserPolicy"
-	SeaweedS3_DeleteUserPolicy_FullMethodName     = "/messaging_pb.SeaweedS3/DeleteUserPolicy"
-	SeaweedS3_ListServiceAccounts_FullMethodName  = "/messaging_pb.SeaweedS3/ListServiceAccounts"
-	SeaweedS3_CreateServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/CreateServiceAccount"
-	SeaweedS3_UpdateServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/UpdateServiceAccount"
-	SeaweedS3_DeleteServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/DeleteServiceAccount"
-	SeaweedS3_GetServiceAccount_FullMethodName    = "/messaging_pb.SeaweedS3/GetServiceAccount"
+	SeaweedS3IamCache_PutIdentity_FullMethodName    = "/messaging_pb.SeaweedS3IamCache/PutIdentity"
+	SeaweedS3IamCache_RemoveIdentity_FullMethodName = "/messaging_pb.SeaweedS3IamCache/RemoveIdentity"
+	SeaweedS3IamCache_PutPolicy_FullMethodName      = "/messaging_pb.SeaweedS3IamCache/PutPolicy"
+	SeaweedS3IamCache_GetPolicy_FullMethodName      = "/messaging_pb.SeaweedS3IamCache/GetPolicy"
+	SeaweedS3IamCache_ListPolicies_FullMethodName   = "/messaging_pb.SeaweedS3IamCache/ListPolicies"
+	SeaweedS3IamCache_DeletePolicy_FullMethodName   = "/messaging_pb.SeaweedS3IamCache/DeletePolicy"
 )

-// SeaweedS3Client is the client API for SeaweedS3 service.
+// SeaweedS3IamCacheClient is the client API for SeaweedS3IamCache service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
-type SeaweedS3Client interface {
-	// Explicit IAM APIs mirroring SeaweedIdentityAccessManagement
-	ListUsers(ctx context.Context, in *iam_pb.ListUsersRequest, opts ...grpc.CallOption) (*iam_pb.ListUsersResponse, error)
-	CreateUser(ctx context.Context, in *iam_pb.CreateUserRequest, opts ...grpc.CallOption) (*iam_pb.CreateUserResponse, error)
-	GetUser(ctx context.Context, in *iam_pb.GetUserRequest, opts ...grpc.CallOption) (*iam_pb.GetUserResponse, error)
-	UpdateUser(ctx context.Context, in *iam_pb.UpdateUserRequest, opts ...grpc.CallOption) (*iam_pb.UpdateUserResponse, error)
-	DeleteUser(ctx context.Context, in *iam_pb.DeleteUserRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserResponse, error)
-	ListAccessKeys(ctx context.Context, in *iam_pb.ListAccessKeysRequest, opts ...grpc.CallOption) (*iam_pb.ListAccessKeysResponse, error)
-	CreateAccessKey(ctx context.Context, in *iam_pb.CreateAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.CreateAccessKeyResponse, error)
-	DeleteAccessKey(ctx context.Context, in *iam_pb.DeleteAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteAccessKeyResponse, error)
-	PutUserPolicy(ctx context.Context, in *iam_pb.PutUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutUserPolicyResponse, error)
-	GetUserPolicy(ctx context.Context, in *iam_pb.GetUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetUserPolicyResponse, error)
-	DeleteUserPolicy(ctx context.Context, in *iam_pb.DeleteUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserPolicyResponse, error)
-	ListServiceAccounts(ctx context.Context, in *iam_pb.ListServiceAccountsRequest, opts ...grpc.CallOption) (*iam_pb.ListServiceAccountsResponse, error)
-	CreateServiceAccount(ctx context.Context, in *iam_pb.CreateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.CreateServiceAccountResponse, error)
-	UpdateServiceAccount(ctx context.Context, in *iam_pb.UpdateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.UpdateServiceAccountResponse, error)
-	DeleteServiceAccount(ctx context.Context, in *iam_pb.DeleteServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.DeleteServiceAccountResponse, error)
-	GetServiceAccount(ctx context.Context, in *iam_pb.GetServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.GetServiceAccountResponse, error)
+//
+// Designed for unidirectional propagation from Filer to S3 Servers
+type SeaweedS3IamCacheClient interface {
+	PutIdentity(ctx context.Context, in *iam_pb.PutIdentityRequest, opts ...grpc.CallOption) (*iam_pb.PutIdentityResponse, error)
+	RemoveIdentity(ctx context.Context, in *iam_pb.RemoveIdentityRequest, opts ...grpc.CallOption) (*iam_pb.RemoveIdentityResponse, error)
+	PutPolicy(ctx context.Context, in *iam_pb.PutPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutPolicyResponse, error)
+	GetPolicy(ctx context.Context, in *iam_pb.GetPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetPolicyResponse, error)
+	ListPolicies(ctx context.Context, in *iam_pb.ListPoliciesRequest, opts ...grpc.CallOption) (*iam_pb.ListPoliciesResponse, error)
+	DeletePolicy(ctx context.Context, in *iam_pb.DeletePolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeletePolicyResponse, error)
 }

-type seaweedS3Client struct {
+type seaweedS3IamCacheClient struct {
 	cc grpc.ClientConnInterface
 }

-func NewSeaweedS3Client(cc grpc.ClientConnInterface) SeaweedS3Client {
-	return &seaweedS3Client{cc}
+func NewSeaweedS3IamCacheClient(cc grpc.ClientConnInterface) SeaweedS3IamCacheClient {
+	return &seaweedS3IamCacheClient{cc}
 }

-func (c *seaweedS3Client) ListUsers(ctx context.Context, in *iam_pb.ListUsersRequest, opts ...grpc.CallOption) (*iam_pb.ListUsersResponse, error) {
+func (c *seaweedS3IamCacheClient) PutIdentity(ctx context.Context, in *iam_pb.PutIdentityRequest, opts ...grpc.CallOption) (*iam_pb.PutIdentityResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.ListUsersResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_ListUsers_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.PutIdentityResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3IamCache_PutIdentity_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *seaweedS3Client) CreateUser(ctx context.Context, in *iam_pb.CreateUserRequest, opts ...grpc.CallOption) (*iam_pb.CreateUserResponse, error) {
+func (c *seaweedS3IamCacheClient) RemoveIdentity(ctx context.Context, in *iam_pb.RemoveIdentityRequest, opts ...grpc.CallOption) (*iam_pb.RemoveIdentityResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.CreateUserResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_CreateUser_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.RemoveIdentityResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3IamCache_RemoveIdentity_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *seaweedS3Client) GetUser(ctx context.Context, in *iam_pb.GetUserRequest, opts ...grpc.CallOption) (*iam_pb.GetUserResponse, error) {
+func (c *seaweedS3IamCacheClient) PutPolicy(ctx context.Context, in *iam_pb.PutPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutPolicyResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.GetUserResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_GetUser_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.PutPolicyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3IamCache_PutPolicy_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *seaweedS3Client) UpdateUser(ctx context.Context, in *iam_pb.UpdateUserRequest, opts ...grpc.CallOption) (*iam_pb.UpdateUserResponse, error) {
+func (c *seaweedS3IamCacheClient) GetPolicy(ctx context.Context, in *iam_pb.GetPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetPolicyResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.UpdateUserResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_UpdateUser_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.GetPolicyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3IamCache_GetPolicy_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *seaweedS3Client) DeleteUser(ctx context.Context, in *iam_pb.DeleteUserRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserResponse, error) {
+func (c *seaweedS3IamCacheClient) ListPolicies(ctx context.Context, in *iam_pb.ListPoliciesRequest, opts ...grpc.CallOption) (*iam_pb.ListPoliciesResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.DeleteUserResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_DeleteUser_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.ListPoliciesResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3IamCache_ListPolicies_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *seaweedS3Client) ListAccessKeys(ctx context.Context, in *iam_pb.ListAccessKeysRequest, opts ...grpc.CallOption) (*iam_pb.ListAccessKeysResponse, error) {
+func (c *seaweedS3IamCacheClient) DeletePolicy(ctx context.Context, in *iam_pb.DeletePolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeletePolicyResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.ListAccessKeysResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_ListAccessKeys_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.DeletePolicyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3IamCache_DeletePolicy_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *seaweedS3Client) CreateAccessKey(ctx context.Context, in *iam_pb.CreateAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.CreateAccessKeyResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.CreateAccessKeyResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_CreateAccessKey_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) DeleteAccessKey(ctx context.Context, in *iam_pb.DeleteAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteAccessKeyResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.DeleteAccessKeyResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_DeleteAccessKey_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) PutUserPolicy(ctx context.Context, in *iam_pb.PutUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutUserPolicyResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.PutUserPolicyResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_PutUserPolicy_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) GetUserPolicy(ctx context.Context, in *iam_pb.GetUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetUserPolicyResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.GetUserPolicyResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_GetUserPolicy_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) DeleteUserPolicy(ctx context.Context, in *iam_pb.DeleteUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserPolicyResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.DeleteUserPolicyResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_DeleteUserPolicy_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) ListServiceAccounts(ctx context.Context, in *iam_pb.ListServiceAccountsRequest, opts ...grpc.CallOption) (*iam_pb.ListServiceAccountsResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.ListServiceAccountsResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_ListServiceAccounts_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) CreateServiceAccount(ctx context.Context, in *iam_pb.CreateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.CreateServiceAccountResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.CreateServiceAccountResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_CreateServiceAccount_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) UpdateServiceAccount(ctx context.Context, in *iam_pb.UpdateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.UpdateServiceAccountResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.UpdateServiceAccountResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_UpdateServiceAccount_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) DeleteServiceAccount(ctx context.Context, in *iam_pb.DeleteServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.DeleteServiceAccountResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.DeleteServiceAccountResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_DeleteServiceAccount_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *seaweedS3Client) GetServiceAccount(ctx context.Context, in *iam_pb.GetServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.GetServiceAccountResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(iam_pb.GetServiceAccountResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_GetServiceAccount_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// SeaweedS3Server is the server API for SeaweedS3 service.
-// All implementations must embed UnimplementedSeaweedS3Server
+// SeaweedS3IamCacheServer is the server API for SeaweedS3IamCache service.
+// All implementations must embed UnimplementedSeaweedS3IamCacheServer
 // for forward compatibility.
-type SeaweedS3Server interface {
-	// Explicit IAM APIs mirroring SeaweedIdentityAccessManagement
-	ListUsers(context.Context, *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error)
-	CreateUser(context.Context, *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error)
-	GetUser(context.Context, *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error)
-	UpdateUser(context.Context, *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error)
-	DeleteUser(context.Context, *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error)
-	ListAccessKeys(context.Context, *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error)
-	CreateAccessKey(context.Context, *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error)
-	DeleteAccessKey(context.Context, *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error)
-	PutUserPolicy(context.Context, *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error)
-	GetUserPolicy(context.Context, *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error)
-	DeleteUserPolicy(context.Context, *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error)
-	ListServiceAccounts(context.Context, *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error)
-	CreateServiceAccount(context.Context, *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error)
-	UpdateServiceAccount(context.Context, *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error)
-	DeleteServiceAccount(context.Context, *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error)
-	GetServiceAccount(context.Context, *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error)
-	mustEmbedUnimplementedSeaweedS3Server()
+//
+// Designed for unidirectional propagation from Filer to S3 Servers
+type SeaweedS3IamCacheServer interface {
+	PutIdentity(context.Context, *iam_pb.PutIdentityRequest) (*iam_pb.PutIdentityResponse, error)
+	RemoveIdentity(context.Context, *iam_pb.RemoveIdentityRequest) (*iam_pb.RemoveIdentityResponse, error)
+	PutPolicy(context.Context, *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error)
+	GetPolicy(context.Context, *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error)
+	ListPolicies(context.Context, *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error)
+	DeletePolicy(context.Context, *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error)
+	mustEmbedUnimplementedSeaweedS3IamCacheServer()
 }

-// UnimplementedSeaweedS3Server must be embedded to have
+// UnimplementedSeaweedS3IamCacheServer must be embedded to have
 // forward compatible implementations.
 //
 // NOTE: this should be embedded by value instead of pointer to avoid a nil
 // pointer dereference when methods are called.
-type UnimplementedSeaweedS3Server struct{}
+type UnimplementedSeaweedS3IamCacheServer struct{}

-func (UnimplementedSeaweedS3Server) ListUsers(context.Context, *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ListUsers not implemented")
+func (UnimplementedSeaweedS3IamCacheServer) PutIdentity(context.Context, *iam_pb.PutIdentityRequest) (*iam_pb.PutIdentityResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PutIdentity not implemented")
 }
-func (UnimplementedSeaweedS3Server) CreateUser(context.Context, *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method CreateUser not implemented")
+func (UnimplementedSeaweedS3IamCacheServer) RemoveIdentity(context.Context, *iam_pb.RemoveIdentityRequest) (*iam_pb.RemoveIdentityResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RemoveIdentity not implemented")
 }
-func (UnimplementedSeaweedS3Server) GetUser(context.Context, *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetUser not implemented")
+func (UnimplementedSeaweedS3IamCacheServer) PutPolicy(context.Context, *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PutPolicy not implemented")
 }
-func (UnimplementedSeaweedS3Server) UpdateUser(context.Context, *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UpdateUser not implemented")
+func (UnimplementedSeaweedS3IamCacheServer) GetPolicy(context.Context, *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetPolicy not implemented")
 }
-func (UnimplementedSeaweedS3Server) DeleteUser(context.Context, *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteUser not implemented")
+func (UnimplementedSeaweedS3IamCacheServer) ListPolicies(context.Context, *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListPolicies not implemented")
 }
-func (UnimplementedSeaweedS3Server) ListAccessKeys(context.Context, *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ListAccessKeys not implemented")
+func (UnimplementedSeaweedS3IamCacheServer) DeletePolicy(context.Context, *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeletePolicy not implemented")
 }
-func (UnimplementedSeaweedS3Server) CreateAccessKey(context.Context, *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method CreateAccessKey not implemented")
-}
-func (UnimplementedSeaweedS3Server) DeleteAccessKey(context.Context, *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteAccessKey not implemented")
-}
-func (UnimplementedSeaweedS3Server) PutUserPolicy(context.Context, *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method PutUserPolicy not implemented")
-}
-func (UnimplementedSeaweedS3Server) GetUserPolicy(context.Context, *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetUserPolicy not implemented")
-}
-func (UnimplementedSeaweedS3Server) DeleteUserPolicy(context.Context, *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteUserPolicy not implemented")
-}
-func (UnimplementedSeaweedS3Server) ListServiceAccounts(context.Context, *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ListServiceAccounts not implemented")
-}
-func (UnimplementedSeaweedS3Server) CreateServiceAccount(context.Context, *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method CreateServiceAccount not implemented")
-}
-func (UnimplementedSeaweedS3Server) UpdateServiceAccount(context.Context, *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UpdateServiceAccount not implemented")
-}
-func (UnimplementedSeaweedS3Server) DeleteServiceAccount(context.Context, *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteServiceAccount not implemented")
-}
-func (UnimplementedSeaweedS3Server) GetServiceAccount(context.Context, *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetServiceAccount not implemented")
-}
-func (UnimplementedSeaweedS3Server) mustEmbedUnimplementedSeaweedS3Server() {}
-func (UnimplementedSeaweedS3Server) testEmbeddedByValue()                   {}
+func (UnimplementedSeaweedS3IamCacheServer) mustEmbedUnimplementedSeaweedS3IamCacheServer() {}
+func (UnimplementedSeaweedS3IamCacheServer) testEmbeddedByValue()                           {}

-// UnsafeSeaweedS3Server may be embedded to opt out of forward compatibility for this service.
-// Use of this interface is not recommended, as added methods to SeaweedS3Server will
+// UnsafeSeaweedS3IamCacheServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SeaweedS3IamCacheServer will
 // result in compilation errors.
-type UnsafeSeaweedS3Server interface {
-	mustEmbedUnimplementedSeaweedS3Server()
+type UnsafeSeaweedS3IamCacheServer interface {
+	mustEmbedUnimplementedSeaweedS3IamCacheServer()
 }

-func RegisterSeaweedS3Server(s grpc.ServiceRegistrar, srv SeaweedS3Server) {
-	// If the following call pancis, it indicates UnimplementedSeaweedS3Server was
+func RegisterSeaweedS3IamCacheServer(s grpc.ServiceRegistrar, srv SeaweedS3IamCacheServer) {
+	// If the following call pancis, it indicates UnimplementedSeaweedS3IamCacheServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
 	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
 		t.testEmbeddedByValue()
 	}
-	s.RegisterService(&SeaweedS3_ServiceDesc, srv)
+	s.RegisterService(&SeaweedS3IamCache_ServiceDesc, srv)
 }

-func _SeaweedS3_ListUsers_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.ListUsersRequest)
+func _SeaweedS3IamCache_PutIdentity_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.PutIdentityRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).ListUsers(ctx, in)
+		return srv.(SeaweedS3IamCacheServer).PutIdentity(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_ListUsers_FullMethodName,
+		FullMethod: SeaweedS3IamCache_PutIdentity_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).ListUsers(ctx, req.(*iam_pb.ListUsersRequest))
+		return srv.(SeaweedS3IamCacheServer).PutIdentity(ctx, req.(*iam_pb.PutIdentityRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _SeaweedS3_CreateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.CreateUserRequest)
+func _SeaweedS3IamCache_RemoveIdentity_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.RemoveIdentityRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).CreateUser(ctx, in)
+		return srv.(SeaweedS3IamCacheServer).RemoveIdentity(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_CreateUser_FullMethodName,
+		FullMethod: SeaweedS3IamCache_RemoveIdentity_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).CreateUser(ctx, req.(*iam_pb.CreateUserRequest))
+		return srv.(SeaweedS3IamCacheServer).RemoveIdentity(ctx, req.(*iam_pb.RemoveIdentityRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _SeaweedS3_GetUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.GetUserRequest)
+func _SeaweedS3IamCache_PutPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.PutPolicyRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).GetUser(ctx, in)
+		return srv.(SeaweedS3IamCacheServer).PutPolicy(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_GetUser_FullMethodName,
+		FullMethod: SeaweedS3IamCache_PutPolicy_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).GetUser(ctx, req.(*iam_pb.GetUserRequest))
+		return srv.(SeaweedS3IamCacheServer).PutPolicy(ctx, req.(*iam_pb.PutPolicyRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _SeaweedS3_UpdateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.UpdateUserRequest)
+func _SeaweedS3IamCache_GetPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.GetPolicyRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).UpdateUser(ctx, in)
+		return srv.(SeaweedS3IamCacheServer).GetPolicy(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_UpdateUser_FullMethodName,
+		FullMethod: SeaweedS3IamCache_GetPolicy_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).UpdateUser(ctx, req.(*iam_pb.UpdateUserRequest))
+		return srv.(SeaweedS3IamCacheServer).GetPolicy(ctx, req.(*iam_pb.GetPolicyRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _SeaweedS3_DeleteUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.DeleteUserRequest)
+func _SeaweedS3IamCache_ListPolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.ListPoliciesRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).DeleteUser(ctx, in)
+		return srv.(SeaweedS3IamCacheServer).ListPolicies(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_DeleteUser_FullMethodName,
+		FullMethod: SeaweedS3IamCache_ListPolicies_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).DeleteUser(ctx, req.(*iam_pb.DeleteUserRequest))
+		return srv.(SeaweedS3IamCacheServer).ListPolicies(ctx, req.(*iam_pb.ListPoliciesRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _SeaweedS3_ListAccessKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.ListAccessKeysRequest)
+func _SeaweedS3IamCache_DeletePolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.DeletePolicyRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).ListAccessKeys(ctx, in)
+		return srv.(SeaweedS3IamCacheServer).DeletePolicy(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_ListAccessKeys_FullMethodName,
+		FullMethod: SeaweedS3IamCache_DeletePolicy_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).ListAccessKeys(ctx, req.(*iam_pb.ListAccessKeysRequest))
+		return srv.(SeaweedS3IamCacheServer).DeletePolicy(ctx, req.(*iam_pb.DeletePolicyRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _SeaweedS3_CreateAccessKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.CreateAccessKeyRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).CreateAccessKey(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_CreateAccessKey_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).CreateAccessKey(ctx, req.(*iam_pb.CreateAccessKeyRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_DeleteAccessKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.DeleteAccessKeyRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).DeleteAccessKey(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_DeleteAccessKey_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).DeleteAccessKey(ctx, req.(*iam_pb.DeleteAccessKeyRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_PutUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.PutUserPolicyRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).PutUserPolicy(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_PutUserPolicy_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).PutUserPolicy(ctx, req.(*iam_pb.PutUserPolicyRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_GetUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.GetUserPolicyRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).GetUserPolicy(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_GetUserPolicy_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).GetUserPolicy(ctx, req.(*iam_pb.GetUserPolicyRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_DeleteUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.DeleteUserPolicyRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).DeleteUserPolicy(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_DeleteUserPolicy_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).DeleteUserPolicy(ctx, req.(*iam_pb.DeleteUserPolicyRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_ListServiceAccounts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.ListServiceAccountsRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).ListServiceAccounts(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_ListServiceAccounts_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).ListServiceAccounts(ctx, req.(*iam_pb.ListServiceAccountsRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_CreateServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.CreateServiceAccountRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).CreateServiceAccount(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_CreateServiceAccount_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).CreateServiceAccount(ctx, req.(*iam_pb.CreateServiceAccountRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_UpdateServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.UpdateServiceAccountRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).UpdateServiceAccount(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_UpdateServiceAccount_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).UpdateServiceAccount(ctx, req.(*iam_pb.UpdateServiceAccountRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_DeleteServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.DeleteServiceAccountRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).DeleteServiceAccount(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_DeleteServiceAccount_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).DeleteServiceAccount(ctx, req.(*iam_pb.DeleteServiceAccountRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _SeaweedS3_GetServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(iam_pb.GetServiceAccountRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SeaweedS3Server).GetServiceAccount(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: SeaweedS3_GetServiceAccount_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).GetServiceAccount(ctx, req.(*iam_pb.GetServiceAccountRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-// SeaweedS3_ServiceDesc is the grpc.ServiceDesc for SeaweedS3 service.
+// SeaweedS3IamCache_ServiceDesc is the grpc.ServiceDesc for SeaweedS3IamCache service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
-var SeaweedS3_ServiceDesc = grpc.ServiceDesc{
-	ServiceName: "messaging_pb.SeaweedS3",
-	HandlerType: (*SeaweedS3Server)(nil),
+var SeaweedS3IamCache_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "messaging_pb.SeaweedS3IamCache",
+	HandlerType: (*SeaweedS3IamCacheServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{
-			MethodName: "ListUsers",
-			Handler:    _SeaweedS3_ListUsers_Handler,
+			MethodName: "PutIdentity",
+			Handler:    _SeaweedS3IamCache_PutIdentity_Handler,
 		},
 		{
-			MethodName: "CreateUser",
-			Handler:    _SeaweedS3_CreateUser_Handler,
+			MethodName: "RemoveIdentity",
+			Handler:    _SeaweedS3IamCache_RemoveIdentity_Handler,
 		},
 		{
-			MethodName: "GetUser",
-			Handler:    _SeaweedS3_GetUser_Handler,
+			MethodName: "PutPolicy",
+			Handler:    _SeaweedS3IamCache_PutPolicy_Handler,
 		},
 		{
-			MethodName: "UpdateUser",
-			Handler:    _SeaweedS3_UpdateUser_Handler,
+			MethodName: "GetPolicy",
+			Handler:    _SeaweedS3IamCache_GetPolicy_Handler,
 		},
 		{
-			MethodName: "DeleteUser",
-			Handler:    _SeaweedS3_DeleteUser_Handler,
+			MethodName: "ListPolicies",
+			Handler:    _SeaweedS3IamCache_ListPolicies_Handler,
 		},
 		{
-			MethodName: "ListAccessKeys",
-			Handler:    _SeaweedS3_ListAccessKeys_Handler,
-		},
-		{
-			MethodName: "CreateAccessKey",
-			Handler:    _SeaweedS3_CreateAccessKey_Handler,
-		},
-		{
-			MethodName: "DeleteAccessKey",
-			Handler:    _SeaweedS3_DeleteAccessKey_Handler,
-		},
-		{
-			MethodName: "PutUserPolicy",
-			Handler:    _SeaweedS3_PutUserPolicy_Handler,
-		},
-		{
-			MethodName: "GetUserPolicy",
-			Handler:    _SeaweedS3_GetUserPolicy_Handler,
-		},
-		{
-			MethodName: "DeleteUserPolicy",
-			Handler:    _SeaweedS3_DeleteUserPolicy_Handler,
-		},
-		{
-			MethodName: "ListServiceAccounts",
-			Handler:    _SeaweedS3_ListServiceAccounts_Handler,
-		},
-		{
-			MethodName: "CreateServiceAccount",
-			Handler:    _SeaweedS3_CreateServiceAccount_Handler,
-		},
-		{
-			MethodName: "UpdateServiceAccount",
-			Handler:    _SeaweedS3_UpdateServiceAccount_Handler,
-		},
-		{
-			MethodName: "DeleteServiceAccount",
-			Handler:    _SeaweedS3_DeleteServiceAccount_Handler,
-		},
-		{
-			MethodName: "GetServiceAccount",
-			Handler:    _SeaweedS3_GetServiceAccount_Handler,
+			MethodName: "DeletePolicy",
+			Handler:    _SeaweedS3IamCache_DeletePolicy_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},