gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: enable dual loading of static and dynamic IAM configuration

Browse Source 
Refactored `NewIdentityAccessManagementWithStore` to remove mutual
exclusivity between static (file-based) and dynamic (filer-based)
configuration loading.

Previously, if a static config configuration was present (including the
legacy `IamConfig` option used by `weed mini`), it prevented loading
users from the filer.

Now, the system loads the static configuration first (if present), and
then *always* attempts to merge in the dynamic configuration from the
filer. This ensures that:
1. Static users (e.g. from `weed mini` env vars or `-s3.config`) are loaded and protected.
2. Dynamic users (e.g. created via Admin UI and stored in Filer) are also loaded and available.
This commit is contained in:
Chris Lu
2026-01-08 20:22:04 -08:00
parent 451b897d56
commit 7f1182472a
1 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
weed/s3api/auth_credentials.go
View File

@@ -186,18 +186,21 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
}
configLoaded = len(iam.identities) > 0
iam.m.Unlock()
} else {
glog.V(3).Infof("no static config file specified... loading config from credential manager")
if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
glog.Warningf("fail to load config: %v", err)
}
// Only consider config loaded if we actually have identities
// Don't block environment variable fallback just because filer call succeeded
iam.m.RLock()
configLoaded = len(iam.identities) > 0
iam.m.RUnlock()
}
// Always try to load/merge config from credential manager (filer)
// This ensures we get both static users (from file) and dynamic users (from filer)
glog.V(3).Infof("loading dynamic config from credential manager")
if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
glog.Warningf("fail to load config: %v", err)
}
// Only consider config loaded if we actually have identities
// Don't block environment variable fallback just because filer call succeeded
iam.m.RLock()
configLoaded = len(iam.identities) > 0
iam.m.RUnlock()
// Only use environment variables as fallback if no configuration was loaded
if !configLoaded {
accessKeyId := os.Getenv("AWS_ACCESS_KEY_ID")