7b8df39cf7
* iam: add XML responses for managed user policy APIs * s3api: implement attach/detach/list attached user policies * s3api: add embedded IAM tests for managed user policies * iam: update CredentialStore interface and Manager for managed policies Updated the `CredentialStore` interface to include `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies` methods. The `CredentialManager` was updated to delegate these calls to the store. Added common error variables for policy management. * iam: implement managed policy methods in MemoryStore Implemented `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies` in the MemoryStore. Also ensured deep copying of identities includes PolicyNames. * iam: implement managed policy methods in PostgresStore Modified Postgres schema to include `policy_names` JSONB column in `users`. Implemented `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies`. Updated user CRUD operations to handle policy names persistence. * iam: implement managed policy methods in remaining stores Implemented user policy management in: - `FilerEtcStore` (partial implementation) - `IamGrpcStore` (delegated via GetUser/UpdateUser) - `PropagatingCredentialStore` (to broadcast updates) Ensures cluster-wide consistency for policy attachments. * s3api: refactor EmbeddedIamApi to use managed policy APIs - Refactored `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies` to use `e.credentialManager` directly. - Fixed a critical error suppression bug in `ExecuteAction` that always returned success even on failure. - Implemented robust error matching using string comparison fallbacks. - Improved consistency by reloading configuration after policy changes. * s3api: update and refine IAM integration tests - Updated tests to use a real `MemoryStore`-backed `CredentialManager`. - Refined test configuration synchronization using `sync.Once` and manual deep-copying to prevent state corruption. - Improved `extractEmbeddedIamErrorCodeAndMessage` to handle more XML formats robustly. - Adjusted test expectations to match current AWS IAM behavior. * fix compilation * visibility * ensure 10 policies * reload * add integration tests * Guard raft command registration * Allow IAM actions in policy tests * Validate gRPC policy attachments * Revert Validate gRPC policy attachments * Tighten gRPC policy attach/detach * Improve IAM managed policy handling * Improve managed policy filters
175 lines
4.7 KiB
Go
175 lines
4.7 KiB
Go
package postgres
|
|
|
|
import (
|
|
"database/sql"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
|
"github.com/seaweedfs/seaweedfs/weed/util"
|
|
|
|
_ "github.com/jackc/pgx/v5/stdlib"
|
|
)
|
|
|
|
func init() {
|
|
credential.Stores = append(credential.Stores, &PostgresStore{})
|
|
}
|
|
|
|
// PostgresStore implements CredentialStore using PostgreSQL
|
|
type PostgresStore struct {
|
|
db *sql.DB
|
|
configured bool
|
|
}
|
|
|
|
func (store *PostgresStore) GetName() credential.CredentialStoreTypeName {
|
|
return credential.StoreTypePostgres
|
|
}
|
|
|
|
func (store *PostgresStore) Initialize(configuration util.Configuration, prefix string) error {
|
|
if store.configured {
|
|
return nil
|
|
}
|
|
|
|
hostname := configuration.GetString(prefix + "hostname")
|
|
port := configuration.GetInt(prefix + "port")
|
|
username := configuration.GetString(prefix + "username")
|
|
password := configuration.GetString(prefix + "password")
|
|
database := configuration.GetString(prefix + "database")
|
|
schema := configuration.GetString(prefix + "schema")
|
|
sslmode := configuration.GetString(prefix + "sslmode")
|
|
|
|
// Set defaults
|
|
if hostname == "" {
|
|
hostname = "localhost"
|
|
}
|
|
if port == 0 {
|
|
port = 5432
|
|
}
|
|
if schema == "" {
|
|
schema = "public"
|
|
}
|
|
if sslmode == "" {
|
|
sslmode = "disable"
|
|
}
|
|
|
|
// Build pgx-optimized connection string
|
|
// Note: prefer_simple_protocol=true is only needed for PgBouncer, not direct PostgreSQL connections
|
|
connStr := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=%s search_path=%s",
|
|
hostname, port, username, password, database, sslmode, schema)
|
|
|
|
db, err := sql.Open("pgx", connStr)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to open database: %w", err)
|
|
}
|
|
|
|
// Test connection
|
|
if err := db.Ping(); err != nil {
|
|
db.Close()
|
|
return fmt.Errorf("failed to ping database: %w", err)
|
|
}
|
|
|
|
// Set connection pool settings
|
|
db.SetMaxOpenConns(25)
|
|
db.SetMaxIdleConns(5)
|
|
db.SetConnMaxLifetime(5 * time.Minute)
|
|
|
|
store.db = db
|
|
|
|
// Create tables if they don't exist
|
|
if err := store.createTables(); err != nil {
|
|
db.Close()
|
|
return fmt.Errorf("failed to create tables: %w", err)
|
|
}
|
|
|
|
store.configured = true
|
|
return nil
|
|
}
|
|
|
|
func (store *PostgresStore) createTables() error {
|
|
// Create users table
|
|
usersTable := `
|
|
CREATE TABLE IF NOT EXISTS users (
|
|
username VARCHAR(255) PRIMARY KEY,
|
|
email VARCHAR(255),
|
|
account_data JSONB,
|
|
actions JSONB,
|
|
policy_names JSONB DEFAULT '[]',
|
|
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
|
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
|
|
);
|
|
CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
|
|
`
|
|
|
|
// Migration: Add policy_names column if it doesn't exist (for existing installations)
|
|
addPolicyNamesColumn := `
|
|
ALTER TABLE users ADD COLUMN IF NOT EXISTS policy_names JSONB DEFAULT '[]';
|
|
`
|
|
|
|
// Create credentials table
|
|
credentialsTable := `
|
|
CREATE TABLE IF NOT EXISTS credentials (
|
|
id SERIAL PRIMARY KEY,
|
|
username VARCHAR(255) REFERENCES users(username) ON DELETE CASCADE,
|
|
access_key VARCHAR(255) UNIQUE NOT NULL,
|
|
secret_key VARCHAR(255) NOT NULL,
|
|
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
|
|
);
|
|
CREATE INDEX IF NOT EXISTS idx_credentials_username ON credentials(username);
|
|
CREATE INDEX IF NOT EXISTS idx_credentials_access_key ON credentials(access_key);
|
|
`
|
|
|
|
// Create policies table
|
|
policiesTable := `
|
|
CREATE TABLE IF NOT EXISTS policies (
|
|
name VARCHAR(255) PRIMARY KEY,
|
|
document JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
|
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
|
|
);
|
|
CREATE INDEX IF NOT EXISTS idx_policies_name ON policies(name);
|
|
`
|
|
|
|
// Create service_accounts table
|
|
serviceAccountsTable := `
|
|
CREATE TABLE IF NOT EXISTS service_accounts (
|
|
id VARCHAR(255) PRIMARY KEY,
|
|
access_key VARCHAR(255) UNIQUE,
|
|
content JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
|
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
|
|
);
|
|
`
|
|
|
|
// Execute table creation
|
|
if _, err := store.db.Exec(usersTable); err != nil {
|
|
return fmt.Errorf("failed to create users table: %w", err)
|
|
}
|
|
|
|
// Run migration to add policy_names column for existing installations
|
|
if _, err := store.db.Exec(addPolicyNamesColumn); err != nil {
|
|
return fmt.Errorf("failed to add policy_names column: %w", err)
|
|
}
|
|
|
|
if _, err := store.db.Exec(credentialsTable); err != nil {
|
|
return fmt.Errorf("failed to create credentials table: %w", err)
|
|
}
|
|
|
|
if _, err := store.db.Exec(policiesTable); err != nil {
|
|
return fmt.Errorf("failed to create policies table: %w", err)
|
|
}
|
|
|
|
if _, err := store.db.Exec(serviceAccountsTable); err != nil {
|
|
return fmt.Errorf("failed to create service_accounts table: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (store *PostgresStore) Shutdown() {
|
|
if store.db != nil {
|
|
store.db.Close()
|
|
store.db = nil
|
|
}
|
|
store.configured = false
|
|
}
|