e9c45144cf
* Persist managed IAM policies * Add IAM list/get policy integration test * Faster marker lookup and cleanup * Handle delete conflict and improve listing * Add delete-in-use policy integration test * Stabilize policy ID and guard path prefix * Tighten CreatePolicy guard and reload * Add ListPolicyNames to credential store
280 lines
8.1 KiB
Go
280 lines
8.1 KiB
Go
package filer_etc
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"strings"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
|
"github.com/seaweedfs/seaweedfs/weed/filer"
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
)
|
|
|
|
const (
|
|
IamPoliciesDirectory = "policies"
|
|
IamLegacyPoliciesOldFile = "policies.json.old"
|
|
)
|
|
|
|
type PoliciesCollection struct {
|
|
Policies map[string]policy_engine.PolicyDocument `json:"policies"`
|
|
}
|
|
|
|
func validatePolicyName(name string) error {
|
|
return credential.ValidatePolicyName(name)
|
|
}
|
|
|
|
// GetPolicies retrieves all IAM policies from the filer
|
|
func (store *FilerEtcStore) GetPolicies(ctx context.Context) (map[string]policy_engine.PolicyDocument, error) {
|
|
policies := make(map[string]policy_engine.PolicyDocument)
|
|
|
|
// Check if filer client is configured (with mutex protection)
|
|
store.mu.RLock()
|
|
configured := store.filerAddressFunc != nil
|
|
store.mu.RUnlock()
|
|
|
|
if !configured {
|
|
glog.V(1).Infof("Filer client not configured for policy retrieval, returning empty policies")
|
|
return policies, nil
|
|
}
|
|
|
|
glog.V(2).Infof("Loading IAM policies from %s/%s (using current active filer)",
|
|
filer.IamConfigDirectory, filer.IamPoliciesFile)
|
|
|
|
// 1. Load from legacy single file (low priority)
|
|
content, foundLegacy, err := store.readInsideFiler(filer.IamConfigDirectory, filer.IamPoliciesFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if foundLegacy && len(content) > 0 {
|
|
policiesCollection := &PoliciesCollection{
|
|
Policies: make(map[string]policy_engine.PolicyDocument),
|
|
}
|
|
if err := json.Unmarshal(content, policiesCollection); err != nil {
|
|
glog.Errorf("Failed to parse legacy IAM policies from %s/%s: %v",
|
|
filer.IamConfigDirectory, filer.IamPoliciesFile, err)
|
|
} else {
|
|
for name, policy := range policiesCollection.Policies {
|
|
policies[name] = policy
|
|
}
|
|
}
|
|
}
|
|
|
|
// 2. Load from multi-file structure (high priority, overrides legacy)
|
|
if err := store.loadPoliciesFromMultiFile(ctx, policies); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// 3. Perform migration if we loaded legacy config
|
|
if foundLegacy {
|
|
if err := store.migratePoliciesToMultiFile(ctx, policies); err != nil {
|
|
glog.Errorf("Failed to migrate IAM policies to multi-file layout: %v", err)
|
|
return policies, err
|
|
}
|
|
}
|
|
|
|
return policies, nil
|
|
}
|
|
|
|
func (store *FilerEtcStore) loadPoliciesFromMultiFile(ctx context.Context, policies map[string]policy_engine.PolicyDocument) error {
|
|
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
|
dir := filer.IamConfigDirectory + "/" + IamPoliciesDirectory
|
|
entries, err := listEntries(ctx, client, dir)
|
|
if err != nil {
|
|
if err == filer_pb.ErrNotFound {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
for _, entry := range entries {
|
|
if entry.IsDirectory {
|
|
continue
|
|
}
|
|
|
|
var content []byte
|
|
if len(entry.Content) > 0 {
|
|
content = entry.Content
|
|
} else {
|
|
c, err := filer.ReadInsideFiler(client, dir, entry.Name)
|
|
if err != nil {
|
|
glog.Warningf("Failed to read policy file %s: %v", entry.Name, err)
|
|
continue
|
|
}
|
|
content = c
|
|
}
|
|
|
|
if len(content) > 0 {
|
|
var policy policy_engine.PolicyDocument
|
|
if err := json.Unmarshal(content, &policy); err != nil {
|
|
glog.Warningf("Failed to unmarshal policy %s: %v", entry.Name, err)
|
|
continue
|
|
}
|
|
|
|
// The file name is "policyName.json"
|
|
policyName := entry.Name
|
|
if len(policyName) > 5 && policyName[len(policyName)-5:] == ".json" {
|
|
policyName = policyName[:len(policyName)-5]
|
|
policies[policyName] = policy
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func (store *FilerEtcStore) migratePoliciesToMultiFile(ctx context.Context, policies map[string]policy_engine.PolicyDocument) error {
|
|
glog.Infof("Migrating IAM policies to multi-file layout...")
|
|
|
|
// 1. Save all policies to individual files
|
|
for name, policy := range policies {
|
|
if err := store.savePolicy(ctx, name, policy); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// 2. Rename legacy file
|
|
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
|
_, err := client.AtomicRenameEntry(ctx, &filer_pb.AtomicRenameEntryRequest{
|
|
OldDirectory: filer.IamConfigDirectory,
|
|
OldName: filer.IamPoliciesFile,
|
|
NewDirectory: filer.IamConfigDirectory,
|
|
NewName: IamLegacyPoliciesOldFile,
|
|
})
|
|
if err != nil {
|
|
glog.Errorf("Failed to rename legacy IAM policies file %s/%s to %s: %v",
|
|
filer.IamConfigDirectory, filer.IamPoliciesFile, IamLegacyPoliciesOldFile, err)
|
|
}
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (store *FilerEtcStore) savePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error {
|
|
if err := validatePolicyName(name); err != nil {
|
|
return err
|
|
}
|
|
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
|
data, err := json.Marshal(document)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return filer.SaveInsideFiler(client, filer.IamConfigDirectory+"/"+IamPoliciesDirectory, name+".json", data)
|
|
})
|
|
}
|
|
|
|
// CreatePolicy creates a new IAM policy in the filer
|
|
func (store *FilerEtcStore) CreatePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error {
|
|
return store.savePolicy(ctx, name, document)
|
|
}
|
|
|
|
// UpdatePolicy updates an existing IAM policy in the filer
|
|
func (store *FilerEtcStore) UpdatePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error {
|
|
return store.savePolicy(ctx, name, document)
|
|
}
|
|
|
|
// PutPolicy creates or updates an IAM policy in the filer
|
|
func (store *FilerEtcStore) PutPolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error {
|
|
return store.UpdatePolicy(ctx, name, document)
|
|
}
|
|
|
|
// DeletePolicy deletes an IAM policy from the filer
|
|
func (store *FilerEtcStore) DeletePolicy(ctx context.Context, name string) error {
|
|
if err := validatePolicyName(name); err != nil {
|
|
return err
|
|
}
|
|
return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
|
_, err := client.DeleteEntry(ctx, &filer_pb.DeleteEntryRequest{
|
|
Directory: filer.IamConfigDirectory + "/" + IamPoliciesDirectory,
|
|
Name: name + ".json",
|
|
})
|
|
if err != nil && !strings.Contains(err.Error(), filer_pb.ErrNotFound.Error()) {
|
|
return err
|
|
}
|
|
return nil
|
|
})
|
|
}
|
|
|
|
// GetPolicy retrieves a specific IAM policy by name from the filer
|
|
func (store *FilerEtcStore) GetPolicy(ctx context.Context, name string) (*policy_engine.PolicyDocument, error) {
|
|
if err := validatePolicyName(name); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var policy *policy_engine.PolicyDocument
|
|
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
|
data, err := filer.ReadInsideFiler(client, filer.IamConfigDirectory+"/"+IamPoliciesDirectory, name+".json")
|
|
if err != nil {
|
|
if err == filer_pb.ErrNotFound {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
if len(data) == 0 {
|
|
return nil
|
|
}
|
|
policy = &policy_engine.PolicyDocument{}
|
|
return json.Unmarshal(data, policy)
|
|
})
|
|
|
|
if policy != nil {
|
|
return policy, err
|
|
}
|
|
|
|
// fallback to full list if single file read fails (e.g. before migration completes or if partially migrated)
|
|
// Although migration should happen on first GetPolicies call.
|
|
policies, err := store.GetPolicies(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if p, exists := policies[name]; exists {
|
|
return &p, nil
|
|
}
|
|
|
|
return nil, nil // Policy not found
|
|
}
|
|
|
|
// ListPolicyNames returns all managed policy names stored in the filer.
|
|
func (store *FilerEtcStore) ListPolicyNames(ctx context.Context) ([]string, error) {
|
|
names := make([]string, 0)
|
|
|
|
store.mu.RLock()
|
|
configured := store.filerAddressFunc != nil
|
|
store.mu.RUnlock()
|
|
|
|
if !configured {
|
|
return names, nil
|
|
}
|
|
|
|
err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
|
|
dir := filer.IamConfigDirectory + "/" + IamPoliciesDirectory
|
|
entries, err := listEntries(ctx, client, dir)
|
|
if err != nil {
|
|
if err == filer_pb.ErrNotFound {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
for _, entry := range entries {
|
|
if entry.IsDirectory {
|
|
continue
|
|
}
|
|
name := entry.Name
|
|
if strings.HasSuffix(name, ".json") {
|
|
name = name[:len(name)-5]
|
|
}
|
|
names = append(names, name)
|
|
}
|
|
|
|
return nil
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return names, nil
|
|
}
|