gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
baae672b6f18e077ebcc9f09d396b2df29ecd786
seaweedFS/weed/server/filer_server_handlers_iam_grpc.go
Chris Lu 551a31e156 Implement IAM propagation to S3 servers (#8130) 
* Implement IAM propagation to S3 servers

- Add PropagatingCredentialStore to propagate IAM changes to S3 servers via gRPC
- Add Policy management RPCs to S3 proto and S3ApiServer
- Update CredentialManager to use PropagatingCredentialStore when MasterClient is available
- Wire FilerServer to enable propagation

* Implement parallel IAM propagation and fix S3 cluster registration

- Parallelized IAM change propagation with 10s timeout.
- Refined context usage in PropagatingCredentialStore.
- Added S3Type support to cluster node management.
- Enabled S3 servers to register with gRPC address to the master.
- Ensured IAM configuration reload after policy updates via gRPC.

* Optimize IAM propagation with direct in-memory cache updates

* Secure IAM propagation: Use metadata to skip persistence only on propagation

* pb: refactor IAM and S3 services for unidirectional IAM propagation

- Move SeaweedS3IamCache service from iam.proto to s3.proto.
- Remove legacy IAM management RPCs and empty SeaweedS3 service from s3.proto.
- Enforce that S3 servers only use the synchronization interface.

* pb: regenerate Go code for IAM and S3 services

Updated generated code following the proto refactoring of IAM synchronization services.

* s3api: implement read-only mode for Embedded IAM API

- Add readOnly flag to EmbeddedIamApi to reject write operations via HTTP.
- Enable read-only mode by default in S3ApiServer.
- Handle AccessDenied error in writeIamErrorResponse.
- Embed SeaweedS3IamCacheServer in S3ApiServer.

* credential: refactor PropagatingCredentialStore for unidirectional IAM flow

- Update to use s3_pb.SeaweedS3IamCacheClient for propagation to S3 servers.
- Propagate full Identity object via PutIdentity for consistency.
- Remove redundant propagation of specific user/account/policy management RPCs.
- Add timeout context for propagation calls.

* s3api: implement SeaweedS3IamCacheServer for unidirectional sync

- Update S3ApiServer to implement the cache synchronization gRPC interface.
- Methods (PutIdentity, RemoveIdentity, etc.) now perform direct in-memory cache updates.
- Register SeaweedS3IamCacheServer in command/s3.go.
- Remove registration for the legacy and now empty SeaweedS3 service.

* s3api: update tests for read-only IAM and propagation

- Added TestEmbeddedIamReadOnly to verify rejection of write operations in read-only mode.
- Update test setup to pass readOnly=false to NewEmbeddedIamApi in routing tests.
- Updated EmbeddedIamApiForTest helper with read-only checks matching production behavior.

* s3api: add back temporary debug logs for IAM updates

Log IAM updates received via:
- gRPC propagation (PutIdentity, PutPolicy, etc.)
- Metadata configuration reloads (LoadS3ApiConfigurationFromCredentialManager)
- Core identity management (UpsertIdentity, RemoveIdentity)

* IAM: finalize propagation fix with reduced logging and clarified architecture

* Allow configuring IAM read-only mode for S3 server integration tests

* s3api: add defensive validation to UpsertIdentity

* s3api: fix log message to reference correct IAM read-only flag

* test/s3/iam: ensure WaitForS3Service checks for IAM write permissions

* test: enable writable IAM in Makefile for integration tests

* IAM: add GetPolicy/ListPolicies RPCs to s3.proto

* S3: add GetBucketPolicy and ListBucketPolicies helpers

* S3: support storing generic IAM policies in IdentityAccessManagement

* S3: implement IAM policy RPCs using IdentityAccessManagement

* IAM: fix stale user identity on rename propagation
2026-01-26 22:59:43 -08:00

481 lines
16 KiB
Go
Raw Blame History

package weed_server
import (
"context"
"encoding/json"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
// IamGrpcServer implements the IAM gRPC service on the filer
type IamGrpcServer struct {
iam_pb.UnimplementedSeaweedIdentityAccessManagementServer
credentialManager *credential.CredentialManager
}
// NewIamGrpcServer creates a new IAM gRPC server
func NewIamGrpcServer(credentialManager *credential.CredentialManager) *IamGrpcServer {
return &IamGrpcServer{
credentialManager: credentialManager,
}
}
//////////////////////////////////////////////////
// Configuration Management
func (s *IamGrpcServer) GetConfiguration(ctx context.Context, req *iam_pb.GetConfigurationRequest) (*iam_pb.GetConfigurationResponse, error) {
glog.V(4).Infof("GetConfiguration")
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
config, err := s.credentialManager.LoadConfiguration(ctx)
if err != nil {
glog.Errorf("Failed to load configuration: %v", err)
return nil, err
}
return &iam_pb.GetConfigurationResponse{
Configuration: config,
}, nil
}
func (s *IamGrpcServer) PutConfiguration(ctx context.Context, req *iam_pb.PutConfigurationRequest) (*iam_pb.PutConfigurationResponse, error) {
glog.V(4).Infof("PutConfiguration")
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
if req.Configuration == nil {
return nil, status.Errorf(codes.InvalidArgument, "configuration is nil")
}
err := s.credentialManager.SaveConfiguration(ctx, req.Configuration)
if err != nil {
glog.Errorf("Failed to save configuration: %v", err)
return nil, err
}
return &iam_pb.PutConfigurationResponse{}, nil
}
//////////////////////////////////////////////////
// User Management
func (s *IamGrpcServer) CreateUser(ctx context.Context, req *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) {
if req == nil || req.Identity == nil {
return nil, status.Errorf(codes.InvalidArgument, "identity is required")
}
glog.V(4).Infof("IAM: Filer.CreateUser %s", req.Identity.Name)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.CreateUser(ctx, req.Identity)
if err != nil {
if err == credential.ErrUserAlreadyExists {
return nil, status.Errorf(codes.AlreadyExists, "user %s already exists", req.Identity.Name)
}
glog.Errorf("Failed to create user %s: %v", req.Identity.Name, err)
return nil, status.Errorf(codes.Internal, "failed to create user: %v", err)
}
return &iam_pb.CreateUserResponse{}, nil
}
func (s *IamGrpcServer) GetUser(ctx context.Context, req *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) {
glog.V(4).Infof("GetUser: %s", req.Username)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
identity, err := s.credentialManager.GetUser(ctx, req.Username)
if err != nil {
if err == credential.ErrUserNotFound {
return nil, status.Errorf(codes.NotFound, "user %s not found", req.Username)
}
glog.Errorf("Failed to get user %s: %v", req.Username, err)
return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
}
return &iam_pb.GetUserResponse{
Identity: identity,
}, nil
}
func (s *IamGrpcServer) UpdateUser(ctx context.Context, req *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) {
if req == nil || req.Identity == nil {
return nil, status.Errorf(codes.InvalidArgument, "identity is required")
}
glog.V(4).Infof("IAM: Filer.UpdateUser %s", req.Username)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.UpdateUser(ctx, req.Username, req.Identity)
if err != nil {
if err == credential.ErrUserNotFound {
return nil, status.Errorf(codes.NotFound, "user %s not found", req.Username)
}
glog.Errorf("Failed to update user %s: %v", req.Username, err)
return nil, status.Errorf(codes.Internal, "failed to update user: %v", err)
}
return &iam_pb.UpdateUserResponse{}, nil
}
func (s *IamGrpcServer) DeleteUser(ctx context.Context, req *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) {
glog.V(4).Infof("IAM: Filer.DeleteUser %s", req.Username)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.DeleteUser(ctx, req.Username)
if err != nil {
if err == credential.ErrUserNotFound {
return nil, status.Errorf(codes.NotFound, "user %s not found", req.Username)
}
glog.Errorf("Failed to delete user %s: %v", req.Username, err)
return nil, status.Errorf(codes.Internal, "failed to delete user: %v", err)
}
return &iam_pb.DeleteUserResponse{}, nil
}
func (s *IamGrpcServer) ListUsers(ctx context.Context, req *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) {
glog.V(4).Infof("ListUsers")
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
usernames, err := s.credentialManager.ListUsers(ctx)
if err != nil {
glog.Errorf("Failed to list users: %v", err)
return nil, err
}
return &iam_pb.ListUsersResponse{
Usernames: usernames,
}, nil
}
//////////////////////////////////////////////////
// Access Key Management
func (s *IamGrpcServer) CreateAccessKey(ctx context.Context, req *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) {
if req == nil || req.Credential == nil {
return nil, status.Errorf(codes.InvalidArgument, "credential is required")
}
glog.V(4).Infof("CreateAccessKey for user: %s", req.Username)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.CreateAccessKey(ctx, req.Username, req.Credential)
if err != nil {
if err == credential.ErrUserNotFound {
return nil, status.Errorf(codes.NotFound, "user %s not found", req.Username)
}
glog.Errorf("Failed to create access key for user %s: %v", req.Username, err)
return nil, status.Errorf(codes.Internal, "failed to create access key: %v", err)
}
return &iam_pb.CreateAccessKeyResponse{}, nil
}
func (s *IamGrpcServer) DeleteAccessKey(ctx context.Context, req *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) {
glog.V(4).Infof("DeleteAccessKey: %s for user: %s", req.AccessKey, req.Username)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.DeleteAccessKey(ctx, req.Username, req.AccessKey)
if err != nil {
if err == credential.ErrUserNotFound {
return nil, status.Errorf(codes.NotFound, "user %s not found", req.Username)
}
if err == credential.ErrAccessKeyNotFound {
return nil, status.Errorf(codes.NotFound, "access key %s not found", req.AccessKey)
}
glog.Errorf("Failed to delete access key %s for user %s: %v", req.AccessKey, req.Username, err)
return nil, status.Errorf(codes.Internal, "failed to delete access key: %v", err)
}
return &iam_pb.DeleteAccessKeyResponse{}, nil
}
func (s *IamGrpcServer) GetUserByAccessKey(ctx context.Context, req *iam_pb.GetUserByAccessKeyRequest) (*iam_pb.GetUserByAccessKeyResponse, error) {
glog.V(4).Infof("GetUserByAccessKey: %s", req.AccessKey)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
identity, err := s.credentialManager.GetUserByAccessKey(ctx, req.AccessKey)
if err != nil {
if err == credential.ErrAccessKeyNotFound {
return nil, status.Errorf(codes.NotFound, "access key %s not found", req.AccessKey)
}
glog.Errorf("Failed to get user by access key %s: %v", req.AccessKey, err)
return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
}
return &iam_pb.GetUserByAccessKeyResponse{
Identity: identity,
}, nil
}
//////////////////////////////////////////////////
// Policy Management
func (s *IamGrpcServer) PutPolicy(ctx context.Context, req *iam_pb.PutPolicyRequest) (*iam_pb.PutPolicyResponse, error) {
glog.V(4).Infof("IAM: Filer.PutPolicy %s", req.Name)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
if req.Name == "" {
return nil, status.Errorf(codes.InvalidArgument, "policy name is required")
}
if err := credential.ValidatePolicyName(req.Name); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "%v", err)
}
if req.Content == "" {
return nil, status.Errorf(codes.InvalidArgument, "policy content is required")
}
var policy policy_engine.PolicyDocument
if err := json.Unmarshal([]byte(req.Content), &policy); err != nil {
glog.Errorf("Failed to unmarshal policy %s: %v", req.Name, err)
return nil, err
}
err := s.credentialManager.PutPolicy(ctx, req.Name, policy)
if err != nil {
glog.Errorf("Failed to put policy %s: %v", req.Name, err)
return nil, err
}
return &iam_pb.PutPolicyResponse{}, nil
}
func (s *IamGrpcServer) GetPolicy(ctx context.Context, req *iam_pb.GetPolicyRequest) (*iam_pb.GetPolicyResponse, error) {
glog.V(4).Infof("GetPolicy: %s", req.Name)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
policy, err := s.credentialManager.GetPolicy(ctx, req.Name)
if err != nil {
glog.Errorf("Failed to get policy %s: %v", req.Name, err)
return nil, err
}
if policy == nil {
return nil, status.Errorf(codes.NotFound, "policy %s not found", req.Name)
}
jsonBytes, err := json.Marshal(policy)
if err != nil {
glog.Errorf("Failed to marshal policy %s: %v", req.Name, err)
return nil, err
}
return &iam_pb.GetPolicyResponse{
Name: req.Name,
Content: string(jsonBytes),
}, nil
}
func (s *IamGrpcServer) ListPolicies(ctx context.Context, req *iam_pb.ListPoliciesRequest) (*iam_pb.ListPoliciesResponse, error) {
glog.V(4).Infof("ListPolicies")
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
policiesData, err := s.credentialManager.GetPolicies(ctx)
if err != nil {
glog.Errorf("Failed to list policies: %v", err)
return nil, err
}
var policies []*iam_pb.Policy
for name, policy := range policiesData {
jsonBytes, err := json.Marshal(policy)
if err != nil {
return nil, status.Errorf(codes.Internal, "failed to marshal policy %s: %v", name, err)
}
policies = append(policies, &iam_pb.Policy{
Name: name,
Content: string(jsonBytes),
})
}
return &iam_pb.ListPoliciesResponse{
Policies: policies,
}, nil
}
func (s *IamGrpcServer) DeletePolicy(ctx context.Context, req *iam_pb.DeletePolicyRequest) (*iam_pb.DeletePolicyResponse, error) {
glog.V(4).Infof("DeletePolicy: %s", req.Name)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.DeletePolicy(ctx, req.Name)
if err != nil {
glog.Errorf("Failed to delete policy %s: %v", req.Name, err)
return nil, err
}
return &iam_pb.DeletePolicyResponse{}, nil
}
//////////////////////////////////////////////////
// Service Account Management
func (s *IamGrpcServer) CreateServiceAccount(ctx context.Context, req *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) {
if req == nil || req.ServiceAccount == nil {
return nil, status.Errorf(codes.InvalidArgument, "service account is required")
}
if err := credential.ValidateServiceAccountId(req.ServiceAccount.Id); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "%v", err)
}
glog.V(4).Infof("CreateServiceAccount: %s", req.ServiceAccount.Id)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.CreateServiceAccount(ctx, req.ServiceAccount)
if err != nil {
glog.Errorf("Failed to create service account %s: %v", req.ServiceAccount.Id, err)
return nil, status.Errorf(codes.Internal, "failed to create service account: %v", err)
}
return &iam_pb.CreateServiceAccountResponse{}, nil
}
func (s *IamGrpcServer) UpdateServiceAccount(ctx context.Context, req *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) {
if req == nil || req.ServiceAccount == nil {
return nil, status.Errorf(codes.InvalidArgument, "service account is required")
}
glog.V(4).Infof("UpdateServiceAccount: %s", req.Id)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.UpdateServiceAccount(ctx, req.Id, req.ServiceAccount)
if err != nil {
glog.Errorf("Failed to update service account %s: %v", req.Id, err)
return nil, status.Errorf(codes.Internal, "failed to update service account: %v", err)
}
return &iam_pb.UpdateServiceAccountResponse{}, nil
}
func (s *IamGrpcServer) DeleteServiceAccount(ctx context.Context, req *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) {
glog.V(4).Infof("DeleteServiceAccount: %s", req.Id)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
err := s.credentialManager.DeleteServiceAccount(ctx, req.Id)
if err != nil {
if err == credential.ErrServiceAccountNotFound {
return nil, status.Errorf(codes.NotFound, "service account %s not found", req.Id)
}
glog.Errorf("Failed to delete service account %s: %v", req.Id, err)
return nil, status.Errorf(codes.Internal, "failed to delete service account: %v", err)
}
return &iam_pb.DeleteServiceAccountResponse{}, nil
}
func (s *IamGrpcServer) GetServiceAccount(ctx context.Context, req *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) {
glog.V(4).Infof("GetServiceAccount: %s", req.Id)
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
sa, err := s.credentialManager.GetServiceAccount(ctx, req.Id)
if err != nil {
glog.Errorf("Failed to get service account %s: %v", req.Id, err)
return nil, status.Errorf(codes.Internal, "failed to get service account: %v", err)
}
if sa == nil {
return nil, status.Errorf(codes.NotFound, "service account %s not found", req.Id)
}
return &iam_pb.GetServiceAccountResponse{
ServiceAccount: sa,
}, nil
}
func (s *IamGrpcServer) ListServiceAccounts(ctx context.Context, req *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) {
glog.V(4).Infof("ListServiceAccounts")
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
accounts, err := s.credentialManager.ListServiceAccounts(ctx)
if err != nil {
glog.Errorf("Failed to list service accounts: %v", err)
return nil, status.Errorf(codes.Internal, "failed to list service accounts: %v", err)
}
return &iam_pb.ListServiceAccountsResponse{
ServiceAccounts: accounts,
}, nil
}
func (s *IamGrpcServer) GetServiceAccountByAccessKey(ctx context.Context, req *iam_pb.GetServiceAccountByAccessKeyRequest) (*iam_pb.GetServiceAccountByAccessKeyResponse, error) {
if req == nil {
return nil, status.Errorf(codes.InvalidArgument, "request is required")
}
glog.V(4).Infof("GetServiceAccountByAccessKey: %s", req.AccessKey)
if req.AccessKey == "" {
return nil, status.Errorf(codes.InvalidArgument, "access key is required")
}
if s.credentialManager == nil {
return nil, status.Errorf(codes.FailedPrecondition, "credential manager is not configured")
}
sa, err := s.credentialManager.GetStore().GetServiceAccountByAccessKey(ctx, req.AccessKey)
if err != nil {
if err == credential.ErrAccessKeyNotFound {
return nil, status.Errorf(codes.NotFound, "access key %s not found", req.AccessKey)
}
glog.Errorf("Failed to get service account by access key %s: %v", req.AccessKey, err)
return nil, status.Errorf(codes.Internal, "failed to get service account: %v", err)
}
return &iam_pb.GetServiceAccountByAccessKeyResponse{
ServiceAccount: sa,
}, nil
}
Reference in New Issue View Git Blame Copy Permalink