From 8b52d70012659eb3f73a3e8c2d27b789c3bf4c5d Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Sun, 9 May 2021 08:14:19 -0700
Subject: [PATCH] fix: IAM not initialized then checkKeyValid() should return 503s (#12260)

currently GetUser() returns 403 when IAM is not initialized this can lead to applications crashing, instead return 503 so that the applications can retry and backoff. fixes #12078
---
 cmd/admin-handlers_test.go | 2 ++
 cmd/auth-handler_test.go | 12 ++++++++++++
 cmd/signature-v4-utils.go | 6 ++++++
 cmd/test-utils_test.go | 10 ++++++++++
 4 files changed, 30 insertions(+)
diff --git a/cmd/admin-handlers_test.go b/cmd/admin-handlers_test.go
index 6f451a1fe..861620747 100644
--- a/cmd/admin-handlers_test.go
+++ b/cmd/admin-handlers_test.go
@@ -73,6 +73,8 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro
 initAllSubsystems(ctx, objLayer)
+ globalIAMSys.InitStore(objLayer)
+
 // Setup admin mgmt REST API handlers.
 adminRouter := mux.NewRouter()
 registerAdminRouter(adminRouter, true, true)
diff --git a/cmd/auth-handler_test.go b/cmd/auth-handler_test.go
index 84357751b..f8b3a917b 100644
--- a/cmd/auth-handler_test.go
+++ b/cmd/auth-handler_test.go
@@ -357,6 +357,12 @@ func TestIsReqAuthenticated(t *testing.T) {
 t.Fatalf("unable initialize config file, %s", err)
 }
+ newAllSubsystems()
+ initAllSubsystems(context.Background(), objLayer)
+ globalIAMSys.InitStore(objLayer)
+
 creds, err := auth.CreateCredentials("myuser", "mypassword")
 if err != nil {
 t.Fatalf("unable create credential, %s", err)
@@ -442,6 +448,12 @@ func TestValidateAdminSignature(t *testing.T) {
 t.Fatalf("unable initialize config file, %s", err)
 }
+ newAllSubsystems()
+ initAllSubsystems(context.Background(), objLayer)
+ globalIAMSys.InitStore(objLayer)
+
 creds, err := auth.CreateCredentials("admin", "mypassword")
 if err != nil {
 t.Fatalf("unable create credential, %s", err)
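Review bot: Every test hunk in this patch, including TestIsReqAuthenticated and TestValidateAdminSignature here, now calls `globalIAMSys.InitStore(objLayer)` before authenticating, so nothing visible exercises the new not-initialized branch of checkKeyValid. A regression test for the behaviour the commit is about would pin it, for example a case that runs before InitStore and asserts `s3Err == ErrServerNotInitialized` from `checkKeyValid(creds.AccessKey)`; whether `Initialized()` is false right after `newAllSubsystems()` needs confirming, since that code is outside the diff. Both test functions continue beyond their hunks.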
diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index a601273a4..6a86883e1 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -121,6 +121,12 @@ func isValidRegion(reqRegion string, confRegion string) bool {
 // check if the access key is valid and recognized, additionally
 // also returns if the access key is owner/admin.
 func checkKeyValid(accessKey string) (auth.Credentials, bool, APIErrorCode) {
+ if !globalIAMSys.Initialized() && !globalIsGateway {
+ // Check if server has initialized, then only proceed
+ // to check for IAM users otherwise its okay for clients
+ // to retry with 503 errors when server is coming up.
+ return auth.Credentials{}, false, ErrServerNotInitialized
+ }
 var owner = true
 var cred = globalActiveCred
 if cred.AccessKey != accessKey {
diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go
index 0961b7eb8..767001e79 100644
--- a/cmd/test-utils_test.go
+++ b/cmd/test-utils_test.go
@@ -352,6 +352,8 @@ func UnstartedTestServer(t TestErrHandler, instanceType string) TestServer {
 initAllSubsystems(ctx, objLayer)
+ globalIAMSys.InitStore(objLayer)
+
 return testServer
 }
@@ -1571,6 +1573,8 @@ func newTestObjectLayer(ctx context.Context, endpointServerPools EndpointServerP
 initAllSubsystems(ctx, z)
+ globalIAMSys.InitStore(z)
+
 return z, nil
 }
@@ -1617,6 +1621,8 @@ func initAPIHandlerTest(obj ObjectLayer, endpoints []string) (string, http.Handl
 initAllSubsystems(context.Background(), obj)
+ globalIAMSys.InitStore(obj)
+
 // get random bucket name.
 bucketName := getRandomBucketName()
@@ -1909,6 +1915,8 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
 initAllSubsystems(ctx, objLayer)
+ globalIAMSys.InitStore(objLayer)
+
 // Executing the object layer tests for single node setup.
 objTest(objLayer, FSTestStr, t)
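Review bot: In checkKeyValid (cmd/signature-v4-utils.go) the new guard sits ahead of the `cred.AccessKey != accessKey` comparison, so a request signed with the root credential in `globalActiveCred` is also answered with ErrServerNotInitialized, although that path does not appear to need an IAM lookup. If IAM start-up stalls, the operator presumably has no authenticated way in, so consider moving the check inside that branch: `if cred.AccessKey != accessKey {` followed by `if !globalIAMSys.Initialized() && !globalIsGateway { return auth.Credentials{}, false, ErrServerNotInitialized }`. Either placement stays fail-closed, since no credential is returned while the store is unready. The `!globalIsGateway` exemption also deserves a line in the comment saying why gateway mode may continue to the user lookup with IAM uninitialized. The function body continues past the end of the hunk, so the lookup inside the branch is not visible here.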
@@ -1928,6 +1936,8 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
 initAllSubsystems(ctx, objLayer)
+ globalIAMSys.InitStore(objLayer)
+
 defer removeRoots(append(fsDirs, fsDir))
 // Executing the object layer tests for Erasure.
 objTest(objLayer, ErasureTestStr, t)