diff --git a/cmd/api-errors.go b/cmd/api-errors.go
index 8c34445bb..1f0c4cd29 100644
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -445,6 +445,8 @@ const (
 ErrAdminNoAccessKey
 ErrAdminNoSecretKey
+ ErrIAMNotInitialized
+
 apiErrCodeEnd // This is used only for the testing code
 )
@@ -1305,6 +1307,11 @@ var errorCodes = errorCodeMap{
 Description: "Server not initialized yet, please try again.",
 HTTPStatusCode: http.StatusServiceUnavailable,
 },
+ ErrIAMNotInitialized: {
+ Code: "XMinioIAMNotInitialized",
+ Description: "IAM sub-system not initialized yet, please try again.",
+ HTTPStatusCode: http.StatusServiceUnavailable,
+ },
 ErrBucketMetadataNotInitialized: {
 Code: "XMinioBucketMetadataNotInitialized",
 Description: "Bucket metadata not initialized yet, please try again.",
diff --git a/cmd/apierrorcode_string.go b/cmd/apierrorcode_string.go
index 7ededb229..fbbc6618b 100644
--- a/cmd/apierrorcode_string.go
+++ b/cmd/apierrorcode_string.go
@@ -334,12 +334,13 @@ func _() { _ = x[ErrInvalidAttributeName-323] _ = x[ErrAdminNoAccessKey-324] _ = x[ErrAdminNoSecretKey-325] - _ = x[apiErrCodeEnd-326] + _ = x[ErrIAMNotInitialized-326] + _ = x[apiErrCodeEnd-327] } -const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidArgumentInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorRemoteTargetDenyAddErrorReplicationNoExistingObjectsReplicationValidationErrorReplicationPermissionCheckErrorObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderMissingPartAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegio
nInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataUnsupportedHostHeaderMaximumExpiresSlowDownReadSlowDownWriteMaxVersionsExceededInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedExcessDataInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionKMSDefaultKeyAlreadyConfiguredNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameInvalidLifecycleQueryParameterServerNotInitializedBucketMetadataNotInitializedRequestTimedoutClientDisconnectedTooManyRequestsInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchUserLDAPWarnAdminLDAPExpectedLoginNameAdminNoSuchGroupAdminGroupNotEmptyAdminGroupDisabledAdminInvalidGroupNameAdminNoSuchJobAdminNoS
uchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidIDPTypeAdminConfigLDAPNonDefaultConfigNameAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistInsecureClientRequestObjectTamperedAdminLDAPNotEnabledSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingSiteReplicationIAMConfigMismatchAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParen
AfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAggregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAddUserValidUTFAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksumLambdaARNInvalidLambdaARNNotFoundInvalidAttributeNameAdminNoAccessKeyAdminNoSecretKeyapiErrCodeEnd" +const _APIErrorCode_name = 
"NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidArgumentInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorRemoteTargetDenyAddErrorReplicationNoExistingObjectsReplicationValidationErrorReplicationPermissionCheckErrorObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderMissingPartAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeaders
MissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataUnsupportedHostHeaderMaximumExpiresSlowDownReadSlowDownWriteMaxVersionsExceededInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedExcessDataInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionKMSDefaultKeyAlreadyConfiguredNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameInvalidLifecycleQueryParameterServerNotInitializedBucketMetadataNotInitializedRequestTimedoutClientDisconnectedTooManyRequestsInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchUserLDAPWarnAdminLDAPExpectedLoginNameAdminNoSuchGroupAdminGroupNotEmptyAdminGroupDisabledAdminInvalidGroupNameAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidI
DPTypeAdminConfigLDAPNonDefaultConfigNameAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistInsecureClientRequestObjectTamperedAdminLDAPNotEnabledSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingSiteReplicationIAMConfigMismatchAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasP
arseUnsupportedCallWithStarParseNonUnaryAggregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAddUserValidUTFAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksumLambdaARNInvalidLambdaARNNotFoundInvalidAttributeNameAdminNoAccessKeyAdminNoSecretKeyIAMNotInitializedapiErrCodeEnd" -var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 144, 161, 174, 186, 208, 228, 254, 268, 289, 306, 321, 344, 361, 379, 396, 420, 435, 456, 474, 486, 506, 523, 546, 567, 579, 597, 618, 646, 676, 697, 720, 746, 783, 813, 846, 871, 903, 933, 962, 987, 1009, 1035, 1057, 1085, 1114, 1148, 1179, 1216, 1240, 1264, 1292, 1318, 1349, 1379, 1388, 1400, 1416, 1429, 1443, 1461, 1481, 1502, 1518, 1529, 1545, 1556, 1584, 1604, 1620, 1648, 1662, 1679, 1699, 1712, 1726, 1739, 1752, 1768, 1785, 1806, 1820, 1841, 1854, 1876, 1899, 1915, 1930, 1945, 1966, 1984, 1999, 2016, 2041, 2059, 2082, 2097, 2116, 2132, 2151, 2172, 2186, 2198, 2211, 2230, 2249, 2259, 2274, 2310, 2341, 2374, 2403, 2415, 2435, 2459, 2483, 2504, 2528, 2547, 2568, 2585, 2595, 2618, 2640, 2666, 2687, 2705, 2732, 2763, 2790, 2811, 2832, 2856, 2881, 2909, 2937, 2953, 2976, 3006, 3017, 3029, 3046, 
3061, 3079, 3108, 3125, 3141, 3157, 3175, 3193, 3216, 3237, 3260, 3271, 3287, 3310, 3327, 3355, 3374, 3404, 3424, 3452, 3467, 3485, 3500, 3514, 3549, 3568, 3579, 3592, 3607, 3630, 3656, 3672, 3690, 3708, 3729, 3743, 3760, 3791, 3811, 3832, 3853, 3872, 3891, 3909, 3932, 3956, 3980, 4005, 4040, 4065, 4099, 4132, 4153, 4167, 4186, 4215, 4238, 4265, 4299, 4331, 4361, 4384, 4412, 4444, 4472, 4496, 4520, 4549, 4567, 4584, 4606, 4623, 4641, 4661, 4687, 4703, 4722, 4743, 4747, 4765, 4782, 4808, 4822, 4846, 4867, 4882, 4900, 4923, 4938, 4957, 4974, 4991, 5015, 5042, 5065, 5088, 5105, 5127, 5143, 5163, 5182, 5204, 5225, 5245, 5267, 5291, 5310, 5352, 5373, 5396, 5417, 5448, 5467, 5489, 5509, 5535, 5556, 5578, 5598, 5622, 5645, 5664, 5684, 5706, 5729, 5760, 5798, 5839, 5869, 5883, 5904, 5920, 5942, 5972, 5998, 6026, 6060, 6078, 6101, 6136, 6176, 6218, 6250, 6267, 6292, 6307, 6324, 6334, 6345, 6383, 6437, 6483, 6535, 6583, 6626, 6670, 6698, 6712, 6730, 6766, 6789, 6812, 6834, 6849, 6877, 6900, 6918, 6945, 6977, 6992, 7008, 7025, 7045, 7061, 7077, 7090} +var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 144, 161, 174, 186, 208, 228, 254, 268, 289, 306, 321, 344, 361, 379, 396, 420, 435, 456, 474, 486, 506, 523, 546, 567, 579, 597, 618, 646, 676, 697, 720, 746, 783, 813, 846, 871, 903, 933, 962, 987, 1009, 1035, 1057, 1085, 1114, 1148, 1179, 1216, 1240, 1264, 1292, 1318, 1349, 1379, 1388, 1400, 1416, 1429, 1443, 1461, 1481, 1502, 1518, 1529, 1545, 1556, 1584, 1604, 1620, 1648, 1662, 1679, 1699, 1712, 1726, 1739, 1752, 1768, 1785, 1806, 1820, 1841, 1854, 1876, 1899, 1915, 1930, 1945, 1966, 1984, 1999, 2016, 2041, 2059, 2082, 2097, 2116, 2132, 2151, 2172, 2186, 2198, 2211, 2230, 2249, 2259, 2274, 2310, 2341, 2374, 2403, 2415, 2435, 2459, 2483, 2504, 2528, 2547, 2568, 2585, 2595, 2618, 2640, 2666, 2687, 2705, 2732, 2763, 2790, 2811, 2832, 2856, 2881, 2909, 2937, 2953, 2976, 3006, 3017, 3029, 3046, 3061, 3079, 3108, 3125, 3141, 3157, 3175, 3193, 3216, 
3237, 3260, 3271, 3287, 3310, 3327, 3355, 3374, 3404, 3424, 3452, 3467, 3485, 3500, 3514, 3549, 3568, 3579, 3592, 3607, 3630, 3656, 3672, 3690, 3708, 3729, 3743, 3760, 3791, 3811, 3832, 3853, 3872, 3891, 3909, 3932, 3956, 3980, 4005, 4040, 4065, 4099, 4132, 4153, 4167, 4186, 4215, 4238, 4265, 4299, 4331, 4361, 4384, 4412, 4444, 4472, 4496, 4520, 4549, 4567, 4584, 4606, 4623, 4641, 4661, 4687, 4703, 4722, 4743, 4747, 4765, 4782, 4808, 4822, 4846, 4867, 4882, 4900, 4923, 4938, 4957, 4974, 4991, 5015, 5042, 5065, 5088, 5105, 5127, 5143, 5163, 5182, 5204, 5225, 5245, 5267, 5291, 5310, 5352, 5373, 5396, 5417, 5448, 5467, 5489, 5509, 5535, 5556, 5578, 5598, 5622, 5645, 5664, 5684, 5706, 5729, 5760, 5798, 5839, 5869, 5883, 5904, 5920, 5942, 5972, 5998, 6026, 6060, 6078, 6101, 6136, 6176, 6218, 6250, 6267, 6292, 6307, 6324, 6334, 6345, 6383, 6437, 6483, 6535, 6583, 6626, 6670, 6698, 6712, 6730, 6766, 6789, 6812, 6834, 6849, 6877, 6900, 6918, 6945, 6977, 6992, 7008, 7025, 7045, 7061, 7077, 7094, 7107} func (i APIErrorCode) String() string { if i < 0 || i >= APIErrorCode(len(_APIErrorCode_index)-1) { diff --git a/cmd/iam-etcd-store.go b/cmd/iam-etcd-store.go index 2fe388dc8..ea80e9064 100644 --- a/cmd/iam-etcd-store.go +++ b/cmd/iam-etcd-store.go @@ -236,9 +236,8 @@ func (ies *IAMEtcdStore) addUser(ctx context.Context, user string, userType IAMU // for the expiring credentials. deleteKeyEtcd(ctx, ies.client, getUserIdentityPath(user, userType)) deleteKeyEtcd(ctx, ies.client, getMappedPolicyPath(user, userType, false)) - return nil } - return err + return nil } u.Credentials.Claims = jwtClaims.Map() } diff --git a/cmd/iam-object-store.go b/cmd/iam-object-store.go index 26bb01468..7ef1e406c 100644 --- a/cmd/iam-object-store.go +++ b/cmd/iam-object-store.go 
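Review bot: In cmd/iam-etcd-store.go the rewritten tail of this block returns `nil` for every credential whose JWT claims could not be extracted, so a service account with unreadable claims is now skipped without an error or a log line; the same change is made to `loadUser` in cmd/iam-object-store.go. Returning early presumably keeps the entry out of the cache, which fails closed, but it leaves nothing for whoever has to explain the resulting access-denied. I would log before returning, e.g. `iamLogIf(ctx, err)` directly above the new `return nil`. The enclosing `if err != nil` opens above the hunk, so the scope of `err` is inferred from the removed `return err`.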
@@ -254,9 +254,8 @@ func (iamOS *IAMObjectStore) loadUser(ctx context.Context, user string, userType
 // for the expiring credentials.
 iamOS.deleteIAMConfig(ctx, getUserIdentityPath(user, userType))
 iamOS.deleteIAMConfig(ctx, getMappedPolicyPath(user, userType, false))
- return nil
 }
- return err
+ return nil
 }
 u.Credentials.Claims = jwtClaims.Map()
diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index b4bbecd7d..5b00c499c 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -2568,10 +2568,10 @@ func (store *IAMStoreSys) UpdateUserIdentity(ctx context.Context, cred auth.Cred
 }
 // LoadUser - attempts to load user info from storage and updates cache.
-func (store *IAMStoreSys) LoadUser(ctx context.Context, accessKey string) {
+func (store *IAMStoreSys) LoadUser(ctx context.Context, accessKey string) error {
 // We use singleflight to de-duplicate requests when server
 // is coming up and loading accessKey and its associated assets
- val, err, shared := store.group.Do(accessKey, func() (interface{}, error) {
+ val, err, shared := store.group.Do(accessKey, func() (val interface{}, err error) {
 cache := store.lock()
 defer func() {
 cache.updatedAt = time.Now()
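Review bot: The doc comment on `LoadUser` in cmd/iam-store.go still describes a function that returns nothing, although the signature now returns `error`. Later hunks of the same function turn `errNoSuchUser`, `errNoSuchPolicy` and `errNoSuchGroup` into `nil`, and callers need to know that, so I would extend the comment to `// LoadUser - attempts to load user info from storage and updates cache. It returns nil when the key is simply unknown and a non-nil error only when the lookup itself failed.` The function body continues past the end of this hunk.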
@@ -2582,27 +2582,29 @@ func (store *IAMStoreSys) LoadUser(ctx context.Context, accessKey string) {
 // Check for regular user access key
 if !found {
- store.loadUser(ctx, accessKey, regUser, cache.iamUsersMap)
+ err = store.loadUser(ctx, accessKey, regUser, cache.iamUsersMap)
 if _, found = cache.iamUsersMap[accessKey]; found {
 // load mapped policies
- store.loadMappedPolicyWithRetry(ctx, accessKey, regUser, false, cache.iamUserPolicyMap, 3)
+ err = store.loadMappedPolicyWithRetry(ctx, accessKey, regUser, false, cache.iamUserPolicyMap, 3)
 }
 }
 // Check for service account
 if !found {
- store.loadUser(ctx, accessKey, svcUser, cache.iamUsersMap)
+ err = store.loadUser(ctx, accessKey, svcUser, cache.iamUsersMap)
 var svc UserIdentity
 svc, found = cache.iamUsersMap[accessKey]
 if found {
 // Load parent user and mapped policies.
 if store.getUsersSysType() == MinIOUsersSysType {
- store.loadUser(ctx, svc.Credentials.ParentUser, regUser, cache.iamUsersMap)
- store.loadMappedPolicyWithRetry(ctx, svc.Credentials.ParentUser, regUser, false, cache.iamUserPolicyMap, 3)
+ err = store.loadUser(ctx, svc.Credentials.ParentUser, regUser, cache.iamUsersMap)
+ if err == nil {
+ err = store.loadMappedPolicyWithRetry(ctx, svc.Credentials.ParentUser, regUser, false, cache.iamUserPolicyMap, 3)
+ }
 } else {
 // In case of LDAP the parent user's policy mapping needs to be
 // loaded into sts map
- store.loadMappedPolicyWithRetry(ctx, svc.Credentials.ParentUser, stsUser, false, cache.iamSTSPolicyMap, 3)
+ err = store.loadMappedPolicyWithRetry(ctx, svc.Credentials.ParentUser, stsUser, false, cache.iamSTSPolicyMap, 3)
 }
 }
 }
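Review bot: Every load in `LoadUser` assigns to the same `err`, so the closure returns whatever the last call produced rather than the first failure. In this hunk a storage error from the `regUser` lookup is replaced by the result of the `svcUser` lookup, and in the two following hunks by the `stsUser` lookup and then by each iteration of the policy-document loops. If the last call answers `errNoSuchUser` or succeeds, the caller gets `nil`, so an unreadable backend is reported as an unknown key, or a user is cached with a policy document missing. Only the parent-user branch guards with `if err == nil`. Recording the first error that is not a plain not-found, as sketched below, keeps the 503 path reliable; the function starts above this hunk and ends in a later one.

```go
// keep the first failure that is not a plain "not found"
var loadErr error
note := func(e error) {
	if loadErr == nil && e != nil && !IsErr(e, errNoSuchUser, errNoSuchPolicy, errNoSuchGroup) {
		loadErr = e
	}
}

if !found {
	note(store.loadUser(ctx, accessKey, regUser, cache.iamUsersMap))
	// … unchanged: cache lookup and mapped-policy load, result passed to note(...) …
}
// … unchanged: service-account, STS and policy-document loads, each result passed to note(...) …
return "done", loadErr
```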
@@ -2611,10 +2613,10 @@ func (store *IAMStoreSys) LoadUser(ctx context.Context, accessKey string) {
 stsAccountFound := false
 var stsUserCred UserIdentity
 if !found {
- store.loadUser(ctx, accessKey, stsUser, cache.iamSTSAccountsMap)
+ err = store.loadUser(ctx, accessKey, stsUser, cache.iamSTSAccountsMap)
 if stsUserCred, found = cache.iamSTSAccountsMap[accessKey]; found {
 // Load mapped policy
- store.loadMappedPolicyWithRetry(ctx, stsUserCred.Credentials.ParentUser, stsUser, false, cache.iamSTSPolicyMap, 3)
+ err = store.loadMappedPolicyWithRetry(ctx, stsUserCred.Credentials.ParentUser, stsUser, false, cache.iamSTSPolicyMap, 3)
 stsAccountFound = true
 }
 }
@@ -2624,24 +2626,30 @@ func (store *IAMStoreSys) LoadUser(ctx context.Context, accessKey string) {
 pols, _ := cache.iamUserPolicyMap.Load(accessKey)
 for _, policy := range pols.toSlice() {
 if _, found = cache.iamPolicyDocsMap[policy]; !found {
- store.loadPolicyDocWithRetry(ctx, policy, cache.iamPolicyDocsMap, 3)
+ err = store.loadPolicyDocWithRetry(ctx, policy, cache.iamPolicyDocsMap, 3)
 }
 }
 } else {
 pols, _ := cache.iamSTSPolicyMap.Load(stsUserCred.Credentials.AccessKey)
 for _, policy := range pols.toSlice() {
 if _, found = cache.iamPolicyDocsMap[policy]; !found {
- store.loadPolicyDocWithRetry(ctx, policy, cache.iamPolicyDocsMap, 3)
+ err = store.loadPolicyDocWithRetry(ctx, policy, cache.iamPolicyDocsMap, 3)
 }
 }
 }
- return "done", nil
+ return "done", err
 })
 if serverDebugLog {
 console.Debugln("loadUser: loading shared", val, err, shared)
 }
+
+ if IsErr(err, errNoSuchUser, errNoSuchPolicy, errNoSuchGroup) {
+ return nil
+ }
+
+ return err
 }
 func extractJWTClaims(u UserIdentity) (*jwt.MapClaims, error) {
diff --git a/cmd/iam.go b/cmd/iam.go
index 46873de12..f2e5a0c41 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1703,31 +1703,46 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 return nil
 }
-// GetUser - get user credentials
-func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (u UserIdentity, ok bool) {
+// CheckKey validates the incoming accessKey
+func (sys *IAMSys) CheckKey(ctx context.Context, accessKey string) (u UserIdentity, ok bool, err error) {
 if !sys.Initialized() {
- return u, false
+ return u, false, nil
 }
 if accessKey == globalActiveCred.AccessKey {
- return newUserIdentity(globalActiveCred), true
+ return newUserIdentity(globalActiveCred), true, nil
 }
 loadUserCalled := false
 select {
 case <-sys.configLoaded:
 default:
- sys.store.LoadUser(ctx, accessKey)
+ err = sys.store.LoadUser(ctx, accessKey)
 loadUserCalled = true
 }
 u, ok = sys.store.GetUser(accessKey)
 if !ok && !loadUserCalled {
- sys.store.LoadUser(ctx, accessKey)
+ err = sys.store.LoadUser(ctx, accessKey)
+ loadUserCalled = true
+ u, ok = sys.store.GetUser(accessKey)
 }
- return u, ok && u.Credentials.IsValid()
+ if !ok && loadUserCalled && err != nil {
+ iamLogOnceIf(ctx, err, accessKey)
+
+ // return 503 to application
+ return u, false, errIAMNotInitialized
+ }
+
+ return u, ok && u.Credentials.IsValid(), nil
+}
+
+// GetUser - get user credentials
+func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (u UserIdentity, ok bool) {
+ u, ok, _ = sys.CheckKey(ctx, accessKey)
+ return u, ok
 }
 // Notify all other MinIO peers to load group.
diff --git a/cmd/logging.go b/cmd/logging.go
index 9f3088d2c..db173a650 100644
--- a/cmd/logging.go
+++ b/cmd/logging.go
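Review bot: `CheckKey` in cmd/iam.go returns `u, false, nil` when `sys.Initialized()` is false, so a caller relying on the new error result cannot tell an uninitialized IAM subsystem from an unknown access key. `return u, false, errIAMNotInitialized` would match the function's own failure path, and `GetUser` discards the error, so its behaviour stays the same. The final `if !ok && loadUserCalled && err != nil` also drops the error whenever the user was found, which appears to accept a credential whose mapped policies or policy documents failed to load; it is worth confirming that policy evaluation denies in that state. Separately, `iamLogOnceIf(ctx, err, accessKey)` uses the request-supplied access key as what is presumably the de-duplication id, so during a storage outage each distinct key from an unauthenticated client yields a new log entry; a fixed id such as `"iam-check-key"` would bound that.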
@@ -20,6 +20,10 @@ func replLogOnceIf(ctx context.Context, err error, id string, errKind ...interfa
 logger.LogOnceIf(ctx, "replication", err, id, errKind...)
 }
+func iamLogOnceIf(ctx context.Context, err error, id string, errKind ...interface{}) {
+ logger.LogOnceIf(ctx, "iam", err, id, errKind...)
+}
+
 func iamLogIf(ctx context.Context, err error, errKind ...interface{}) {
 if !errors.Is(err, grid.ErrDisconnected) {
 logger.LogIf(ctx, "iam", err, errKind...)
diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index c821c3ebc..5fa823aec 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -152,11 +152,14 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
 // Check if server has initialized, then only proceed
 // to check for IAM users otherwise its okay for clients
 // to retry with 503 errors when server is coming up.
- return auth.Credentials{}, false, ErrServerNotInitialized
+ return auth.Credentials{}, false, ErrIAMNotInitialized
 }
 // Check if the access key is part of users credentials.
- u, ok := globalIAMSys.GetUser(r.Context(), accessKey)
+ u, ok, err := globalIAMSys.CheckKey(r.Context(), accessKey)
+ if err != nil {
+ return auth.Credentials{}, false, ErrIAMNotInitialized
+ }
 if !ok {
 // Credentials could be valid but disabled - return a different
 // error in such a scenario.
diff --git a/cmd/signature-v4_test.go b/cmd/signature-v4_test.go
index b7aa09daa..395c4cc34 100644
--- a/cmd/signature-v4_test.go
+++ b/cmd/signature-v4_test.go
@@ -37,6 +37,12 @@ func niceError(code APIErrorCode) string {
 }
 func TestDoesPolicySignatureMatch(t *testing.T) {
+ _, fsDir, err := prepareFS(context.Background())
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer removeRoots([]string{fsDir})
+
 credentialTemplate := "%s/%s/%s/s3/aws4_request"
 now := UTCNow()
 accessKey := globalActiveCred.AccessKey
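Review bot: The comment above the first return in `checkKeyValid` (cmd/signature-v4-utils.go) still talks about the server not being initialized while the code now answers `ErrIAMNotInitialized`, and the new `if err != nil` branch has no comment saying why a lookup failure must not fall through to the invalid-key path. I would add `// IAM could not be consulted: answer 503 so clients retry instead of treating a valid key as rejected.` above the new branch and reword the older comment to name the IAM sub-system. None of the visible hunks adds a test for the new branch; the test change only adds `prepareFS` setup. The function begins above the hunk.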