Checking IAM for permissions #5387
Conversation
There was a problem hiding this comment.
Reviewable status: 0 of 1 files reviewed, 2 unresolved discussions (waiting on @manishrjain and @martinmr)
worker/s3_handler.go, line 64 at r1 (raw file):
return err }
I moved this check up because there is no need to make API calls to get IAM credentials if the request has AccessKey and SecretKey
worker/s3_handler.go, line 114 at r1 (raw file):
var creds credentials.Value switch { case h.creds.isAnonymous():
Technically, all of these cases could have also been handled with credentials.Chain, but I'm doing minimal changes here.
There was a problem hiding this comment.
One comment.
Also, we don't have automatic tests for s3 so you'd need to write one for minio if possible. Otherwise manual tests are fine.
Reviewed 1 of 1 files at r1.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @gja and @manishrjain)
worker/s3_handler.go, line 84 at r1 (raw file):
Quoted 8 lines of code…
req.AccessKey = defaultCreds.AccessKeyID req.SecretKey = defaultCreds.SecretAccessKey req.SessionToken = defaultCreds.SessionToken
This logic is different now. I think the original only filled the the empty values.
The if above covers the access and secret key but not the session token.
worker/s3_handler.go, line 114 at r1 (raw file):
Previously, gja (Tejas Dinkar) wrote…
Technically, all of these cases could have also been handled with credentials.Chain, but I'm doing minimal changes here.
Ok. I was not very familiar with the minio library but I can look into this later.
There was a problem hiding this comment.
Defer to @martinmr .
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @gja and @manishrjain)
There was a problem hiding this comment.
If we are going to make the credentials all be the default or all be in the request, then this is good with me.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @gja)
There was a problem hiding this comment.
Just a couple of comments but otherwise it
Reviewed 7 of 7 files at r2.
Reviewable status: all files reviewed, 5 unresolved discussions (waiting on @gja)
worker/s3_handler.go, line 59 at r1 (raw file):
// FillRestoreCredentials fills the empty values with the default credentials so that // a restore request is sent to all the groups with the same credentials. func FillRestoreCredentials(location string, req *pb.RestoreRequest) error {
You should cherry pick these changes into the 1.2 and 20.03 branches.
However, this function is part of the online restore, which is not in any of those branches. So if there's a conflict, you can just drop this function.
worker/s3_handler.go, line 100 at r2 (raw file):
if h.creds.isAnonymous() { return minio.New(uri.Host, h.creds.AccessKey, h.creds.SecretKey, secure) }
Is this the right thing to do if the bucket is anonymous? Wouldn't we want to pass an empty access and secret key?
|
@martinmr I just kept the existing behavior for anonymous. I think this is a new feature, so I don't think it's worth it to backport it (maybe to 20.03 at the most) |
|
@martinmr I took your suggestion, and anonymous now takes empty string as credentials. |
* Checking IAM for permissions * FillRestoreCredentials uses IAM * Upgrading minio
This PR allows you to create backups with credentials provided from IAM roles
This change is