From 5018b22f368731ca5791c73790c63e0e0a3579c7 Mon Sep 17 00:00:00 2001 From: Bl1tz23 Date: Tue, 9 Nov 2021 12:19:50 +0300 Subject: [PATCH 1/2] s3: fix potencial iam identities data race --- weed/s3api/auth_credentials.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 78b82589e..8d05f2a03 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -5,6 +5,7 @@ import ( "net/http" "os" "strings" + "sync" "github.com/chrislusf/seaweedfs/weed/filer" "github.com/chrislusf/seaweedfs/weed/glog" @@ -23,6 +24,8 @@ type Iam interface { } type IdentityAccessManagement struct { + m sync.Mutex + identities []*Identity domain string } @@ -131,9 +134,12 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api } identities = append(identities, t) } - + iam.m.Lock() + // atomically switch iam.identities = identities + + iam.m.Unlock() return nil } From c683409e9275d6d059de12e88df3b5275e47cb04 Mon Sep 17 00:00:00 2001 From: Bl1tz23 Date: Tue, 9 Nov 2021 18:11:06 +0300 Subject: [PATCH 2/2] s3: add RWMutex to iam, use RLock for concurrent reading --- weed/s3api/auth_credentials.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 8d05f2a03..9e1cd7f86 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -24,7 +24,7 @@ type Iam interface { } type IdentityAccessManagement struct { - m sync.Mutex + m sync.RWMutex identities []*Identity domain string 
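Review bot: The new field `m` in `IdentityAccessManagement` carries no comment saying which fields it protects, and the visible hunks only ever lock around `identities`. A one-line comment directly above the guarded field would make the contract explicit, for example `// m guards identities; hold it for every read or write of the slice.` Nothing in the diff shows `domain` being accessed under the lock, so if it is written once at construction and never again, the comment should say that too. This applies equally to the `sync.RWMutex` form of the field in patch 2/2.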
@@ -135,21 +135,22 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api identities = append(identities, t) } iam.m.Lock() - // atomically switch iam.identities = identities - iam.m.Unlock() return nil } func (iam *IdentityAccessManagement) isEnabled() bool { - + iam.m.RLock() + defer iam.m.RUnlock() return len(iam.identities) > 0 } func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) { + iam.m.RLock() + defer iam.m.RUnlock() for _, ident := range iam.identities { for _, cred := range ident.Credentials { // println("checking", ident.Name, cred.AccessKey) @@ -163,7 +164,8 @@ func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identi } func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) { - + iam.m.RLock() + defer iam.m.RUnlock() for _, ident := range iam.identities { if ident.Name == "anonymous" { return ident, true
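Review bot: `isEnabled()` takes and releases the read lock on its own, so its result is only a snapshot. A caller that checks `isEnabled()` and then calls `lookupByAccessKey()` can see two different identity lists if `loadS3ApiConfiguration()` swaps the slice in between. The callers are outside this diff, so the impact is inferred, but if `isEnabled()` decides whether a request is authenticated at all, a reload that publishes an empty list changes that decision partway through a request. A doc comment such as `// isEnabled reports a point-in-time snapshot; the identity list may be replaced before a following lookup.` would be the minimum. Callers that need a consistent view should make a single lookup and branch on `found`.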
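Review bot: In `lookupAnonymous()` the `*Identity` returned by `return ident, true` outlives the read lock, because the deferred `RUnlock()` runs as the function returns. The signature of `lookupByAccessKey()` in the previous hunk suggests it does the same for `*Identity` and `*Credential`, though its return statements are outside the hunk. This is safe only while `loadS3ApiConfiguration()` publishes freshly built values (it appends `t` to a new slice and then swaps) and nothing mutates an `Identity` or `Credential` after publication. The lock does not enforce that invariant, so it should be written down at the lookup functions, for example `// The returned pointers are used after the lock is released; published Identity and Credential values must never be modified in place.`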