| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-07-23 11:44:36 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-07-23 11:44:36 -0700 |
| commit | 5ac037f763e20ffb9559e3ea0caf3bbe82589650 (patch) | |
| tree | ff733250ab085669c7cb35630579e44e1fc22a17 /weed/s3api/auth_credentials.go | |
| parent | dd464cd339de354937bc6af4fec6e12211cece69 (diff) | |
| download | seaweedfs-5ac037f763e20ffb9559e3ea0caf3bbe82589650.tar.xz seaweedfs-5ac037f763e20ffb9559e3ea0caf3bbe82589650.zip | |
change priority of admin credentials from env varaibles (#7032)
* change priority of admin credentials from env variables
* address comment
Diffstat (limited to 'weed/s3api/auth_credentials.go')
| -rw-r--r-- | weed/s3api/auth_credentials.go | 41 |
1 files changed, 22 insertions, 19 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 4f00639ff..e2e8c1752 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -131,33 +131,38 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto iam.credentialManager = credentialManager - // First, load configurations from file or filer + // Track whether any configuration was successfully loaded + configLoaded := false + + // First, try to load configurations from file or filer if option.Config != "" { glog.V(3).Infof("loading static config file %s", option.Config) if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil { glog.Fatalf("fail to load config file %s: %v", option.Config, err) } + configLoaded = true } else { glog.V(3).Infof("no static config file specified... loading config from credential manager") if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil { glog.Warningf("fail to load config: %v", err) + } else { + // Check if any identities were actually loaded from filer + iam.m.RLock() + if len(iam.identities) > 0 { + configLoaded = true + } + iam.m.RUnlock() } } - // Then, add admin credentials from environment variables if available -// This supplements the configuration by adding admin credentials from environment variables if they don't already exist. 
- accessKeyId := os.Getenv("AWS_ACCESS_KEY_ID") - secretAccessKey := os.Getenv("AWS_SECRET_ACCESS_KEY") + // Only use environment variables as fallback if no configuration was loaded + if !configLoaded { + accessKeyId := os.Getenv("AWS_ACCESS_KEY_ID") + secretAccessKey := os.Getenv("AWS_SECRET_ACCESS_KEY") - if accessKeyId != "" && secretAccessKey != "" { - glog.V(0).Infof("Adding S3 admin credentials from AWS environment variables") + if accessKeyId != "" && secretAccessKey != "" { + glog.V(0).Infof("No S3 configuration found, using AWS environment variables as fallback") - // Check if an identity with this access key already exists - iam.m.RLock() - _, accessKeyExists := iam.accessKeyIdent[accessKeyId] - iam.m.RUnlock() - - if !accessKeyExists { // Create environment variable identity name identityNameSuffix := accessKeyId if len(accessKeyId) > 8 { @@ -179,18 +184,16 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto }, } - // Add to existing configuration + // Set as the only configuration iam.m.Lock() - iam.identities = append(iam.identities, envIdentity) - iam.accessKeyIdent[accessKeyId] = envIdentity - if !iam.isAuthEnabled { + if len(iam.identities) == 0 { + iam.identities = []*Identity{envIdentity} + iam.accessKeyIdent = map[string]*Identity{accessKeyId: envIdentity} iam.isAuthEnabled = true } iam.m.Unlock() glog.V(0).Infof("Added admin identity from AWS environment variables: %s", envIdentity.Name) - } else { - glog.V(0).Infof("Access key %s already exists, skipping environment variable credentials", accessKeyId) } } |
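Review bot: `configLoaded` does not mean the same thing in the two branches of the first hunk: the static-file branch sets it to true as soon as `loadS3ApiConfigurationFromFile` returns without error, while the filer branch sets it only when `len(iam.identities) > 0`. A config file that parses but defines no identities therefore suppresses the environment-variable fallback, and if authentication is only switched on when identities exist (not visible in this hunk) the gateway could start with no credentials enforced. Deriving the flag the same way after either loader, for example `configLoaded = len(iam.identities) > 0` under `iam.m.RLock()`, would keep both paths consistent. A filer load error also reaches the fallback and is then logged as `No S3 configuration found`, so the log cannot tell "nothing configured" from "load failed"; a distinct message for the error case would help when auditing which credential set is live. The enclosing function starts and ends outside the hunk.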
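Review bot: In the second hunk the final `glog.V(0).Infof("Added admin identity from AWS environment variables: %s", envIdentity.Name)` sits outside the new `if len(iam.identities) == 0` guard, so it is emitted even when the guard skipped the assignment and no identity was installed. That can happen whenever identities appear between the earlier `configLoaded` check and this lock (for instance a partial or concurrent load, which this hunk does not rule out), and the log would then claim an admin identity that does not exist. Record the outcome inside the guard, e.g. `added = true`, and log only `if added { ... }` after `iam.m.Unlock()`, with a separate line for the skipped case. The comment `// Set as the only configuration` should also say that the assignment is conditional on the identity list still being empty.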
