IAM: Block while loading users #11671

klauspost · 2021-03-01T15:17:40Z

Description

While starting up a request that needs all IAM data will start another load operation if the first on startup hasn't finished. This slows down both operations.

Block these requests until initial load has completed.

Blocking calls will be ListPolicies, ListUsers, ListServiceAccounts, ListGroups - and the calls that eventually trigger these. These will wait for the initial load to complete.

Fixes issue seen in #11305

How to test this PR?

Have a huge number of IAM users.

Types of changes

Optimization (provides speedup with no functional changes)

While starting up a request that needs all IAM data will start another load operation if the first on startup hasn't finished. This slows down both operations. Block these requests until initial load has completed. Blocking calls will be ListPolicies, ListUsers, ListServiceAccounts, ListGroups - and the calls that eventually trigger these. These will wait for the initial load to complete. Fixes issue seen in minio#11305

cmd/iam.go

minio-trusted · 2021-03-01T16:21:36Z

Mint Automation

Test	Result
mint-large-bucket.sh	✔️
mint-fs.sh	✔️
mint-gateway-s3.sh	✔️
mint-erasure.sh	✔️
mint-dist-erasure.sh	✔️
mint-zoned.sh	✔️
mint-gateway-nas.sh	✔️
mint-compress-encrypt-dist-erasure.sh	❌ more...

11671-40b4429/mint-compress-encrypt-dist-erasure.sh.log:

Running with
SERVER_ENDPOINT:      minio-c2.minio.io:31606
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp 1f4887af1adf:/mint/log /tmp/mint-logs'

(1/15) Running aws-sdk-go tests ... done in 1 seconds
(2/15) Running aws-sdk-java tests ... done in 2 seconds
(3/15) Running aws-sdk-php tests ... done in 43 seconds
(4/15) Running aws-sdk-ruby tests ... done in 4 seconds
(5/15) Running awscli tests ... FAILED in 33 seconds
{
  "name": "awscli",
  "duration": 2797,
  "function": "aws --endpoint-url http://minio-c2.minio.io:31606 s3api copy-object --bucket awscli-mint-test-bucket-32727 --key datafile-1-kB-copy --copy-source awscli-mint-test-bucket-32727/datafile-1-kB\n",
  "status": "FAIL",
  "error": "Hash mismatch expected 084e1383b70fb0c51acc680fef370023, got ac57de7156d7fc25ac1a65f81fa3989b"
}
(5/15) Running healthcheck tests ... done in 0 seconds
(6/15) Running mc tests ... done in 46 seconds
(7/15) Running minio-dotnet tests ... done in 47 seconds
(8/15) Running minio-go tests ... FAILED in 2 minutes and 31 seconds
{
  "args": {
    "destination": {
      "Bucket": "minio-go-test-ynttdlfa0dxntnwg",
      "Object": "dstObject",
      "Encryption": {},
      "UserMetadata": null,
      "ReplaceMetadata": false,
      "UserTags": null,
      "ReplaceTags": false,
      "LegalHold": "",
      "Mode": "",
      "RetainUntilDate": "0001-01-01T00:00:00Z",
      "Size": 0,
      "Progress": null
    },
    "source": {
      "Bucket": "minio-go-test-ynttdlfa0dxntnwg",
      "Object": "srcObject",
      "VersionID": "",
      "MatchETag": "",
      "NoMatchETag": "",
      "MatchModifiedSince": "0001-01-01T00:00:00Z",
      "MatchUnmodifiedSince": "0001-01-01T00:00:00Z",
      "MatchRange": false,
      "Start": 0,
      "End": 0,
      "Encryption": null
    }
  },
  "duration": 4106,
  "error": "We encountered an internal error, please try again.: cause(s2: corrupt input)",
  "function": "CopyObject(destination, source)",
  "message": "GetObject failed",
  "name": "minio-go: testUnencryptedToSSES3CopyObject",
  "status": "FAIL"
}
(8/15) Running minio-java tests ... FAILED in 1 minutes and 35 seconds
{
  "name": "minio-java",
  "function": "copyObject()",
  "args": "[match etag]",
  "duration": 356,
  "status": "FAIL",
  "error": "error occurred\nErrorResponse(code = PreconditionFailed, message = At least one of the pre-conditions you specified did not hold, bucketName = minio-java-test-3dnmjvn, objectName = minio-java-test-3u1fp22-copy, resource = /minio-java-test-3dnmjvn/minio-java-test-3u1fp22-copy, requestId = 1668440968A0AC1F, hostId = 6a887683-1807-474a-84d5-d01172708232)\nrequest={method=PUT, url=http://minio-c2.minio.io:31606/minio-java-test-3dnmjvn/minio-java-test-3u1fp22-copy, headers=x-amz-copy-source-if-match: 71cff0a060f852067e443ad1e24ae26c-1\nx-amz-copy-source: /minio-java-test-10es2en/minio-java-test-3u1fp22\nHost: minio-c2.minio.io:31606\nAccept-Encoding: identity\nUser-Agent: MinIO (Linux; amd64) minio-java/8.0.3\nContent-MD5: 1B2M2Y8AsgTpgAmY7PhCfg==\nx-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\nx-amz-date: 20210301T161433Z\nAuthorization: AWS4-HMAC-SHA256 Credential=*REDACTED*/20210301/us-east-1/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-copy-source;x-amz-copy-source-if-match;x-amz-date, Signature=*REDACTED*\n}\nresponse={code=412, headers=Accept-Ranges: bytes\nContent-Length: 418\nContent-Security-Policy: block-all-mixed-content\nContent-Type: application/xml\nETag: \"71cff0a060f852067e443ad1e24ae26c\"\nLast-Modified: Mon, 01 Mar 2021 16:14:33 GMT\nServer: MinIO\nVary: Origin\nX-Amz-Request-Id: 1668440968A0AC1F\nX-Xss-Protection: 1; mode=block\nDate: Mon, 01 Mar 2021 16:14:33 GMT\n}\n >>> [io.minio.MinioClient.execute(MinioClient.java:775), io.minio.MinioClient.execute(MinioClient.java:563), io.minio.MinioClient.executePut(MinioClient.java:904), io.minio.MinioClient.copyObject(MinioClient.java:1232), FunctionalTest.testCopyObjectMatchETag(FunctionalTest.java:1850), FunctionalTest.copyObject(FunctionalTest.java:2016), FunctionalTest.runObjectTests(FunctionalTest.java:3757), FunctionalTest.runTests(FunctionalTest.java:3783), FunctionalTest.main(FunctionalTest.java:3927)]"
}
(8/15) Running minio-js tests ... done in 55 seconds
(9/15) Running minio-py tests ... done in 3 minutes and 10 seconds
(10/15) Running s3cmd tests ... FAILED in 5 seconds
{
  "name": "s3cmd",
  "duration": "2944",
  "function": "test_put_object_multipart",
  "status": "FAIL",
  "error": "WARNING: MD5 Sums don't match!\nWARNING: Retrying upload of /mint/data/datafile-65-MB\nWARNING: MD5 Sums don't match!\nWARNING: Retrying upload of /mint/data/datafile-65-MB\nWARNING: MD5 Sums don't match!\nWARNING: Retrying upload of /mint/data/datafile-65-MB\nWARNING: MD5 Sums don't match!\nWARNING: Retrying upload of /mint/data/datafile-65-MB\nWARNING: MD5 Sums don't match!\nWARNING: Retrying upload of /mint/data/datafile-65-MB\nWARNING: MD5 Sums don't match!\nWARNING: Too many failures. Giving up on '/mint/data/datafile-65-MB'\nERROR: \nUpload of '/mint/data/datafile-65-MB' part 1 failed. Use\n  /usr/local/bin/s3cmd abortmp s3://s3cmd-test-bucket-16444/s3cmd-test-object-3547 a161ed98-a1dc-43a4-9841-23e31c4957d9\nto abort the upload, or\n  /usr/local/bin/s3cmd --upload-id a161ed98-a1dc-43a4-9841-23e31c4957d9 put ...\nto continue the upload.\nERROR: Upload of '/mint/data/datafile-65-MB' failed too many times (Last reason: )"
}
(10/15) Running s3select tests ... done in 9 seconds
(11/15) Running security tests ... done in 0 seconds

Executed 11 out of 15 tests successfully.

Deleting image on docker hub
Deleting image locally

sgandon reviewed Mar 1, 2021

View reviewed changes

cmd/iam.go Show resolved Hide resolved

klauspost mentioned this pull request Mar 1, 2021

Support high number of users in IAM #11305

Closed

harshavardhana approved these changes Mar 3, 2021

View reviewed changes

harshavardhana merged commit cd9e30c into minio:master Mar 3, 2021

klauspost deleted the iam-block-while-loading branch March 3, 2021 08:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IAM: Block while loading users #11671

IAM: Block while loading users #11671

klauspost commented Mar 1, 2021

minio-trusted commented Mar 1, 2021

IAM: Block while loading users #11671

IAM: Block while loading users #11671

Conversation

klauspost commented Mar 1, 2021

Description

How to test this PR?

Types of changes

minio-trusted commented Mar 1, 2021

Mint Automation

11671-40b4429/mint-compress-encrypt-dist-erasure.sh.log: