minio/cmd/admin-handler-utils.go

// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package cmd

import (
	"context"
	"errors"
	"fmt"
	"net/http"

	"github.com/minio/kms-go/kes"
	"github.com/minio/madmin-go/v3"
	"github.com/minio/minio/internal/auth"
	"github.com/minio/minio/internal/config"
	"github.com/minio/pkg/v2/policy"
)

// validateAdminReq will validate request against and return whether it is allowed.
// If any of the supplied actions are allowed it will be successful.
// If nil ObjectLayer is returned, the operation is not permitted.
// When nil ObjectLayer has been returned an error has always been sent to w.
func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, actions ...policy.AdminAction) (ObjectLayer, auth.Credentials) {
	// Get current object layer instance.
	objectAPI := newObjectLayerFn()
	if objectAPI == nil || globalNotificationSys == nil {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return nil, auth.Credentials{}
	}

	for _, action := range actions {
		// Validate request signature.
		cred, adminAPIErr := checkAdminRequestAuth(ctx, r, action, "")
		switch adminAPIErr {
		case ErrNone:
			return objectAPI, cred
		case ErrAccessDenied:
			// Try another
			continue
		default:
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
			return nil, cred
		}
	}
	writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
	return nil, auth.Credentials{}
}

// AdminError - is a generic error for all admin APIs.
type AdminError struct {
	Code       string
	Message    string
	StatusCode int
}

func (ae AdminError) Error() string {
	return ae.Message
}

func toAdminAPIErr(ctx context.Context, err error) APIError {
	if err == nil {
		return noError
	}

	var apiErr APIError
	switch e := err.(type) {
	case policy.Error:
		apiErr = APIError{
			Code:           "XMinioMalformedIAMPolicy",
			Description:    e.Error(),
			HTTPStatusCode: http.StatusBadRequest,
		}
	case config.ErrConfigNotFound:
		apiErr = APIError{
			Code:           "XMinioConfigNotFoundError",
			Description:    e.Error(),
			HTTPStatusCode: http.StatusNotFound,
		}
	case config.ErrConfigGeneric:
		apiErr = APIError{
			Code:           "XMinioConfigError",
			Description:    e.Error(),
			HTTPStatusCode: http.StatusBadRequest,
		}
	case AdminError:
		apiErr = APIError{
			Code:           e.Code,
			Description:    e.Message,
			HTTPStatusCode: e.StatusCode,
		}
	case SRError:
		apiErr = errorCodes.ToAPIErrWithErr(e.Code, e.Cause)
	case decomError:
		apiErr = APIError{
			Code:           "XMinioDecommissionNotAllowed",
			Description:    e.Err,
			HTTPStatusCode: http.StatusBadRequest,
		}
	default:
		switch {
		case errors.Is(err, errTooManyPolicies):
			apiErr = APIError{
				Code:           "XMinioAdminInvalidRequest",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errDecommissionAlreadyRunning):
			apiErr = APIError{
				Code:           "XMinioDecommissionNotAllowed",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errDecommissionComplete):
			apiErr = APIError{
				Code:           "XMinioDecommissionNotAllowed",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errDecommissionRebalanceAlreadyRunning):
			apiErr = APIError{
				Code:           "XMinioDecommissionNotAllowed",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errRebalanceDecommissionAlreadyRunning):
			apiErr = APIError{
				Code:           "XMinioRebalanceNotAllowed",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errConfigNotFound):
			apiErr = APIError{
				Code:           "XMinioConfigError",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusNotFound,
			}
		case errors.Is(err, errIAMActionNotAllowed):
			apiErr = APIError{
				Code:           "XMinioIAMActionNotAllowed",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusForbidden,
			}
		case errors.Is(err, errIAMServiceAccountNotAllowed):
			apiErr = APIError{
				Code:           "XMinioIAMServiceAccountNotAllowed",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errIAMNotInitialized):
			apiErr = APIError{
				Code:           "XMinioIAMNotInitialized",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusServiceUnavailable,
			}
		case errors.Is(err, errPolicyInUse):
			apiErr = APIError{
				Code:           "XMinioIAMPolicyInUse",
				Description:    "The policy cannot be removed, as it is in use",
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, errSessionPolicyTooLarge):
			apiErr = APIError{
				Code:           "XMinioIAMServiceAccountSessionPolicyTooLarge",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, kes.ErrKeyExists):
			apiErr = APIError{
				Code:           "XMinioKMSKeyExists",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusConflict,
			}

		// Tier admin API errors
		case errors.Is(err, madmin.ErrTierNameEmpty):
			apiErr = APIError{
				Code:           "XMinioAdminTierNameEmpty",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, madmin.ErrTierInvalidConfig):
			apiErr = APIError{
				Code:           "XMinioAdminTierInvalidConfig",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, madmin.ErrTierInvalidConfigVersion):
			apiErr = APIError{
				Code:           "XMinioAdminTierInvalidConfigVersion",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errors.Is(err, madmin.ErrTierTypeUnsupported):
			apiErr = APIError{
				Code:           "XMinioAdminTierTypeUnsupported",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		case errIsTierPermError(err):
			apiErr = APIError{
				Code:           "XMinioAdminTierInsufficientPermissions",
				Description:    err.Error(),
				HTTPStatusCode: http.StatusBadRequest,
			}
		default:
			apiErr = errorCodes.ToAPIErrWithErr(toAdminAPIErrCode(ctx, err), err)
		}
	}
	return apiErr
}

// toAdminAPIErrCode - converts errErasureWriteQuorum error to admin API
// specific error.
func toAdminAPIErrCode(ctx context.Context, err error) APIErrorCode {
	if errors.Is(err, errErasureWriteQuorum) {
		return ErrAdminConfigNoQuorum
	}
	return toAPIErrorCode(ctx, err)
}

// wraps export error for more context
func exportError(ctx context.Context, err error, fname, entity string) APIError {
	if entity == "" {
		return toAPIError(ctx, fmt.Errorf("error exporting %s with: %w", fname, err))
	}
	return toAPIError(ctx, fmt.Errorf("error exporting %s from %s with: %w", entity, fname, err))
}

// wraps import error for more context
func importError(ctx context.Context, err error, fname, entity string) APIError {
	if entity == "" {
		return toAPIError(ctx, fmt.Errorf("error importing %s with: %w", fname, err))
	}
	return toAPIError(ctx, fmt.Errorf("error importing %s from %s with: %w", entity, fname, err))
}

// wraps import error for more context
func importErrorWithAPIErr(ctx context.Context, apiErr APIErrorCode, err error, fname, entity string) APIError {
	if entity == "" {
		return errorCodes.ToAPIErrWithErr(apiErr, fmt.Errorf("error importing %s with: %w", fname, err))
	}
	return errorCodes.ToAPIErrWithErr(apiErr, fmt.Errorf("error importing %s from %s with: %w", entity, fname, err))
}
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`// Copyright (c) 2015-2021 MinIO, Inc.`
			`//`
			`// This file is part of MinIO Object Storage stack`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`package cmd`

			`import (`
			`"context"`
			`"errors"`
improve error message for bucket metadata export/import API (#15120) 2022-06-21 07:13:45 +08:00			`"fmt"`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`"net/http"`

automatically generate root credentials with KMS (#19025) With this commit, MinIO generates root credentials automatically and deterministically if: - No root credentials have been set. - A KMS (KES) is configured. - API access for the root credentials is disabled (lockdown mode). Before, MinIO defaults to `minioadmin` for both the access and secret keys. Now, MinIO generates unique root credentials automatically on startup using the KMS. Therefore, it uses the KMS HMAC function to generate pseudo-random values. These values never change as long as the KMS key remains the same, and the KMS key must continue to exist since all IAM data is encrypted with it. Backward compatibility: This commit should not cause existing deployments to break. It only changes the root credentials of deployments that have a KMS configured (KES, not a static key) but have not set any admin credentials. Such implementations should be rare or not exist at all. Even if the worst case would be updating root credentials in mc or other clients used to administer the cluster. Root credentials are anyway not intended for regular S3 operations. Signed-off-by: Andreas Auernhammer <github@aead.dev> 2024-03-02 05:09:42 +08:00			`"github.com/minio/kms-go/kes"`
Bump up madmin-go and pkg deps (#17469) 2023-06-20 08:53:08 +08:00			`"github.com/minio/madmin-go/v3"`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`"github.com/minio/minio/internal/auth"`
			`"github.com/minio/minio/internal/config"`
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more. 2023-09-15 05:50:16 +08:00			`"github.com/minio/pkg/v2/policy"`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`)`

fix: support multiple validateAdminReq actions (#15372) handle multiple validateAdminReq actions and remove duplicate error responses. 2022-07-22 01:26:59 +08:00			`// validateAdminReq will validate request against and return whether it is allowed.`
			`// If any of the supplied actions are allowed it will be successful.`
			`// If nil ObjectLayer is returned, the operation is not permitted.`
			`// When nil ObjectLayer has been returned an error has always been sent to w.`
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more. 2023-09-15 05:50:16 +08:00			`func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, actions ...policy.AdminAction) (ObjectLayer, auth.Credentials) {`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`// Get current object layer instance.`
			`objectAPI := newObjectLayerFn()`
			`if objectAPI == nil \|\| globalNotificationSys == nil {`
			`writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)`
			`return nil, auth.Credentials{}`
			`}`

allow service freeze/unfreeze on a setup (#13707) an active running speedTest will reject all new S3 requests to the server, until speedTest is complete. this is to ensure that speedTest results are accurate and trusted. Co-authored-by: Klaus Post <klauspost@gmail.com> 2021-11-24 04:02:16 +08:00			`for _, action := range actions {`
			`// Validate request signature.`
			`cred, adminAPIErr := checkAdminRequestAuth(ctx, r, action, "")`
fix: support multiple validateAdminReq actions (#15372) handle multiple validateAdminReq actions and remove duplicate error responses. 2022-07-22 01:26:59 +08:00			`switch adminAPIErr {`
			`case ErrNone:`
			`return objectAPI, cred`
			`case ErrAccessDenied:`
			`// Try another`
			`continue`
			`default:`
allow service freeze/unfreeze on a setup (#13707) an active running speedTest will reject all new S3 requests to the server, until speedTest is complete. this is to ensure that speedTest results are accurate and trusted. Co-authored-by: Klaus Post <klauspost@gmail.com> 2021-11-24 04:02:16 +08:00			`writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)`
			`return nil, cred`
			`}`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`}`
allow service freeze/unfreeze on a setup (#13707) an active running speedTest will reject all new S3 requests to the server, until speedTest is complete. this is to ensure that speedTest results are accurate and trusted. Co-authored-by: Klaus Post <klauspost@gmail.com> 2021-11-24 04:02:16 +08:00			`writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)`
			`return nil, auth.Credentials{}`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`}`

			`// AdminError - is a generic error for all admin APIs.`
			`type AdminError struct {`
			`Code string`
			`Message string`
			`StatusCode int`
			`}`

			`func (ae AdminError) Error() string {`
			`return ae.Message`
			`}`

			`func toAdminAPIErr(ctx context.Context, err error) APIError {`
			`if err == nil {`
			`return noError`
			`}`

			`var apiErr APIError`
			`switch e := err.(type) {`
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more. 2023-09-15 05:50:16 +08:00			`case policy.Error:`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`apiErr = APIError{`
			`Code: "XMinioMalformedIAMPolicy",`
			`Description: e.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
config: return XMinioConfigNotFound code for non existing config (#16065) 2022-11-19 02:28:14 +08:00			`case config.ErrConfigNotFound:`
			`apiErr = APIError{`
			`Code: "XMinioConfigNotFoundError",`
			`Description: e.Error(),`
			`HTTPStatusCode: http.StatusNotFound,`
			`}`
			`case config.ErrConfigGeneric:`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`apiErr = APIError{`
			`Code: "XMinioConfigError",`
			`Description: e.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case AdminError:`
			`apiErr = APIError{`
			`Code: e.Code,`
			`Description: e.Message,`
			`HTTPStatusCode: e.StatusCode,`
			`}`
fix: error handling cases in site-replication (#13901) - Allow proper SRError to be propagated to handlers and converted appropriately. - Make sure to enable object locking on buckets when requested in MakeBucketHook. - When DNSConfig is enabled attempt to delete it first before deleting buckets locally. 2021-12-15 06:09:57 +08:00			`case SRError:`
			`apiErr = errorCodes.ToAPIErrWithErr(e.Code, e.Cause)`
fix: simplify usage calculation and progress (#14086) 2022-01-12 10:48:43 +08:00			`case decomError:`
			`apiErr = APIError{`
			`Code: "XMinioDecommissionNotAllowed",`
			`Description: e.Err,`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`default:`
			`switch {`
cleanup site replication error handling (#15113) site replication errors were printed at various random locations, repeatedly - this PR attempts to remove double logging and capture all of them at a common place. This PR also enhances the code to show partial success and errors as well. 2022-06-21 01:48:11 +08:00			`case errors.Is(err, errTooManyPolicies):`
			`apiErr = APIError{`
			`Code: "XMinioAdminInvalidRequest",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
fix: decommission bugfixes found during migration of .minio.sys/config (#14078) 2022-01-11 09:26:00 +08:00			`case errors.Is(err, errDecommissionAlreadyRunning):`
			`apiErr = APIError{`
			`Code: "XMinioDecommissionNotAllowed",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case errors.Is(err, errDecommissionComplete):`
			`apiErr = APIError{`
			`Code: "XMinioDecommissionNotAllowed",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
feat: introduce pool-level rebalance (#15483) 2022-10-26 03:36:57 +08:00			`case errors.Is(err, errDecommissionRebalanceAlreadyRunning):`
			`apiErr = APIError{`
			`Code: "XMinioDecommissionNotAllowed",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case errors.Is(err, errRebalanceDecommissionAlreadyRunning):`
			`apiErr = APIError{`
			`Code: "XMinioRebalanceNotAllowed",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`case errors.Is(err, errConfigNotFound):`
			`apiErr = APIError{`
			`Code: "XMinioConfigError",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusNotFound,`
			`}`
			`case errors.Is(err, errIAMActionNotAllowed):`
			`apiErr = APIError{`
			`Code: "XMinioIAMActionNotAllowed",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusForbidden,`
			`}`
Better error when setting up replication with a service account alias (#16472) 2023-01-26 00:20:12 +08:00			`case errors.Is(err, errIAMServiceAccountNotAllowed):`
do not remove Sid from svcaccount policies (#14064) fixes #13905 2022-01-11 06:26:26 +08:00			`apiErr = APIError{`
Better error when setting up replication with a service account alias (#16472) 2023-01-26 00:20:12 +08:00			`Code: "XMinioIAMServiceAccountNotAllowed",`
do not remove Sid from svcaccount policies (#14064) fixes #13905 2022-01-11 06:26:26 +08:00			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`case errors.Is(err, errIAMNotInitialized):`
			`apiErr = APIError{`
			`Code: "XMinioIAMNotInitialized",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusServiceUnavailable,`
			`}`
Move all IAM storage functionality into iam store type (#13567) This reverts commit 091a7ae3590a510c51cd84981dccd6d45879b1d6. - Ensure all actions accessing storage lock properly. - Behavior change: policies can be deleted only when they are not associated with any active credentials. Also adds fix for accidental canned policy removal that was present in the reverted version of the change. 2021-11-04 10:47:49 +08:00			`case errors.Is(err, errPolicyInUse):`
			`apiErr = APIError{`
allow JWT parsing on large session policy based tokens (#17167) 2023-05-09 15:53:08 +08:00			`Code: "XMinioIAMPolicyInUse",`
Move all IAM storage functionality into iam store type (#13567) This reverts commit 091a7ae3590a510c51cd84981dccd6d45879b1d6. - Ensure all actions accessing storage lock properly. - Behavior change: policies can be deleted only when they are not associated with any active credentials. Also adds fix for accidental canned policy removal that was present in the reverted version of the change. 2021-11-04 10:47:49 +08:00			`Description: "The policy cannot be removed, as it is in use",`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
allow JWT parsing on large session policy based tokens (#17167) 2023-05-09 15:53:08 +08:00			`case errors.Is(err, errSessionPolicyTooLarge):`
			`apiErr = APIError{`
			`Code: "XMinioIAMServiceAccountSessionPolicyTooLarge",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
kes: remove unnecessary error conversion (#14459) This commit removes some duplicate code that converts KES API errors. This code was added since KES `0.18.0` changed some exported API errors. However, the KES SDK handles this error conversion itself. Therefore, it is not necessary to duplicate this behavior in MinIO. See: https://github.com/minio/kes/blob/21555fa624420def4aa4766686baa553b692010a/error.go#L94 Signed-off-by: Andreas Auernhammer <hi@aead.dev> 2022-03-04 01:42:37 +08:00			`case errors.Is(err, kes.ErrKeyExists):`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`apiErr = APIError{`
			`Code: "XMinioKMSKeyExists",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusConflict,`
			`}`

			`// Tier admin API errors`
			`case errors.Is(err, madmin.ErrTierNameEmpty):`
			`apiErr = APIError{`
			`Code: "XMinioAdminTierNameEmpty",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case errors.Is(err, madmin.ErrTierInvalidConfig):`
			`apiErr = APIError{`
			`Code: "XMinioAdminTierInvalidConfig",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case errors.Is(err, madmin.ErrTierInvalidConfigVersion):`
			`apiErr = APIError{`
			`Code: "XMinioAdminTierInvalidConfigVersion",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case errors.Is(err, madmin.ErrTierTypeUnsupported):`
			`apiErr = APIError{`
			`Code: "XMinioAdminTierTypeUnsupported",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`case errIsTierPermError(err):`
			`apiErr = APIError{`
			`Code: "XMinioAdminTierInsufficientPermissions",`
			`Description: err.Error(),`
			`HTTPStatusCode: http.StatusBadRequest,`
			`}`
			`default:`
			`apiErr = errorCodes.ToAPIErrWithErr(toAdminAPIErrCode(ctx, err), err)`
			`}`
			`}`
			`return apiErr`
			`}`

			`// toAdminAPIErrCode - converts errErasureWriteQuorum error to admin API`
			`// specific error.`
			`func toAdminAPIErrCode(ctx context.Context, err error) APIErrorCode {`
Add number of offline disks in quorum errors (#16822) 2023-05-26 00:39:06 +08:00			`if errors.Is(err, errErasureWriteQuorum) {`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`return ErrAdminConfigNoQuorum`
			`}`
Add number of offline disks in quorum errors (#16822) 2023-05-26 00:39:06 +08:00			`return toAPIErrorCode(ctx, err)`
Use common function for authenticating admin requests (#12915) 2021-08-10 09:14:38 +08:00			`}`
improve error message for bucket metadata export/import API (#15120) 2022-06-21 07:13:45 +08:00
			`// wraps export error for more context`
			`func exportError(ctx context.Context, err error, fname, entity string) APIError {`
			`if entity == "" {`
			`return toAPIError(ctx, fmt.Errorf("error exporting %s with: %w", fname, err))`
			`}`
			`return toAPIError(ctx, fmt.Errorf("error exporting %s from %s with: %w", entity, fname, err))`
			`}`

			`// wraps import error for more context`
			`func importError(ctx context.Context, err error, fname, entity string) APIError {`
			`if entity == "" {`
			`return toAPIError(ctx, fmt.Errorf("error importing %s with: %w", fname, err))`
			`}`
			`return toAPIError(ctx, fmt.Errorf("error importing %s from %s with: %w", entity, fname, err))`
			`}`
Add APIs to import/export IAM data (#15014) 2022-06-24 00:25:15 +08:00
			`// wraps import error for more context`
			`func importErrorWithAPIErr(ctx context.Context, apiErr APIErrorCode, err error, fname, entity string) APIError {`
			`if entity == "" {`
			`return errorCodes.ToAPIErrWithErr(apiErr, fmt.Errorf("error importing %s with: %w", fname, err))`
			`}`
			`return errorCodes.ToAPIErrWithErr(apiErr, fmt.Errorf("error importing %s from %s with: %w", entity, fname, err))`
			`}`