2018-07-22 01:39:02 +08:00
|
|
|
package s3api
|
|
|
|
|
|
|
|
import (
|
2021-10-14 18:03:11 +08:00
|
|
|
"bytes"
|
2018-09-12 16:00:57 +08:00
|
|
|
"crypto/md5"
|
2018-07-22 08:39:10 +08:00
|
|
|
"encoding/json"
|
2020-02-26 06:38:36 +08:00
|
|
|
"encoding/xml"
|
2018-07-22 01:39:02 +08:00
|
|
|
"fmt"
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/security"
|
2022-03-03 12:15:28 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/util/mem"
|
2018-07-22 16:15:11 +08:00
|
|
|
"io"
|
2018-07-22 08:39:10 +08:00
|
|
|
"net/http"
|
2021-03-11 05:19:28 +08:00
|
|
|
"net/url"
|
2021-01-29 06:28:40 +08:00
|
|
|
"sort"
|
2018-07-23 16:15:59 +08:00
|
|
|
"strings"
|
2021-05-24 18:43:55 +08:00
|
|
|
"time"
|
2018-09-12 15:46:12 +08:00
|
|
|
|
2021-10-14 12:27:58 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/filer"
|
|
|
|
"github.com/pquerna/cachecontrol/cacheobject"
|
|
|
|
|
2021-12-07 15:15:48 +08:00
|
|
|
xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
|
2020-10-21 01:25:16 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/s3api/s3err"
|
|
|
|
|
2018-09-12 15:46:12 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/glog"
|
2020-03-21 05:17:31 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
|
2020-06-11 20:00:47 +08:00
|
|
|
weed_server "github.com/chrislusf/seaweedfs/weed/server"
|
2020-02-15 01:46:36 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/util"
|
2018-07-22 01:39:02 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
client *http.Client
|
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
client = &http.Client{Transport: &http.Transport{
|
2021-02-12 19:47:15 +08:00
|
|
|
MaxIdleConns: 1024,
|
2018-07-22 01:39:02 +08:00
|
|
|
MaxIdleConnsPerHost: 1024,
|
|
|
|
}}
|
|
|
|
}
|
|
|
|
|
2021-10-14 18:03:11 +08:00
|
|
|
func mimeDetect(r *http.Request, dataReader io.Reader) io.ReadCloser {
|
|
|
|
mimeBuffer := make([]byte, 512)
|
2021-10-18 19:27:57 +08:00
|
|
|
size, _ := dataReader.Read(mimeBuffer)
|
|
|
|
if size > 0 {
|
2021-10-19 01:47:39 +08:00
|
|
|
r.Header.Set("Content-Type", http.DetectContentType(mimeBuffer[:size]))
|
2021-10-18 19:27:57 +08:00
|
|
|
return io.NopCloser(io.MultiReader(bytes.NewReader(mimeBuffer[:size]), dataReader))
|
|
|
|
}
|
|
|
|
return io.NopCloser(dataReader)
|
2021-10-14 18:03:11 +08:00
|
|
|
}
|
|
|
|
|
2018-07-22 01:39:02 +08:00
|
|
|
func (s3a *S3ApiServer) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
// http://docs.aws.amazon.com/AmazonS3/latest/dev/UploadingObjects.html
|
|
|
|
|
2021-12-07 15:15:48 +08:00
|
|
|
bucket, object := xhttp.GetBucketAndObject(r)
|
2021-09-19 15:29:51 +08:00
|
|
|
glog.V(3).Infof("PutObjectHandler %s %s", bucket, object)
|
2018-07-22 01:39:02 +08:00
|
|
|
|
|
|
|
_, err := validateContentMd5(r.Header)
|
|
|
|
if err != nil {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidDigest)
|
2018-07-22 01:39:02 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-05-24 18:43:55 +08:00
|
|
|
if r.Header.Get("Cache-Control") != "" {
|
|
|
|
if _, err = cacheobject.ParseRequestCacheControl(r.Header.Get("Cache-Control")); err != nil {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidDigest)
|
2021-05-24 18:43:55 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if r.Header.Get("Expires") != "" {
|
|
|
|
if _, err = time.Parse(http.TimeFormat, r.Header.Get("Expires")); err != nil {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidDigest)
|
2021-05-24 18:43:55 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-09-03 05:20:47 +08:00
|
|
|
dataReader := r.Body
|
2021-05-31 16:03:04 +08:00
|
|
|
rAuthType := getRequestAuthType(r)
|
2020-08-09 00:11:40 +08:00
|
|
|
if s3a.iam.isEnabled() {
|
2020-09-20 05:09:58 +08:00
|
|
|
var s3ErrCode s3err.ErrorCode
|
2020-08-09 00:11:40 +08:00
|
|
|
switch rAuthType {
|
|
|
|
case authTypeStreamingSigned:
|
|
|
|
dataReader, s3ErrCode = s3a.iam.newSignV4ChunkedReader(r)
|
|
|
|
case authTypeSignedV2, authTypePresignedV2:
|
|
|
|
_, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r)
|
|
|
|
case authTypePresigned, authTypeSigned:
|
|
|
|
_, s3ErrCode = s3a.iam.reqSignatureV4Verify(r)
|
|
|
|
}
|
2020-09-20 05:09:58 +08:00
|
|
|
if s3ErrCode != s3err.ErrNone {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3ErrCode)
|
2020-08-09 00:11:40 +08:00
|
|
|
return
|
|
|
|
}
|
2021-05-22 05:08:47 +08:00
|
|
|
} else {
|
2021-05-31 16:03:04 +08:00
|
|
|
if authTypeStreamingSigned == rAuthType {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrAuthNotSetup)
|
2021-05-22 05:08:47 +08:00
|
|
|
return
|
|
|
|
}
|
2018-09-03 05:20:47 +08:00
|
|
|
}
|
2020-02-15 01:09:15 +08:00
|
|
|
defer dataReader.Close()
|
2018-09-03 05:20:47 +08:00
|
|
|
|
2020-07-28 00:58:42 +08:00
|
|
|
if strings.HasSuffix(object, "/") {
|
|
|
|
if err := s3a.mkdir(s3a.option.BucketsPath, bucket+object, nil); err != nil {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
2020-07-28 00:58:42 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
} else {
|
2021-09-13 13:47:52 +08:00
|
|
|
uploadUrl := fmt.Sprintf("http://%s%s/%s%s", s3a.option.Filer.ToHttpAddress(), s3a.option.BucketsPath, bucket, urlPathEscape(object))
|
2020-07-28 00:58:42 +08:00
|
|
|
|
2021-10-14 18:03:11 +08:00
|
|
|
if r.Header.Get("Content-Type") == "" {
|
|
|
|
dataReader = mimeDetect(r, dataReader)
|
|
|
|
}
|
|
|
|
|
2020-07-28 00:58:42 +08:00
|
|
|
etag, errCode := s3a.putToFiler(r, uploadUrl, dataReader)
|
|
|
|
|
2020-09-20 05:09:58 +08:00
|
|
|
if errCode != s3err.ErrNone {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, errCode)
|
2020-07-28 00:58:42 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
setEtag(w, etag)
|
2018-07-22 01:39:02 +08:00
|
|
|
}
|
|
|
|
|
2021-11-01 09:02:08 +08:00
|
|
|
writeSuccessResponseEmpty(w, r)
|
2018-07-22 01:39:02 +08:00
|
|
|
}
|
2018-07-22 09:49:47 +08:00
|
|
|
|
2021-03-12 01:49:40 +08:00
|
|
|
func urlPathEscape(object string) string {
|
2021-03-11 05:19:28 +08:00
|
|
|
var escapedParts []string
|
|
|
|
for _, part := range strings.Split(object, "/") {
|
|
|
|
escapedParts = append(escapedParts, url.PathEscape(part))
|
|
|
|
}
|
2021-03-12 01:49:40 +08:00
|
|
|
return strings.Join(escapedParts, "/")
|
2021-03-11 05:19:28 +08:00
|
|
|
}
|
|
|
|
|
2018-07-22 09:49:47 +08:00
|
|
|
func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2021-12-07 15:15:48 +08:00
|
|
|
bucket, object := xhttp.GetBucketAndObject(r)
|
2021-09-19 15:28:22 +08:00
|
|
|
glog.V(3).Infof("GetObjectHandler %s %s", bucket, object)
|
2018-09-20 13:01:41 +08:00
|
|
|
|
2018-07-23 16:15:59 +08:00
|
|
|
if strings.HasSuffix(r.URL.Path, "/") {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
|
2018-07-23 16:15:59 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2018-09-20 13:01:41 +08:00
|
|
|
destUrl := fmt.Sprintf("http://%s%s/%s%s",
|
2021-09-13 13:47:52 +08:00
|
|
|
s3a.option.Filer.ToHttpAddress(), s3a.option.BucketsPath, bucket, urlPathEscape(object))
|
2018-07-22 09:49:47 +08:00
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
s3a.proxyToFiler(w, r, destUrl, false, passThroughResponse)
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s3a *S3ApiServer) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2021-12-07 15:15:48 +08:00
|
|
|
bucket, object := xhttp.GetBucketAndObject(r)
|
2021-09-19 15:28:22 +08:00
|
|
|
glog.V(3).Infof("HeadObjectHandler %s %s", bucket, object)
|
2018-09-20 13:01:41 +08:00
|
|
|
|
|
|
|
destUrl := fmt.Sprintf("http://%s%s/%s%s",
|
2021-09-13 13:47:52 +08:00
|
|
|
s3a.option.Filer.ToHttpAddress(), s3a.option.BucketsPath, bucket, urlPathEscape(object))
|
2018-07-22 09:49:47 +08:00
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
s3a.proxyToFiler(w, r, destUrl, false, passThroughResponse)
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s3a *S3ApiServer) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2021-12-07 15:15:48 +08:00
|
|
|
bucket, object := xhttp.GetBucketAndObject(r)
|
2021-09-19 15:28:22 +08:00
|
|
|
glog.V(3).Infof("DeleteObjectHandler %s %s", bucket, object)
|
2018-09-20 13:01:41 +08:00
|
|
|
|
2020-06-23 01:01:00 +08:00
|
|
|
destUrl := fmt.Sprintf("http://%s%s/%s%s?recursive=true",
|
2021-09-13 13:47:52 +08:00
|
|
|
s3a.option.Filer.ToHttpAddress(), s3a.option.BucketsPath, bucket, urlPathEscape(object))
|
2018-07-22 09:49:47 +08:00
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
s3a.proxyToFiler(w, r, destUrl, true, func(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int) {
|
2021-12-07 21:20:52 +08:00
|
|
|
statusCode = http.StatusNoContent
|
2020-06-11 20:00:47 +08:00
|
|
|
for k, v := range proxyResponse.Header {
|
2018-07-22 10:12:44 +08:00
|
|
|
w.Header()[k] = v
|
|
|
|
}
|
2021-12-07 21:20:52 +08:00
|
|
|
w.WriteHeader(statusCode)
|
|
|
|
return statusCode
|
2018-07-22 10:12:44 +08:00
|
|
|
})
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
|
|
|
|
2020-07-27 03:58:58 +08:00
|
|
|
// / ObjectIdentifier carries key name for the object to delete.
|
2020-02-26 06:38:36 +08:00
|
|
|
type ObjectIdentifier struct {
|
|
|
|
ObjectName string `xml:"Key"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteObjectsRequest - xml carrying the object key names which needs to be deleted.
|
|
|
|
type DeleteObjectsRequest struct {
|
|
|
|
// Element to enable quiet mode for the request
|
|
|
|
Quiet bool
|
|
|
|
// List of objects to be deleted
|
|
|
|
Objects []ObjectIdentifier `xml:"Object"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteError structure.
|
|
|
|
type DeleteError struct {
|
|
|
|
Code string
|
|
|
|
Message string
|
|
|
|
Key string
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteObjectsResponse container for multiple object deletes.
|
|
|
|
type DeleteObjectsResponse struct {
|
|
|
|
XMLName xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ DeleteResult" json:"-"`
|
|
|
|
|
|
|
|
// Collection of all deleted objects
|
|
|
|
DeletedObjects []ObjectIdentifier `xml:"Deleted,omitempty"`
|
|
|
|
|
|
|
|
// Collection of errors deleting certain objects.
|
|
|
|
Errors []DeleteError `xml:"Error,omitempty"`
|
|
|
|
}
|
|
|
|
|
2018-09-04 15:42:44 +08:00
|
|
|
// DeleteMultipleObjectsHandler - Delete multiple objects
|
|
|
|
func (s3a *S3ApiServer) DeleteMultipleObjectsHandler(w http.ResponseWriter, r *http.Request) {
|
2020-02-26 06:38:36 +08:00
|
|
|
|
2021-12-07 15:15:48 +08:00
|
|
|
bucket, _ := xhttp.GetBucketAndObject(r)
|
2021-09-19 15:18:59 +08:00
|
|
|
glog.V(3).Infof("DeleteMultipleObjectsHandler %s", bucket)
|
|
|
|
|
2021-10-14 12:27:58 +08:00
|
|
|
deleteXMLBytes, err := io.ReadAll(r.Body)
|
2020-02-26 06:38:36 +08:00
|
|
|
if err != nil {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
2020-02-26 06:38:36 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
deleteObjects := &DeleteObjectsRequest{}
|
|
|
|
if err := xml.Unmarshal(deleteXMLBytes, deleteObjects); err != nil {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrMalformedXML)
|
2020-02-26 06:38:36 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var deletedObjects []ObjectIdentifier
|
|
|
|
var deleteErrors []DeleteError
|
2021-12-07 21:20:52 +08:00
|
|
|
var auditLog *s3err.AccessLog
|
2020-02-26 06:38:36 +08:00
|
|
|
|
2021-01-29 05:20:06 +08:00
|
|
|
directoriesWithDeletion := make(map[string]int)
|
|
|
|
|
2021-12-07 21:20:52 +08:00
|
|
|
if s3err.Logger != nil {
|
|
|
|
auditLog = s3err.GetAccessLog(r, http.StatusNoContent, s3err.ErrNone)
|
|
|
|
}
|
2021-12-26 16:15:03 +08:00
|
|
|
s3a.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
2020-03-21 05:17:31 +08:00
|
|
|
|
2021-01-29 05:20:06 +08:00
|
|
|
// delete file entries
|
2020-03-21 05:17:31 +08:00
|
|
|
for _, object := range deleteObjects.Objects {
|
|
|
|
lastSeparator := strings.LastIndex(object.ObjectName, "/")
|
2021-03-10 02:07:22 +08:00
|
|
|
parentDirectoryPath, entryName, isDeleteData, isRecursive := "", object.ObjectName, true, false
|
2020-03-21 05:17:31 +08:00
|
|
|
if lastSeparator > 0 && lastSeparator+1 < len(object.ObjectName) {
|
|
|
|
entryName = object.ObjectName[lastSeparator+1:]
|
|
|
|
parentDirectoryPath = "/" + object.ObjectName[:lastSeparator]
|
|
|
|
}
|
|
|
|
parentDirectoryPath = fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, bucket, parentDirectoryPath)
|
|
|
|
|
|
|
|
err := doDeleteEntry(client, parentDirectoryPath, entryName, isDeleteData, isRecursive)
|
|
|
|
if err == nil {
|
2021-01-29 05:20:06 +08:00
|
|
|
directoriesWithDeletion[parentDirectoryPath]++
|
2020-03-21 05:17:31 +08:00
|
|
|
deletedObjects = append(deletedObjects, object)
|
2021-03-10 22:52:41 +08:00
|
|
|
} else if strings.Contains(err.Error(), filer.MsgFailDelNonEmptyFolder) {
|
|
|
|
deletedObjects = append(deletedObjects, object)
|
2020-03-21 05:17:31 +08:00
|
|
|
} else {
|
2021-01-29 05:20:06 +08:00
|
|
|
delete(directoriesWithDeletion, parentDirectoryPath)
|
2020-03-21 05:17:31 +08:00
|
|
|
deleteErrors = append(deleteErrors, DeleteError{
|
|
|
|
Code: "",
|
|
|
|
Message: err.Error(),
|
|
|
|
Key: object.ObjectName,
|
|
|
|
})
|
|
|
|
}
|
2021-12-07 21:20:52 +08:00
|
|
|
if auditLog != nil {
|
|
|
|
auditLog.Key = entryName
|
2021-12-13 16:39:39 +08:00
|
|
|
s3err.PostAccessLog(*auditLog)
|
2021-12-07 21:20:52 +08:00
|
|
|
}
|
2020-02-26 06:38:36 +08:00
|
|
|
}
|
2021-01-29 05:20:06 +08:00
|
|
|
|
|
|
|
// purge empty folders, only checking folders with deletions
|
2021-02-02 02:49:17 +08:00
|
|
|
for len(directoriesWithDeletion) > 0 {
|
2021-02-16 05:38:29 +08:00
|
|
|
directoriesWithDeletion = s3a.doDeleteEmptyDirectories(client, directoriesWithDeletion)
|
2021-01-29 05:20:06 +08:00
|
|
|
}
|
|
|
|
|
2020-03-21 05:17:31 +08:00
|
|
|
return nil
|
2020-02-26 06:38:36 +08:00
|
|
|
})
|
|
|
|
|
|
|
|
deleteResp := DeleteObjectsResponse{}
|
|
|
|
if !deleteObjects.Quiet {
|
|
|
|
deleteResp.DeletedObjects = deletedObjects
|
|
|
|
}
|
|
|
|
deleteResp.Errors = deleteErrors
|
|
|
|
|
2021-11-01 09:02:08 +08:00
|
|
|
writeSuccessResponseXML(w, r, deleteResp)
|
2020-02-26 06:38:36 +08:00
|
|
|
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
|
|
|
|
2021-02-16 05:38:29 +08:00
|
|
|
func (s3a *S3ApiServer) doDeleteEmptyDirectories(client filer_pb.SeaweedFilerClient, directoriesWithDeletion map[string]int) (newDirectoriesWithDeletion map[string]int) {
|
2021-02-02 02:49:17 +08:00
|
|
|
var allDirs []string
|
|
|
|
for dir, _ := range directoriesWithDeletion {
|
|
|
|
allDirs = append(allDirs, dir)
|
|
|
|
}
|
|
|
|
sort.Slice(allDirs, func(i, j int) bool {
|
|
|
|
return len(allDirs[i]) > len(allDirs[j])
|
|
|
|
})
|
|
|
|
newDirectoriesWithDeletion = make(map[string]int)
|
|
|
|
for _, dir := range allDirs {
|
|
|
|
parentDir, dirName := util.FullPath(dir).DirAndName()
|
2021-02-16 05:38:29 +08:00
|
|
|
if parentDir == s3a.option.BucketsPath {
|
|
|
|
continue
|
|
|
|
}
|
2021-02-02 02:49:17 +08:00
|
|
|
if err := doDeleteEntry(client, parentDir, dirName, false, false); err != nil {
|
|
|
|
glog.V(4).Infof("directory %s has %d deletion but still not empty: %v", dir, directoriesWithDeletion[dir], err)
|
|
|
|
} else {
|
|
|
|
newDirectoriesWithDeletion[parentDir]++
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
func (s3a *S3ApiServer) proxyToFiler(w http.ResponseWriter, r *http.Request, destUrl string, isWrite bool, responseFn func(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int)) {
|
2018-07-22 09:49:47 +08:00
|
|
|
|
2021-09-19 15:18:59 +08:00
|
|
|
glog.V(3).Infof("s3 proxying %s to %s", r.Method, destUrl)
|
2018-07-22 09:49:47 +08:00
|
|
|
|
|
|
|
proxyReq, err := http.NewRequest(r.Method, destUrl, r.Body)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
glog.Errorf("NewRequest %s: %v", destUrl, err)
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
2018-07-22 09:49:47 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
proxyReq.Header.Set("X-Forwarded-For", r.RemoteAddr)
|
2021-12-16 05:18:53 +08:00
|
|
|
for k, v := range r.URL.Query() {
|
|
|
|
if _, ok := xhttp.PassThroughHeaders[strings.ToLower(k)]; ok {
|
|
|
|
proxyReq.Header[k] = v
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
|
|
|
}
|
2021-12-16 05:18:53 +08:00
|
|
|
for header, values := range r.Header {
|
|
|
|
proxyReq.Header[header] = values
|
|
|
|
}
|
2018-07-22 09:49:47 +08:00
|
|
|
|
2022-01-01 05:06:18 +08:00
|
|
|
// ensure that the Authorization header is overriding any previous
|
|
|
|
// Authorization header which might be already present in proxyReq
|
|
|
|
s3a.maybeAddFilerJwtAuthorization(proxyReq, isWrite)
|
2018-07-22 09:49:47 +08:00
|
|
|
resp, postErr := client.Do(proxyReq)
|
|
|
|
|
|
|
|
if postErr != nil {
|
|
|
|
glog.Errorf("post to filer: %v", postErr)
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
2018-07-22 09:49:47 +08:00
|
|
|
return
|
|
|
|
}
|
2020-02-15 01:46:36 +08:00
|
|
|
defer util.CloseResponse(resp)
|
2021-03-18 02:41:34 +08:00
|
|
|
|
2021-05-24 19:59:44 +08:00
|
|
|
if resp.StatusCode == http.StatusPreconditionFailed {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrPreconditionFailed)
|
2021-05-24 19:59:44 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-04-09 18:13:19 +08:00
|
|
|
if (resp.ContentLength == -1 || resp.StatusCode == 404) && resp.StatusCode != 304 {
|
2021-02-03 16:35:44 +08:00
|
|
|
if r.Method != "DELETE" {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchKey)
|
2021-02-03 16:35:44 +08:00
|
|
|
return
|
|
|
|
}
|
2020-11-18 03:23:13 +08:00
|
|
|
}
|
|
|
|
|
2021-12-07 21:20:52 +08:00
|
|
|
responseStatusCode := responseFn(resp, w)
|
|
|
|
s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
|
2018-07-22 10:12:44 +08:00
|
|
|
}
|
2020-09-25 09:09:52 +08:00
|
|
|
|
2021-12-07 21:20:52 +08:00
|
|
|
func passThroughResponse(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int) {
|
2020-06-12 01:53:25 +08:00
|
|
|
for k, v := range proxyResponse.Header {
|
2018-07-22 09:49:47 +08:00
|
|
|
w.Header()[k] = v
|
|
|
|
}
|
2021-05-20 14:45:21 +08:00
|
|
|
if proxyResponse.Header.Get("Content-Range") != "" && proxyResponse.StatusCode == 200 {
|
|
|
|
w.WriteHeader(http.StatusPartialContent)
|
2021-12-07 21:20:52 +08:00
|
|
|
statusCode = http.StatusPartialContent
|
2021-05-20 14:45:21 +08:00
|
|
|
} else {
|
2021-12-07 21:20:52 +08:00
|
|
|
statusCode = proxyResponse.StatusCode
|
2021-05-20 14:45:21 +08:00
|
|
|
}
|
2021-12-07 21:20:52 +08:00
|
|
|
w.WriteHeader(statusCode)
|
2022-03-03 12:15:28 +08:00
|
|
|
buf := mem.Allocate(128 * 1024)
|
|
|
|
defer mem.Free(buf)
|
|
|
|
if n, err := io.CopyBuffer(w, proxyResponse.Body, buf); err != nil {
|
2021-12-30 14:21:02 +08:00
|
|
|
glog.V(1).Infof("passthrough response read %d bytes: %v", n, err)
|
|
|
|
}
|
2021-12-07 21:20:52 +08:00
|
|
|
return statusCode
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
2018-09-04 15:42:44 +08:00
|
|
|
|
2020-09-20 05:09:58 +08:00
|
|
|
func (s3a *S3ApiServer) putToFiler(r *http.Request, uploadUrl string, dataReader io.Reader) (etag string, code s3err.ErrorCode) {
|
2018-09-04 15:42:44 +08:00
|
|
|
|
2018-09-12 15:46:12 +08:00
|
|
|
hash := md5.New()
|
2020-02-25 14:28:45 +08:00
|
|
|
var body = io.TeeReader(dataReader, hash)
|
2018-09-12 15:46:12 +08:00
|
|
|
|
|
|
|
proxyReq, err := http.NewRequest("PUT", uploadUrl, body)
|
2018-09-04 15:42:44 +08:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
glog.Errorf("NewRequest %s: %v", uploadUrl, err)
|
2020-09-20 05:09:58 +08:00
|
|
|
return "", s3err.ErrInternalError
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
proxyReq.Header.Set("X-Forwarded-For", r.RemoteAddr)
|
|
|
|
|
|
|
|
for header, values := range r.Header {
|
|
|
|
for _, value := range values {
|
|
|
|
proxyReq.Header.Add(header, value)
|
|
|
|
}
|
|
|
|
}
|
2022-01-01 05:06:18 +08:00
|
|
|
// ensure that the Authorization header is overriding any previous
|
|
|
|
// Authorization header which might be already present in proxyReq
|
|
|
|
s3a.maybeAddFilerJwtAuthorization(proxyReq, true)
|
2018-09-04 15:42:44 +08:00
|
|
|
resp, postErr := client.Do(proxyReq)
|
|
|
|
|
|
|
|
if postErr != nil {
|
|
|
|
glog.Errorf("post to filer: %v", postErr)
|
2020-09-20 05:09:58 +08:00
|
|
|
return "", s3err.ErrInternalError
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
2018-09-12 15:46:12 +08:00
|
|
|
etag = fmt.Sprintf("%x", hash.Sum(nil))
|
2018-09-04 15:42:44 +08:00
|
|
|
|
2021-10-14 12:27:58 +08:00
|
|
|
resp_body, ra_err := io.ReadAll(resp.Body)
|
2018-09-04 15:42:44 +08:00
|
|
|
if ra_err != nil {
|
2020-11-11 18:01:24 +08:00
|
|
|
glog.Errorf("upload to filer response read %d: %v", resp.StatusCode, ra_err)
|
2020-09-20 05:09:58 +08:00
|
|
|
return etag, s3err.ErrInternalError
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
2018-09-12 15:46:12 +08:00
|
|
|
var ret weed_server.FilerPostResult
|
2018-09-04 15:42:44 +08:00
|
|
|
unmarshal_err := json.Unmarshal(resp_body, &ret)
|
|
|
|
if unmarshal_err != nil {
|
|
|
|
glog.Errorf("failing to read upload to %s : %v", uploadUrl, string(resp_body))
|
2020-09-20 05:09:58 +08:00
|
|
|
return "", s3err.ErrInternalError
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
|
|
|
if ret.Error != "" {
|
|
|
|
glog.Errorf("upload to filer error: %v", ret.Error)
|
2020-10-21 01:25:16 +08:00
|
|
|
return "", filerErrorToS3Error(ret.Error)
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
|
|
|
|
2020-09-20 05:09:58 +08:00
|
|
|
return etag, s3err.ErrNone
|
2018-09-04 15:42:44 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
func setEtag(w http.ResponseWriter, etag string) {
|
|
|
|
if etag != "" {
|
2018-09-12 15:46:12 +08:00
|
|
|
if strings.HasPrefix(etag, "\"") {
|
|
|
|
w.Header().Set("ETag", etag)
|
|
|
|
} else {
|
|
|
|
w.Header().Set("ETag", "\""+etag+"\"")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-21 01:25:16 +08:00
|
|
|
func filerErrorToS3Error(errString string) s3err.ErrorCode {
|
2022-02-04 08:28:37 +08:00
|
|
|
switch {
|
|
|
|
case strings.HasPrefix(errString, "existing ") && strings.HasSuffix(errString, "is a directory"):
|
2020-10-21 01:25:16 +08:00
|
|
|
return s3err.ErrExistingObjectIsDirectory
|
2022-02-04 08:28:37 +08:00
|
|
|
case strings.HasSuffix(errString, "is a file"):
|
|
|
|
return s3err.ErrExistingObjectIsFile
|
|
|
|
default:
|
|
|
|
return s3err.ErrInternalError
|
2020-10-21 01:25:16 +08:00
|
|
|
}
|
|
|
|
}
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
|
|
|
|
func (s3a *S3ApiServer) maybeAddFilerJwtAuthorization(r *http.Request, isWrite bool) {
|
|
|
|
encodedJwt := s3a.maybeGetFilerJwtAuthorizationToken(isWrite)
|
|
|
|
|
|
|
|
if encodedJwt == "" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-01-01 05:06:18 +08:00
|
|
|
r.Header.Set("Authorization", "BEARER "+string(encodedJwt))
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s3a *S3ApiServer) maybeGetFilerJwtAuthorizationToken(isWrite bool) string {
|
|
|
|
var encodedJwt security.EncodedJwt
|
|
|
|
if isWrite {
|
|
|
|
encodedJwt = security.GenJwtForFilerServer(s3a.filerGuard.SigningKey, s3a.filerGuard.ExpiresAfterSec)
|
|
|
|
} else {
|
|
|
|
encodedJwt = security.GenJwtForFilerServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec)
|
|
|
|
}
|
|
|
|
return string(encodedJwt)
|
|
|
|
}
|