mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-12-24 17:47:57 +08:00
[security] reload whiteList on http seerver (#6302)
* reload whiteList * white_list add to scaffold
This commit is contained in:
parent
b2ba7d7408
commit
b65eb2ec45
@ -121,3 +121,7 @@ cert = ""
|
|||||||
key = ""
|
key = ""
|
||||||
ca = ""
|
ca = ""
|
||||||
# disable_tls_verify_client_cert = true|false (default: false)
|
# disable_tls_verify_client_cert = true|false (default: false)
|
||||||
|
|
||||||
|
# white list. It's checking request ip address.
|
||||||
|
[guard]
|
||||||
|
white_list = ""
|
||||||
|
@ -280,6 +280,7 @@ func (v VolumeServerOptions) startVolumeServer(volumeFolders, maxVolumeCounts, v
|
|||||||
clusterHttpServer := v.startClusterHttpService(volumeMux)
|
clusterHttpServer := v.startClusterHttpService(volumeMux)
|
||||||
|
|
||||||
grace.OnReload(volumeServer.LoadNewVolumes)
|
grace.OnReload(volumeServer.LoadNewVolumes)
|
||||||
|
grace.OnReload(volumeServer.Reload)
|
||||||
|
|
||||||
stopChan := make(chan bool)
|
stopChan := make(chan bool)
|
||||||
grace.OnInterrupt(func() {
|
grace.OnInterrupt(func() {
|
||||||
|
@ -3,11 +3,10 @@ package security
|
|||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -40,24 +39,25 @@ Referenced:
|
|||||||
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
|
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
|
||||||
*/
|
*/
|
||||||
type Guard struct {
|
type Guard struct {
|
||||||
whiteList []string
|
whiteListIp map[string]struct{}
|
||||||
|
whiteListCIDR map[string]*net.IPNet
|
||||||
SigningKey SigningKey
|
SigningKey SigningKey
|
||||||
ExpiresAfterSec int
|
ExpiresAfterSec int
|
||||||
ReadSigningKey SigningKey
|
ReadSigningKey SigningKey
|
||||||
ReadExpiresAfterSec int
|
ReadExpiresAfterSec int
|
||||||
|
|
||||||
isWriteActive bool
|
isWriteActive bool
|
||||||
|
isEmptyWhiteList bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {
|
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {
|
||||||
g := &Guard{
|
g := &Guard{
|
||||||
whiteList: whiteList,
|
|
||||||
SigningKey: SigningKey(signingKey),
|
SigningKey: SigningKey(signingKey),
|
||||||
ExpiresAfterSec: expiresAfterSec,
|
ExpiresAfterSec: expiresAfterSec,
|
||||||
ReadSigningKey: SigningKey(readSigningKey),
|
ReadSigningKey: SigningKey(readSigningKey),
|
||||||
ReadExpiresAfterSec: readExpiresAfterSec,
|
ReadExpiresAfterSec: readExpiresAfterSec,
|
||||||
}
|
}
|
||||||
g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
|
g.UpdateWhiteList(whiteList)
|
||||||
return g
|
return g
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -90,37 +90,48 @@ func GetActualRemoteHost(r *http.Request) (host string, err error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
|
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
|
||||||
if len(g.whiteList) == 0 {
|
if g.isEmptyWhiteList {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
host, err := GetActualRemoteHost(r)
|
host, err := GetActualRemoteHost(r)
|
||||||
if err == nil {
|
if err != nil {
|
||||||
for _, ip := range g.whiteList {
|
return fmt.Errorf("get actual remote host %s in checkWhiteList failed: %v", r.RemoteAddr, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, ok := g.whiteListIp[host]; ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, cidrnet := range g.whiteListCIDR {
|
||||||
// If the whitelist entry contains a "/" it
|
// If the whitelist entry contains a "/" it
|
||||||
// is a CIDR range, and we should check the
|
// is a CIDR range, and we should check the
|
||||||
// remote host is within it
|
|
||||||
if strings.Contains(ip, "/") {
|
|
||||||
_, cidrnet, err := net.ParseCIDR(ip)
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
remote := net.ParseIP(host)
|
remote := net.ParseIP(host)
|
||||||
if cidrnet.Contains(remote) {
|
if cidrnet.Contains(remote) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
|
||||||
// Otherwise we're looking for a literal match.
|
|
||||||
//
|
|
||||||
if ip == host {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)
|
glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)
|
||||||
return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)
|
return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (g *Guard) UpdateWhiteList(whiteList []string) {
|
||||||
|
whiteListIp := make(map[string]struct{})
|
||||||
|
whiteListCIDR := make(map[string]*net.IPNet)
|
||||||
|
for _, ip := range whiteList {
|
||||||
|
if strings.Contains(ip, "/") {
|
||||||
|
_, cidrnet, err := net.ParseCIDR(ip)
|
||||||
|
if err != nil {
|
||||||
|
glog.Errorf("Parse CIDR %s in whitelist failed: %v", ip, err)
|
||||||
|
}
|
||||||
|
whiteListCIDR[ip] = cidrnet
|
||||||
|
} else {
|
||||||
|
whiteListIp[ip] = struct{}{}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
g.isEmptyWhiteList = len(whiteListIp) == 0 && len(whiteListCIDR) == 0
|
||||||
|
g.isWriteActive = !g.isEmptyWhiteList || len(g.SigningKey) != 0
|
||||||
|
g.whiteListIp = whiteListIp
|
||||||
|
g.whiteListCIDR = whiteListCIDR
|
||||||
|
}
|
||||||
|
@ -152,8 +152,8 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
fs.filer.Cipher = option.Cipher
|
fs.filer.Cipher = option.Cipher
|
||||||
// we do not support IP whitelist right now
|
whiteList := util.StringSplit(v.GetString("guard.white_list"), ",")
|
||||||
fs.filerGuard = security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
|
fs.filerGuard = security.NewGuard(whiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
|
||||||
fs.volumeGuard = security.NewGuard([]string{}, volumeSigningKey, volumeExpiresAfterSec, volumeReadSigningKey, volumeReadExpiresAfterSec)
|
fs.volumeGuard = security.NewGuard([]string{}, volumeSigningKey, volumeExpiresAfterSec, volumeReadSigningKey, volumeReadExpiresAfterSec)
|
||||||
|
|
||||||
fs.checkWithMaster()
|
fs.checkWithMaster()
|
||||||
@ -187,12 +187,12 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
|
|||||||
handleStaticResources(defaultMux)
|
handleStaticResources(defaultMux)
|
||||||
if !option.DisableHttp {
|
if !option.DisableHttp {
|
||||||
defaultMux.HandleFunc("/healthz", fs.filerHealthzHandler)
|
defaultMux.HandleFunc("/healthz", fs.filerHealthzHandler)
|
||||||
defaultMux.HandleFunc("/", fs.filerHandler)
|
defaultMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.filerHandler))
|
||||||
}
|
}
|
||||||
if defaultMux != readonlyMux {
|
if defaultMux != readonlyMux {
|
||||||
handleStaticResources(readonlyMux)
|
handleStaticResources(readonlyMux)
|
||||||
readonlyMux.HandleFunc("/healthz", fs.filerHealthzHandler)
|
readonlyMux.HandleFunc("/healthz", fs.filerHealthzHandler)
|
||||||
readonlyMux.HandleFunc("/", fs.readonlyFilerHandler)
|
readonlyMux.HandleFunc("/", fs.filerGuard.WhiteList(fs.readonlyFilerHandler))
|
||||||
}
|
}
|
||||||
|
|
||||||
existingNodes := fs.filer.ListExistingPeerUpdates(context.Background())
|
existingNodes := fs.filer.ListExistingPeerUpdates(context.Background())
|
||||||
@ -209,6 +209,7 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
|
|||||||
|
|
||||||
fs.filer.LoadRemoteStorageConfAndMapping()
|
fs.filer.LoadRemoteStorageConfAndMapping()
|
||||||
|
|
||||||
|
grace.OnReload(fs.Reload)
|
||||||
grace.OnInterrupt(func() {
|
grace.OnInterrupt(func() {
|
||||||
fs.filer.Shutdown()
|
fs.filer.Shutdown()
|
||||||
})
|
})
|
||||||
@ -239,5 +240,12 @@ func (fs *FilerServer) checkWithMaster() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (fs *FilerServer) Reload() {
|
||||||
|
glog.V(0).Infoln("Reload filer server...")
|
||||||
|
|
||||||
|
util.LoadConfiguration("security", false)
|
||||||
|
v := util.GetViper()
|
||||||
|
fs.filerGuard.UpdateWhiteList(util.StringSplit(v.GetString("guard.white_list"), ","))
|
||||||
}
|
}
|
||||||
|
@ -104,6 +104,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se
|
|||||||
topology.VolumeGrowStrategy.Copy3Count = v.GetUint32("master.volume_growth.copy_3")
|
topology.VolumeGrowStrategy.Copy3Count = v.GetUint32("master.volume_growth.copy_3")
|
||||||
topology.VolumeGrowStrategy.CopyOtherCount = v.GetUint32("master.volume_growth.copy_other")
|
topology.VolumeGrowStrategy.CopyOtherCount = v.GetUint32("master.volume_growth.copy_other")
|
||||||
topology.VolumeGrowStrategy.Threshold = v.GetFloat64("master.volume_growth.threshold")
|
topology.VolumeGrowStrategy.Threshold = v.GetFloat64("master.volume_growth.threshold")
|
||||||
|
whiteList := util.StringSplit(v.GetString("guard.white_list"), ",")
|
||||||
|
|
||||||
var preallocateSize int64
|
var preallocateSize int64
|
||||||
if option.VolumePreallocate {
|
if option.VolumePreallocate {
|
||||||
@ -133,7 +134,7 @@ func NewMasterServer(r *mux.Router, option *MasterOption, peers map[string]pb.Se
|
|||||||
ms.vg = topology.NewDefaultVolumeGrowth()
|
ms.vg = topology.NewDefaultVolumeGrowth()
|
||||||
glog.V(0).Infoln("Volume Size Limit is", ms.option.VolumeSizeLimitMB, "MB")
|
glog.V(0).Infoln("Volume Size Limit is", ms.option.VolumeSizeLimitMB, "MB")
|
||||||
|
|
||||||
ms.guard = security.NewGuard(ms.option.WhiteList, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
|
ms.guard = security.NewGuard(append(ms.option.WhiteList, whiteList...), signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec)
|
||||||
|
|
||||||
handleStaticResources2(r)
|
handleStaticResources2(r)
|
||||||
r.HandleFunc("/", ms.proxyToLeader(ms.uiStatusHandler))
|
r.HandleFunc("/", ms.proxyToLeader(ms.uiStatusHandler))
|
||||||
@ -410,3 +411,13 @@ func (ms *MasterServer) Shutdown() {
|
|||||||
}
|
}
|
||||||
ms.Topo.HashicorpRaft.Shutdown()
|
ms.Topo.HashicorpRaft.Shutdown()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (ms *MasterServer) Reload() {
|
||||||
|
glog.V(0).Infoln("Reload master server...")
|
||||||
|
|
||||||
|
util.LoadConfiguration("security", false)
|
||||||
|
v := util.GetViper()
|
||||||
|
ms.guard.UpdateWhiteList(append(ms.option.WhiteList,
|
||||||
|
util.StringSplit(v.GetString("guard.white_list"), ",")...),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
@ -32,6 +32,7 @@ type VolumeServer struct {
|
|||||||
readBufferSizeMB int
|
readBufferSizeMB int
|
||||||
|
|
||||||
SeedMasterNodes []pb.ServerAddress
|
SeedMasterNodes []pb.ServerAddress
|
||||||
|
whiteList []string
|
||||||
currentMaster pb.ServerAddress
|
currentMaster pb.ServerAddress
|
||||||
pulseSeconds int
|
pulseSeconds int
|
||||||
dataCenter string
|
dataCenter string
|
||||||
@ -102,7 +103,10 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
|
|||||||
hasSlowRead: hasSlowRead,
|
hasSlowRead: hasSlowRead,
|
||||||
readBufferSizeMB: readBufferSizeMB,
|
readBufferSizeMB: readBufferSizeMB,
|
||||||
ldbTimout: ldbTimeout,
|
ldbTimout: ldbTimeout,
|
||||||
|
whiteList: whiteList,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
whiteList = append(whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...)
|
||||||
vs.SeedMasterNodes = masterNodes
|
vs.SeedMasterNodes = masterNodes
|
||||||
|
|
||||||
vs.checkWithMaster()
|
vs.checkWithMaster()
|
||||||
@ -150,3 +154,11 @@ func (vs *VolumeServer) Shutdown() {
|
|||||||
vs.store.Close()
|
vs.store.Close()
|
||||||
glog.V(0).Infoln("Shut down successfully!")
|
glog.V(0).Infoln("Shut down successfully!")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (vs *VolumeServer) Reload() {
|
||||||
|
glog.V(0).Infoln("Reload volume server...")
|
||||||
|
|
||||||
|
util.LoadConfiguration("security", false)
|
||||||
|
v := util.GetViper()
|
||||||
|
vs.guard.UpdateWhiteList(append(vs.whiteList, util.StringSplit(v.GetString("guard.white_list"), ",")...))
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user