Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7080 Commits
37 Branches
296 Tags
161 MiB
Tree: d2ec62656d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd2ec62656d'
${ noResults }
seaweedfs/weed/security/jwt.go

97 lines
2.6 KiB
Raw Normal View History

merge conflicts
10 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
merge conflicts
10 years ago
directory structure change to work with glide glide has its own requirements. My previous workaround caused me some code checkin errors. Need to fix this.
9 years ago
fix security alert on github.com/dgrijalva/jwt-go resolve https://github.com/chrislusf/seaweedfs/security/dependabot/go.mod/github.com%2Fdgrijalva%2Fjwt-go/open
3 years ago
merge conflicts
10 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
rename security.GenJwt to security.GenJwtForVolumeServer
3 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
merge conflicts
10 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
rename security.GenJwt to security.GenJwtForVolumeServer
3 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
merge conflicts
10 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
master: add jwt expires_after_seconds
6 years ago
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works - I did not implement IP `whiteList` parameter on the filer Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before. ## Docs to be adjusted after a release Page `Amazon-S3-API`: ``` # Authentication with Filer You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`. Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication. ``` Page `Security Overview`: ``` The following items are not covered, yet: - master server http REST services Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. ... Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer. Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).** ... # Securing Filer HTTP with JWT To enable JWT-based access control for the Filer, 1. generate `security.toml` file by `weed scaffold -config=security` 2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string 3. copy the same `security.toml` file to the filers and all S3 proxies. If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`. If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`. The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer. ``` Page `Security Configuration`: ``` (update scaffold file) ... [filer_jwt.signing] key = "blahblahblahblah" [filer_jwt.signing.read] key = "blahblahblahblah" ``` Resolves: #158
3 years ago
fix compilation problem due to API changes
9 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
merge conflicts
10 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
merge conflicts
10 years ago
Refactor: pass in claim type into security.DecodeJwt
3 years ago
merge conflicts
10 years ago
Refactor: pass in claim type into security.DecodeJwt
3 years ago
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc
6 years ago
benchmark can work in secure mode
6 years ago
merge conflicts
10 years ago
  1. package security
  3. import (
  4. "fmt"
  5. "net/http"
  6. "strings"
  7. "time"
  9. "github.com/chrislusf/seaweedfs/weed/glog"
  10. "github.com/golang-jwt/jwt"
  11. )
  13. type EncodedJwt string
  14. type SigningKey []byte
  16. // SeaweedFileIdClaims is created by Master server(s) and consumed by Volume server(s),
  17. // restricting the access this JWT allows to only a single file.
  18. type SeaweedFileIdClaims struct {
  19. Fid string `json:"fid"`
  20. jwt.StandardClaims
  21. }
  23. // SeaweedFilerClaims is created e.g. by S3 proxy server and consumed by Filer server.
  24. // Right now, it only contains the standard claims; but this might be extended later
  25. // for more fine-grained permissions.
  26. type SeaweedFilerClaims struct {
  27. jwt.StandardClaims
  28. }
  30. func GenJwtForVolumeServer(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
  31. if len(signingKey) == 0 {
  32. return ""
  33. }
  35. claims := SeaweedFileIdClaims{
  36. fileId,
  37. jwt.StandardClaims{},
  38. }
  39. if expiresAfterSec > 0 {
  40. claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
  41. }
  42. t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
  43. encoded, e := t.SignedString([]byte(signingKey))
  44. if e != nil {
  45. glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
  46. return ""
  47. }
  48. return EncodedJwt(encoded)
  49. }
  51. // GenJwtForFilerServer creates a JSON-web-token for using the authenticated Filer API. Used f.e. inside
  52. // the S3 API
  53. func GenJwtForFilerServer(signingKey SigningKey, expiresAfterSec int) EncodedJwt {
  54. if len(signingKey) == 0 {
  55. return ""
  56. }
  58. claims := SeaweedFilerClaims{
  59. jwt.StandardClaims{},
  60. }
  61. if expiresAfterSec > 0 {
  62. claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
  63. }
  64. t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
  65. encoded, e := t.SignedString([]byte(signingKey))
  66. if e != nil {
  67. glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
  68. return ""
  69. }
  70. return EncodedJwt(encoded)
  71. }
  73. func GetJwt(r *http.Request) EncodedJwt {
  75. // Get token from query params
  76. tokenStr := r.URL.Query().Get("jwt")
  78. // Get token from authorization header
  79. if tokenStr == "" {
  80. bearer := r.Header.Get("Authorization")
  81. if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
  82. tokenStr = bearer[7:]
  83. }
  84. }
  86. return EncodedJwt(tokenStr)
  87. }
  89. func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt, claims jwt.Claims) (token *jwt.Token, err error) {
  90. // check exp, nbf
  91. return jwt.ParseWithClaims(string(tokenString), claims, func(token *jwt.Token) (interface{}, error) {
  92. if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
  93. return nil, fmt.Errorf("unknown token method")
  94. }
  95. return []byte(signingKey), nil
  96. })
  97. }