diff --git a/docker/compose/tls.env b/docker/compose/tls.env
index e03f42e95..a82954c4f 100644
--- a/docker/compose/tls.env
+++ b/docker/compose/tls.env
@@ -7,4 +7,8 @@ WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.dev.key
 WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt
 WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key
 WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt
-WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key
\ No newline at end of file
+WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key
+WEED_GRPC_MASTER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_VOLUME_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_FILER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_CLIENT_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
\ No newline at end of file
diff --git a/weed/command/scaffold.go b/weed/command/scaffold.go
index 1e81d4d58..07d448042 100644
--- a/weed/command/scaffold.go
+++ b/weed/command/scaffold.go
@@ -440,6 +440,7 @@ expires_after_seconds = 10 # seconds
 # the host name is not checked, so the PERM files can be shared.
 [grpc]
 ca = ""
+# Set wildcard domain for enable TLS authentication by common names
 allowed_wildcard_domain = "" # .mycompany.com
 
 [grpc.volume]
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 59714d103..7d3ffcdca 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
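Review bot: The four new ALLOWED_COMMONNAMES lists are identical and name every identity in the deployment, so each component accepts gRPC calls from every other certificate (the client certificate included, toward master and volume), and the allowlist adds no authorization beyond CA validation. That is acceptable for a dev compose file, but a line such as `# dev only: every identity may call every component; narrow per component in production` above the new entries would keep these values from being copied as-is. The values are also double-quoted while every existing line in this file is not; whether Compose strips quotes from env_file values depends on the Compose version, and if they survive, the first and last names of each list (`"volume01.dev` and `client01.dev"`) would never match a certificate CN, so unquoted values are the safer form. The file still ends without a trailing newline.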
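Review bot: The new comment above `allowed_wildcard_domain` is ungrammatical and does not say what the match actually is: the authenticator in tls.go accepts any verified client certificate whose Subject CN ends with this string (a plain suffix check via strings.HasSuffix), so a value without the leading dot, e.g. `mycompany.com`, would also accept a CN like `evilmycompany.com`. I would write `# Set a wildcard domain suffix (keep the leading dot) to accept any client certificate whose common name ends with it` so the example `.mycompany.com` reads as the required shape rather than a coincidence. The scaffold template string this comment lives in continues outside the hunk.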
@@ -50,11 +50,11 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 ClientAuth: tls.RequireAndVerifyClientCert,
 })
 
-allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
+allowedCommonNames := config.GetString(component + ".allowed_commonNames")
 allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
-if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" {
+if allowedCommonNames != "" || allowedWildcardDomain != "" {
 allowedCommonNamesMap := make(map[string]bool)
-for _, s := range allowedCommonNames {
+for _, s := range strings.Split(allowedCommonNames, ",") {
 allowedCommonNamesMap[s] = true
 }
 auther := Authenticator{
@@ -108,10 +108,10 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
 if !ok {
 return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
 }
-
 if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
 return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
 }
+
 commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
 if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
 return ctx, nil
@@ -119,5 +119,6 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
 if _, ok := a.AllowedCommonNames[commonName]; ok {
 return ctx, nil
 }
-return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
+
+return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
 }
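Review bot: The new loop inserts every raw piece of `strings.Split(allowedCommonNames, ",")` into the map, so an empty entry — a trailing comma, or the case where only `allowed_wildcard_domain` is set and `allowedCommonNames` is `""`, which Split turns into `[""]` — puts the empty string into the allowlist, and Authenticate's map lookup would then accept any CA-signed certificate whose Subject CN is empty, which SAN-only certificates commonly are. Whitespace around names (`a, b`) is likewise kept verbatim and would never match a CN. I would skip blanks and trim in the loop body: `if s = strings.TrimSpace(s); s != "" { allowedCommonNamesMap[s] = true }`. LoadServerTLS starts and ends outside the hunk.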
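Review bot: The rejected CN is interpolated with `%s` in the new Errorf, which hides exactly the cases the allowlist is most likely to trip on: an empty CN prints as nothing and one with leading or trailing whitespace prints as the bare name. `%q` makes both visible to whoever reads the status: `return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %q", commonName)`. Authenticate starts outside the hunk.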