diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 125dc7c9b..9ea378401 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -4,7 +4,6 @@ COPY ./weed /usr/bin/weed
 RUN chmod +x /usr/bin/weed && ls -la /usr/bin/weed
 RUN mkdir -p /etc/seaweedfs
 COPY ./filer.toml /etc/seaweedfs/filer.toml
-COPY ./security.toml.example /etc/seaweedfs/security.toml
 COPY ./entrypoint.sh /entrypoint.sh
 
 # Install dependencies and create non-root user
diff --git a/docker/security.toml.example b/docker/security.toml.example
index 2d1702759..eeaec8209 100644
--- a/docker/security.toml.example
+++ b/docker/security.toml.example
@@ -13,22 +13,22 @@ values = "*"
 # - the Master server generates the JWT, which can be used to write a certain file on a volume server
 # - the Volume server validates the JWT on writing
 # the jwt defaults to expire after 10 seconds.
-[jwt.signing]
-key = "V1JJVEVTRUNSRVRFWEFNUExFMTIzNDU2Nzg5MDEy" # Example: WRITESECRETEXAMPLE123456789012
+# [jwt.signing]
+# key = "V1JJVEVTRUNSRVRFWEFNUExFMTIzNDU2Nzg5MDEy" # Example: WRITESECRETEXAMPLE123456789012
 # this jwt signing key is read by master and volume server, and it is used for read operations:
 # - the Master server generates the JWT, which can be used to read a certain file on a volume server
 # - the Volume server validates the JWT on reading
-[jwt.signing.read]
-key = "UkVBRFNFQ1JFVUVYQU1QTEUxMjM0NTY3ODkwMTI=" # Example: READSECRETEXAMPLE123456789012
+# [jwt.signing.read]
+# key = "UkVBRFNFQ1JFVUVYQU1QTEUxMjM0NTY3ODkwMTI=" # Example: READSECRETEXAMPLE123456789012
 # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
 # - f.e. the S3 API Shim generates the JWT
 # - the Filer server validates the JWT on writing
 # the jwt defaults to expire after 10 seconds.
-[jwt.filer_signing]
-key = "RklMRVJXUklURVNFQ1JFVEVYQU1QTEUxMjM0NTY3OA==" # Example: FILERWRITESECRETEXAMPLE12345678
+# [jwt.filer_signing]
+# key = "RklMRVJXUklURVNFQ1JFVEVYQU1QTEUxMjM0NTY3OA==" # Example: FILERWRITESECRETEXAMPLE12345678
 # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
 # - f.e. the S3 API Shim generates the JWT
 # - the Filer server validates the JWT on reading
 # the jwt defaults to expire after 10 seconds.
-[jwt.filer_signing.read]
-key = "RklMRVJSRUFEU0VDUkVURVhBTVBMRTEyMzQ1Njc4OQ==" # Example: FILERREADSECRETEXAMPLE123456789
+# [jwt.filer_signing.read]
+# key = "RklMRVJSRUFEU0VDUkVURVhBTVBMRTEyMzQ1Njc4OQ==" # Example: FILERREADSECRETEXAMPLE123456789
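Review bot: The four `+# key = ...` lines keep the example secrets in the shipped file (each trailing `# Example:` comment even spells out the plaintext), so anyone who copies this example to security.toml and uncomments a section ends up signing JWTs with a key that is public in this repository. Since the Dockerfile hunk above stops installing this file as the live security.toml, the literal values no longer serve a purpose; replace each with a placeholder such as `# key = "<base64 of a freshly generated random secret>"` and add one line above the first section, `# Generate a new random secret for every key below; never enable the example values.`. The file's own wording ("If this JWT key is configured, Filer only accepts ... if they are signed") implies that an unconfigured key disables the check, so it would also help to state at the top of this block that leaving every section commented out means unsigned requests are accepted.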
diff --git a/weed/server/filer_jwt_test.go b/weed/server/filer_jwt_test.go
index 81539a124..bc9709c27 100644
--- a/weed/server/filer_jwt_test.go
+++ b/weed/server/filer_jwt_test.go
@@ -119,7 +119,15 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
 			method: "GET",
 			path: "/",
 			isWrite: false,
-			expectAuthorized: false,
+			expectAuthorized: true,
+		},
+		{
+			name: "root path without token",
+			token: "",
+			method: "GET",
+			path: "/",
+			isWrite: false,
+			expectAuthorized: true,
 		},
 		{
 			name: "exact prefix match",
@@ -134,7 +142,9 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			req := httptest.NewRequest(tt.method, tt.path, nil)
-			req.Header.Set("Authorization", "Bearer "+tt.token)
+			if tt.token != "" {
+				req.Header.Set("Authorization", "Bearer "+tt.token)
+			}
 			if authorized := fs.maybeCheckJwtAuthorization(req, tt.isWrite); authorized != tt.expectAuthorized {
 				t.Errorf("expected authorized=%v, got %v", tt.expectAuthorized, authorized)
 			}
diff --git a/weed/server/filer_server_handlers.go b/weed/server/filer_server_handlers.go
index 45653be0f..8c27244f6 100644
--- a/weed/server/filer_server_handlers.go
+++ b/weed/server/filer_server_handlers.go
@@ -211,6 +211,10 @@ func OptionsHandler(w http.ResponseWriter, r *http.Request, isReadOnly bool) {
 
 // maybeCheckJwtAuthorization returns true if access should be granted, false if it should be denied
 func (fs *FilerServer) maybeCheckJwtAuthorization(r *http.Request, isWrite bool) bool {
+	if !isWrite && r.URL.Path == "/" {
+		return true
+	}
+
 	var signingKey security.SigningKey
 	if isWrite {
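Review bot: The flipped `expectAuthorized: true` at the top of the first hunk belongs to a case whose name and token sit above the hunk, and together with the new "root path without token" case the table now only pins that a GET on "/" is allowed; nothing asserts that the root exemption added in the filer_server_handlers.go hunk below stays read-only or stays limited to exactly "/". Add a negative case for a write, `{name: "root path write without token", token: "", method: "PUT", path: "/", isWrite: true, expectAuthorized: false}`, and one for a non-root read without a token, `{name: "non-root path without token", token: "", method: "GET", path: "/foo", isWrite: false, expectAuthorized: false}` (expecting false assumes the fixture configures a read signing key, which the scoped cases appear to rely on), unless such cases already exist outside the hunk. The `if tt.token != ""` guard in the second hunk is a real improvement, since the old code sent `Bearer ` with an empty token and so exercised a malformed header rather than a missing one; a comment above it, `// send no Authorization header at all for the unauthenticated cases`, would record that intent. TestFilerServer_maybeCheckJwtAuthorization_Scoped starts before and ends after both hunks.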