Browse Source
Disable filer UI in configuration (#5297 )
* Add filer.ui.enabled configuration property
* Add filer.expose_directory_metadata to config
* Ammend commit
* Remove ShowUI reference
* Update all routes that allow directory metadata
* Add cmd flag to server.go
pull/5351/head
jerebear12
11 months ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with
23 additions and
2 deletions
weed/command/filer.go
weed/command/scaffold/security.toml
weed/command/server.go
weed/server/filer_server.go
weed/server/filer_server_handlers_read.go
weed/server/filer_server_handlers_read_dir.go
@ -62,6 +62,7 @@ type FilerOptions struct {
downloadMaxMBps * int
diskType * string
allowedOrigins * string
exposeDirectoryData * bool
}
func init ( ) {
@ -93,6 +94,7 @@ func init() {
f . downloadMaxMBps = cmdFiler . Flag . Int ( "downloadMaxMBps" , 0 , "download max speed for each download request, in MB per second" )
f . diskType = cmdFiler . Flag . String ( "disk" , "" , "[hdd|ssd|<tag>] hard drive or solid state drive or any tag" )
f . allowedOrigins = cmdFiler . Flag . String ( "allowedOrigins" , "*" , "comma separated list of allowed origins" )
f . exposeDirectoryData = cmdFiler . Flag . Bool ( "exposeDirectoryData" , true , "whether to return directory metadata and content in Filer UI" )
// start s3 on filer
filerStartS3 = cmdFiler . Flag . Bool ( "s3" , false , "whether to start S3 gateway" )
@ -24,6 +24,13 @@ expires_after_seconds = 10 # seconds
[ access ]
ui = false
# by default the filer UI is enabled. This can be a security risk if the filer is exposed to the public
# and the JWT for reads is not set. If you don't want the public to have access to the objects in your
# storage, and you haven't set the JWT for reads it is wise to disable access to directory metadata.
# This disables access to the Filer UI, and will no longer return directory metadata in GET requests.
[ filer . expose_directory_metadata ]
enabled = true
# this jwt signing key is read by master and volume server, and it is used for read operations:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading
@ -118,6 +118,7 @@ func init() {
filerOptions . showUIDirectoryDelete = cmdServer . Flag . Bool ( "filer.ui.deleteDir" , true , "enable filer UI show delete directory button" )
filerOptions . downloadMaxMBps = cmdServer . Flag . Int ( "filer.downloadMaxMBps" , 0 , "download max speed for each download request, in MB per second" )
filerOptions . diskType = cmdServer . Flag . String ( "filer.disk" , "" , "[hdd|ssd|<tag>] hard drive or solid state drive or any tag" )
filerOptions . exposeDirectoryData = cmdServer . Flag . Bool ( "filer.exposeDirectoryData" , true , "expose directory data via filer. If false, filer UI will be innaccessible." )
serverOptions . v . port = cmdServer . Flag . Int ( "volume.port" , 8080 , "volume server http listen port" )
serverOptions . v . portGrpc = cmdServer . Flag . Int ( "volume.port.grpc" , 0 , "volume server grpc listen port" )
@ -72,6 +72,7 @@ type FilerOption struct {
DownloadMaxBytesPs int64
DiskType string
AllowedOrigins [ ] string
ExposeDirectoryData bool
}
type FilerServer struct {
@ -115,6 +116,10 @@ func NewFilerServer(defaultMux, readonlyMux *http.ServeMux, option *FilerOption)
domains := strings . Split ( allowedOrigins , "," )
option . AllowedOrigins = domains
v . SetDefault ( "filer.expose_directory_metadata.enabled" , true )
returnDirMetadata := v . GetBool ( "filer.expose_directory_metadata.enabled" )
option . ExposeDirectoryData = returnDirMetadata
fs = & FilerServer {
option : option ,
grpcDialOption : security . LoadClientTLS ( util . GetViper ( ) , "grpc.filer" ) ,
@ -117,7 +117,7 @@ func (fs *FilerServer) GetOrHeadHandler(w http.ResponseWriter, r *http.Request)
w . WriteHeader ( http . StatusForbidden )
return
}
if query . Get ( "metadata" ) == "true" {
if query . Get ( "metadata" ) == "true" && fs . option . ExposeDirectoryData != false {
writeJsonQuiet ( w , r , http . StatusOK , entry )
return
}
@ -135,7 +135,7 @@ func (fs *FilerServer) GetOrHeadHandler(w http.ResponseWriter, r *http.Request)
return
}
if query . Get ( "metadata" ) == "true" {
if query . Get ( "metadata" ) == "true" && fs . option . ExposeDirectoryData != false {
if query . Get ( "resolveManifest" ) == "true" {
if entry . Chunks , _ , err = filer . ResolveChunkManifest (
fs . filer . MasterClient . GetLookupFileIdFunction ( ) ,
@ -18,6 +18,11 @@ import (
// is empty.
func ( fs * FilerServer ) listDirectoryHandler ( w http . ResponseWriter , r * http . Request ) {
if fs . option . ExposeDirectoryData == false {
http . NotFound ( w , r )
return
}
stats . FilerHandlerCounter . WithLabelValues ( stats . DirList ) . Inc ( )
path := r . URL . Path
@ -95,4 +100,5 @@ func (fs *FilerServer) listDirectoryHandler(w http.ResponseWriter, r *http.Reque
if err != nil {
glog . V ( 0 ) . Infof ( "Template Execute Error: %v" , err )
}
}