Browse Source

Add mTLS support for both master and volume http server.

pull/2760/head
Berck Nash 3 years ago
parent
commit
9b14f0c81a
  1. 41
      weed/command/master.go
  2. 6
      weed/command/scaffold/security.toml
  3. 14
      weed/command/volume.go
  4. 18
      weed/security/tls.go

41
weed/command/master.go

@ -1,23 +1,25 @@
package command package command
import ( import (
"github.com/chrislusf/raft/protobuf"
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
"github.com/gorilla/mux"
"google.golang.org/grpc/reflection"
"net/http" "net/http"
"os" "os"
"sort" "sort"
"strings" "strings"
"time" "time"
"github.com/chrislusf/raft/protobuf"
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
"github.com/gorilla/mux"
"github.com/spf13/viper"
"google.golang.org/grpc/reflection"
"github.com/chrislusf/seaweedfs/weed/util/grace" "github.com/chrislusf/seaweedfs/weed/util/grace"
"github.com/chrislusf/seaweedfs/weed/glog" "github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb" "github.com/chrislusf/seaweedfs/weed/pb"
"github.com/chrislusf/seaweedfs/weed/pb/master_pb" "github.com/chrislusf/seaweedfs/weed/pb/master_pb"
"github.com/chrislusf/seaweedfs/weed/security" "github.com/chrislusf/seaweedfs/weed/security"
"github.com/chrislusf/seaweedfs/weed/server"
weed_server "github.com/chrislusf/seaweedfs/weed/server"
"github.com/chrislusf/seaweedfs/weed/storage/backend" "github.com/chrislusf/seaweedfs/weed/storage/backend"
"github.com/chrislusf/seaweedfs/weed/util" "github.com/chrislusf/seaweedfs/weed/util"
) )
@ -138,6 +140,7 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
if e != nil { if e != nil {
glog.Fatalf("Master startup error: %v", e) glog.Fatalf("Master startup error: %v", e)
} }
// start raftServer // start raftServer
raftServerOption := &weed_server.RaftServerOption{ raftServerOption := &weed_server.RaftServerOption{
GrpcDialOption: security.LoadClientTLS(util.GetViper(), "grpc.master"), GrpcDialOption: security.LoadClientTLS(util.GetViper(), "grpc.master"),
@ -183,11 +186,39 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
go ms.MasterClient.KeepConnectedToMaster() go ms.MasterClient.KeepConnectedToMaster()
// start http server // start http server
var (
clientCertFile,
certFile,
keyFile string
)
useTLS := false
useMTLS := false
if viper.GetString("https.master.key") != "" {
useTLS = true
certFile = viper.GetString("https.master.cert")
keyFile = viper.GetString("https.master.key")
}
if viper.GetString("https.master.ca") != "" {
useMTLS = true
clientCertFile = viper.GetString("https.master.ca")
}
httpS := &http.Server{Handler: r} httpS := &http.Server{Handler: r}
if masterLocalListner != nil { if masterLocalListner != nil {
go httpS.Serve(masterLocalListner) go httpS.Serve(masterLocalListner)
} }
if useMTLS {
httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile)
}
if useTLS {
go httpS.ServeTLS(masterListener, certFile, keyFile)
} else {
go httpS.Serve(masterListener) go httpS.Serve(masterListener)
}
select {} select {}
} }

6
weed/command/scaffold/security.toml

@ -83,7 +83,13 @@ key = ""
# this does not work with other clients, e.g., "weed filer|mount" etc, yet. # this does not work with other clients, e.g., "weed filer|mount" etc, yet.
[https.client] [https.client]
enabled = true enabled = true
[https.volume] [https.volume]
cert = "" cert = ""
key = "" key = ""
ca = ""
[https.master]
cert = ""
key = ""
ca = ""

14
weed/command/volume.go

@ -2,7 +2,6 @@ package command
import ( import (
"fmt" "fmt"
"github.com/chrislusf/seaweedfs/weed/storage/types"
"net/http" "net/http"
httppprof "net/http/pprof" httppprof "net/http/pprof"
"os" "os"
@ -11,6 +10,8 @@ import (
"strings" "strings"
"time" "time"
"github.com/chrislusf/seaweedfs/weed/storage/types"
"github.com/spf13/viper" "github.com/spf13/viper"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -24,7 +25,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/glog" "github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/volume_server_pb" "github.com/chrislusf/seaweedfs/weed/pb/volume_server_pb"
"github.com/chrislusf/seaweedfs/weed/server"
weed_server "github.com/chrislusf/seaweedfs/weed/server"
stats_collect "github.com/chrislusf/seaweedfs/weed/stats" stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
"github.com/chrislusf/seaweedfs/weed/storage" "github.com/chrislusf/seaweedfs/weed/storage"
"github.com/chrislusf/seaweedfs/weed/util" "github.com/chrislusf/seaweedfs/weed/util"
@ -371,7 +372,14 @@ func (v VolumeServerOptions) startClusterHttpService(handler http.Handler) httpd
StopTimeout: 30 * time.Second, StopTimeout: 30 * time.Second,
CertFile: certFile, CertFile: certFile,
KeyFile: keyFile} KeyFile: keyFile}
clusterHttpServer := httpDown.Serve(&http.Server{Handler: handler}, listener)
httpS := &http.Server{Handler: handler}
if viper.GetString("https.volume.ca") != "" {
clientCertFile := viper.GetString("https.volume.ca")
httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile)
}
clusterHttpServer := httpDown.Serve(httpS, listener)
go func() { go func() {
if e := clusterHttpServer.Wait(); e != nil { if e := clusterHttpServer.Wait(); e != nil {
glog.Fatalf("Volume server fail to serve: %v", e) glog.Fatalf("Volume server fail to serve: %v", e)

18
weed/security/tls.go

@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"io/ioutil"
"os" "os"
"strings" "strings"
@ -98,6 +99,23 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
return grpc.WithTransportCredentials(ta) return grpc.WithTransportCredentials(ta)
} }
func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
clientCerts, err := ioutil.ReadFile(clientCertFile)
if err != nil {
glog.Fatal(err)
}
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM(clientCerts)
if !ok {
glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
}
return &tls.Config{
ClientCAs: certPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
}
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) { func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
p, ok := peer.FromContext(ctx) p, ok := peer.FromContext(ctx)
if !ok { if !ok {

Loading…
Cancel
Save