			
			
			Merge pull request #2543 from skurfuerst/seaweedfs-158
			
				
		Merge pull request #2543 from skurfuerst/seaweedfs-158
	
		
	
			
				FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Clientpull/2564/head
							committed by
							
								 GitHub
								GitHub
							
						
					
				
				
				  
				  No known key found for this signature in database
				  
				  	
						GPG Key ID: 4AEE18F83AFDEB23
				  	
				  
				
			
		
		
		
	
				 18 changed files with 376 additions and 36 deletions
			
			
		- 
					2test/s3/compatibility/.gitignore
- 
					11test/s3/compatibility/Dockerfile
- 
					13test/s3/compatibility/README.md
- 
					5test/s3/compatibility/prepare.sh
- 
					24test/s3/compatibility/run.sh
- 
					109test/s3/compatibility/s3tests.conf
- 
					30weed/command/scaffold/security.toml
- 
					4weed/s3api/s3api_object_copy_handlers.go
- 
					36weed/s3api/s3api_object_handlers.go
- 
					21weed/s3api/s3api_server.go
- 
					2weed/security/guard.go
- 
					37weed/security/jwt.go
- 
					13weed/server/filer_server.go
- 
					78weed/server/filer_server_handlers.go
- 
					4weed/server/master_grpc_server_volume.go
- 
					4weed/server/master_server_handlers.go
- 
					2weed/server/volume_server_handlers.go
- 
					17weed/util/http_util.go
| @ -0,0 +1,2 @@ | |||
| /s3-tests | |||
| /tmp | |||
| @ -0,0 +1,11 @@ | |||
| # the tests only support python 3.6, not newer | |||
| FROM ubuntu:latest | |||
| 
 | |||
| RUN apt-get update && DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get install -y git-core sudo tzdata | |||
| RUN git clone https://github.com/ceph/s3-tests.git | |||
| WORKDIR s3-tests | |||
| 
 | |||
| # we pin a certain commit | |||
| RUN git checkout 9a6a1e9f197fc9fb031b809d1e057635c2ff8d4e | |||
| 
 | |||
| RUN ./bootstrap | |||
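Review bot: `FROM ubuntu:latest` is an unpinned base image, and it contradicts the comment directly above it that the tests only support Python 3.6. `latest` moves over time, so the image will pick up a newer Python and a different package set without any change to this file. The s3-tests checkout is already pinned to a commit, so the base should be pinned the same way, to a release that still ships Python 3.6 (Ubuntu 18.04 does), e.g. `FROM ubuntu:18.04`, ideally by digest as well. `WORKDIR s3-tests` is a relative path that resolves against the image's current working directory; `WORKDIR /s3-tests` would match the `/s3-tests/s3tests.conf` mount target that run.sh uses.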
| @ -0,0 +1,13 @@ | |||
| # Running S3 Compatibility tests against SeaweedFS | |||
| 
 | |||
| This is using [the tests from CephFS](https://github.com/ceph/s3-tests). | |||
| 
 | |||
| ## Prerequisites | |||
| 
 | |||
| - have Docker installed | |||
| - this has been executed on Mac. On Linux, the hostname in `s3tests.conf`  needs to be adjusted. | |||
| 
 | |||
| ## Running tests | |||
| 
 | |||
| - `./prepare.sh` to build the docker image | |||
| - `./run.sh` to execute all tests | |||
| @ -0,0 +1,5 @@ | |||
| #!/usr/bin/env bash | |||
| 
 | |||
| set -ex | |||
| 
 | |||
| docker build  --progress=plain  -t s3tests . | |||
| @ -0,0 +1,24 @@ | |||
| #!/usr/bin/env bash | |||
| 
 | |||
| set -ex | |||
| 
 | |||
| killall -9 weed || echo "already stopped" | |||
| rm -Rf tmp | |||
| mkdir tmp | |||
| docker stop s3test-instance || echo "already stopped" | |||
| 
 | |||
| ulimit -n 10000 | |||
| ../../../weed/weed server -filer -s3 -volume.max 0   -master.volumeSizeLimitMB 5 -dir "$(pwd)/tmp" 1>&2>weed.log & | |||
| 
 | |||
| until $(curl --output /dev/null --silent --head --fail http://127.0.0.1:9333); do | |||
|     printf '.' | |||
|     sleep 5 | |||
| done | |||
| sleep 3 | |||
| 
 | |||
| rm -Rf logs-full.txt logs-summary.txt | |||
| # docker run --name s3test-instance --rm -e S3TEST_CONF=s3tests.conf -v `pwd`/s3tests.conf:/s3-tests/s3tests.conf -it s3tests    ./virtualenv/bin/nosetests s3tests_boto3/functional/test_s3.py:test_get_obj_tagging -v  -a 'resource=object,!bucket-policy,!versioning,!encryption' | |||
| docker run --name s3test-instance --rm -e S3TEST_CONF=s3tests.conf -v `pwd`/s3tests.conf:/s3-tests/s3tests.conf -it s3tests    ./virtualenv/bin/nosetests s3tests_boto3/functional/test_s3.py -v  -a 'resource=object,!bucket-policy,!versioning,!encryption' | sed -n -e '/botocore.hooks/!p;//q' | tee logs-summary.txt | |||
| 
 | |||
| docker stop s3test-instance || echo "already stopped" | |||
| killall -9 weed | |||
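Review bot: The `docker run … | sed … | tee logs-summary.txt` pipeline hides the test result, because the script sets `set -ex` without `pipefail` and so takes the pipeline's status from `tee`; a failing nosetests run still lets the script exit 0. If this script is meant to gate anything, add `set -o pipefail` and move the two cleanup lines at the end into a `trap '…' EXIT` so they still run when the tests fail. The redirect `1>&2>weed.log` on the `weed server` line is hard to read and probably does not capture stderr in weed.log; `>weed.log 2>&1` states the likely intent. `killall -9 weed` at the top and bottom kills every weed process the user owns, not only the one started here; saving `$!` after the `&` and killing that PID would be narrower.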
| @ -0,0 +1,109 @@ | |||
| [DEFAULT] | |||
| ## this section is just used for host, port and bucket_prefix | |||
| 
 | |||
| # host set for rgw in vstart.sh | |||
| host = host.docker.internal | |||
| 
 | |||
| # port set for rgw in vstart.sh | |||
| port = 8333 | |||
| 
 | |||
| ## say "False" to disable TLS | |||
| is_secure = False | |||
| 
 | |||
| ## say "False" to disable SSL Verify | |||
| ssl_verify = False | |||
| 
 | |||
| [fixtures] | |||
| ## all the buckets created will start with this prefix; | |||
| ## {random} will be filled with random characters to pad | |||
| ## the prefix to 30 characters long, and avoid collisions | |||
| bucket prefix = yournamehere-{random}- | |||
| 
 | |||
| [s3 main] | |||
| # main display_name set in vstart.sh | |||
| display_name = M. Tester | |||
| 
 | |||
| # main user_idname set in vstart.sh | |||
| user_id = testid | |||
| 
 | |||
| # main email set in vstart.sh | |||
| email = tester@ceph.com | |||
| 
 | |||
| # zonegroup api_name for bucket location | |||
| api_name = default | |||
| 
 | |||
| ## main AWS access key | |||
| access_key = 0555b35654ad1656d804 | |||
| 
 | |||
| ## main AWS secret key | |||
| secret_key = h7GhxuBLTrlhVUyxSPUKUV8r/2EI4ngqJxD7iBdBYLhwluN30JaT3Q== | |||
| 
 | |||
| ## replace with key id obtained when secret is created, or delete if KMS not tested | |||
| #kms_keyid = 01234567-89ab-cdef-0123-456789abcdef | |||
| 
 | |||
| [s3 alt] | |||
| # alt display_name set in vstart.sh | |||
| display_name = john.doe | |||
| ## alt email set in vstart.sh | |||
| email = john.doe@example.com | |||
| 
 | |||
| # alt user_id set in vstart.sh | |||
| user_id = 56789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234 | |||
| 
 | |||
| # alt AWS access key set in vstart.sh | |||
| access_key = NOPQRSTUVWXYZABCDEFG | |||
| 
 | |||
| # alt AWS secret key set in vstart.sh | |||
| secret_key = nopqrstuvwxyzabcdefghijklmnabcdefghijklm | |||
| 
 | |||
| [s3 tenant] | |||
| # tenant display_name set in vstart.sh | |||
| display_name = testx$tenanteduser | |||
| 
 | |||
| # tenant user_id set in vstart.sh | |||
| user_id = 9876543210abcdef0123456789abcdef0123456789abcdef0123456789abcdef | |||
| 
 | |||
| # tenant AWS secret key set in vstart.sh | |||
| access_key = HIJKLMNOPQRSTUVWXYZA | |||
| 
 | |||
| # tenant AWS secret key set in vstart.sh | |||
| secret_key = opqrstuvwxyzabcdefghijklmnopqrstuvwxyzab | |||
| 
 | |||
| # tenant email set in vstart.sh | |||
| email = tenanteduser@example.com | |||
| 
 | |||
| #following section needs to be added for all sts-tests | |||
| [iam] | |||
| #used for iam operations in sts-tests | |||
| #email from vstart.sh | |||
| email = s3@example.com | |||
| 
 | |||
| #user_id from vstart.sh | |||
| user_id = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef | |||
| 
 | |||
| #access_key from vstart.sh | |||
| access_key = ABCDEFGHIJKLMNOPQRST | |||
| 
 | |||
| #secret_key vstart.sh | |||
| secret_key = abcdefghijklmnopqrstuvwxyzabcdefghijklmn | |||
| 
 | |||
| #display_name from vstart.sh | |||
| display_name = youruseridhere | |||
| 
 | |||
| #following section needs to be added when you want to run Assume Role With Webidentity test | |||
| [webidentity] | |||
| #used for assume role with web identity test in sts-tests | |||
| #all parameters will be obtained from ceph/qa/tasks/keycloak.py | |||
| token=<access_token> | |||
| 
 | |||
| aud=<obtained after introspecting token> | |||
| 
 | |||
| sub=<obtained after introspecting token> | |||
| 
 | |||
| azp=<obtained after introspecting token> | |||
| 
 | |||
| user_token=<access token for a user, with attribute Department=[Engineering, Marketing>] | |||
| 
 | |||
| thumbprint=<obtained from x509 certificate> | |||
| 
 | |||
| KC_REALM=<name of the realm> | |||
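Review bot: The `[s3 main]`, `[s3 alt]`, `[s3 tenant]` and `[iam]` sections commit `access_key`/`secret_key` pairs with nothing marking them as throwaway fixtures, and the `[s3 main]` secret is shaped like a real credential. A header comment would make the intent explicit and keep secret scanners and later readers from guessing, e.g. `## test-only credentials for a local, disposable SeaweedFS instance; never configure these on a reachable server`. `is_secure = False` and `ssl_verify = False` are only acceptable because run.sh points the tests at a local instance on port 8333; a comment should say so, since this file is likely to be copied as a template. The per-key comments still refer to `vstart.sh` and `rgw`, which are Ceph tooling and do not exist in this repository, so they should be reworded or dropped.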