Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

refactor: Surface credential generation errors and remove sensitive logging 

Two improvements to error handling and security:

1. weed/iam/sts/session_claims.go:
   - Add logging for credential generation failures in ToSessionInfo()
   - Wrap errors with context (session ID) to aid debugging
   - Use glog.Warningf() to surface errors instead of silently swallowing them
   - Add fmt import for error wrapping

2. weed/s3api/auth_signature_v4.go:
   - Remove debug logging of actual access key IDs (glog.V(2) call)
   - Security improvement: avoid exposing sensitive access keys even at debug level
   - Keep warning-level logging that shows only count of available keys

This ensures credential generation failures are observable while protecting
sensitive authentication material from logs.
pull/7944/head
Chris Lu 1 month ago
parent
371b311493
commit
d405a5df35
2 changed files with 6 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      weed/iam/sts/session_claims.go
  2. 5
      weed/s3api/auth_signature_v4.go

8
weed/iam/sts/session_claims.go
View File

@ -1,9 +1,11 @@
package sts package sts
import ( import (
"fmt"
"time" "time"
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
"github.com/seaweedfs/seaweedfs/weed/glog"
) )
// defaultCredentialGenerator is a reusable instance for generating temporary credentials // defaultCredentialGenerator is a reusable instance for generating temporary credentials
@ -72,8 +74,10 @@ func (c *STSSessionClaims) ToSessionInfo() *SessionInfo {
// This is deterministic based on the session ID, so the same credentials are regenerated // This is deterministic based on the session ID, so the same credentials are regenerated
credentials, err := defaultCredentialGenerator.GenerateTemporaryCredentials(c.SessionId, expiresAt) credentials, err := defaultCredentialGenerator.GenerateTemporaryCredentials(c.SessionId, expiresAt)
if err != nil { if err != nil {
// If credential generation fails, return session info without credentials
// The validation code will catch this as invalid credentials
// Log the error with context - credential generation failure is important for debugging
errMsg := fmt.Errorf("generate temporary credentials for session %s: %w", c.SessionId, err)
glog.Warningf("Failed to generate credentials for STS session: %v", errMsg)
// Return session info without credentials - validation will catch this as invalid
credentials = nil credentials = nil
} }

5
weed/s3api/auth_signature_v4.go
View File

@ -234,11 +234,6 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
glog.Warningf("InvalidAccessKeyId: attempted key '%s' not found. Available keys: %d, Auth enabled: %v", glog.Warningf("InvalidAccessKeyId: attempted key '%s' not found. Available keys: %d, Auth enabled: %v",
authInfo.AccessKey, len(availableKeys), iam.isAuthEnabled) authInfo.AccessKey, len(availableKeys), iam.isAuthEnabled)
if glog.V(2) && len(availableKeys) > 0 {
glog.V(2).Infof("Available access keys: %v", availableKeys)
}
return nil, nil, "", nil, s3err.ErrInvalidAccessKeyID
} }
// Check service account expiration // Check service account expiration

Write Preview
Loading…
Cancel
Save