seaweedfs

11879 Commits

49 Branches

313 Tags

352 MiB

Tree: beb23b0ab5

Commit Graph

Author	SHA1	Message	Date
chrislu	beb23b0ab5	feat: Implement configuration-driven identity providers for distributed STS PROBLEM SOLVED: - Identity providers were registered manually on each STS instance - No guarantee of provider consistency across distributed deployments - Authentication behavior could differ between S3 gateway instances - Operational complexity in managing provider configurations at scale IMPLEMENTATION: - Add provider configuration support to STSConfig schema - Create ProviderFactory for automatic provider loading from config - Update STSService.Initialize() to load providers from configuration - Support OIDC and mock providers with extensible factory pattern - Comprehensive validation and error handling for provider configs NEW COMPONENTS: - weed/iam/sts/provider_factory.go - Factory for creating providers from config - weed/iam/sts/provider_factory_test.go - Comprehensive factory tests - weed/iam/sts/distributed_sts_test.go - Distributed STS integration tests - test/s3/iam/STS_DISTRIBUTED.md - Complete deployment and operations guide CONFIGURATION SCHEMA: { 'sts': { 'providers': [ { 'name': 'keycloak-oidc', 'type': 'oidc', 'enabled': true, 'config': { 'issuer': 'https://keycloak.company.com/realms/seaweedfs', 'clientId': 'seaweedfs-s3', 'clientSecret': 'secret', 'scopes': ['openid', 'profile', 'email', 'roles'] } } ] } } DISTRIBUTED BENEFITS: - ✅ Consistent providers across all S3 gateway instances - ✅ Configuration-driven - no manual provider registration needed - ✅ Automatic validation and initialization of all providers - ✅ Support for provider enable/disable without code changes - ✅ Extensible factory pattern for adding new provider types - ✅ Comprehensive testing for distributed deployment scenarios This completes the distributed STS implementation, making SeaweedFS S3 Gateway truly production-ready for multi-instance deployments with consistent, reliable authentication across all instances.	2 months ago
chrislu	ce17743275	feat: Implement distributed IAM role storage for multi-instance deployments PROBLEM SOLVED: - Roles were stored in memory per-instance, causing inconsistencies - Sessions and policies had filer storage but roles didn't - Multi-instance deployments had authentication failures IMPLEMENTATION: - Add RoleStore interface for pluggable role storage backends - Implement FilerRoleStore using SeaweedFS filer as distributed backend - Update IAMManager to use RoleStore instead of in-memory map - Add role store configuration to IAM config schema - Support both memory and filer storage for roles NEW COMPONENTS: - weed/iam/integration/role_store.go - Role storage interface & implementations - weed/iam/integration/role_store_test.go - Unit tests for role storage - test/s3/iam/iam_config_distributed.json - Sample distributed config - test/s3/iam/DISTRIBUTED.md - Complete deployment guide CONFIGURATION: { 'roleStore': { 'storeType': 'filer', 'storeConfig': { 'filerAddress': 'localhost:8888', 'basePath': '/seaweedfs/iam/roles' } } } BENEFITS: - ✅ Consistent role definitions across all S3 gateway instances - ✅ Persistent role storage survives instance restarts - ✅ Scales to unlimited number of gateway instances - ✅ No session affinity required in load balancers - ✅ Production-ready distributed IAM system This completes the distributed IAM implementation, making SeaweedFS S3 Gateway truly scalable for production multi-instance deployments.	2 months ago
chrislu	299c86f002	feat: Add Keycloak OIDC integration for S3 IAM tests - Add Docker Compose setup with Keycloak OIDC provider - Configure test realm with users, roles, and S3 client - Implement automatic detection between Keycloak and mock OIDC modes - Add comprehensive Keycloak integration tests for authentication and authorization - Support real JWT token validation with production-like OIDC flow - Add Docker-specific IAM configuration for containerized testing - Include detailed documentation for Keycloak integration setup Integration includes: - Real OIDC authentication flow with username/password - JWT Bearer token authentication for S3 operations - Role mapping from Keycloak roles to SeaweedFS IAM policies - Comprehensive test coverage for production scenarios - Automatic fallback to mock mode when Keycloak unavailable	2 months ago

Author

SHA1

Message

Date

chrislu

beb23b0ab5

feat: Implement configuration-driven identity providers for distributed STS

PROBLEM SOLVED:
- Identity providers were registered manually on each STS instance
- No guarantee of provider consistency across distributed deployments
- Authentication behavior could differ between S3 gateway instances
- Operational complexity in managing provider configurations at scale

IMPLEMENTATION:
- Add provider configuration support to STSConfig schema
- Create ProviderFactory for automatic provider loading from config
- Update STSService.Initialize() to load providers from configuration
- Support OIDC and mock providers with extensible factory pattern
- Comprehensive validation and error handling for provider configs

NEW COMPONENTS:
- weed/iam/sts/provider_factory.go - Factory for creating providers from config
- weed/iam/sts/provider_factory_test.go - Comprehensive factory tests
- weed/iam/sts/distributed_sts_test.go - Distributed STS integration tests
- test/s3/iam/STS_DISTRIBUTED.md - Complete deployment and operations guide

CONFIGURATION SCHEMA:
{
  'sts': {
    'providers': [
      {
        'name': 'keycloak-oidc',
        'type': 'oidc',
        'enabled': true,
        'config': {
          'issuer': 'https://keycloak.company.com/realms/seaweedfs',
          'clientId': 'seaweedfs-s3',
          'clientSecret': 'secret',
          'scopes': ['openid', 'profile', 'email', 'roles']
        }
      }
    ]
  }
}

DISTRIBUTED BENEFITS:
- ✅ Consistent providers across all S3 gateway instances
- ✅ Configuration-driven - no manual provider registration needed
- ✅ Automatic validation and initialization of all providers
- ✅ Support for provider enable/disable without code changes
- ✅ Extensible factory pattern for adding new provider types
- ✅ Comprehensive testing for distributed deployment scenarios

This completes the distributed STS implementation, making SeaweedFS
S3 Gateway truly production-ready for multi-instance deployments
with consistent, reliable authentication across all instances.

2 months ago

chrislu

ce17743275

feat: Implement distributed IAM role storage for multi-instance deployments

PROBLEM SOLVED:
- Roles were stored in memory per-instance, causing inconsistencies
- Sessions and policies had filer storage but roles didn't
- Multi-instance deployments had authentication failures

IMPLEMENTATION:
- Add RoleStore interface for pluggable role storage backends
- Implement FilerRoleStore using SeaweedFS filer as distributed backend
- Update IAMManager to use RoleStore instead of in-memory map
- Add role store configuration to IAM config schema
- Support both memory and filer storage for roles

NEW COMPONENTS:
- weed/iam/integration/role_store.go - Role storage interface & implementations
- weed/iam/integration/role_store_test.go - Unit tests for role storage
- test/s3/iam/iam_config_distributed.json - Sample distributed config
- test/s3/iam/DISTRIBUTED.md - Complete deployment guide

CONFIGURATION:
{
  'roleStore': {
    'storeType': 'filer',
    'storeConfig': {
      'filerAddress': 'localhost:8888',
      'basePath': '/seaweedfs/iam/roles'
    }
  }
}

BENEFITS:
- ✅ Consistent role definitions across all S3 gateway instances
- ✅ Persistent role storage survives instance restarts
- ✅ Scales to unlimited number of gateway instances
- ✅ No session affinity required in load balancers
- ✅ Production-ready distributed IAM system

This completes the distributed IAM implementation, making SeaweedFS
S3 Gateway truly scalable for production multi-instance deployments.

2 months ago

chrislu

299c86f002

feat: Add Keycloak OIDC integration for S3 IAM tests

- Add Docker Compose setup with Keycloak OIDC provider
- Configure test realm with users, roles, and S3 client
- Implement automatic detection between Keycloak and mock OIDC modes
- Add comprehensive Keycloak integration tests for authentication and authorization
- Support real JWT token validation with production-like OIDC flow
- Add Docker-specific IAM configuration for containerized testing
- Include detailed documentation for Keycloak integration setup

Integration includes:
- Real OIDC authentication flow with username/password
- JWT Bearer token authentication for S3 operations
- Role mapping from Keycloak roles to SeaweedFS IAM policies
- Comprehensive test coverage for production scenarios
- Automatic fallback to mock mode when Keycloak unavailable

2 months ago

2 Commits (beb23b0ab51a92b6c8930559fcfd401e7c209db3)