seaweedfs/weed/server/volume_server_handlers.go

package weed_server

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"sync/atomic"
	"time"

	"github.com/seaweedfs/seaweedfs/weed/util"

	"github.com/seaweedfs/seaweedfs/weed/glog"
	"github.com/seaweedfs/seaweedfs/weed/security"
	"github.com/seaweedfs/seaweedfs/weed/stats"
)

/*

If volume server is started with a separated public port, the public port will
be more "secure".

Public port currently only supports reads.

Later writes on public port can have one of the 3
security settings:
1. not secured
2. secured by white list
3. secured by JWT(Json Web Token)

*/

func (vs *VolumeServer) privateStoreHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)
	if r.Header.Get("Origin") != "" {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	switch r.Method {
	case "GET", "HEAD":
		stats.ReadRequest()
		vs.inFlightDownloadDataLimitCond.L.Lock()
		for vs.concurrentDownloadLimit != 0 && atomic.LoadInt64(&vs.inFlightDownloadDataSize) > vs.concurrentDownloadLimit {
			select {
			case <-r.Context().Done():
				glog.V(4).Infof("request cancelled from %s: %v", r.RemoteAddr, r.Context().Err())
				return
			default:
				glog.V(4).Infof("wait because inflight download data %d > %d", vs.inFlightDownloadDataSize, vs.concurrentDownloadLimit)
				vs.inFlightDownloadDataLimitCond.Wait()
			}
		}
		vs.inFlightDownloadDataLimitCond.L.Unlock()
		vs.GetOrHeadHandler(w, r)
	case "DELETE":
		stats.DeleteRequest()
		vs.guard.WhiteList(vs.DeleteHandler)(w, r)
	case "PUT", "POST":

		contentLength := getContentLength(r)
		// exclude the replication from the concurrentUploadLimitMB
		if r.URL.Query().Get("type") != "replicate" && vs.concurrentUploadLimit != 0 {
			startTime := time.Now()
			vs.inFlightUploadDataLimitCond.L.Lock()
			for vs.inFlightUploadDataSize > vs.concurrentUploadLimit {
				//wait timeout check
				if startTime.Add(vs.inflightUploadDataTimeout).Before(time.Now()) {
					vs.inFlightUploadDataLimitCond.L.Unlock()
					err := fmt.Errorf("reject because inflight upload data %d > %d, and wait timeout", vs.inFlightUploadDataSize, vs.concurrentUploadLimit)
					glog.V(1).Infof("too many requests: %v", err)
					writeJsonError(w, r, http.StatusTooManyRequests, err)
					return
				}
				glog.V(4).Infof("wait because inflight upload data %d > %d", vs.inFlightUploadDataSize, vs.concurrentUploadLimit)
				vs.inFlightUploadDataLimitCond.Wait()
			}
			vs.inFlightUploadDataLimitCond.L.Unlock()
		}
		atomic.AddInt64(&vs.inFlightUploadDataSize, contentLength)
		defer func() {
			atomic.AddInt64(&vs.inFlightUploadDataSize, -contentLength)
			if vs.concurrentUploadLimit != 0 {
				vs.inFlightUploadDataLimitCond.Signal()
			}
		}()

		// processs uploads
		stats.WriteRequest()
		vs.guard.WhiteList(vs.PostHandler)(w, r)

	case "OPTIONS":
		stats.ReadRequest()
		w.Header().Add("Access-Control-Allow-Methods", "PUT, POST, GET, DELETE, OPTIONS")
		w.Header().Add("Access-Control-Allow-Headers", "*")
	}
}

func getContentLength(r *http.Request) int64 {
	contentLength := r.Header.Get("Content-Length")
	if contentLength != "" {
		length, err := strconv.ParseInt(contentLength, 10, 64)
		if err != nil {
			return 0
		}
		return length
	}
	return 0
}

func (vs *VolumeServer) publicReadOnlyHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)
	if r.Header.Get("Origin") != "" {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	switch r.Method {
	case "GET", "HEAD":
		stats.ReadRequest()
		vs.inFlightDownloadDataLimitCond.L.Lock()
		for vs.concurrentDownloadLimit != 0 && atomic.LoadInt64(&vs.inFlightDownloadDataSize) > vs.concurrentDownloadLimit {
			glog.V(4).Infof("wait because inflight download data %d > %d", vs.inFlightDownloadDataSize, vs.concurrentDownloadLimit)
			vs.inFlightDownloadDataLimitCond.Wait()
		}
		vs.inFlightDownloadDataLimitCond.L.Unlock()
		vs.GetOrHeadHandler(w, r)
	case "OPTIONS":
		stats.ReadRequest()
		w.Header().Add("Access-Control-Allow-Methods", "GET, OPTIONS")
		w.Header().Add("Access-Control-Allow-Headers", "*")
	}
}

func (vs *VolumeServer) maybeCheckJwtAuthorization(r *http.Request, vid, fid string, isWrite bool) bool {

	var signingKey security.SigningKey

	if isWrite {
		if len(vs.guard.SigningKey) == 0 {
			return true
		} else {
			signingKey = vs.guard.SigningKey
		}
	} else {
		if len(vs.guard.ReadSigningKey) == 0 {
			return true
		} else {
			signingKey = vs.guard.ReadSigningKey
		}
	}

	tokenStr := security.GetJwt(r)
	if tokenStr == "" {
		glog.V(1).Infof("missing jwt from %s", r.RemoteAddr)
		return false
	}

	token, err := security.DecodeJwt(signingKey, tokenStr, &security.SeaweedFileIdClaims{})
	if err != nil {
		glog.V(1).Infof("jwt verification error from %s: %v", r.RemoteAddr, err)
		return false
	}
	if !token.Valid {
		glog.V(1).Infof("jwt invalid from %s: %v", r.RemoteAddr, tokenStr)
		return false
	}

	if sc, ok := token.Claims.(*security.SeaweedFileIdClaims); ok {
		if sepIndex := strings.LastIndex(fid, "_"); sepIndex > 0 {
			fid = fid[:sepIndex]
		}
		return sc.Fid == vid+","+fid
	}
	glog.V(1).Infof("unexpected jwt from %s: %v", r.RemoteAddr, tokenStr)
	return false
}
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`package weed_server`

			`import (`
add inflight upload data wait timeout 2022-05-20 10:18:20 +00:00			`"fmt"`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`"net/http"`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00			`"strconv"`
jwt check the base file id fix https://github.com/chrislusf/seaweedfs/issues/867 2019-03-03 18:17:44 +00:00			`"strings"`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00			`"sync/atomic"`
add inflight upload data wait timeout 2022-05-20 10:18:20 +00:00			`"time"`
formatting code by: goimports -w=true . 2014-10-26 18:34:55 +00:00
move to https://github.com/seaweedfs/seaweedfs 2022-07-29 07:17:28 +00:00			`"github.com/seaweedfs/seaweedfs/weed/util"`
volume: add CORS support 2020-10-31 23:31:39 +00:00
move to https://github.com/seaweedfs/seaweedfs 2022-07-29 07:17:28 +00:00			`"github.com/seaweedfs/seaweedfs/weed/glog"`
			`"github.com/seaweedfs/seaweedfs/weed/security"`
			`"github.com/seaweedfs/seaweedfs/weed/stats"`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`)`

Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`/*`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00
Add read only public port on volume server Add read only public port on volume server 2015-03-09 08:10:01 +00:00			`If volume server is started with a separated public port, the public port will`
			`be more "secure".`

			`Public port currently only supports reads.`

			`Later writes on public port can have one of the 3`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`security settings:`
			`1. not secured`
			`2. secured by white list`
			`3. secured by JWT(Json Web Token)`

			`*/`

			`func (vs VolumeServer) privateStoreHandler(w http.ResponseWriter, r http.Request) {`
adjust printout 2020-09-20 23:01:56 +00:00			`w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)`
volume: add CORS support 2020-10-31 23:31:39 +00:00			`if r.Header.Get("Origin") != "" {`
			`w.Header().Set("Access-Control-Allow-Origin", "*")`
			`w.Header().Set("Access-Control-Allow-Credentials", "true")`
			`}`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`switch r.Method {`
better way to handler switch case 2018-07-22 17:27:10 +00:00			`case "GET", "HEAD":`
1. adding statistics reporting 2. refactor version to util package 2014-03-25 20:46:59 +00:00			`stats.ReadRequest()`
volume: support concurrent download data size limit 2021-08-09 06:25:16 +00:00			`vs.inFlightDownloadDataLimitCond.L.Lock()`
			`for vs.concurrentDownloadLimit != 0 && atomic.LoadInt64(&vs.inFlightDownloadDataSize) > vs.concurrentDownloadLimit {`
Need to exit waiting if request is was canceled 2022-03-15 14:55:22 +00:00			`select {`
			`case <-r.Context().Done():`
			`glog.V(4).Infof("request cancelled from %s: %v", r.RemoteAddr, r.Context().Err())`
			`return`
			`default:`
			`glog.V(4).Infof("wait because inflight download data %d > %d", vs.inFlightDownloadDataSize, vs.concurrentDownloadLimit)`
			`vs.inFlightDownloadDataLimitCond.Wait()`
			`}`
volume: support concurrent download data size limit 2021-08-09 06:25:16 +00:00			`}`
fix avoid lock error fix https://github.com/chrislusf/seaweedfs/issues/2247 2021-08-10 21:34:13 +00:00			`vs.inFlightDownloadDataLimitCond.L.Unlock()`
Add partial content request support. 2014-05-27 04:15:05 +00:00			`vs.GetOrHeadHandler(w, r)`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`case "DELETE":`
1. adding statistics reporting 2. refactor version to util package 2014-03-25 20:46:59 +00:00			`stats.DeleteRequest()`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`vs.guard.WhiteList(vs.DeleteHandler)(w, r)`
better way to handler switch case 2018-07-22 17:27:10 +00:00			`case "PUT", "POST":`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00
			`contentLength := getContentLength(r)`
exclude the replication from the concurrentUploadLimitMB 2022-03-24 08:54:42 +00:00			`// exclude the replication from the concurrentUploadLimitMB`
Revert "adjust conditions" This reverts commit e024586ff11d025ce2dd27822a2b04e01260fb6c. 2022-06-16 08:26:36 +00:00			`if r.URL.Query().Get("type") != "replicate" && vs.concurrentUploadLimit != 0 {`
reduce the scope of inFlightUploadDataLimitCond lock 2022-05-31 01:40:25 +00:00			`startTime := time.Now()`
			`vs.inFlightUploadDataLimitCond.L.Lock()`
move vs.concurrentUploadLimit != 0 out of the lock 2022-06-16 01:58:44 +00:00			`for vs.inFlightUploadDataSize > vs.concurrentUploadLimit {`
reduce the scope of inFlightUploadDataLimitCond lock 2022-05-31 01:40:25 +00:00			`//wait timeout check`
add inflight upload data wait timeout 2022-05-20 10:18:20 +00:00			`if startTime.Add(vs.inflightUploadDataTimeout).Before(time.Now()) {`
			`vs.inFlightUploadDataLimitCond.L.Unlock()`
reduce the scope of inFlightUploadDataLimitCond lock 2022-05-31 01:40:25 +00:00			`err := fmt.Errorf("reject because inflight upload data %d > %d, and wait timeout", vs.inFlightUploadDataSize, vs.concurrentUploadLimit)`
add inflight upload data wait timeout 2022-05-20 10:18:20 +00:00			`glog.V(1).Infof("too many requests: %v", err)`
			`writeJsonError(w, r, http.StatusTooManyRequests, err)`
			`return`
			`}`
exclude replication from the concurrentUploadLimitMB 2022-05-20 06:33:47 +00:00			`glog.V(4).Infof("wait because inflight upload data %d > %d", vs.inFlightUploadDataSize, vs.concurrentUploadLimit)`
			`vs.inFlightUploadDataLimitCond.Wait()`
			`}`
reduce the scope of inFlightUploadDataLimitCond lock 2022-05-31 01:40:25 +00:00			`vs.inFlightUploadDataLimitCond.L.Unlock()`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00			`}`
reduce the scope of inFlightUploadDataLimitCond lock 2022-05-31 01:40:25 +00:00			`atomic.AddInt64(&vs.inFlightUploadDataSize, contentLength)`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00			`defer func() {`
reduce the scope of inFlightUploadDataLimitCond lock 2022-05-31 01:40:25 +00:00			`atomic.AddInt64(&vs.inFlightUploadDataSize, -contentLength)`
Revert "adjust conditions" This reverts commit e024586ff11d025ce2dd27822a2b04e01260fb6c. 2022-06-16 08:26:36 +00:00			`if vs.concurrentUploadLimit != 0 {`
add condition when inFlightUploadDataLimitCond signal 2022-06-16 06:07:11 +00:00			`vs.inFlightUploadDataLimitCond.Signal()`
			`}`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00			`}()`

			`// processs uploads`
1. adding statistics reporting 2. refactor version to util package 2014-03-25 20:46:59 +00:00			`stats.WriteRequest()`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`vs.guard.WhiteList(vs.PostHandler)(w, r)`
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00
volume: add CORS support 2020-10-31 23:31:39 +00:00			`case "OPTIONS":`
			`stats.ReadRequest()`
filer: add CORS support 2020-10-31 23:44:03 +00:00			`w.Header().Add("Access-Control-Allow-Methods", "PUT, POST, GET, DELETE, OPTIONS")`
			`w.Header().Add("Access-Control-Allow-Headers", "*")`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`}`
			`}`
refactor: split volume handlers into 3 files 2014-04-14 07:13:18 +00:00
filer, volume: add concurrent upload size limit to avoid OOM add some back pressure when writes are slow 2021-03-30 09:10:50 +00:00			`func getContentLength(r *http.Request) int64 {`
			`contentLength := r.Header.Get("Content-Length")`
			`if contentLength != "" {`
			`length, err := strconv.ParseInt(contentLength, 10, 64)`
			`if err != nil {`
			`return 0`
			`}`
			`return length`
			`}`
			`return 0`
			`}`

Add read only public port on volume server Add read only public port on volume server 2015-03-09 08:10:01 +00:00			`func (vs VolumeServer) publicReadOnlyHandler(w http.ResponseWriter, r http.Request) {`
adjust printout 2020-09-20 23:01:56 +00:00			`w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)`
volume: add CORS support 2020-10-31 23:31:39 +00:00			`if r.Header.Get("Origin") != "" {`
			`w.Header().Set("Access-Control-Allow-Origin", "*")`
			`w.Header().Set("Access-Control-Allow-Credentials", "true")`
			`}`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`switch r.Method {`
fix avoid lock error fix https://github.com/chrislusf/seaweedfs/issues/2247 2021-08-10 21:34:13 +00:00			`case "GET", "HEAD":`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`stats.ReadRequest()`
fix avoid lock error fix https://github.com/chrislusf/seaweedfs/issues/2247 2021-08-10 21:34:13 +00:00			`vs.inFlightDownloadDataLimitCond.L.Lock()`
			`for vs.concurrentDownloadLimit != 0 && atomic.LoadInt64(&vs.inFlightDownloadDataSize) > vs.concurrentDownloadLimit {`
			`glog.V(4).Infof("wait because inflight download data %d > %d", vs.inFlightDownloadDataSize, vs.concurrentDownloadLimit)`
			`vs.inFlightDownloadDataLimitCond.Wait()`
			`}`
			`vs.inFlightDownloadDataLimitCond.L.Unlock()`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`vs.GetOrHeadHandler(w, r)`
volume: add CORS support 2020-10-31 23:31:39 +00:00			`case "OPTIONS":`
			`stats.ReadRequest()`
filer: add CORS support 2020-10-31 23:44:03 +00:00			`w.Header().Add("Access-Control-Allow-Methods", "GET, OPTIONS")`
			`w.Header().Add("Access-Control-Allow-Headers", "*")`
batch delete on volume servers 2014-04-14 08:00:09 +00:00			`}`
			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00
jwt for read access control 2019-06-06 07:29:02 +00:00			`func (vs VolumeServer) maybeCheckJwtAuthorization(r http.Request, vid, fid string, isWrite bool) bool {`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00
jwt for read access control 2019-06-06 07:29:02 +00:00			`var signingKey security.SigningKey`

			`if isWrite {`
			`if len(vs.guard.SigningKey) == 0 {`
			`return true`
			`} else {`
			`signingKey = vs.guard.SigningKey`
			`}`
go fmt 2019-06-11 04:33:32 +00:00			`} else {`
jwt for read access control 2019-06-06 07:29:02 +00:00			`if len(vs.guard.ReadSigningKey) == 0 {`
			`return true`
			`} else {`
			`signingKey = vs.guard.ReadSigningKey`
			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`}`

			`tokenStr := security.GetJwt(r)`
			`if tokenStr == "" {`
			`glog.V(1).Infof("missing jwt from %s", r.RemoteAddr)`
			`return false`
			`}`

Refactor: pass in claim type into security.DecodeJwt 2021-12-29 11:40:41 +00:00			`token, err := security.DecodeJwt(signingKey, tokenStr, &security.SeaweedFileIdClaims{})`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`if err != nil {`
			`glog.V(1).Infof("jwt verification error from %s: %v", r.RemoteAddr, err)`
			`return false`
			`}`
			`if !token.Valid {`
			`glog.V(1).Infof("jwt invalid from %s: %v", r.RemoteAddr, tokenStr)`
			`return false`
			`}`

			`if sc, ok := token.Claims.(*security.SeaweedFileIdClaims); ok {`
jwt check the base file id fix https://github.com/chrislusf/seaweedfs/issues/867 2019-03-03 18:17:44 +00:00			`if sepIndex := strings.LastIndex(fid, "_"); sepIndex > 0 {`
			`fid = fid[:sepIndex]`
			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`return sc.Fid == vid+","+fid`
			`}`
			`glog.V(1).Infof("unexpected jwt from %s: %v", r.RemoteAddr, tokenStr)`
			`return false`
			`}`