gitlab-com-seaweedfs/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2024-01-19 02:48:24 +00:00
Code Issues Projects Releases Wiki Activity

master: add jwt expires_after_seconds

Browse source
This commit is contained in:
Chris Lu 2019-05-04 08:42:25 -07:00
parent bd8af92b54
commit 25941e0500
7 changed files with 21 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
weed/command/scaffold.go
View file

@ -262,10 +262,11 @@ directory = "/" # destination directory
# /etc/seaweedfs/security.toml # /etc/seaweedfs/security.toml
# this file is read by master, volume server, and filer # this file is read by master, volume server, and filer
# the jwt signing key is read by master and volume server # the jwt signing key is read by master and volume server.
# a jwt expires in 10 seconds # a jwt defaults to expire after 10 seconds.
[jwt.signing] [jwt.signing]
key = "" key = ""
expires_after_seconds = 10 # seconds
# all grpc tls authentications are mutual # all grpc tls authentications are mutual
# the values for the following ca, cert, and key are paths to the PERM files. # the values for the following ca, cert, and key are paths to the PERM files.

5
weed/security/guard.go
View file

@ -43,12 +43,13 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
type Guard struct { type Guard struct {
whiteList []string whiteList []string
SigningKey SigningKey SigningKey SigningKey
ExpiresAfterSec int
isActive bool isActive bool
} }
func NewGuard(whiteList []string, signingKey string) *Guard { func NewGuard(whiteList []string, signingKey string, expiresAfterSec int) *Guard {
g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey)} g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey), ExpiresAfterSec:expiresAfterSec}
g.isActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0 g.isActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
return g return g
} }

9
weed/security/jwt.go
View file

@ -18,16 +18,17 @@ type SeaweedFileIdClaims struct {
jwt.StandardClaims jwt.StandardClaims
} }
func GenJwt(signingKey SigningKey, fileId string) EncodedJwt { func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
if len(signingKey) == 0 { if len(signingKey) == 0 {
return "" return ""
} }
claims := SeaweedFileIdClaims{ claims := SeaweedFileIdClaims{
fileId, fileId,
jwt.StandardClaims{ jwt.StandardClaims{},
ExpiresAt: time.Now().Add(time.Second * 10).Unix(), }
}, if expiresAfterSec > 0 {
claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
} }
t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
encoded, e := t.SignedString([]byte(signingKey)) encoded, e := t.SignedString([]byte(signingKey))

2
weed/server/master_grpc_server_volume.go
View file

@ -94,7 +94,7 @@ func (ms *MasterServer) Assign(ctx context.Context, req *master_pb.AssignRequest
Url: dn.Url(), Url: dn.Url(),
PublicUrl: dn.PublicUrl, PublicUrl: dn.PublicUrl,
Count: count, Count: count,
Auth: string(security.GenJwt(ms.guard.SigningKey, fid)), Auth: string(security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fid)),
}, nil }, nil
} }

4
weed/server/master_server.go
View file

@ -54,6 +54,8 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
v := viper.GetViper() v := viper.GetViper()
signingKey := v.GetString("jwt.signing.key") signingKey := v.GetString("jwt.signing.key")
v.SetDefault("jwt.signing.expires_after_seconds", 10)
expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
var preallocateSize int64 var preallocateSize int64
if preallocate { if preallocate {
@ -75,7 +77,7 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
ms.vg = topology.NewDefaultVolumeGrowth() ms.vg = topology.NewDefaultVolumeGrowth()
glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB") glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")
ms.guard = security.NewGuard(whiteList, signingKey) ms.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
if !disableHttp { if !disableHttp {
handleStaticResources2(r) handleStaticResources2(r)

2
weed/server/master_server_handlers.go
View file

@ -110,7 +110,7 @@ func (ms *MasterServer) dirAssignHandler(w http.ResponseWriter, r *http.Request)
} }
func (ms *MasterServer) maybeAddJwtAuthorization(w http.ResponseWriter, fileId string) { func (ms *MasterServer) maybeAddJwtAuthorization(w http.ResponseWriter, fileId string) {
encodedJwt := security.GenJwt(ms.guard.SigningKey, fileId) encodedJwt := security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fileId)
if encodedJwt == "" { if encodedJwt == "" {
return return
} }

4
weed/server/volume_server.go
View file

@ -40,6 +40,8 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
v := viper.GetViper() v := viper.GetViper()
signingKey := v.GetString("jwt.signing.key") signingKey := v.GetString("jwt.signing.key")
v.SetDefault("jwt.signing.expires_after_seconds", 10)
expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
enableUiAccess := v.GetBool("access.ui") enableUiAccess := v.GetBool("access.ui")
vs := &VolumeServer{ vs := &VolumeServer{
@ -55,7 +57,7 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
vs.MasterNodes = masterNodes vs.MasterNodes = masterNodes
vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind) vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
vs.guard = security.NewGuard(whiteList, signingKey) vs.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
handleStaticResources(adminMux) handleStaticResources(adminMux)
if signingKey == "" || enableUiAccess { if signingKey == "" || enableUiAccess {