mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-01-19 02:48:24 +00:00
master: add jwt expires_after_seconds
This commit is contained in:
parent
bd8af92b54
commit
25941e0500
|
@ -262,10 +262,11 @@ directory = "/" # destination directory
|
||||||
# /etc/seaweedfs/security.toml
|
# /etc/seaweedfs/security.toml
|
||||||
# this file is read by master, volume server, and filer
|
# this file is read by master, volume server, and filer
|
||||||
|
|
||||||
# the jwt signing key is read by master and volume server
|
# the jwt signing key is read by master and volume server.
|
||||||
# a jwt expires in 10 seconds
|
# a jwt defaults to expire after 10 seconds.
|
||||||
[jwt.signing]
|
[jwt.signing]
|
||||||
key = ""
|
key = ""
|
||||||
|
expires_after_seconds = 10 # seconds
|
||||||
|
|
||||||
# all grpc tls authentications are mutual
|
# all grpc tls authentications are mutual
|
||||||
# the values for the following ca, cert, and key are paths to the PERM files.
|
# the values for the following ca, cert, and key are paths to the PERM files.
|
||||||
|
|
|
@ -41,14 +41,15 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
|
||||||
|
|
||||||
*/
|
*/
|
||||||
type Guard struct {
|
type Guard struct {
|
||||||
whiteList []string
|
whiteList []string
|
||||||
SigningKey SigningKey
|
SigningKey SigningKey
|
||||||
|
ExpiresAfterSec int
|
||||||
|
|
||||||
isActive bool
|
isActive bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewGuard(whiteList []string, signingKey string) *Guard {
|
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int) *Guard {
|
||||||
g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey)}
|
g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey), ExpiresAfterSec:expiresAfterSec}
|
||||||
g.isActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
|
g.isActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
|
||||||
return g
|
return g
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,16 +18,17 @@ type SeaweedFileIdClaims struct {
|
||||||
jwt.StandardClaims
|
jwt.StandardClaims
|
||||||
}
|
}
|
||||||
|
|
||||||
func GenJwt(signingKey SigningKey, fileId string) EncodedJwt {
|
func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
|
||||||
if len(signingKey) == 0 {
|
if len(signingKey) == 0 {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
claims := SeaweedFileIdClaims{
|
claims := SeaweedFileIdClaims{
|
||||||
fileId,
|
fileId,
|
||||||
jwt.StandardClaims{
|
jwt.StandardClaims{},
|
||||||
ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
|
}
|
||||||
},
|
if expiresAfterSec > 0 {
|
||||||
|
claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
|
||||||
}
|
}
|
||||||
t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||||
encoded, e := t.SignedString([]byte(signingKey))
|
encoded, e := t.SignedString([]byte(signingKey))
|
||||||
|
|
|
@ -94,7 +94,7 @@ func (ms *MasterServer) Assign(ctx context.Context, req *master_pb.AssignRequest
|
||||||
Url: dn.Url(),
|
Url: dn.Url(),
|
||||||
PublicUrl: dn.PublicUrl,
|
PublicUrl: dn.PublicUrl,
|
||||||
Count: count,
|
Count: count,
|
||||||
Auth: string(security.GenJwt(ms.guard.SigningKey, fid)),
|
Auth: string(security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fid)),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -54,6 +54,8 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
|
||||||
|
|
||||||
v := viper.GetViper()
|
v := viper.GetViper()
|
||||||
signingKey := v.GetString("jwt.signing.key")
|
signingKey := v.GetString("jwt.signing.key")
|
||||||
|
v.SetDefault("jwt.signing.expires_after_seconds", 10)
|
||||||
|
expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
|
||||||
|
|
||||||
var preallocateSize int64
|
var preallocateSize int64
|
||||||
if preallocate {
|
if preallocate {
|
||||||
|
@ -75,7 +77,7 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
|
||||||
ms.vg = topology.NewDefaultVolumeGrowth()
|
ms.vg = topology.NewDefaultVolumeGrowth()
|
||||||
glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")
|
glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")
|
||||||
|
|
||||||
ms.guard = security.NewGuard(whiteList, signingKey)
|
ms.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
|
||||||
|
|
||||||
if !disableHttp {
|
if !disableHttp {
|
||||||
handleStaticResources2(r)
|
handleStaticResources2(r)
|
||||||
|
|
|
@ -110,7 +110,7 @@ func (ms *MasterServer) dirAssignHandler(w http.ResponseWriter, r *http.Request)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ms *MasterServer) maybeAddJwtAuthorization(w http.ResponseWriter, fileId string) {
|
func (ms *MasterServer) maybeAddJwtAuthorization(w http.ResponseWriter, fileId string) {
|
||||||
encodedJwt := security.GenJwt(ms.guard.SigningKey, fileId)
|
encodedJwt := security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fileId)
|
||||||
if encodedJwt == "" {
|
if encodedJwt == "" {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -40,6 +40,8 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
|
||||||
|
|
||||||
v := viper.GetViper()
|
v := viper.GetViper()
|
||||||
signingKey := v.GetString("jwt.signing.key")
|
signingKey := v.GetString("jwt.signing.key")
|
||||||
|
v.SetDefault("jwt.signing.expires_after_seconds", 10)
|
||||||
|
expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
|
||||||
enableUiAccess := v.GetBool("access.ui")
|
enableUiAccess := v.GetBool("access.ui")
|
||||||
|
|
||||||
vs := &VolumeServer{
|
vs := &VolumeServer{
|
||||||
|
@ -55,7 +57,7 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
|
||||||
vs.MasterNodes = masterNodes
|
vs.MasterNodes = masterNodes
|
||||||
vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
|
vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
|
||||||
|
|
||||||
vs.guard = security.NewGuard(whiteList, signingKey)
|
vs.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
|
||||||
|
|
||||||
handleStaticResources(adminMux)
|
handleStaticResources(adminMux)
|
||||||
if signingKey == "" || enableUiAccess {
|
if signingKey == "" || enableUiAccess {
|
||||||
|
|
Loading…
Reference in a new issue