Add mTLS support for both master and volume http server.

This commit is contained in:
Berck Nash 2022-03-14 17:22:52 -06:00
parent b5b97a4799
commit 9b14f0c81a
4 changed files with 72 additions and 9 deletions

View file

@ -1,23 +1,25 @@
package command
import (
"github.com/chrislusf/raft/protobuf"
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
"github.com/gorilla/mux"
"google.golang.org/grpc/reflection"
"net/http"
"os"
"sort"
"strings"
"time"
"github.com/chrislusf/raft/protobuf"
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
"github.com/gorilla/mux"
"github.com/spf13/viper"
"google.golang.org/grpc/reflection"
"github.com/chrislusf/seaweedfs/weed/util/grace"
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb"
"github.com/chrislusf/seaweedfs/weed/pb/master_pb"
"github.com/chrislusf/seaweedfs/weed/security"
"github.com/chrislusf/seaweedfs/weed/server"
weed_server "github.com/chrislusf/seaweedfs/weed/server"
"github.com/chrislusf/seaweedfs/weed/storage/backend"
"github.com/chrislusf/seaweedfs/weed/util"
)
@ -138,6 +140,7 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
if e != nil {
glog.Fatalf("Master startup error: %v", e)
}
// start raftServer
raftServerOption := &weed_server.RaftServerOption{
GrpcDialOption: security.LoadClientTLS(util.GetViper(), "grpc.master"),
@ -183,11 +186,39 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
go ms.MasterClient.KeepConnectedToMaster()
// start http server
var (
clientCertFile,
certFile,
keyFile string
)
useTLS := false
useMTLS := false
if viper.GetString("https.master.key") != "" {
useTLS = true
certFile = viper.GetString("https.master.cert")
keyFile = viper.GetString("https.master.key")
}
if viper.GetString("https.master.ca") != "" {
useMTLS = true
clientCertFile = viper.GetString("https.master.ca")
}
httpS := &http.Server{Handler: r}
if masterLocalListner != nil {
go httpS.Serve(masterLocalListner)
}
go httpS.Serve(masterListener)
if useMTLS {
httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile)
}
if useTLS {
go httpS.ServeTLS(masterListener, certFile, keyFile)
} else {
go httpS.Serve(masterListener)
}
select {}
}

View file

@ -83,7 +83,13 @@ key = ""
# this does not work with other clients, e.g., "weed filer|mount" etc, yet.
[https.client]
enabled = true
[https.volume]
cert = ""
key = ""
ca = ""
[https.master]
cert = ""
key = ""
ca = ""

View file

@ -2,7 +2,6 @@ package command
import (
"fmt"
"github.com/chrislusf/seaweedfs/weed/storage/types"
"net/http"
httppprof "net/http/pprof"
"os"
@ -11,6 +10,8 @@ import (
"strings"
"time"
"github.com/chrislusf/seaweedfs/weed/storage/types"
"github.com/spf13/viper"
"google.golang.org/grpc"
@ -24,7 +25,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/volume_server_pb"
"github.com/chrislusf/seaweedfs/weed/server"
weed_server "github.com/chrislusf/seaweedfs/weed/server"
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
"github.com/chrislusf/seaweedfs/weed/storage"
"github.com/chrislusf/seaweedfs/weed/util"
@ -371,7 +372,14 @@ func (v VolumeServerOptions) startClusterHttpService(handler http.Handler) httpd
StopTimeout: 30 * time.Second,
CertFile: certFile,
KeyFile: keyFile}
clusterHttpServer := httpDown.Serve(&http.Server{Handler: handler}, listener)
httpS := &http.Server{Handler: handler}
if viper.GetString("https.volume.ca") != "" {
clientCertFile := viper.GetString("https.volume.ca")
httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile)
}
clusterHttpServer := httpDown.Serve(httpS, listener)
go func() {
if e := clusterHttpServer.Wait(); e != nil {
glog.Fatalf("Volume server fail to serve: %v", e)

View file

@ -4,6 +4,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
"io/ioutil"
"os"
"strings"
@ -98,6 +99,23 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
return grpc.WithTransportCredentials(ta)
}
func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
clientCerts, err := ioutil.ReadFile(clientCertFile)
if err != nil {
glog.Fatal(err)
}
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM(clientCerts)
if !ok {
glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
}
return &tls.Config{
ClientCAs: certPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
}
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
p, ok := peer.FromContext(ctx)
if !ok {