seperate option

This commit is contained in:
Konstantin Lebedev 2022-06-24 00:26:56 +05:00
parent 5b388ed6c1
commit ea7cdb8b0e

View file

@ -21,7 +21,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/util" "github.com/chrislusf/seaweedfs/weed/util"
) )
const credRefreshingInterval = 5 * time.Minute const credRefreshingInterval = time.Duration(5) * time.Hour
type Authenticator struct { type Authenticator struct {
AllowedWildcardDomain string AllowedWildcardDomain string
@ -64,12 +64,12 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
RootOptions: advancedtls.RootCertificateOptions{ RootOptions: advancedtls.RootCertificateOptions{
RootProvider: serverRootProvider, RootProvider: serverRootProvider,
}, },
RequireClientCert: true, RequireClientCert: false,
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
glog.V(0).Infof("Client common name: %s.\n", params.Leaf.Subject.CommonName) glog.V(0).Infof("Client common name: %s.\n", params.Leaf.Subject.CommonName)
return &advancedtls.VerificationResults{}, nil return &advancedtls.VerificationResults{}, nil
}, },
VType: advancedtls.CertVerification, VType: advancedtls.SkipVerification,
} }
ta, err := advancedtls.NewServerCreds(options) ta, err := advancedtls.NewServerCreds(options)
if err != nil { if err != nil {
@ -106,7 +106,6 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
clientOptions := pemfile.Options{ clientOptions := pemfile.Options{
CertFile: certFileName, CertFile: certFileName,
KeyFile: keyFileName, KeyFile: keyFileName,
RootFile: caFileName,
RefreshDuration: credRefreshingInterval, RefreshDuration: credRefreshingInterval,
} }
clientProvider, err := pemfile.NewProvider(clientOptions) clientProvider, err := pemfile.NewProvider(clientOptions)
@ -115,14 +114,27 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
return grpc.WithInsecure() return grpc.WithInsecure()
} }
defer clientProvider.Close() defer clientProvider.Close()
clientRootOptions := pemfile.Options{
RootFile: config.GetString("grpc.ca"),
RefreshDuration: credRefreshingInterval,
}
clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
if err != nil {
glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
return grpc.WithInsecure()
}
defer clientRootProvider.Close()
options := &advancedtls.ClientOptions{ options := &advancedtls.ClientOptions{
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: clientProvider,
},
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
return &advancedtls.VerificationResults{}, nil return &advancedtls.VerificationResults{}, nil
}, },
RootOptions: advancedtls.RootCertificateOptions{ RootOptions: advancedtls.RootCertificateOptions{
RootProvider: clientProvider, RootProvider: clientRootProvider,
}, },
VType: advancedtls.CertVerification, VType: advancedtls.SkipVerification,
} }
ta, err := advancedtls.NewClientCreds(options) ta, err := advancedtls.NewClientCreds(options)
if err != nil { if err != nil {