gitlab-com-seaweedfs/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2024-01-19 02:48:24 +00:00
Code Issues Projects Releases Wiki Activity
7908 commits 28 branches 278 tags 135 MiB
Commit graph

599 commits

Author SHA1 Message Date
Sebastian Kurfuerst 10404c4275 FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client 
- one JWT for reading and one for writing, analogous to how the JWT
  between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer

Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.

## Docs to be adjusted after a release

Page `Amazon-S3-API`:

```
# Authentication with Filer

You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.

Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.

With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```

Page `Security Overview`:

```
The following items are not covered, yet:

- master server http REST services

Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.

...

Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**

...

# Securing Filer HTTP with JWT

To enable JWT-based access control for the Filer,

1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.

If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.

If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.

The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```

Page `Security Configuration`:

```
(update scaffold file)

...

[filer_jwt.signing]
key = "blahblahblahblah"

[filer_jwt.signing.read]
key = "blahblahblahblah"
```

Resolves: #158
 2021-12-30 14:45:27 +01:00
chrislu fb434318e3 dynamically adjust connection timeout 
better fix for https://github.com/chrislusf/seaweedfs/issues/2541
 2021-12-29 22:44:39 -08:00
chrislu 5788bf2270 s3: increase timeout limit 
https://github.com/chrislusf/seaweedfs/issues/2541
 2021-12-29 22:21:02 -08:00
chrislu c935b9669e 2.83 2021-12-25 01:01:34 -08:00
chrislu c3b73ec23b 2.82 2021-12-12 23:25:24 -08:00
chrislu 5ea9715721 2.81 
also sync java client version to SeaweedFS version
 2021-12-05 18:05:24 -08:00
Tanmoy Majumdar ea09fb477a return ' shouldRetry=true' so that filer can retry the failed chunk 2021-12-03 11:54:20 +06:00
Chris Lu 7227cfddf5 2.80 2021-11-29 00:57:08 -08:00
Chris Lu 3a19eea97c allocate memory by slabs 2021-11-27 12:13:00 -08:00
Chris Lu f3c789d662 2.79 2021-11-21 18:40:24 -08:00
Chris Lu 100c654ec3 2.78 2021-11-14 23:29:59 -08:00
Chris Lu 5cf332357b 2.77 2021-11-07 13:52:45 -08:00
Chris Lu fc9e246592 2.76 2021-10-31 18:08:28 -07:00
Chris Lu c9d3fb4a30 2.75 2021-10-24 18:15:59 -07:00
Chris Lu 182f43ae5f 2.74 2021-10-18 14:23:54 -07:00
Chris Lu cd4fa7561b 2.73 2021-10-18 10:47:48 -07:00
Chris Lu 97c963bac9 2.72 2021-10-17 17:40:27 -07:00
Chris Lu 3833dac3f7 continue to read from memory if there is no flush 2021-10-17 13:53:04 -07:00
Chris Lu 8965a53c4d add warning error 2021-10-16 15:57:30 -07:00
Chris Lu 5fd4b05c5e
Merge pull request #2381 from Juneezee/deprecate-ioutil 
refactor: move from io/ioutil to io and os package
 2021-10-13 22:38:58 -07:00
Chris Lu 46a09c6074 adjust test 2021-10-13 22:38:47 -07:00
Eng Zer Jun a23bcbb7ec
refactor: move from io/ioutil to io and os package 
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2021-10-14 12:27:58 +08:00
Chris Lu 4cbd390fbe test: add fail message 2021-10-13 20:42:20 -07:00
Chris Lu 3d586be552 2.71 2021-10-10 22:40:44 -07:00
Chris Lu e4830bd93d go fmt 2021-10-07 21:13:31 -07:00
Chris Lu f3d8232e14 reduce one redis lookup on hot path 2021-10-06 22:01:19 -07:00
Chris Lu 371fead8a5 redis3 using redis native sorted set 2021-10-06 18:18:24 -07:00
Chris Lu 893f0587b1 redis3 adds distributed locking 2021-10-06 00:03:54 -07:00
Chris Lu 4ed2994555 use tsMemory to determine whether read from disk or memory 
remove lastFlushTime
 2021-10-04 16:02:56 -07:00
Chris Lu 513fed323a SkipListElementReference can be an empty object 2021-10-04 02:30:44 -07:00
Chris Lu 280ab7f95c add test 2021-10-04 02:30:24 -07:00
Chris Lu 366f522a2d add redis3 2021-10-04 01:01:31 -07:00
Chris Lu ba7fbac07f rename 2021-10-03 19:23:34 -07:00
Chris Lu e6196cdc50 add name list 2021-10-03 17:54:25 -07:00
Chris Lu a481c4a45e return previous element if visited 2021-10-03 13:50:52 -07:00
Chris Lu 22d8684e88 refactor out listStore 2021-10-03 02:19:21 -07:00
Chris Lu d343b0db57 update value 2021-10-03 01:15:14 -07:00
Chris Lu 4f50f8c2ca insert key and value 2021-10-03 01:07:35 -07:00
Chris Lu 69b84bb771 TestFindGreaterOrEqual 2021-10-02 14:15:49 -07:00
Chris Lu 57e2fd3f9b remove bptree 2021-10-02 14:03:54 -07:00
Chris Lu 4c1741fdbb working skiplist 2021-10-02 14:02:56 -07:00
Chris Lu b6694279d7 Merge branch 'master' into bptree 2021-10-01 16:55:44 -07:00
Chris Lu 1e3fdf366f go fmt 2021-10-01 12:10:24 -07:00
Chris Lu cee4d20bc1 2.70 2021-09-26 17:37:46 -07:00
Chris Lu 603ea2db73 avoid looping forever if there are no more metadata updates 2021-09-26 11:55:27 -07:00
Chris Lu 9887610b54 log tsNs should be processing time 2021-09-26 11:54:13 -07:00
Chris Lu 2baed2e1e9 avoid possible metadata subscription data loss 
Previous implementation append filer logs into one file. So one file is not always sorted, which can lead to miss reading some entries, especially when different filers have different write throughput.
 2021-09-25 01:18:44 -07:00
Chris Lu b3d88180ca Merge branch 'master' into bptree 2021-09-19 23:56:59 -07:00
Chris Lu fa7c65bd4b 2.69 2021-09-19 21:44:06 -07:00
Chris Lu e066e2642c add NodeStore 2021-09-18 15:32:17 -07:00
Chris Lu 8f2e4be074 wip 2021-09-18 14:04:30 -07:00
Chris Lu b751debd31 split node based on the last inserted key 2021-09-18 01:29:47 -07:00
Chris Lu 2226c3c8b6 Merge branch 'master' into bptree 2021-09-17 10:35:21 -07:00
Chris Lu 2789d10342 go fmt 2021-09-14 10:37:06 -07:00
Chris Lu 20ac710ceb 2.68 2021-09-13 02:16:09 -07:00
Chris Lu 574485ec69 better IP v6 support 2021-09-07 19:29:42 -07:00
Chris Lu 0128239c0f handle ipv6 addresses 2021-09-07 16:43:54 -07:00
Chris Lu 9fdf02bcda remove detecting ipv6 
Got this error on my local:

transport: Error while dialing dial tcp [fe80::1]:19333: connect: no route to host

related to https://github.com/chrislusf/seaweedfs/pull/2310
 2021-09-07 02:31:34 -07:00
Chris Lu 8c6d706328 2.67 2021-09-07 00:08:03 -07:00
Chris Lu 6022db6d6a 2.66 2021-09-05 16:21:14 -07:00
Chris Lu 2348e8d8da
Merge pull request #2310 from nivekuil/ipv6 
Detect ipv6 addresses
 2021-09-05 10:56:44 -07:00
nivekuil 0fe9d2997b Detect ipv6 addresses 2021-09-05 06:21:40 -07:00
Chris Lu c5ee03d6af format 2021-09-04 13:57:55 -07:00
Chris Lu 8ec357b3d3 go mod 2021-09-03 23:25:33 -07:00
Chris Lu 03a31587ce go fmt 2021-09-03 20:42:28 -07:00
Chris Lu bca4a9de78 simplify 2021-09-02 23:09:24 -07:00
Chris Lu 958125bd02 conforming to http user agent common practice 2021-09-02 22:55:35 -07:00
Chris Lu 11a496404b reset wait time 2021-09-02 19:55:01 -07:00
Chris Lu 7ce97b59d8 go fmt 2021-09-01 02:45:42 -07:00
Chris Lu bec3f63298 2.65 2021-08-28 05:27:33 -07:00
Chris Lu ff7dc3b44c 2.64 2021-08-23 00:39:15 -07:00
Chris Lu df1d6133a8 bptree does not work well for auto-increasing keys 2021-08-22 18:19:26 -07:00
Chris Lu 51c8f2518f change key type to ItemKey 2021-08-21 15:54:42 -07:00
Chris Lu b3e49d2758 change value type to ItemValue 2021-08-21 15:52:17 -07:00
Chris Lu 38c8470d1d add back non_dedup 2021-08-21 15:13:13 -07:00
Chris Lu 849f185a20 add memory kv store 2021-08-21 15:00:44 -07:00
Chris Lu 5f6cc9a814 make proto node 2021-08-21 13:36:52 -07:00
Chris Lu 172da83449 bpnode use get prev and next 2021-08-20 18:50:16 -07:00
Chris Lu 01661ec6a7 move to getter setter file 2021-08-20 18:37:34 -07:00
Chris Lu 0c360eb6b2 add getter and setter for root of tree and map 2021-08-20 18:34:50 -07:00
Chris Lu 88d68cad87 remove dedup 2021-08-20 04:14:52 -07:00
qieqieplus 7720533f84 reduce gzip allocation 2021-08-20 18:38:18 +08:00
Chris Lu 2d237da74a remove size since each put/get will have to update the root node 2021-08-20 01:19:11 -07:00
Chris Lu ec72547c8d started by copying from https://sourcegraph.com/github.com/timtadh/data-structures@master/-/tree/tree/bptree 2021-08-20 01:12:52 -07:00
Chris Lu 1f35d32be0 2.63 2021-08-15 23:14:59 -07:00
Chris Lu bb94930196 add some delays if error 2021-08-15 20:06:47 -07:00
Chris Lu c3ffd457ef fix compilation error 2021-08-15 12:40:22 -07:00
Chris Lu fda2fc47b1 add RetryForever 2021-08-15 12:37:35 -07:00
Chris Lu 9462f5129a shell: add "remote.meta.sync" 2021-08-15 01:53:46 -07:00
Chris Lu 5a0f92423e use grpc and jwt 2021-08-12 21:40:33 -07:00
Chris Lu 8cfd487608 2.62 2021-08-08 23:33:12 -07:00
Chris Lu 56ee1d5ef1 2.61 2021-08-01 15:50:19 -07:00
Chris Lu 5dede5d38d 2.60 2021-07-25 22:09:09 -07:00
Chris Lu 7359193e97 go fmt 2021-07-21 14:38:12 -07:00
Chris Lu a45bbc0b75 2.59 2021-07-15 15:52:22 -07:00
Chris Lu 297b41266b 2.58 2021-07-12 01:33:47 -07:00
bingoohuang ed57a55eae show RemoteVolumes/EcVolumes only if it is not empty 2021-07-06 15:20:18 +08:00
Chris Lu f5fa0b08fd 2.57 2021-07-03 15:10:57 -07:00
Chris Lu 2420c60fc4 log reading adds delay between retries 2021-07-01 14:01:25 -07:00
Chris Lu b624090398 go fmt 2021-07-01 01:21:14 -07:00