TASK: add docs for access.ui

Sebastian Kurfürst 2021-12-25 10:07:13 +01:00
parent d7c8569288
commit 28f7038b31

@ -41,9 +41,15 @@ Besides gRPC mentioned above, volume servers can only be changed by file upload,
## JWT-based access control ## JWT-based access control
To enable JWT-based access control, To enable JWT-based access control,
1. generate `security.toml` file by `weed scaffold -config=security` 1. generate `security.toml` file by `weed scaffold -config=security`
1. set `jwt.signing.key` to a secrete string 1. set `jwt.signing.key` to a secret string
1. copy the same `security.toml` file to the masters and all volume servers. 1. copy the same `security.toml` file to the masters and all volume servers.
> **Re-enabling Volume UI**
>
> By default, if the `jwt.signing.key` is set, the web UI on the volume servers is disabled. You can re-enable the web UI by
> setting `access.ui=true` in `security.toml`. Despite some information leakage (as the UI is unauthenticted), this should not
> pose a security risk, as the UI is purely read-only.
## How JWT-based access control works ## How JWT-based access control works
* To upload a new file, when requesting a new fileId via `http://<master>:<port>/dir/assign`, the master will use the `jwt.signing.key` to generate and sign a JWT, and set it to response header `Authorization`. The JWT is valid for 10 seconds. * To upload a new file, when requesting a new fileId via `http://<master>:<port>/dir/assign`, the master will use the `jwt.signing.key` to generate and sign a JWT, and set it to response header `Authorization`. The JWT is valid for 10 seconds.
* To update or delete a file by fileId, the JWT can be read from the response header `Authorization` of `http://<master>:<port>/dir/lookup?fileId=xxxxx`. * To update or delete a file by fileId, the JWT can be read from the response header `Authorization` of `http://<master>:<port>/dir/lookup?fileId=xxxxx`.
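Review bot: the new callout's conclusion that the re-enabled UI "should not pose a security risk, as the UI is purely read-only" overstates what the same sentence supports; it already concedes "some information leakage", and read-only access still discloses whatever the volume UI shows to anyone who can reach the volume server port, since the UI is unauthenticated. Suggest rewording the blockquote to state that plainly (for example: "Note that the UI is unauthenticated and read-only; enabling it exposes the information it displays to anyone who can reach the volume server, so restrict network access to that port if you turn it on") instead of asserting there is no risk. Two smaller points in the same lines: `unauthenticted` should be `unauthenticated`, and because `security.toml` is a TOML file, showing the `access.ui` setting in the section/key form it takes in the file generated by `weed scaffold -config=security` would be clearer than the dotted `access.ui=true` shorthand.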