From 3483418d46f57937919c16a822eee137d4793fb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Kurf=C3=BCrst?= Date: Mon, 3 Jan 2022 13:42:28 +0100 Subject: [PATCH] Add Authentication with Filer block --- Amazon-S3-API.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/Amazon-S3-API.md b/Amazon-S3-API.md index e76b8a7..0f470ed 100644 --- a/Amazon-S3-API.md +++ b/Amazon-S3-API.md @@ -85,7 +85,7 @@ This is not so ideal. Another approach is to list current directory when deletin The last approach, which is most efficient, is to maintain counters for each folder, and drop the folder as soon as it becomes empty. This is implemented in [[Cloud Monitoring]]. -# Authentication +# S3 Authentication By default, the access key and secret key to access `weed s3` is not authenticated. To enable credential based access, you can choose static or dynamic configuration: * **Dynamic Configuration**: setup auth with `s3.configure` in `weed shell` * **Static Configuration**: create a config.json file similar to the example below, and specify it via `weed s3 -config=config.json` @@ -223,3 +223,19 @@ Usually you would also want to have multiple filers. The easiest way is to run f weed filer -s3 ``` + +# Authentication with Filer + +You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as +explained in [[Security-Configuration]] - +controlled by the `grpc.*` configuration in `security.toml`. + +**Starting with version 2.84, it is also possible to authenticate the HTTP +operations between the S3-API-Proxy and the Filer (especially +uploading new files).** This is configured by setting +`jwt.filer_signing.key` and `jwt.filer_signing.read.key` in +`security.toml`. + +With both configurations (gRPC and JWT), it is possible to have Filer +and S3 communicate in fully authenticated fashion; so Filer will reject +any unauthenticated communication. \ No newline at end of file
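Review bot: In the first hunk (`@@ -85,7 +85,7 @@`), renaming the heading `# Authentication` to `# S3 Authentication` changes the section's anchor, so any link that targets the old heading will no longer land on this section. Check for inbound links from other wiki pages before merging, and mention the rename in the commit message, whose subject currently only says "Add Authentication with Filer block".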
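Review bot: In the second hunk (`@@ -223,3 +223,19 @@`), the closing paragraph promises that "Filer will reject any unauthenticated communication", but the section never says which process must carry `jwt.filer_signing.key` and `jwt.filer_signing.read.key`, nor what each key covers, so a reader cannot tell which configuration actually produces that guarantee. Suggest stating whether the same `security.toml` values must be present on both the S3-API-Proxy and the Filer, what stays unauthenticated when only one of the two keys is set, and adding a short `security.toml` sample in the way the `# S3 Authentication` section points to its config.json example. Two smaller points: the visible context refers to the component as `weed s3`, so "S3-API-Proxy" should either be introduced or replaced with the existing name, and the file now ends without a trailing newline.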