Add Authentication with Filer block

Sebastian Kurfürst 2022-01-03 13:42:28 +01:00
parent dd712a3851
commit 3483418d46

@ -85,7 +85,7 @@ This is not so ideal. Another approach is to list current directory when deletin
The last approach, which is most efficient, is to maintain counters for each folder, and drop the folder as soon as it becomes empty. This is implemented in [[Cloud Monitoring]]. The last approach, which is most efficient, is to maintain counters for each folder, and drop the folder as soon as it becomes empty. This is implemented in [[Cloud Monitoring]].
# Authentication # S3 Authentication
By default, the access key and secret key to access `weed s3` is not authenticated. To enable credential based access, you can choose static or dynamic configuration: By default, the access key and secret key to access `weed s3` is not authenticated. To enable credential based access, you can choose static or dynamic configuration:
* **Dynamic Configuration**: setup auth with `s3.configure` in `weed shell` * **Dynamic Configuration**: setup auth with `s3.configure` in `weed shell`
* **Static Configuration**: create a config.json file similar to the example below, and specify it via `weed s3 -config=config.json` * **Static Configuration**: create a config.json file similar to the example below, and specify it via `weed s3 -config=config.json`
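Review bot: Renaming the heading from `# Authentication` to `# S3 Authentication` changes the section's anchor, so any existing wiki links that point at the old heading should be checked and updated in the same change. While this section is being touched, the unchanged sentence under it ("the access key and secret key to access `weed s3` is not authenticated") is hard to parse; if the intent is that `weed s3` accepts requests without credentials until one of the two configurations is applied, say so directly.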
@ -223,3 +223,19 @@ Usually you would also want to have multiple filers. The easiest way is to run f
weed filer -s3 weed filer -s3
``` ```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [[Security-Configuration]] -
controlled by the `grpc.*` configuration in `security.toml`.
**Starting with version 2.84, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files).** This is configured by setting
`jwt.filer_signing.key` and `jwt.filer_signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
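Review bot: The paragraph that introduces `jwt.filer_signing.key` and `jwt.filer_signing.read.key` does not say which HTTP operations each key protects, so a reader cannot tell from "(especially uploading new files)" whether setting only one of them leaves reads or writes unauthenticated. State what each key covers, and make clear that the closing claim "Filer will reject any unauthenticated communication" holds only when both JWT keys and the `grpc.*` mTLS settings are configured. It would also help to say whether the S3 process and the filer must be given the same `security.toml` values, and to add a short `security.toml` snippet showing the two keys. As a style point, the " -" after `[[Security-Configuration]]` reads as a stray dash; fold "controlled by the `grpc.*` configuration" into the sentence.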