2022-01-25 10:48:49 -08:00
|
|
|
// This file is part of MinIO Console Server
|
2021-01-19 17:04:13 -06:00
|
|
|
// Copyright (c) 2021 MinIO, Inc.
|
2020-04-01 18:18:57 -07:00
|
|
|
//
|
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
// (at your option) any later version.
|
|
|
|
|
//
|
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
|
//
|
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
package restapi
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2022-05-05 13:44:10 -07:00
|
|
|
"errors"
|
2020-04-02 20:09:36 -07:00
|
|
|
"fmt"
|
2020-10-09 11:43:15 -07:00
|
|
|
"io"
|
2021-11-15 14:13:39 -08:00
|
|
|
"path"
|
2020-05-15 14:24:29 -07:00
|
|
|
"strings"
|
2020-10-06 16:07:33 -07:00
|
|
|
"time"
|
2020-04-01 18:18:57 -07:00
|
|
|
|
2020-09-28 12:46:08 -05:00
|
|
|
"github.com/minio/minio-go/v7/pkg/replication"
|
2020-10-25 12:56:23 -07:00
|
|
|
"github.com/minio/minio-go/v7/pkg/sse"
|
2022-05-09 11:24:43 -07:00
|
|
|
xnet "github.com/minio/pkg/net"
|
2020-09-28 12:46:08 -05:00
|
|
|
|
2020-07-26 00:34:17 -07:00
|
|
|
"github.com/minio/console/models"
|
2021-02-16 12:53:18 -08:00
|
|
|
"github.com/minio/console/pkg"
|
2020-07-26 00:34:17 -07:00
|
|
|
"github.com/minio/console/pkg/auth"
|
|
|
|
|
"github.com/minio/console/pkg/auth/ldap"
|
TLS with user provided certificates and KES support for MinIO (#213)
This PR adds the following features:
- Allow user to provide its own keypair certificates for enable TLS in
MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
encrypted session tokens
Enable TLS between client and MinIO with user provided certificates
Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`
Enable encryption at rest configuring KES
User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.
eg of body request for create-tenant
```
{
"name": "honeywell",
"access_key": "minio",
"secret_key": "minio123",
"enable_mcs": false,
"enable_ssl": false,
"service_name": "honeywell",
"zones": [
{
"name": "honeywell-zone-1",
"servers": 1,
"volumes_per_server": 4,
"volume_configuration": {
"size": 256000000,
"storage_class": "vsan-default-storage-policy"
}
}
],
"namespace": "default",
"tls": {
"tls.crt": "",
"tls.key": ""
},
"encryption": {
"server": {
"tls.crt": "",
"tls.key": ""
},
"client": {
"tls.crt": "",
"tls.key": ""
},
"vault": {
"endpoint": "http://vault:8200",
"prefix": "",
"approle": {
"id": "",
"secret": ""
}
}
}
}
```
2020-07-30 17:49:56 -07:00
|
|
|
xjwt "github.com/minio/console/pkg/auth/token"
|
2020-04-02 20:09:36 -07:00
|
|
|
mc "github.com/minio/mc/cmd"
|
|
|
|
|
"github.com/minio/mc/pkg/probe"
|
2020-07-25 14:38:16 -07:00
|
|
|
"github.com/minio/minio-go/v7"
|
|
|
|
|
"github.com/minio/minio-go/v7/pkg/credentials"
|
2021-04-24 16:31:47 -05:00
|
|
|
"github.com/minio/minio-go/v7/pkg/lifecycle"
|
2020-07-25 14:38:16 -07:00
|
|
|
"github.com/minio/minio-go/v7/pkg/notification"
|
2020-10-28 16:08:26 -07:00
|
|
|
"github.com/minio/minio-go/v7/pkg/tags"
|
2020-04-01 18:18:57 -07:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
// All minio-go API operations shall be performed only once,
|
|
|
|
|
// another way to look at this is we are turning off retries.
|
|
|
|
|
minio.MaxRetry = 1
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 10:50:51 -07:00
|
|
|
// MinioClient interface with all functions to be implemented
|
2020-04-01 18:18:57 -07:00
|
|
|
// by mock when testing, it should include all MinioClient respective api calls
|
|
|
|
|
// that are used within this project.
|
|
|
|
|
type MinioClient interface {
|
|
|
|
|
listBucketsWithContext(ctx context.Context) ([]minio.BucketInfo, error)
|
2020-11-25 12:40:39 -06:00
|
|
|
makeBucketWithContext(ctx context.Context, bucketName, location string, objectLocking bool) error
|
2020-04-01 18:18:57 -07:00
|
|
|
setBucketPolicyWithContext(ctx context.Context, bucketName, policy string) error
|
2020-07-25 14:38:16 -07:00
|
|
|
removeBucket(ctx context.Context, bucketName string) error
|
|
|
|
|
getBucketNotification(ctx context.Context, bucketName string) (config notification.Configuration, err error)
|
|
|
|
|
getBucketPolicy(ctx context.Context, bucketName string) (string, error)
|
2020-09-29 14:34:51 -07:00
|
|
|
listObjects(ctx context.Context, bucket string, opts minio.ListObjectsOptions) <-chan minio.ObjectInfo
|
2020-10-06 16:07:33 -07:00
|
|
|
getObjectRetention(ctx context.Context, bucketName, objectName, versionID string) (mode *minio.RetentionMode, retainUntilDate *time.Time, err error)
|
|
|
|
|
getObjectLegalHold(ctx context.Context, bucketName, objectName string, opts minio.GetObjectLegalHoldOptions) (status *minio.LegalHoldStatus, err error)
|
2020-10-14 23:09:33 -07:00
|
|
|
putObject(ctx context.Context, bucketName, objectName string, reader io.Reader, objectSize int64, opts minio.PutObjectOptions) (info minio.UploadInfo, err error)
|
2020-10-22 16:23:29 -07:00
|
|
|
putObjectLegalHold(ctx context.Context, bucketName, objectName string, opts minio.PutObjectLegalHoldOptions) error
|
2020-10-23 15:04:02 -07:00
|
|
|
putObjectRetention(ctx context.Context, bucketName, objectName string, opts minio.PutObjectRetentionOptions) error
|
2021-12-15 10:50:34 -06:00
|
|
|
statObject(ctx context.Context, bucketName, prefix string, opts minio.GetObjectOptions) (objectInfo minio.ObjectInfo, err error)
|
2020-10-25 12:56:23 -07:00
|
|
|
setBucketEncryption(ctx context.Context, bucketName string, config *sse.Configuration) error
|
|
|
|
|
removeBucketEncryption(ctx context.Context, bucketName string) error
|
|
|
|
|
getBucketEncryption(ctx context.Context, bucketName string) (*sse.Configuration, error)
|
2020-10-28 16:08:26 -07:00
|
|
|
putObjectTagging(ctx context.Context, bucketName, objectName string, otags *tags.Tags, opts minio.PutObjectTaggingOptions) error
|
|
|
|
|
getObjectTagging(ctx context.Context, bucketName, objectName string, opts minio.GetObjectTaggingOptions) (*tags.Tags, error)
|
2020-12-03 13:45:45 -06:00
|
|
|
setObjectLockConfig(ctx context.Context, bucketName string, mode *minio.RetentionMode, validity *uint, unit *minio.ValidityUnit) error
|
2020-12-15 19:25:43 -06:00
|
|
|
getBucketObjectLockConfig(ctx context.Context, bucketName string) (mode *minio.RetentionMode, validity *uint, unit *minio.ValidityUnit, err error)
|
2021-03-22 16:28:07 -07:00
|
|
|
getObjectLockConfig(ctx context.Context, bucketName string) (lock string, mode *minio.RetentionMode, validity *uint, unit *minio.ValidityUnit, err error)
|
2021-04-24 16:31:47 -05:00
|
|
|
getLifecycleRules(ctx context.Context, bucketName string) (lifecycle *lifecycle.Configuration, err error)
|
|
|
|
|
setBucketLifecycle(ctx context.Context, bucketName string, config *lifecycle.Configuration) error
|
2021-11-02 17:59:52 -07:00
|
|
|
copyObject(ctx context.Context, dst minio.CopyDestOptions, src minio.CopySrcOptions) (minio.UploadInfo, error)
|
2021-11-11 18:36:18 -08:00
|
|
|
GetBucketTagging(ctx context.Context, bucketName string) (*tags.Tags, error)
|
|
|
|
|
SetBucketTagging(ctx context.Context, bucketName string, tags *tags.Tags) error
|
|
|
|
|
RemoveBucketTagging(ctx context.Context, bucketName string) error
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Interface implementation
|
|
|
|
|
//
|
|
|
|
|
// Define the structure of a minIO Client and define the functions that are actually used
|
|
|
|
|
// from minIO api.
|
|
|
|
|
type minioClient struct {
|
|
|
|
|
client *minio.Client
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-11 18:36:18 -08:00
|
|
|
func (c minioClient) GetBucketTagging(ctx context.Context, bucketName string) (*tags.Tags, error) {
|
|
|
|
|
return c.client.GetBucketTagging(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c minioClient) SetBucketTagging(ctx context.Context, bucketName string, tags *tags.Tags) error {
|
|
|
|
|
return c.client.SetBucketTagging(ctx, bucketName, tags)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c minioClient) RemoveBucketTagging(ctx context.Context, bucketName string) error {
|
|
|
|
|
return c.client.RemoveBucketTagging(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-28 16:08:26 -07:00
|
|
|
// implements minio.ListBuckets(ctx)
|
2020-04-02 20:09:36 -07:00
|
|
|
func (c minioClient) listBucketsWithContext(ctx context.Context) ([]minio.BucketInfo, error) {
|
2020-07-25 14:38:16 -07:00
|
|
|
return c.client.ListBuckets(ctx)
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
2020-11-25 12:40:39 -06:00
|
|
|
// implements minio.MakeBucketWithContext(ctx, bucketName, location, objectLocking)
|
|
|
|
|
func (c minioClient) makeBucketWithContext(ctx context.Context, bucketName, location string, objectLocking bool) error {
|
2020-07-25 14:38:16 -07:00
|
|
|
return c.client.MakeBucket(ctx, bucketName, minio.MakeBucketOptions{
|
2020-11-25 12:40:39 -06:00
|
|
|
Region: location,
|
|
|
|
|
ObjectLocking: objectLocking,
|
2020-07-25 14:38:16 -07:00
|
|
|
})
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.SetBucketPolicyWithContext(ctx, bucketName, policy)
|
2020-04-02 20:09:36 -07:00
|
|
|
func (c minioClient) setBucketPolicyWithContext(ctx context.Context, bucketName, policy string) error {
|
2020-07-25 14:38:16 -07:00
|
|
|
return c.client.SetBucketPolicy(ctx, bucketName, policy)
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.RemoveBucket(bucketName)
|
2020-07-25 14:38:16 -07:00
|
|
|
func (c minioClient) removeBucket(ctx context.Context, bucketName string) error {
|
|
|
|
|
return c.client.RemoveBucket(ctx, bucketName)
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.GetBucketNotification(bucketName)
|
2020-07-25 14:38:16 -07:00
|
|
|
func (c minioClient) getBucketNotification(ctx context.Context, bucketName string) (config notification.Configuration, err error) {
|
|
|
|
|
return c.client.GetBucketNotification(ctx, bucketName)
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.GetBucketPolicy(bucketName)
|
2020-07-25 14:38:16 -07:00
|
|
|
func (c minioClient) getBucketPolicy(ctx context.Context, bucketName string) (string, error) {
|
|
|
|
|
return c.client.GetBucketPolicy(ctx, bucketName)
|
2020-04-02 20:09:36 -07:00
|
|
|
}
|
|
|
|
|
|
2020-09-28 12:46:08 -05:00
|
|
|
// implements minio.getBucketVersioning(ctx, bucketName)
|
|
|
|
|
func (c minioClient) getBucketVersioning(ctx context.Context, bucketName string) (minio.BucketVersioningConfiguration, error) {
|
|
|
|
|
return c.client.GetBucketVersioning(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.getBucketVersioning(ctx, bucketName)
|
|
|
|
|
func (c minioClient) getBucketReplication(ctx context.Context, bucketName string) (replication.Config, error) {
|
|
|
|
|
return c.client.GetBucketReplication(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-29 14:34:51 -07:00
|
|
|
// implements minio.listObjects(ctx)
|
|
|
|
|
func (c minioClient) listObjects(ctx context.Context, bucket string, opts minio.ListObjectsOptions) <-chan minio.ObjectInfo {
|
|
|
|
|
return c.client.ListObjects(ctx, bucket, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-06 16:07:33 -07:00
|
|
|
func (c minioClient) getObjectRetention(ctx context.Context, bucketName, objectName, versionID string) (mode *minio.RetentionMode, retainUntilDate *time.Time, err error) {
|
|
|
|
|
return c.client.GetObjectRetention(ctx, bucketName, objectName, versionID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c minioClient) getObjectLegalHold(ctx context.Context, bucketName, objectName string, opts minio.GetObjectLegalHoldOptions) (status *minio.LegalHoldStatus, err error) {
|
|
|
|
|
return c.client.GetObjectLegalHold(ctx, bucketName, objectName, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-14 23:09:33 -07:00
|
|
|
func (c minioClient) putObject(ctx context.Context, bucketName, objectName string, reader io.Reader, objectSize int64, opts minio.PutObjectOptions) (info minio.UploadInfo, err error) {
|
|
|
|
|
return c.client.PutObject(ctx, bucketName, objectName, reader, objectSize, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-22 16:23:29 -07:00
|
|
|
func (c minioClient) putObjectLegalHold(ctx context.Context, bucketName, objectName string, opts minio.PutObjectLegalHoldOptions) error {
|
|
|
|
|
return c.client.PutObjectLegalHold(ctx, bucketName, objectName, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-23 15:04:02 -07:00
|
|
|
func (c minioClient) putObjectRetention(ctx context.Context, bucketName, objectName string, opts minio.PutObjectRetentionOptions) error {
|
|
|
|
|
return c.client.PutObjectRetention(ctx, bucketName, objectName, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-15 10:50:34 -06:00
|
|
|
func (c minioClient) statObject(ctx context.Context, bucketName, prefix string, opts minio.GetObjectOptions) (objectInfo minio.ObjectInfo, err error) {
|
|
|
|
|
return c.client.StatObject(ctx, bucketName, prefix, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-25 12:56:23 -07:00
|
|
|
// implements minio.SetBucketEncryption(ctx, bucketName, config)
|
|
|
|
|
func (c minioClient) setBucketEncryption(ctx context.Context, bucketName string, config *sse.Configuration) error {
|
|
|
|
|
return c.client.SetBucketEncryption(ctx, bucketName, config)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.RemoveBucketEncryption(ctx, bucketName)
|
|
|
|
|
func (c minioClient) removeBucketEncryption(ctx context.Context, bucketName string) error {
|
|
|
|
|
return c.client.RemoveBucketEncryption(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// implements minio.GetBucketEncryption(ctx, bucketName, config)
|
|
|
|
|
func (c minioClient) getBucketEncryption(ctx context.Context, bucketName string) (*sse.Configuration, error) {
|
|
|
|
|
return c.client.GetBucketEncryption(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-28 16:08:26 -07:00
|
|
|
func (c minioClient) putObjectTagging(ctx context.Context, bucketName, objectName string, otags *tags.Tags, opts minio.PutObjectTaggingOptions) error {
|
|
|
|
|
return c.client.PutObjectTagging(ctx, bucketName, objectName, otags, opts)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c minioClient) getObjectTagging(ctx context.Context, bucketName, objectName string, opts minio.GetObjectTaggingOptions) (*tags.Tags, error) {
|
|
|
|
|
return c.client.GetObjectTagging(ctx, bucketName, objectName, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-03 13:45:45 -06:00
|
|
|
func (c minioClient) setObjectLockConfig(ctx context.Context, bucketName string, mode *minio.RetentionMode, validity *uint, unit *minio.ValidityUnit) error {
|
|
|
|
|
return c.client.SetObjectLockConfig(ctx, bucketName, mode, validity, unit)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-15 19:25:43 -06:00
|
|
|
func (c minioClient) getBucketObjectLockConfig(ctx context.Context, bucketName string) (mode *minio.RetentionMode, validity *uint, unit *minio.ValidityUnit, err error) {
|
|
|
|
|
return c.client.GetBucketObjectLockConfig(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-22 16:28:07 -07:00
|
|
|
func (c minioClient) getObjectLockConfig(ctx context.Context, bucketName string) (lock string, mode *minio.RetentionMode, validity *uint, unit *minio.ValidityUnit, err error) {
|
|
|
|
|
return c.client.GetObjectLockConfig(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-24 16:31:47 -05:00
|
|
|
func (c minioClient) getLifecycleRules(ctx context.Context, bucketName string) (lifecycle *lifecycle.Configuration, err error) {
|
|
|
|
|
return c.client.GetBucketLifecycle(ctx, bucketName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c minioClient) setBucketLifecycle(ctx context.Context, bucketName string, config *lifecycle.Configuration) error {
|
|
|
|
|
return c.client.SetBucketLifecycle(ctx, bucketName, config)
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-02 17:59:52 -07:00
|
|
|
func (c minioClient) copyObject(ctx context.Context, dst minio.CopyDestOptions, src minio.CopySrcOptions) (minio.UploadInfo, error) {
|
|
|
|
|
return c.client.CopyObject(ctx, dst, src)
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-28 13:11:03 -07:00
|
|
|
// MCClient interface with all functions to be implemented
|
2020-04-02 20:09:36 -07:00
|
|
|
// by mock when testing, it should include all mc/S3Client respective api calls
|
|
|
|
|
// that are used within this project.
|
2020-07-28 13:11:03 -07:00
|
|
|
type MCClient interface {
|
2020-07-23 11:13:05 -07:00
|
|
|
addNotificationConfig(ctx context.Context, arn string, events []string, prefix, suffix string, ignoreExisting bool) *probe.Error
|
|
|
|
|
removeNotificationConfig(ctx context.Context, arn string, event string, prefix string, suffix string) *probe.Error
|
|
|
|
|
watch(ctx context.Context, options mc.WatchOptions) (*mc.WatchObject, *probe.Error)
|
2022-01-31 09:10:06 -08:00
|
|
|
remove(ctx context.Context, isIncomplete, isRemoveBucket, isBypass bool, contentCh <-chan *mc.ClientContent) <-chan mc.RemoveResult
|
2020-10-01 17:00:32 -07:00
|
|
|
list(ctx context.Context, opts mc.ListOptions) <-chan *mc.ClientContent
|
2020-10-09 11:43:15 -07:00
|
|
|
get(ctx context.Context, opts mc.GetOptions) (io.ReadCloser, *probe.Error)
|
2020-10-22 11:18:27 -07:00
|
|
|
shareDownload(ctx context.Context, versionID string, expires time.Duration) (string, *probe.Error)
|
2021-03-19 18:48:58 -06:00
|
|
|
setVersioning(ctx context.Context, status string) *probe.Error
|
2020-04-02 20:09:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Interface implementation
|
|
|
|
|
//
|
|
|
|
|
// Define the structure of a mc S3Client and define the functions that are actually used
|
|
|
|
|
// from mcS3client api.
|
2020-07-28 13:11:03 -07:00
|
|
|
type mcClient struct {
|
2020-04-02 20:09:36 -07:00
|
|
|
client *mc.S3Client
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-07 09:27:25 -07:00
|
|
|
// implements S3Client.AddNotificationConfig()
|
2020-07-28 13:11:03 -07:00
|
|
|
func (c mcClient) addNotificationConfig(ctx context.Context, arn string, events []string, prefix, suffix string, ignoreExisting bool) *probe.Error {
|
2020-07-23 11:13:05 -07:00
|
|
|
return c.client.AddNotificationConfig(ctx, arn, events, prefix, suffix, ignoreExisting)
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
|
|
|
|
|
2020-04-07 09:27:25 -07:00
|
|
|
// implements S3Client.RemoveNotificationConfig()
|
2020-07-28 13:11:03 -07:00
|
|
|
func (c mcClient) removeNotificationConfig(ctx context.Context, arn string, event string, prefix string, suffix string) *probe.Error {
|
2020-07-23 11:13:05 -07:00
|
|
|
return c.client.RemoveNotificationConfig(ctx, arn, event, prefix, suffix)
|
2020-04-07 09:27:25 -07:00
|
|
|
}
|
|
|
|
|
|
2020-07-28 13:11:03 -07:00
|
|
|
func (c mcClient) watch(ctx context.Context, options mc.WatchOptions) (*mc.WatchObject, *probe.Error) {
|
2020-07-23 11:13:05 -07:00
|
|
|
return c.client.Watch(ctx, options)
|
2020-05-15 14:24:29 -07:00
|
|
|
}
|
|
|
|
|
|
2020-09-28 12:46:08 -05:00
|
|
|
func (c mcClient) setReplication(ctx context.Context, cfg *replication.Config, opts replication.Options) *probe.Error {
|
|
|
|
|
return c.client.SetReplication(ctx, cfg, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-15 18:14:23 -07:00
|
|
|
func (c mcClient) deleteAllReplicationRules(ctx context.Context) *probe.Error {
|
|
|
|
|
return c.client.RemoveReplication(ctx)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-19 18:48:58 -06:00
|
|
|
func (c mcClient) setVersioning(ctx context.Context, status string) *probe.Error {
|
2022-05-14 15:50:59 -07:00
|
|
|
return c.client.SetVersion(ctx, status, []string{}, false)
|
2021-03-19 18:48:58 -06:00
|
|
|
}
|
|
|
|
|
|
2022-01-31 09:10:06 -08:00
|
|
|
func (c mcClient) remove(ctx context.Context, isIncomplete, isRemoveBucket, isBypass bool, contentCh <-chan *mc.ClientContent) <-chan mc.RemoveResult {
|
2022-07-05 13:36:12 -07:00
|
|
|
return c.client.Remove(ctx, isIncomplete, isRemoveBucket, isBypass, false, contentCh)
|
2020-10-01 17:00:32 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c mcClient) list(ctx context.Context, opts mc.ListOptions) <-chan *mc.ClientContent {
|
|
|
|
|
return c.client.List(ctx, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-09 11:43:15 -07:00
|
|
|
func (c mcClient) get(ctx context.Context, opts mc.GetOptions) (io.ReadCloser, *probe.Error) {
|
|
|
|
|
return c.client.Get(ctx, opts)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-22 11:18:27 -07:00
|
|
|
func (c mcClient) shareDownload(ctx context.Context, versionID string, expires time.Duration) (string, *probe.Error) {
|
|
|
|
|
return c.client.ShareDownload(ctx, versionID, expires)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-07 17:11:08 -06:00
|
|
|
// ConsoleCredentialsI interface with all functions to be implemented
|
TLS with user provided certificates and KES support for MinIO (#213)
This PR adds the following features:
- Allow user to provide its own keypair certificates for enable TLS in
MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
encrypted session tokens
Enable TLS between client and MinIO with user provided certificates
Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`
Enable encryption at rest configuring KES
User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.
eg of body request for create-tenant
```
{
"name": "honeywell",
"access_key": "minio",
"secret_key": "minio123",
"enable_mcs": false,
"enable_ssl": false,
"service_name": "honeywell",
"zones": [
{
"name": "honeywell-zone-1",
"servers": 1,
"volumes_per_server": 4,
"volume_configuration": {
"size": 256000000,
"storage_class": "vsan-default-storage-policy"
}
}
],
"namespace": "default",
"tls": {
"tls.crt": "",
"tls.key": ""
},
"encryption": {
"server": {
"tls.crt": "",
"tls.key": ""
},
"client": {
"tls.crt": "",
"tls.key": ""
},
"vault": {
"endpoint": "http://vault:8200",
"prefix": "",
"approle": {
"id": "",
"secret": ""
}
}
}
}
```
2020-07-30 17:49:56 -07:00
|
|
|
// by mock when testing, it should include all needed consoleCredentials.Login api calls
|
2020-04-22 23:43:17 -07:00
|
|
|
// that are used within this project.
|
2020-12-07 17:11:08 -06:00
|
|
|
type ConsoleCredentialsI interface {
|
2020-04-22 23:43:17 -07:00
|
|
|
Get() (credentials.Value, error)
|
|
|
|
|
Expire()
|
2020-12-07 17:11:08 -06:00
|
|
|
GetAccountAccessKey() string
|
2020-04-22 23:43:17 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Interface implementation
|
2021-07-19 11:48:50 -07:00
|
|
|
type ConsoleCredentials struct {
|
|
|
|
|
ConsoleCredentials *credentials.Credentials
|
|
|
|
|
AccountAccessKey string
|
2020-12-07 17:11:08 -06:00
|
|
|
}
|
|
|
|
|
|
2021-07-19 11:48:50 -07:00
|
|
|
func (c ConsoleCredentials) GetAccountAccessKey() string {
|
|
|
|
|
return c.AccountAccessKey
|
2020-12-07 17:11:08 -06:00
|
|
|
}
|
|
|
|
|
|
2021-07-19 11:48:50 -07:00
|
|
|
// Get implements *Login.Get()
|
|
|
|
|
func (c ConsoleCredentials) Get() (credentials.Value, error) {
|
|
|
|
|
return c.ConsoleCredentials.Get()
|
2020-04-22 23:43:17 -07:00
|
|
|
}
|
2020-04-01 18:18:57 -07:00
|
|
|
|
2021-07-19 11:48:50 -07:00
|
|
|
// Expire implements *Login.Expire()
|
|
|
|
|
func (c ConsoleCredentials) Expire() {
|
|
|
|
|
c.ConsoleCredentials.Expire()
|
2020-04-22 23:43:17 -07:00
|
|
|
}
|
|
|
|
|
|
2020-07-26 00:34:17 -07:00
|
|
|
// consoleSTSAssumeRole it's a STSAssumeRole wrapper, in general
|
2020-05-08 17:11:47 -07:00
|
|
|
// there's no need to use this struct anywhere else in the project, it's only required
|
|
|
|
|
// for passing a custom *http.Client to *credentials.STSAssumeRole
|
2020-07-26 00:34:17 -07:00
|
|
|
type consoleSTSAssumeRole struct {
|
2020-05-08 17:11:47 -07:00
|
|
|
stsAssumeRole *credentials.STSAssumeRole
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-26 00:34:17 -07:00
|
|
|
func (s consoleSTSAssumeRole) Retrieve() (credentials.Value, error) {
|
2020-05-08 17:11:47 -07:00
|
|
|
return s.stsAssumeRole.Retrieve()
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-26 00:34:17 -07:00
|
|
|
func (s consoleSTSAssumeRole) IsExpired() bool {
|
2020-05-08 17:11:47 -07:00
|
|
|
return s.stsAssumeRole.IsExpired()
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-19 11:48:50 -07:00
|
|
|
func NewConsoleCredentials(accessKey, secretKey, location string) (*credentials.Credentials, error) {
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
// Future authentication methods can be added under this switch statement
|
|
|
|
|
switch {
|
2020-07-26 00:34:17 -07:00
|
|
|
// LDAP authentication for Console
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
case ldap.GetLDAPEnabled():
|
|
|
|
|
{
|
2021-08-16 12:09:03 -07:00
|
|
|
creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(), getMinIOServer(), accessKey, secretKey)
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return creds, nil
|
|
|
|
|
}
|
2020-07-26 00:34:17 -07:00
|
|
|
// default authentication for Console is via STS (Security Token Service) against MinIO
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
default:
|
|
|
|
|
{
|
2021-06-17 00:50:56 -07:00
|
|
|
if accessKey == "" || secretKey == "" {
|
2020-12-16 14:41:27 -06:00
|
|
|
return nil, errors.New("credentials endpoint, access and secret key are mandatory for AssumeRoleSTS")
|
MCS service account authentication with Mkube (#166)
`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)
Kubernetes
The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.
Development
If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI
Extract the Service account token and use it with MCS
For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:
```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```
Then run the mcs server
```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```
Self-signed certificates and Custom certificate authority for Mkube
If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable
````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````
2020-06-23 11:37:46 -07:00
|
|
|
}
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
opts := credentials.STSAssumeRoleOptions{
|
|
|
|
|
AccessKey: accessKey,
|
|
|
|
|
SecretKey: secretKey,
|
|
|
|
|
Location: location,
|
2021-11-10 10:26:27 -08:00
|
|
|
DurationSeconds: int(xjwt.GetConsoleSTSDuration().Seconds()),
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
}
|
|
|
|
|
stsAssumeRole := &credentials.STSAssumeRole{
|
2021-08-16 12:09:03 -07:00
|
|
|
Client: GetConsoleHTTPClient(),
|
2021-06-17 00:50:56 -07:00
|
|
|
STSEndpoint: getMinIOServer(),
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
Options: opts,
|
|
|
|
|
}
|
2020-07-26 00:34:17 -07:00
|
|
|
consoleSTSWrapper := consoleSTSAssumeRole{stsAssumeRole: stsAssumeRole}
|
|
|
|
|
return credentials.New(consoleSTSWrapper), nil
|
LDAP authentication support for MCS (#114)
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md
How to test:
```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```
Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.
```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF
$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```
Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.
```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```
Change the password for user billy
Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`
```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```
Add the mcsAdmin policy to user billy on MinIO
```
$ cat > mcsAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```
Run MinIO
```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```
Run MCS
```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
|
|
|
}
|
2020-05-08 17:11:47 -07:00
|
|
|
}
|
2020-04-22 23:43:17 -07:00
|
|
|
}
|
|
|
|
|
|
TLS with user provided certificates and KES support for MinIO (#213)
This PR adds the following features:
- Allow user to provide its own keypair certificates for enable TLS in
MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
encrypted session tokens
Enable TLS between client and MinIO with user provided certificates
Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`
Enable encryption at rest configuring KES
User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.
eg of body request for create-tenant
```
{
"name": "honeywell",
"access_key": "minio",
"secret_key": "minio123",
"enable_mcs": false,
"enable_ssl": false,
"service_name": "honeywell",
"zones": [
{
"name": "honeywell-zone-1",
"servers": 1,
"volumes_per_server": 4,
"volume_configuration": {
"size": 256000000,
"storage_class": "vsan-default-storage-policy"
}
}
],
"namespace": "default",
"tls": {
"tls.crt": "",
"tls.key": ""
},
"encryption": {
"server": {
"tls.crt": "",
"tls.key": ""
},
"client": {
"tls.crt": "",
"tls.key": ""
},
"vault": {
"endpoint": "http://vault:8200",
"prefix": "",
"approle": {
"id": "",
"secret": ""
}
}
}
}
```
2020-07-30 17:49:56 -07:00
|
|
|
// getConsoleCredentialsFromSession returns the *consoleCredentials.Login associated to the
|
2020-10-19 15:32:21 -07:00
|
|
|
// provided session token, this is useful for running the Expire() or IsExpired() operations
|
2020-07-26 00:34:17 -07:00
|
|
|
func getConsoleCredentialsFromSession(claims *models.Principal) *credentials.Credentials {
|
2020-12-07 17:11:08 -06:00
|
|
|
return credentials.NewStaticV4(claims.STSAccessKeyID, claims.STSSecretAccessKey, claims.STSSessionToken)
|
2020-04-22 23:43:17 -07:00
|
|
|
}
|
2020-04-01 18:18:57 -07:00
|
|
|
|
2021-07-19 11:48:50 -07:00
|
|
|
// newMinioClient creates a new MinIO client based on the ConsoleCredentials extracted
|
2020-10-19 15:32:21 -07:00
|
|
|
// from the provided session token
|
2020-07-10 19:14:28 -07:00
|
|
|
func newMinioClient(claims *models.Principal) (*minio.Client, error) {
|
2020-07-26 00:34:17 -07:00
|
|
|
creds := getConsoleCredentialsFromSession(claims)
|
2020-07-25 14:38:16 -07:00
|
|
|
minioClient, err := minio.New(getMinIOEndpoint(), &minio.Options{
|
|
|
|
|
Creds: creds,
|
|
|
|
|
Secure: getMinIOEndpointIsSecure(),
|
2021-08-16 12:09:03 -07:00
|
|
|
Transport: GetConsoleHTTPClient().Transport,
|
2020-04-22 23:43:17 -07:00
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-05-08 17:11:47 -07:00
|
|
|
return minioClient, nil
|
2020-04-01 18:18:57 -07:00
|
|
|
}
|
2020-04-02 20:09:36 -07:00
|
|
|
|
2021-12-06 13:49:13 -08:00
|
|
|
// computeObjectURLWithoutEncode returns a MinIO url containing the object filename without encoding
|
|
|
|
|
func computeObjectURLWithoutEncode(bucketName, prefix string) (string, error) {
|
2020-04-02 20:09:36 -07:00
|
|
|
endpoint := getMinIOServer()
|
2022-05-09 11:24:43 -07:00
|
|
|
u, err := xnet.ParseHTTPURL(endpoint)
|
2021-11-15 14:13:39 -08:00
|
|
|
if err != nil {
|
2021-12-06 13:49:13 -08:00
|
|
|
return "", fmt.Errorf("the provided endpoint is invalid")
|
2021-11-15 14:13:39 -08:00
|
|
|
}
|
2022-05-09 11:24:43 -07:00
|
|
|
var p string
|
2020-05-15 14:24:29 -07:00
|
|
|
if strings.TrimSpace(bucketName) != "" {
|
2022-05-09 11:24:43 -07:00
|
|
|
p = path.Join(p, bucketName)
|
2020-05-15 14:24:29 -07:00
|
|
|
}
|
2020-10-01 17:00:32 -07:00
|
|
|
if strings.TrimSpace(prefix) != "" {
|
2022-05-09 11:24:43 -07:00
|
|
|
p = pathJoinFinalSlash(p, prefix)
|
2021-12-06 13:49:13 -08:00
|
|
|
}
|
2022-05-09 11:24:43 -07:00
|
|
|
return fmt.Sprintf("%s://%s/%s", u.Scheme, u.Host, p), nil
|
2021-12-06 13:49:13 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newS3BucketClient creates a new mc S3Client to talk to the server based on a bucket
|
|
|
|
|
func newS3BucketClient(claims *models.Principal, bucketName string, prefix string) (*mc.S3Client, error) {
|
|
|
|
|
if claims == nil {
|
|
|
|
|
return nil, fmt.Errorf("the provided credentials are invalid")
|
|
|
|
|
}
|
|
|
|
|
// It's very important to avoid encoding the prefix since the minio client will encode the path itself
|
|
|
|
|
objectURL, err := computeObjectURLWithoutEncode(bucketName, prefix)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("the provided endpoint is invalid")
|
2020-10-01 17:00:32 -07:00
|
|
|
}
|
2021-12-06 13:49:13 -08:00
|
|
|
s3Config := newS3Config(objectURL, claims.STSAccessKeyID, claims.STSSecretAccessKey, claims.STSSessionToken, false)
|
2020-05-15 14:24:29 -07:00
|
|
|
client, pErr := mc.S3New(s3Config)
|
2020-11-30 12:41:58 -08:00
|
|
|
if pErr != nil {
|
|
|
|
|
return nil, pErr.Cause
|
|
|
|
|
}
|
|
|
|
|
s3Client, ok := client.(*mc.S3Client)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("the provided url doesn't point to a S3 server")
|
|
|
|
|
}
|
|
|
|
|
return s3Client, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-07 18:01:44 -08:00
|
|
|
// pathJoinFinalSlash - like path.Join() but retains trailing slashSeparator of the last element
|
|
|
|
|
func pathJoinFinalSlash(elem ...string) string {
|
|
|
|
|
if len(elem) > 0 {
|
|
|
|
|
if strings.HasSuffix(elem[len(elem)-1], SlashSeparator) {
|
|
|
|
|
return path.Join(elem...) + SlashSeparator
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return path.Join(elem...)
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-02 20:09:36 -07:00
|
|
|
// newS3Config simply creates a new Config struct using the passed
|
|
|
|
|
// parameters.
|
2020-11-30 12:41:58 -08:00
|
|
|
func newS3Config(endpoint, accessKey, secretKey, sessionToken string, insecure bool) *mc.Config {
|
2020-12-07 13:49:00 -06:00
|
|
|
// We have a valid alias and hostConfig. We populate the/
|
2020-07-26 00:34:17 -07:00
|
|
|
// consoleCredentials from the match found in the config file.
|
2020-04-02 20:09:36 -07:00
|
|
|
s3Config := new(mc.Config)
|
|
|
|
|
|
2021-02-16 12:53:18 -08:00
|
|
|
s3Config.AppName = globalAppName
|
|
|
|
|
s3Config.AppVersion = pkg.Version
|
2020-04-02 20:09:36 -07:00
|
|
|
s3Config.Debug = false
|
2020-11-30 12:41:58 -08:00
|
|
|
s3Config.Insecure = insecure
|
2020-04-02 20:09:36 -07:00
|
|
|
|
|
|
|
|
s3Config.HostURL = endpoint
|
|
|
|
|
s3Config.AccessKey = accessKey
|
|
|
|
|
s3Config.SecretKey = secretKey
|
2020-05-15 14:24:29 -07:00
|
|
|
s3Config.SessionToken = sessionToken
|
2020-04-02 20:09:36 -07:00
|
|
|
s3Config.Signature = "S3v4"
|
2022-04-28 12:55:06 -07:00
|
|
|
s3Config.Transport = PrepareSTSClientTransport(insecure)
|
2020-11-30 12:41:58 -08:00
|
|
|
|
2020-04-02 20:09:36 -07:00
|
|
|
return s3Config
|
|
|
|
|
}
|