2021-04-18 12:41:13 -07:00
|
|
|
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
|
|
//
|
|
|
|
// This file is part of MinIO Object Storage stack
|
|
|
|
//
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
// (at your option) any later version.
|
|
|
|
//
|
|
|
|
// This program is distributed in the hope that it will be useful
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
|
2016-08-18 16:23:42 -07:00
|
|
|
package cmd
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
|
|
|
|
import (
|
2020-12-04 09:32:35 -08:00
|
|
|
"context"
|
2021-04-22 17:45:30 +02:00
|
|
|
"errors"
|
2019-12-04 15:32:37 -08:00
|
|
|
"fmt"
|
2019-10-07 22:47:56 -07:00
|
|
|
"strings"
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
"sync"
|
|
|
|
|
2021-05-06 08:52:02 -07:00
|
|
|
"github.com/minio/madmin-go"
|
2021-06-01 14:59:40 -07:00
|
|
|
"github.com/minio/minio/internal/config"
|
|
|
|
"github.com/minio/minio/internal/config/api"
|
|
|
|
"github.com/minio/minio/internal/config/cache"
|
|
|
|
"github.com/minio/minio/internal/config/compress"
|
|
|
|
"github.com/minio/minio/internal/config/dns"
|
|
|
|
"github.com/minio/minio/internal/config/etcd"
|
|
|
|
"github.com/minio/minio/internal/config/heal"
|
|
|
|
xldap "github.com/minio/minio/internal/config/identity/ldap"
|
|
|
|
"github.com/minio/minio/internal/config/identity/openid"
|
2021-09-08 04:03:48 +02:00
|
|
|
xtls "github.com/minio/minio/internal/config/identity/tls"
|
2021-06-01 14:59:40 -07:00
|
|
|
"github.com/minio/minio/internal/config/notify"
|
|
|
|
"github.com/minio/minio/internal/config/policy/opa"
|
2022-05-10 17:14:55 -07:00
|
|
|
polplugin "github.com/minio/minio/internal/config/policy/plugin"
|
2021-06-01 14:59:40 -07:00
|
|
|
"github.com/minio/minio/internal/config/scanner"
|
|
|
|
"github.com/minio/minio/internal/config/storageclass"
|
2021-09-15 10:24:25 +05:30
|
|
|
"github.com/minio/minio/internal/config/subnet"
|
2021-06-01 14:59:40 -07:00
|
|
|
"github.com/minio/minio/internal/crypto"
|
|
|
|
xhttp "github.com/minio/minio/internal/http"
|
|
|
|
"github.com/minio/minio/internal/kms"
|
|
|
|
"github.com/minio/minio/internal/logger"
|
2021-05-28 15:17:01 -07:00
|
|
|
"github.com/minio/pkg/env"
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
)
|
|
|
|
|
2019-12-04 15:32:37 -08:00
|
|
|
func initHelp() {
|
2022-01-02 09:15:06 -08:00
|
|
|
kvs := map[string]config.KVS{
|
2019-11-27 09:36:08 -08:00
|
|
|
config.EtcdSubSys: etcd.DefaultKVS,
|
|
|
|
config.CacheSubSys: cache.DefaultKVS,
|
|
|
|
config.CompressionSubSys: compress.DefaultKVS,
|
|
|
|
config.IdentityLDAPSubSys: xldap.DefaultKVS,
|
|
|
|
config.IdentityOpenIDSubSys: openid.DefaultKVS,
|
2021-09-08 04:03:48 +02:00
|
|
|
config.IdentityTLSSubSys: xtls.DefaultKVS,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.PolicyOPASubSys: opa.DefaultKVS,
|
2022-05-10 17:14:55 -07:00
|
|
|
config.PolicyPluginSubSys: polplugin.DefaultKVS,
|
2021-11-25 13:06:25 -08:00
|
|
|
config.SiteSubSys: config.DefaultSiteKVS,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.RegionSubSys: config.DefaultRegionKVS,
|
2020-04-14 20:46:37 +01:00
|
|
|
config.APISubSys: api.DefaultKVS,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.CredentialsSubSys: config.DefaultCredentialKVS,
|
2021-12-20 13:16:53 -08:00
|
|
|
config.LoggerWebhookSubSys: logger.DefaultLoggerWebhookKVS,
|
2021-07-13 09:39:13 -07:00
|
|
|
config.AuditWebhookSubSys: logger.DefaultAuditWebhookKVS,
|
|
|
|
config.AuditKafkaSubSys: logger.DefaultAuditKafkaKVS,
|
2020-10-14 13:51:51 -07:00
|
|
|
config.HealSubSys: heal.DefaultKVS,
|
2021-02-17 12:04:11 -08:00
|
|
|
config.ScannerSubSys: scanner.DefaultKVS,
|
2021-09-15 10:24:25 +05:30
|
|
|
config.SubnetSubSys: subnet.DefaultKVS,
|
2019-11-27 09:36:08 -08:00
|
|
|
}
|
|
|
|
for k, v := range notify.DefaultNotificationKVS {
|
|
|
|
kvs[k] = v
|
|
|
|
}
|
2020-06-12 20:04:01 -07:00
|
|
|
if globalIsErasure {
|
2019-12-04 15:32:37 -08:00
|
|
|
kvs[config.StorageClassSubSys] = storageclass.DefaultKVS
|
|
|
|
}
|
2019-11-27 09:36:08 -08:00
|
|
|
config.RegisterDefaultKVS(kvs)
|
|
|
|
|
|
|
|
// Captures help for each sub-system
|
2022-01-02 09:15:06 -08:00
|
|
|
helpSubSys := config.HelpKVS{
|
2019-11-27 09:36:08 -08:00
|
|
|
config.HelpKV{
|
2021-11-25 13:06:25 -08:00
|
|
|
Key: config.SiteSubSys,
|
|
|
|
Description: "label the server and its location",
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.CacheSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "add caching storage tier",
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.CompressionSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "enable server side compression of objects",
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.EtcdSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "federate multiple clusters for IAM and Bucket DNS",
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
|
|
|
config.HelpKV{
|
2022-04-28 18:27:09 -07:00
|
|
|
Key: config.IdentityOpenIDSubSys,
|
|
|
|
Description: "enable OpenID SSO support",
|
|
|
|
MultipleTargets: true,
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.IdentityLDAPSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "enable LDAP SSO support",
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
2021-09-08 04:03:48 +02:00
|
|
|
config.HelpKV{
|
|
|
|
Key: config.IdentityTLSSubSys,
|
|
|
|
Description: "enable X.509 TLS certificate SSO support",
|
|
|
|
},
|
2019-11-27 09:36:08 -08:00
|
|
|
config.HelpKV{
|
2022-05-10 17:14:55 -07:00
|
|
|
Key: config.PolicyPluginSubSys,
|
|
|
|
Description: "enable Access Management Plugin for policy enforcement",
|
2019-11-27 09:36:08 -08:00
|
|
|
},
|
2020-04-14 20:46:37 +01:00
|
|
|
config.HelpKV{
|
|
|
|
Key: config.APISubSys,
|
|
|
|
Description: "manage global HTTP API call specific features, such as throttling, authentication types, etc.",
|
|
|
|
},
|
2020-09-12 00:08:12 -07:00
|
|
|
config.HelpKV{
|
2020-10-14 13:51:51 -07:00
|
|
|
Key: config.HealSubSys,
|
|
|
|
Description: "manage object healing frequency and bitrot verification checks",
|
2020-09-12 00:08:12 -07:00
|
|
|
},
|
2020-12-04 09:32:35 -08:00
|
|
|
config.HelpKV{
|
2021-02-17 12:04:11 -08:00
|
|
|
Key: config.ScannerSubSys,
|
2021-02-26 15:11:42 -08:00
|
|
|
Description: "manage namespace scanning for usage calculation, lifecycle, healing and more",
|
2020-12-04 09:32:35 -08:00
|
|
|
},
|
2019-11-27 09:36:08 -08:00
|
|
|
config.HelpKV{
|
|
|
|
Key: config.LoggerWebhookSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "send server logs to webhook endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.AuditWebhookSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "send audit logs to webhook endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
2021-07-13 09:39:13 -07:00
|
|
|
config.HelpKV{
|
|
|
|
Key: config.AuditKafkaSubSys,
|
|
|
|
Description: "send audit logs to kafka endpoints",
|
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
2019-11-27 09:36:08 -08:00
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyWebhookSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "publish bucket notifications to webhook endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyAMQPSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "publish bucket notifications to AMQP endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyKafkaSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "publish bucket notifications to Kafka endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyMQTTSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "publish bucket notifications to MQTT endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyNATSSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "publish bucket notifications to NATS endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyNSQSubSys,
|
2019-12-04 15:32:37 -08:00
|
|
|
Description: "publish bucket notifications to NSQ endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyMySQLSubSys,
|
2019-12-06 13:53:51 -08:00
|
|
|
Description: "publish bucket notifications to MySQL databases",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
|
|
|
Key: config.NotifyPostgresSubSys,
|
2019-12-06 13:53:51 -08:00
|
|
|
Description: "publish bucket notifications to Postgres databases",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
2019-12-06 13:53:51 -08:00
|
|
|
Key: config.NotifyESSubSys,
|
|
|
|
Description: "publish bucket notifications to Elasticsearch endpoints",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
|
|
|
config.HelpKV{
|
2019-12-06 13:53:51 -08:00
|
|
|
Key: config.NotifyRedisSubSys,
|
|
|
|
Description: "publish bucket notifications to Redis datastores",
|
2019-11-27 09:36:08 -08:00
|
|
|
MultipleTargets: true,
|
|
|
|
},
|
2021-09-15 10:24:25 +05:30
|
|
|
config.HelpKV{
|
|
|
|
Key: config.SubnetSubSys,
|
|
|
|
Type: "string",
|
2021-12-03 23:02:11 +05:30
|
|
|
Description: "set subnet config for the cluster e.g. api key",
|
2021-09-15 10:24:25 +05:30
|
|
|
Optional: true,
|
|
|
|
},
|
2019-11-27 09:36:08 -08:00
|
|
|
}
|
|
|
|
|
2020-06-12 20:04:01 -07:00
|
|
|
if globalIsErasure {
|
2019-12-04 15:32:37 -08:00
|
|
|
helpSubSys = append(helpSubSys, config.HelpKV{})
|
|
|
|
copy(helpSubSys[2:], helpSubSys[1:])
|
|
|
|
helpSubSys[1] = config.HelpKV{
|
|
|
|
Key: config.StorageClassSubSys,
|
|
|
|
Description: "define object level redundancy",
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-01-02 09:15:06 -08:00
|
|
|
helpMap := map[string]config.HelpKVS{
|
2019-11-27 09:36:08 -08:00
|
|
|
"": helpSubSys, // Help for all sub-systems.
|
2021-11-25 13:06:25 -08:00
|
|
|
config.SiteSubSys: config.SiteHelp,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.RegionSubSys: config.RegionHelp,
|
2020-04-14 20:46:37 +01:00
|
|
|
config.APISubSys: api.Help,
|
2019-12-04 15:32:37 -08:00
|
|
|
config.StorageClassSubSys: storageclass.Help,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.EtcdSubSys: etcd.Help,
|
|
|
|
config.CacheSubSys: cache.Help,
|
|
|
|
config.CompressionSubSys: compress.Help,
|
2020-10-14 13:51:51 -07:00
|
|
|
config.HealSubSys: heal.Help,
|
2021-02-17 12:04:11 -08:00
|
|
|
config.ScannerSubSys: scanner.Help,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.IdentityOpenIDSubSys: openid.Help,
|
|
|
|
config.IdentityLDAPSubSys: xldap.Help,
|
2021-09-08 04:03:48 +02:00
|
|
|
config.IdentityTLSSubSys: xtls.Help,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.PolicyOPASubSys: opa.Help,
|
2022-05-10 17:14:55 -07:00
|
|
|
config.PolicyPluginSubSys: polplugin.Help,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.LoggerWebhookSubSys: logger.Help,
|
2021-07-13 09:39:13 -07:00
|
|
|
config.AuditWebhookSubSys: logger.HelpWebhook,
|
|
|
|
config.AuditKafkaSubSys: logger.HelpKafka,
|
2019-11-27 09:36:08 -08:00
|
|
|
config.NotifyAMQPSubSys: notify.HelpAMQP,
|
|
|
|
config.NotifyKafkaSubSys: notify.HelpKafka,
|
|
|
|
config.NotifyMQTTSubSys: notify.HelpMQTT,
|
|
|
|
config.NotifyNATSSubSys: notify.HelpNATS,
|
|
|
|
config.NotifyNSQSubSys: notify.HelpNSQ,
|
|
|
|
config.NotifyMySQLSubSys: notify.HelpMySQL,
|
|
|
|
config.NotifyPostgresSubSys: notify.HelpPostgres,
|
|
|
|
config.NotifyRedisSubSys: notify.HelpRedis,
|
|
|
|
config.NotifyWebhookSubSys: notify.HelpWebhook,
|
|
|
|
config.NotifyESSubSys: notify.HelpES,
|
2021-12-03 23:02:11 +05:30
|
|
|
config.SubnetSubSys: subnet.HelpSubnet,
|
2019-11-27 09:36:08 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
config.RegisterHelpSubSys(helpMap)
|
2021-11-25 13:06:25 -08:00
|
|
|
|
|
|
|
// save top-level help for deprecated sub-systems in a separate map.
|
|
|
|
deprecatedHelpKVMap := map[string]config.HelpKV{
|
|
|
|
config.RegionSubSys: {
|
|
|
|
Key: config.RegionSubSys,
|
|
|
|
Description: "[DEPRECATED - use `site` instead] label the location of the server",
|
|
|
|
},
|
2022-05-10 17:14:55 -07:00
|
|
|
config.PolicyOPASubSys: {
|
|
|
|
Key: config.PolicyOPASubSys,
|
|
|
|
Description: "[DEPRECATED - use `policy_plugin` instead] enable external OPA for policy enforcement",
|
|
|
|
},
|
2021-11-25 13:06:25 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
config.RegisterHelpDeprecatedSubSys(deprecatedHelpKVMap)
|
2019-11-27 09:36:08 -08:00
|
|
|
}
|
|
|
|
|
2017-03-31 10:56:24 +05:30
|
|
|
var (
|
2017-11-29 13:12:47 -08:00
|
|
|
// globalServerConfig server config.
|
2019-10-22 22:59:13 -07:00
|
|
|
globalServerConfig config.Config
|
2017-11-29 13:12:47 -08:00
|
|
|
globalServerConfigMu sync.RWMutex
|
2017-03-31 10:56:24 +05:30
|
|
|
)
|
|
|
|
|
2022-02-09 00:06:41 +05:30
|
|
|
func validateSubSysConfig(s config.Config, subSys string, objAPI ObjectLayer) error {
|
|
|
|
switch subSys {
|
|
|
|
case config.CredentialsSubSys:
|
|
|
|
if _, err := config.LookupCreds(s[config.CredentialsSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
2021-09-01 11:34:07 -07:00
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
case config.SiteSubSys:
|
|
|
|
if _, err := config.LookupSite(s[config.SiteSubSys][config.Default], s[config.RegionSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.APISubSys:
|
|
|
|
if _, err := api.LookupConfig(s[config.APISubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.StorageClassSubSys:
|
|
|
|
if globalIsErasure {
|
|
|
|
if objAPI == nil {
|
|
|
|
return errServerNotInitialized
|
|
|
|
}
|
|
|
|
for _, setDriveCount := range objAPI.SetDriveCounts() {
|
|
|
|
if _, err := storageclass.LookupConfig(s[config.StorageClassSubSys][config.Default], setDriveCount); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-01-22 12:09:24 -08:00
|
|
|
}
|
2018-08-19 13:57:18 -07:00
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
case config.CacheSubSys:
|
|
|
|
if _, err := cache.LookupConfig(s[config.CacheSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.CompressionSubSys:
|
|
|
|
compCfg, err := compress.LookupConfig(s[config.CompressionSubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2020-12-04 09:32:35 -08:00
|
|
|
}
|
|
|
|
|
2022-02-09 00:06:41 +05:30
|
|
|
if objAPI != nil {
|
|
|
|
if compCfg.Enabled && !objAPI.IsCompressionSupported() {
|
|
|
|
return fmt.Errorf("Backend does not support compression")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
case config.HealSubSys:
|
|
|
|
if _, err := heal.LookupConfig(s[config.HealSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.ScannerSubSys:
|
|
|
|
if _, err := scanner.LookupConfig(s[config.ScannerSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.EtcdSubSys:
|
2019-11-09 09:27:23 -08:00
|
|
|
etcdCfg, err := etcd.LookupConfig(s[config.EtcdSubSys][config.Default], globalRootCAs)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if etcdCfg.Enabled {
|
|
|
|
etcdClnt, err := etcd.New(etcdCfg)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
etcdClnt.Close()
|
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
case config.IdentityOpenIDSubSys:
|
2022-04-28 18:27:09 -07:00
|
|
|
if _, err := openid.LookupConfig(s[config.IdentityOpenIDSubSys],
|
2022-02-09 00:06:41 +05:30
|
|
|
NewGatewayHTTPTransport(), xhttp.DrainBody, globalSite.Region); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.IdentityLDAPSubSys:
|
|
|
|
cfg, err := xldap.Lookup(s[config.IdentityLDAPSubSys][config.Default], globalRootCAs)
|
2020-03-21 22:47:26 -07:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if cfg.Enabled {
|
|
|
|
conn, cerr := cfg.Connect()
|
|
|
|
if cerr != nil {
|
|
|
|
return cerr
|
|
|
|
}
|
|
|
|
conn.Close()
|
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
case config.IdentityTLSSubSys:
|
|
|
|
if _, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.SubnetSubSys:
|
|
|
|
if _, err := subnet.LookupConfig(s[config.SubnetSubSys][config.Default]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
case config.PolicyOPASubSys:
|
2022-05-10 17:14:55 -07:00
|
|
|
// In case legacy OPA config is being set, we treat it as if the
|
|
|
|
// AuthZPlugin is being set.
|
|
|
|
subSys = config.PolicyPluginSubSys
|
|
|
|
fallthrough
|
|
|
|
case config.PolicyPluginSubSys:
|
|
|
|
if ppargs, err := polplugin.LookupConfig(s[config.PolicyPluginSubSys][config.Default],
|
2022-02-09 00:06:41 +05:30
|
|
|
NewGatewayHTTPTransport(), xhttp.DrainBody); err != nil {
|
|
|
|
return err
|
2022-05-10 17:14:55 -07:00
|
|
|
} else if ppargs.URL == nil {
|
|
|
|
// Check if legacy opa is configured.
|
|
|
|
if _, err := opa.LookupConfig(s[config.PolicyOPASubSys][config.Default],
|
|
|
|
NewGatewayHTTPTransport(), xhttp.DrainBody); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
}
|
|
|
|
default:
|
|
|
|
if config.LoggerSubSystems.Contains(subSys) {
|
|
|
|
if err := logger.ValidateSubSysConfig(s, subSys); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2018-07-18 20:22:29 +02:00
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
|
|
|
|
if config.NotifySubSystems.Contains(subSys) {
|
|
|
|
if err := notify.TestSubSysNotificationTargets(GlobalContext, s, NewGatewayHTTPTransport(), globalNotificationSys.ConfiguredTargetIDs(), subSys); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-07-18 20:22:29 +02:00
|
|
|
}
|
2022-02-09 00:06:41 +05:30
|
|
|
return nil
|
|
|
|
}
|
2019-11-09 09:27:23 -08:00
|
|
|
|
2022-02-09 00:06:41 +05:30
|
|
|
func validateConfig(s config.Config, subSys string) error {
|
|
|
|
objAPI := newObjectLayerFn()
|
|
|
|
|
|
|
|
// We must have a global lock for this so nobody else modifies env while we do.
|
|
|
|
defer env.LockSetEnv()()
|
|
|
|
|
|
|
|
// Disable merging env values with config for validation.
|
|
|
|
env.SetEnvOff()
|
|
|
|
|
|
|
|
// Enable env values to validate KMS.
|
|
|
|
defer env.SetEnvOn()
|
|
|
|
if subSys != "" {
|
|
|
|
return validateSubSysConfig(s, subSys, objAPI)
|
2018-07-18 20:22:29 +02:00
|
|
|
}
|
2019-11-09 09:27:23 -08:00
|
|
|
|
2022-02-09 00:06:41 +05:30
|
|
|
// No sub-system passed. Validate all of them.
|
|
|
|
for _, ss := range config.SubSystems.ToSlice() {
|
|
|
|
if err := validateSubSysConfig(s, ss, objAPI); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-02-01 23:22:38 +05:30
|
|
|
}
|
|
|
|
|
2022-02-09 00:06:41 +05:30
|
|
|
return nil
|
2019-10-22 22:59:13 -07:00
|
|
|
}
|
2018-07-18 20:22:29 +02:00
|
|
|
|
2021-09-01 11:34:07 -07:00
|
|
|
func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
2020-04-09 09:30:02 -07:00
|
|
|
ctx := GlobalContext
|
2019-12-14 17:27:57 -08:00
|
|
|
|
|
|
|
var err error
|
2019-10-22 22:59:13 -07:00
|
|
|
if !globalActiveCred.IsValid() {
|
2019-10-30 00:04:39 -07:00
|
|
|
// Env doesn't seem to be set, we fallback to lookup creds from the config.
|
2019-10-22 22:59:13 -07:00
|
|
|
globalActiveCred, err = config.LookupCreds(s[config.CredentialsSubSys][config.Default])
|
|
|
|
if err != nil {
|
2019-12-14 17:27:57 -08:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("Invalid credentials configuration: %w", err))
|
2018-07-18 20:22:29 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-09-01 11:34:07 -07:00
|
|
|
dnsURL, dnsUser, dnsPass, err := env.LookupEnv(config.EnvDNSWebhook)
|
|
|
|
if err != nil {
|
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to initialize remote webhook DNS config")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err == nil && dnsURL != "" {
|
2020-09-10 14:19:32 -07:00
|
|
|
globalDNSConfig, err = dns.NewOperatorDNS(dnsURL,
|
|
|
|
dns.Authentication(dnsUser, dnsPass),
|
|
|
|
dns.RootCAs(globalRootCAs))
|
|
|
|
if err != nil {
|
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to initialize remote webhook DNS config")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-19 00:19:29 +01:00
|
|
|
etcdCfg, err := etcd.LookupConfig(s[config.EtcdSubSys][config.Default], globalRootCAs)
|
2019-10-30 00:04:39 -07:00
|
|
|
if err != nil {
|
2020-06-15 22:09:39 -07:00
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to initialize etcd config")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize etcd config: %w", err))
|
|
|
|
}
|
2019-10-30 00:04:39 -07:00
|
|
|
}
|
|
|
|
|
2019-12-14 17:27:57 -08:00
|
|
|
if etcdCfg.Enabled {
|
2020-06-18 17:31:56 -07:00
|
|
|
if globalEtcdClient == nil {
|
|
|
|
globalEtcdClient, err = etcd.New(etcdCfg)
|
|
|
|
if err != nil {
|
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to initialize etcd config")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize etcd config: %w", err))
|
|
|
|
}
|
2020-06-16 20:15:21 -07:00
|
|
|
}
|
|
|
|
}
|
2020-06-18 17:31:56 -07:00
|
|
|
|
2020-09-10 14:19:32 -07:00
|
|
|
if len(globalDomainNames) != 0 && !globalDomainIPs.IsEmpty() && globalEtcdClient != nil {
|
|
|
|
if globalDNSConfig != nil {
|
|
|
|
// if global DNS is already configured, indicate with a warning, incase
|
|
|
|
// users are confused.
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("DNS store is already configured with %s, not using etcd for DNS store", globalDNSConfig))
|
|
|
|
} else {
|
|
|
|
globalDNSConfig, err = dns.NewCoreDNS(etcdCfg.Config,
|
|
|
|
dns.DomainNames(globalDomainNames),
|
|
|
|
dns.DomainIPs(globalDomainIPs),
|
|
|
|
dns.DomainPort(globalMinioPort),
|
|
|
|
dns.CoreDNSPath(etcdCfg.CoreDNSPath),
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to initialize DNS config")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize DNS config for %s: %w",
|
|
|
|
globalDomainNames, err))
|
|
|
|
}
|
2020-06-15 22:09:39 -07:00
|
|
|
}
|
|
|
|
}
|
2020-06-16 20:15:21 -07:00
|
|
|
}
|
2019-10-30 00:04:39 -07:00
|
|
|
}
|
|
|
|
|
2019-12-29 08:56:45 -08:00
|
|
|
// Bucket federation is 'true' only when IAM assets are not namespaced
|
|
|
|
// per tenant and all tenants interested in globally available users
|
|
|
|
// if namespace was requested such as specifying etcdPathPrefix then
|
|
|
|
// we assume that users are interested in global bucket support
|
|
|
|
// but not federation.
|
|
|
|
globalBucketFederation = etcdCfg.PathPrefix == "" && etcdCfg.Enabled
|
|
|
|
|
2021-11-25 13:06:25 -08:00
|
|
|
globalSite, err = config.LookupSite(s[config.SiteSubSys][config.Default], s[config.RegionSubSys][config.Default])
|
2019-10-22 22:59:13 -07:00
|
|
|
if err != nil {
|
2021-11-25 13:06:25 -08:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("Invalid site configuration: %w", err))
|
2018-08-14 21:41:47 -07:00
|
|
|
}
|
|
|
|
|
2020-04-14 20:46:37 +01:00
|
|
|
apiConfig, err := api.LookupConfig(s[config.APISubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Invalid api configuration: %w", err))
|
|
|
|
}
|
|
|
|
|
2020-09-11 23:03:08 -07:00
|
|
|
// Initialize remote instance transport once.
|
|
|
|
getRemoteInstanceTransportOnce.Do(func() {
|
|
|
|
getRemoteInstanceTransport = newGatewayHTTPTransport(apiConfig.RemoteTransportDeadline)
|
|
|
|
})
|
|
|
|
|
2019-10-22 22:59:13 -07:00
|
|
|
globalCacheConfig, err = cache.LookupConfig(s[config.CacheSubSys][config.Default])
|
2019-10-04 10:35:33 -07:00
|
|
|
if err != nil {
|
2020-06-15 22:09:39 -07:00
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to setup cache")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to setup cache: %w", err))
|
|
|
|
}
|
2018-08-14 21:41:47 -07:00
|
|
|
}
|
2018-08-17 12:52:14 -07:00
|
|
|
|
2019-10-22 22:59:13 -07:00
|
|
|
if globalCacheConfig.Enabled {
|
2021-04-22 17:45:30 +02:00
|
|
|
if cacheEncKey := env.Get(cache.EnvCacheEncryptionKey, ""); cacheEncKey != "" {
|
|
|
|
globalCacheKMS, err = kms.Parse(cacheEncKey)
|
2019-10-04 10:35:33 -07:00
|
|
|
if err != nil {
|
2019-12-14 17:27:57 -08:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to setup encryption cache: %w", err))
|
2019-10-04 10:35:33 -07:00
|
|
|
}
|
|
|
|
}
|
2018-08-17 12:52:14 -07:00
|
|
|
}
|
2018-09-28 09:06:17 +05:30
|
|
|
|
2021-04-22 17:45:30 +02:00
|
|
|
globalAutoEncryption = crypto.LookupAutoEncryption() // Enable auto-encryption if enabled
|
|
|
|
if globalAutoEncryption && GlobalKMS == nil {
|
|
|
|
logger.Fatal(errors.New("no KMS configured"), "MINIO_KMS_AUTO_ENCRYPTION requires a valid KMS configuration")
|
2020-09-03 12:43:45 -07:00
|
|
|
}
|
2018-10-12 11:32:18 -07:00
|
|
|
|
2021-09-08 04:03:48 +02:00
|
|
|
globalSTSTLSConfig, err = xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
|
|
|
|
}
|
|
|
|
|
2021-10-11 14:23:51 -07:00
|
|
|
if globalSTSTLSConfig.InsecureSkipVerify {
|
2022-03-03 13:21:16 -08:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify))
|
2021-10-11 14:23:51 -07:00
|
|
|
}
|
|
|
|
|
2022-04-28 18:27:09 -07:00
|
|
|
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys],
|
2021-11-26 19:22:40 -08:00
|
|
|
NewGatewayHTTPTransport(), xhttp.DrainBody, globalSite.Region)
|
2019-10-06 22:50:24 -07:00
|
|
|
if err != nil {
|
2019-12-14 17:27:57 -08:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize OpenID: %w", err))
|
2019-10-06 22:50:24 -07:00
|
|
|
}
|
|
|
|
|
2022-05-10 17:14:55 -07:00
|
|
|
authZPluginCfg, err := polplugin.LookupConfig(s[config.PolicyPluginSubSys][config.Default],
|
2020-03-21 22:10:13 -07:00
|
|
|
NewGatewayHTTPTransport(), xhttp.DrainBody)
|
2019-10-06 22:50:24 -07:00
|
|
|
if err != nil {
|
2022-05-10 17:14:55 -07:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize AuthZPlugin: %w", err))
|
|
|
|
}
|
|
|
|
if authZPluginCfg.URL == nil {
|
|
|
|
opaCfg, err := opa.LookupConfig(s[config.PolicyOPASubSys][config.Default],
|
|
|
|
NewGatewayHTTPTransport(), xhttp.DrainBody)
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize AuthZPlugin from legacy OPA config: %w", err))
|
|
|
|
} else {
|
|
|
|
authZPluginCfg.URL = opaCfg.URL
|
|
|
|
authZPluginCfg.AuthToken = opaCfg.AuthToken
|
|
|
|
authZPluginCfg.Transport = opaCfg.Transport
|
|
|
|
authZPluginCfg.CloseRespFn = opaCfg.CloseRespFn
|
|
|
|
}
|
2018-10-12 11:32:18 -07:00
|
|
|
}
|
2022-05-10 17:14:55 -07:00
|
|
|
globalAuthZPlugin = polplugin.New(authZPluginCfg)
|
2019-10-06 22:50:24 -07:00
|
|
|
|
2019-10-22 22:59:13 -07:00
|
|
|
globalLDAPConfig, err = xldap.Lookup(s[config.IdentityLDAPSubSys][config.Default],
|
|
|
|
globalRootCAs)
|
2019-09-09 16:12:29 -07:00
|
|
|
if err != nil {
|
2019-12-14 17:27:57 -08:00
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
|
2019-09-09 16:12:29 -07:00
|
|
|
}
|
2019-10-07 22:47:56 -07:00
|
|
|
|
2021-09-15 10:24:25 +05:30
|
|
|
globalSubnetConfig, err = subnet.LookupConfig(s[config.SubnetSubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to parse subnet configuration: %w", err))
|
|
|
|
}
|
|
|
|
|
certs: refactor cert manager to support multiple certificates (#10207)
This commit refactors the certificate management implementation
in the `certs` package such that multiple certificates can be
specified at the same time. Therefore, the following layout of
the `certs/` directory is expected:
```
certs/
│
├─ public.crt
├─ private.key
├─ CAs/ // CAs directory is ignored
│ │
│ ...
│
├─ example.com/
│ │
│ ├─ public.crt
│ └─ private.key
└─ foobar.org/
│
├─ public.crt
└─ private.key
...
```
However, directory names like `example.com` are just for human
readability/organization and don't have any meaning w.r.t whether
a particular certificate is served or not. This decision is made based
on the SNI sent by the client and the SAN of the certificate.
***
The `Manager` will pick a certificate based on the client trying
to establish a TLS connection. In particular, it looks at the client
hello (i.e. SNI) to determine which host the client tries to access.
If the manager can find a certificate that matches the SNI it
returns this certificate to the client.
However, the client may choose to not send an SNI or tries to access
a server directly via IP (`https://<ip>:<port>`). In this case, we
cannot use the SNI to determine which certificate to serve. However,
we also should not pick "the first" certificate that would be accepted
by the client (based on crypto. parameters - like a signature algorithm)
because it may be an internal certificate that contains internal hostnames.
We would disclose internal infrastructure details doing so.
Therefore, the `Manager` returns the "default" certificate when the
client does not specify an SNI. The default certificate the top-level
`public.crt` - i.e. `certs/public.crt`.
This approach has some consequences:
- It's the operator's responsibility to ensure that the top-level
`public.crt` does not disclose any information (i.e. hostnames)
that are not publicly visible. However, this was the case in the
past already.
- Any other `public.crt` - except for the top-level one - must not
contain any IP SAN. The reason for this restriction is that the
Manager cannot match a SNI to an IP b/c the SNI is the server host
name. The entire purpose of SNI is to indicate which host the client
tries to connect to when multiple hosts run on the same IP. So, a
client will not set the SNI to an IP.
If we would allow IP SANs in a lower-level `public.crt` a user would
expect that it is possible to connect to MinIO directly via IP address
and that the MinIO server would pick "the right" certificate. However,
the MinIO server cannot determine which certificate to serve, and
therefore always picks the "default" one. This may lead to all sorts
of confusing errors like:
"It works if I use `https:instance.minio.local` but not when I use
`https://10.0.2.1`.
These consequences/limitations should be pointed out / explained in our
docs in an appropriate way. However, the support for multiple
certificates should not have any impact on how deployment with a single
certificate function today.
Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
|
|
|
globalConfigTargetList, err = notify.GetNotificationTargets(GlobalContext, s, NewGatewayHTTPTransport(), false)
|
2019-12-21 22:35:50 -08:00
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize notification target(s): %w", err))
|
|
|
|
}
|
2020-03-21 22:10:13 -07:00
|
|
|
|
certs: refactor cert manager to support multiple certificates (#10207)
This commit refactors the certificate management implementation
in the `certs` package such that multiple certificates can be
specified at the same time. Therefore, the following layout of
the `certs/` directory is expected:
```
certs/
│
├─ public.crt
├─ private.key
├─ CAs/ // CAs directory is ignored
│ │
│ ...
│
├─ example.com/
│ │
│ ├─ public.crt
│ └─ private.key
└─ foobar.org/
│
├─ public.crt
└─ private.key
...
```
However, directory names like `example.com` are just for human
readability/organization and don't have any meaning w.r.t whether
a particular certificate is served or not. This decision is made based
on the SNI sent by the client and the SAN of the certificate.
***
The `Manager` will pick a certificate based on the client trying
to establish a TLS connection. In particular, it looks at the client
hello (i.e. SNI) to determine which host the client tries to access.
If the manager can find a certificate that matches the SNI it
returns this certificate to the client.
However, the client may choose to not send an SNI or tries to access
a server directly via IP (`https://<ip>:<port>`). In this case, we
cannot use the SNI to determine which certificate to serve. However,
we also should not pick "the first" certificate that would be accepted
by the client (based on crypto. parameters - like a signature algorithm)
because it may be an internal certificate that contains internal hostnames.
We would disclose internal infrastructure details doing so.
Therefore, the `Manager` returns the "default" certificate when the
client does not specify an SNI. The default certificate the top-level
`public.crt` - i.e. `certs/public.crt`.
This approach has some consequences:
- It's the operator's responsibility to ensure that the top-level
`public.crt` does not disclose any information (i.e. hostnames)
that are not publicly visible. However, this was the case in the
past already.
- Any other `public.crt` - except for the top-level one - must not
contain any IP SAN. The reason for this restriction is that the
Manager cannot match a SNI to an IP b/c the SNI is the server host
name. The entire purpose of SNI is to indicate which host the client
tries to connect to when multiple hosts run on the same IP. So, a
client will not set the SNI to an IP.
If we would allow IP SANs in a lower-level `public.crt` a user would
expect that it is possible to connect to MinIO directly via IP address
and that the MinIO server would pick "the right" certificate. However,
the MinIO server cannot determine which certificate to serve, and
therefore always picks the "default" one. This may lead to all sorts
of confusing errors like:
"It works if I use `https:instance.minio.local` but not when I use
`https://10.0.2.1`.
These consequences/limitations should be pointed out / explained in our
docs in an appropriate way. However, the support for multiple
certificates should not have any impact on how deployment with a single
certificate function today.
Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
|
|
|
globalEnvTargetList, err = notify.GetNotificationTargets(GlobalContext, newServerConfig(), NewGatewayHTTPTransport(), true)
|
2020-03-14 00:01:15 -07:00
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize notification target(s): %w", err))
|
|
|
|
}
|
2020-12-04 09:32:35 -08:00
|
|
|
|
|
|
|
// Apply dynamic config values
|
2021-09-01 11:34:07 -07:00
|
|
|
if err := applyDynamicConfig(ctx, objAPI, s); err != nil {
|
|
|
|
if globalIsGateway {
|
|
|
|
logger.FatalIf(err, "Unable to initialize dynamic configuration")
|
|
|
|
} else {
|
|
|
|
logger.LogIf(ctx, err)
|
|
|
|
}
|
|
|
|
}
|
2020-12-04 09:32:35 -08:00
|
|
|
}
|
|
|
|
|
2022-02-23 00:29:28 +05:30
|
|
|
func applyDynamicConfigForSubSys(ctx context.Context, objAPI ObjectLayer, s config.Config, subSys string) error {
|
|
|
|
switch subSys {
|
|
|
|
case config.APISubSys:
|
|
|
|
apiConfig, err := api.LookupConfig(s[config.APISubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Invalid api configuration: %w", err))
|
2021-09-01 11:34:07 -07:00
|
|
|
}
|
2022-02-23 00:29:28 +05:30
|
|
|
var setDriveCounts []int
|
|
|
|
if objAPI != nil {
|
|
|
|
setDriveCounts = objAPI.SetDriveCounts()
|
|
|
|
}
|
|
|
|
globalAPIConfig.init(apiConfig, setDriveCounts)
|
|
|
|
case config.CompressionSubSys:
|
|
|
|
cmpCfg, err := compress.LookupConfig(s[config.CompressionSubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to setup Compression: %w", err)
|
|
|
|
}
|
|
|
|
// Validate if the object layer supports compression.
|
|
|
|
if objAPI != nil {
|
|
|
|
if cmpCfg.Enabled && !objAPI.IsCompressionSupported() {
|
|
|
|
return fmt.Errorf("Backend does not support compression")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
globalCompressConfigMu.Lock()
|
|
|
|
globalCompressConfig = cmpCfg
|
|
|
|
globalCompressConfigMu.Unlock()
|
|
|
|
case config.HealSubSys:
|
|
|
|
healCfg, err := heal.LookupConfig(s[config.HealSubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to apply heal config: %w", err)
|
|
|
|
}
|
|
|
|
globalHealConfig.Update(healCfg)
|
|
|
|
case config.ScannerSubSys:
|
|
|
|
scannerCfg, err := scanner.LookupConfig(s[config.ScannerSubSys][config.Default])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to apply scanner config: %w", err)
|
|
|
|
}
|
|
|
|
// update dynamic scanner values.
|
|
|
|
scannerCycle.Update(scannerCfg.Cycle)
|
|
|
|
logger.LogIf(ctx, scannerSleeper.Update(scannerCfg.Delay, scannerCfg.MaxWait))
|
|
|
|
case config.LoggerWebhookSubSys:
|
2022-02-24 22:35:33 +05:30
|
|
|
loggerCfg, err := logger.LookupConfigForSubSys(s, config.LoggerWebhookSubSys)
|
2022-02-23 00:29:28 +05:30
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to load logger webhook config: %w", err))
|
|
|
|
}
|
|
|
|
userAgent := getUserAgent(getMinioMode())
|
|
|
|
for n, l := range loggerCfg.HTTP {
|
|
|
|
if l.Enabled {
|
2022-05-12 07:20:58 -07:00
|
|
|
l.LogOnce = logger.LogOnceConsoleIf
|
2022-02-23 00:29:28 +05:30
|
|
|
l.UserAgent = userAgent
|
|
|
|
l.Transport = NewGatewayHTTPTransportWithClientCerts(l.ClientCert, l.ClientKey)
|
|
|
|
loggerCfg.HTTP[n] = l
|
|
|
|
}
|
|
|
|
}
|
2022-02-24 22:35:33 +05:30
|
|
|
err = logger.UpdateSystemTargets(loggerCfg)
|
2022-02-23 00:29:28 +05:30
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to update logger webhook config: %w", err))
|
2022-02-18 00:41:15 +05:30
|
|
|
}
|
2022-02-24 22:35:33 +05:30
|
|
|
case config.AuditWebhookSubSys:
|
|
|
|
loggerCfg, err := logger.LookupConfigForSubSys(s, config.AuditWebhookSubSys)
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to load audit webhook config: %w", err))
|
|
|
|
}
|
|
|
|
userAgent := getUserAgent(getMinioMode())
|
|
|
|
for n, l := range loggerCfg.AuditWebhook {
|
|
|
|
if l.Enabled {
|
2022-05-12 07:20:58 -07:00
|
|
|
l.LogOnce = logger.LogOnceConsoleIf
|
2022-02-24 22:35:33 +05:30
|
|
|
l.UserAgent = userAgent
|
|
|
|
l.Transport = NewGatewayHTTPTransportWithClientCerts(l.ClientCert, l.ClientKey)
|
|
|
|
loggerCfg.AuditWebhook[n] = l
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
err = logger.UpdateAuditWebhookTargets(loggerCfg)
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to update audit webhook targets: %w", err))
|
|
|
|
}
|
|
|
|
case config.AuditKafkaSubSys:
|
|
|
|
loggerCfg, err := logger.LookupConfigForSubSys(s, config.AuditKafkaSubSys)
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to load audit kafka config: %w", err))
|
|
|
|
}
|
|
|
|
for n, l := range loggerCfg.AuditKafka {
|
|
|
|
if l.Enabled {
|
|
|
|
l.LogOnce = logger.LogOnceIf
|
|
|
|
loggerCfg.AuditKafka[n] = l
|
|
|
|
}
|
|
|
|
}
|
|
|
|
err = logger.UpdateAuditKafkaTargets(loggerCfg)
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to update audit kafka targets: %w", err))
|
|
|
|
}
|
2022-04-21 12:07:33 -07:00
|
|
|
case config.StorageClassSubSys:
|
|
|
|
if globalIsErasure && objAPI != nil {
|
|
|
|
setDriveCounts := objAPI.SetDriveCounts()
|
|
|
|
for i, setDriveCount := range setDriveCounts {
|
|
|
|
sc, err := storageclass.LookupConfig(s[config.StorageClassSubSys][config.Default], setDriveCount)
|
|
|
|
if err != nil {
|
|
|
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize storage class config: %w", err))
|
|
|
|
break
|
|
|
|
}
|
|
|
|
// if we validated all setDriveCounts and it was successful
|
|
|
|
// proceed to store the correct storage class globally.
|
|
|
|
if i == len(setDriveCounts)-1 {
|
|
|
|
globalStorageClass.Update(sc)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2022-02-18 00:41:15 +05:30
|
|
|
}
|
2020-12-04 09:32:35 -08:00
|
|
|
globalServerConfigMu.Lock()
|
|
|
|
defer globalServerConfigMu.Unlock()
|
|
|
|
if globalServerConfig != nil {
|
2022-02-23 00:29:28 +05:30
|
|
|
globalServerConfig[subSys] = s[subSys]
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// applyDynamicConfig will apply dynamic config values.
|
|
|
|
// Dynamic systems should be in config.SubSystemsDynamic as well.
|
|
|
|
func applyDynamicConfig(ctx context.Context, objAPI ObjectLayer, s config.Config) error {
|
|
|
|
for subSys := range config.SubSystemsDynamic {
|
|
|
|
err := applyDynamicConfigForSubSys(ctx, objAPI, s, subSys)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2020-12-04 09:32:35 -08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
2017-03-31 10:56:24 +05:30
|
|
|
}
|
|
|
|
|
2019-11-19 13:48:13 -08:00
|
|
|
// Help - return sub-system level help
|
|
|
|
type Help struct {
|
|
|
|
SubSys string `json:"subSys"`
|
|
|
|
Description string `json:"description"`
|
|
|
|
MultipleTargets bool `json:"multipleTargets"`
|
|
|
|
KeysHelp config.HelpKVS `json:"keysHelp"`
|
|
|
|
}
|
|
|
|
|
2019-10-22 22:59:13 -07:00
|
|
|
// GetHelp - returns help for sub-sys, a key for a sub-system or all the help.
|
2019-11-19 13:48:13 -08:00
|
|
|
func GetHelp(subSys, key string, envOnly bool) (Help, error) {
|
2019-10-22 22:59:13 -07:00
|
|
|
if len(subSys) == 0 {
|
2019-11-27 09:36:08 -08:00
|
|
|
return Help{KeysHelp: config.HelpSubSysMap[subSys]}, nil
|
2018-09-06 17:03:18 +02:00
|
|
|
}
|
2019-10-30 00:04:39 -07:00
|
|
|
subSystemValue := strings.SplitN(subSys, config.SubSystemSeparator, 2)
|
|
|
|
if len(subSystemValue) == 0 {
|
2019-12-14 17:27:57 -08:00
|
|
|
return Help{}, config.Errorf("invalid number of arguments %s", subSys)
|
2019-10-30 00:04:39 -07:00
|
|
|
}
|
|
|
|
|
2019-11-27 09:36:08 -08:00
|
|
|
subSys = subSystemValue[0]
|
|
|
|
|
|
|
|
subSysHelp, ok := config.HelpSubSysMap[""].Lookup(subSys)
|
|
|
|
if !ok {
|
2021-11-25 13:06:25 -08:00
|
|
|
subSysHelp, ok = config.HelpDeprecatedSubSysMap[subSys]
|
|
|
|
if !ok {
|
|
|
|
return Help{}, config.Errorf("unknown sub-system %s", subSys)
|
|
|
|
}
|
2018-09-06 17:03:18 +02:00
|
|
|
}
|
2019-10-30 00:04:39 -07:00
|
|
|
|
2019-11-27 09:36:08 -08:00
|
|
|
h, ok := config.HelpSubSysMap[subSys]
|
|
|
|
if !ok {
|
2019-12-14 17:27:57 -08:00
|
|
|
return Help{}, config.Errorf("unknown sub-system %s", subSys)
|
2019-11-27 09:36:08 -08:00
|
|
|
}
|
2019-10-22 22:59:13 -07:00
|
|
|
if key != "" {
|
2019-11-19 13:48:13 -08:00
|
|
|
value, ok := h.Lookup(key)
|
2019-10-22 22:59:13 -07:00
|
|
|
if !ok {
|
2019-12-14 17:27:57 -08:00
|
|
|
return Help{}, config.Errorf("unknown key %s for sub-system %s",
|
|
|
|
key, subSys)
|
2019-10-30 00:04:39 -07:00
|
|
|
}
|
2019-11-19 13:48:13 -08:00
|
|
|
h = config.HelpKVS{value}
|
2018-11-07 19:23:13 +01:00
|
|
|
}
|
|
|
|
|
2019-11-19 13:48:13 -08:00
|
|
|
envHelp := config.HelpKVS{}
|
2019-10-30 00:04:39 -07:00
|
|
|
if envOnly {
|
2020-01-20 16:48:19 -08:00
|
|
|
// Only for multiple targets, make sure
|
|
|
|
// to list the ENV, for regular k/v EnableKey is
|
|
|
|
// implicit, for ENVs we cannot make it implicit.
|
|
|
|
if subSysHelp.MultipleTargets {
|
2021-11-16 09:28:29 -08:00
|
|
|
envK := config.EnvPrefix + strings.ToTitle(subSys) + config.EnvWordDelimiter + strings.ToTitle(madmin.EnableKey)
|
2020-01-20 16:48:19 -08:00
|
|
|
envHelp = append(envHelp, config.HelpKV{
|
|
|
|
Key: envK,
|
|
|
|
Description: fmt.Sprintf("enable %s target, default is 'off'", subSys),
|
|
|
|
Optional: false,
|
|
|
|
Type: "on|off",
|
|
|
|
})
|
|
|
|
}
|
2019-11-19 13:48:13 -08:00
|
|
|
for _, hkv := range h {
|
2021-11-16 09:28:29 -08:00
|
|
|
envK := config.EnvPrefix + strings.ToTitle(subSys) + config.EnvWordDelimiter + strings.ToTitle(hkv.Key)
|
2019-11-19 13:48:13 -08:00
|
|
|
envHelp = append(envHelp, config.HelpKV{
|
|
|
|
Key: envK,
|
|
|
|
Description: hkv.Description,
|
|
|
|
Optional: hkv.Optional,
|
|
|
|
Type: hkv.Type,
|
|
|
|
})
|
2019-10-30 00:04:39 -07:00
|
|
|
}
|
2019-11-19 13:48:13 -08:00
|
|
|
h = envHelp
|
|
|
|
}
|
|
|
|
|
|
|
|
return Help{
|
|
|
|
SubSys: subSys,
|
|
|
|
Description: subSysHelp.Description,
|
|
|
|
MultipleTargets: subSysHelp.MultipleTargets,
|
|
|
|
KeysHelp: h,
|
|
|
|
}, nil
|
2019-10-22 22:59:13 -07:00
|
|
|
}
|
2018-09-06 17:03:18 +02:00
|
|
|
|
2019-10-22 22:59:13 -07:00
|
|
|
func newServerConfig() config.Config {
|
2019-11-13 17:38:05 -08:00
|
|
|
return config.New()
|
2017-03-01 18:17:04 +01:00
|
|
|
}
|
|
|
|
|
2018-10-09 14:00:01 -07:00
|
|
|
// newSrvConfig - initialize a new server config, saves env parameters if
|
2018-08-14 21:41:47 -07:00
|
|
|
// found, otherwise use default parameters
|
2018-10-09 14:00:01 -07:00
|
|
|
func newSrvConfig(objAPI ObjectLayer) error {
|
2018-08-14 21:41:47 -07:00
|
|
|
// Initialize server config.
|
|
|
|
srvCfg := newServerConfig()
|
|
|
|
|
2017-02-07 12:51:43 -08:00
|
|
|
// hold the mutex lock before a new config is assigned.
|
2017-11-29 13:12:47 -08:00
|
|
|
globalServerConfigMu.Lock()
|
|
|
|
globalServerConfig = srvCfg
|
|
|
|
globalServerConfigMu.Unlock()
|
2017-02-07 12:51:43 -08:00
|
|
|
|
|
|
|
// Save config into file.
|
2020-04-09 09:30:02 -07:00
|
|
|
return saveServerConfig(GlobalContext, objAPI, globalServerConfig)
|
2017-02-07 12:51:43 -08:00
|
|
|
}
|
|
|
|
|
2019-10-22 22:59:13 -07:00
|
|
|
func getValidConfig(objAPI ObjectLayer) (config.Config, error) {
|
2020-04-09 09:30:02 -07:00
|
|
|
return readServerConfig(GlobalContext, objAPI)
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
}
|
|
|
|
|
2019-10-30 00:04:39 -07:00
|
|
|
// loadConfig - loads a new config from disk, overrides params
|
|
|
|
// from env if found and valid
|
2020-12-01 11:59:03 -08:00
|
|
|
func loadConfig(objAPI ObjectLayer) error {
|
|
|
|
srvCfg, err := getValidConfig(objAPI)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2017-03-16 11:06:17 -07:00
|
|
|
}
|
2016-12-07 17:11:54 +05:30
|
|
|
|
2018-08-14 21:41:47 -07:00
|
|
|
// Override any values from ENVs.
|
2021-09-01 11:34:07 -07:00
|
|
|
lookupConfigs(srvCfg, objAPI)
|
2018-03-29 14:38:26 -07:00
|
|
|
|
2017-03-31 10:56:24 +05:30
|
|
|
// hold the mutex lock before a new config is assigned.
|
2017-11-29 13:12:47 -08:00
|
|
|
globalServerConfigMu.Lock()
|
|
|
|
globalServerConfig = srvCfg
|
|
|
|
globalServerConfigMu.Unlock()
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
|
2017-03-31 10:56:24 +05:30
|
|
|
return nil
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 15:27:10 -08:00
|
|
|
}
|