MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/cmd/jwt.go

200 lines
6.2 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
package cmd
import (
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
"context"
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
"errors"
"net/http"
"time"
move to jwt-go v4 with correct releases (#13586)
2021-11-05 15:20:08 -04:00
jwtgo "github.com/golang-jwt/jwt/v4"
jwtreq "github.com/golang-jwt/jwt/v4/request"
Reduce JWT overhead for internode tokens (#13738) Since JWT tokens remain valid for up to 15 minutes, we don't have to regenerate tokens for every call. Cache tokens for matching access+secret+audience for up to 15 seconds. ``` BenchmarkAuthenticateNode/uncached-32 270567 4179 ns/op 2961 B/op 33 allocs/op BenchmarkAuthenticateNode/cached-32 7684824 157.5 ns/op 48 B/op 1 allocs/op ``` Reduces internode call allocations a great deal.
2021-11-23 12:51:53 -05:00
lru "github.com/hashicorp/golang-lru"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/auth"
xjwt "github.com/minio/minio/internal/jwt"
"github.com/minio/minio/internal/logger"
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
iampolicy "github.com/minio/pkg/iam/policy"
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
)
const (
jwtAlgorithm = "Bearer"
// Default JWT token for web handlers is one day.
defaultJWTExpiry = 24 * time.Hour
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-30 21:59:22 -05:00
// Inter-node JWT token expiry is 15 minutes.
defaultInterNodeJWTExpiry = 15 * time.Minute
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 15:46:37 -04:00
// URL JWT token expiry is one minute (might be exposed).
defaultURLJWTExpiry = time.Minute
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
)
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 15:51:43 -05:00
var (
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
errAuthentication = errors.New("Authentication failed, check your access credentials")
errNoAuthToken = errors.New("JWT token missing")
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 15:51:43 -05:00
)
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
func authenticateJWTUsers(accessKey, secretKey string, expiry time.Duration) (string, error) {
passedCredential, err := auth.CreateCredentials(accessKey, secretKey)
if err != nil {
return "", err
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
expiresAt := UTCNow().Add(expiry)
return authenticateJWTUsersWithCredentials(passedCredential, expiresAt)
}
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
func authenticateJWTUsersWithCredentials(credentials auth.Credentials, expiresAt time.Time) (string, error) {
serverCred := globalActiveCred
if serverCred.AccessKey != credentials.AccessKey {
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-01 16:19:13 -04:00
u, ok := globalIAMSys.GetUser(context.TODO(), credentials.AccessKey)
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
if !ok {
return "", errInvalidAccessKeyID
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-01 16:19:13 -04:00
serverCred = u.Credentials
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if !serverCred.Equal(credentials) {
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
return "", errAuthentication
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-30 21:59:22 -05:00
claims := xjwt.NewMapClaims()
claims.SetExpiry(expiresAt)
claims.SetAccessKey(credentials.AccessKey)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
return jwt.SignedString([]byte(serverCred.SecretKey))
}
Reduce JWT overhead for internode tokens (#13738) Since JWT tokens remain valid for up to 15 minutes, we don't have to regenerate tokens for every call. Cache tokens for matching access+secret+audience for up to 15 seconds. ``` BenchmarkAuthenticateNode/uncached-32 270567 4179 ns/op 2961 B/op 33 allocs/op BenchmarkAuthenticateNode/cached-32 7684824 157.5 ns/op 48 B/op 1 allocs/op ``` Reduces internode call allocations a great deal.
2021-11-23 12:51:53 -05:00
// cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.
func cachedAuthenticateNode(ttl time.Duration) func(accessKey, secretKey, audience string) (string, error) {
type key struct {
accessKey, secretKey, audience string
}
type value struct {
created time.Time
res string
err error
}
cache, err := lru.NewARC(100)
if err != nil {
logger.LogIf(GlobalContext, err)
return authenticateNode
}
return func(accessKey, secretKey, audience string) (string, error) {
k := key{accessKey: accessKey, secretKey: secretKey, audience: audience}
v, ok := cache.Get(k)
if ok {
if val, ok := v.(*value); ok && time.Since(val.created) < ttl {
return val.res, val.err
}
}
s, err := authenticateNode(accessKey, secretKey, audience)
cache.Add(k, &value{created: time.Now(), res: s, err: err})
return s, err
}
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-30 21:59:22 -05:00
func authenticateNode(accessKey, secretKey, audience string) (string, error) {
claims := xjwt.NewStandardClaims()
claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry))
claims.SetAccessKey(accessKey)
claims.SetAudience(audience)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-30 21:59:22 -05:00
return jwt.SignedString([]byte(secretKey))
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
}
func authenticateWeb(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
return authenticateJWTUsers(accessKey, secretKey, defaultJWTExpiry)
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
}
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 15:46:37 -04:00
func authenticateURL(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-16 21:44:58 -04:00
return authenticateJWTUsers(accessKey, secretKey, defaultURLJWTExpiry)
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 15:46:37 -04:00
}
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 16:26:42 -05:00
// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-14 12:09:22 -04:00
func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, bool, error) {
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-30 21:59:22 -05:00
token, err := jwtreq.AuthorizationHeaderExtractor.ExtractToken(req)
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
if err != nil {
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 16:26:42 -05:00
if err == jwtreq.ErrNoTokenInRequest {
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
return nil, nil, false, errNoAuthToken
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 16:26:42 -05:00
}
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
return nil, nil, false, err
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2017-09-19 15:37:56 -04:00
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-30 21:59:22 -05:00
claims := xjwt.NewMapClaims()
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
if err := xjwt.ParseWithClaims(token, claims, func(claims *xjwt.MapClaims) ([]byte, error) {
if claims.AccessKey == globalActiveCred.AccessKey {
return []byte(globalActiveCred.SecretKey), nil
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-01 16:19:13 -04:00
u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
if !ok {
return nil, errInvalidAccessKeyID
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-01 16:19:13 -04:00
cred := u.Credentials
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
return []byte(cred.SecretKey), nil
}); err != nil {
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
return claims, nil, false, errAuthentication
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 16:26:42 -05:00
}
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
owner := true
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
var groups []string
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
if globalActiveCred.AccessKey != claims.AccessKey {
// Check if the access key is part of users credentials.
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-01 16:19:13 -04:00
u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
if !ok {
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
return nil, nil, false, errInvalidAccessKeyID
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
}
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
2022-07-01 16:19:13 -04:00
ucred := u.Credentials
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
// get embedded claims
eclaims, s3Err := checkClaimsFromToken(req, ucred)
if s3Err != ErrNone {
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
return nil, nil, false, errAuthentication
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
}
for k, v := range eclaims {
claims.MapClaims[k] = v
}
// Now check if we have a sessionPolicy.
if _, ok = eclaims[iampolicy.SessionPolicyName]; ok {
owner = false
} else {
owner = globalActiveCred.AccessKey == ucred.ParentUser
}
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
groups = ucred.Groups
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-20 14:32:01 -04:00
}
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
2022-01-27 00:53:36 -05:00
return claims, groups, owner, nil
Have simpler JWT authentication. (#3501)
2016-12-27 11:28:10 -05:00
}
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
2018-06-06 04:51:56 -04:00
Reduce JWT overhead for internode tokens (#13738) Since JWT tokens remain valid for up to 15 minutes, we don't have to regenerate tokens for every call. Cache tokens for matching access+secret+audience for up to 15 seconds. ``` BenchmarkAuthenticateNode/uncached-32 270567 4179 ns/op 2961 B/op 33 allocs/op BenchmarkAuthenticateNode/cached-32 7684824 157.5 ns/op 48 B/op 1 allocs/op ``` Reduces internode call allocations a great deal.
2021-11-23 12:51:53 -05:00
// newCachedAuthToken returns a token that is cached up to 15 seconds.
// If globalActiveCred is updated it is reflected at once.
func newCachedAuthToken() func(audience string) string {
fn := cachedAuthenticateNode(15 * time.Second)
return func(audience string) string {
cred := globalActiveCred
token, err := fn(cred.AccessKey, cred.SecretKey, audience)
logger.CriticalIf(GlobalContext, err)
return token
}
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
2018-06-06 04:51:56 -04:00
}