From 35cbe43b6df48927a1574829b13f9ed5d3af99d3 Mon Sep 17 00:00:00 2001 From: Anis Elleuch Date: Sun, 8 Aug 2021 20:51:48 +0100 Subject: [PATCH] Start gateway when KMS is enabled and encryption is unsupported (#12808) Before, the gateway will complain that it found KMS configured in the environment but the gateway mode does not support encryption. This commit will allow starting of the gateway but ensure that S3 operations with encryption headers will fail when the gateway doesn't support encryption. That way, the user can use etcd + KMS and have IAM data encrypted in the etcd store. Co-authored-by: Anis Elleuch --- cmd/common-main.go | 5 --- cmd/object-handlers.go | 74 ++++++++---------------------------------- 2 files changed, 14 insertions(+), 65 deletions(-)
diff --git a/cmd/common-main.go b/cmd/common-main.go
index 952f31165..55a8aa8cf 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -215,11 +215,6 @@ func initConsoleServer() (*restapi.Server, error) {
 }
 func verifyObjectLayerFeatures(name string, objAPI ObjectLayer) {
- if (GlobalKMS != nil) && !objAPI.IsEncryptionSupported() {
- logger.Fatal(errInvalidArgument,
- "Encryption support is requested but '%s' does not support encryption", name)
- }
-
 if strings.HasPrefix(name, "gateway") {
 if GlobalGatewaySSE.IsSet() && GlobalKMS == nil {
 uiErr := config.ErrInvalidGWSSEEnvValue(nil).Msg("MINIO_GATEWAY_SSE set but KMS is not configured")
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index b64e64c95..d349c3df8 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -900,18 +900,9 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
 return
 }
- if _, ok := crypto.IsRequested(r.Header); ok {
- if globalIsGateway {
- if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- } else {
- if !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- }
+ if _, ok := crypto.IsRequested(r.Header); ok && !objectAPI.IsEncryptionSupported() {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
+ return
 }
 vars := mux.Vars(r)
@@ -1455,18 +1446,9 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
 return
 }
- if _, ok := crypto.IsRequested(r.Header); ok {
- if globalIsGateway {
- if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- } else {
- if !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- }
+ if _, ok := crypto.IsRequested(r.Header); ok && !objectAPI.IsEncryptionSupported() {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
+ return
 }
 vars := mux.Vars(r)
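Review bot: With the startup `logger.Fatal` in verifyObjectLayerFeatures gone, this header check is the only visible thing stopping an encryption request from being served by a backend that cannot encrypt, and it is pasted five times (CopyObjectHandler here, then PutObjectHandler, PutObjectExtractHandler, NewMultipartUploadHandler and PutObjectPartHandler). A single helper would keep the copies from drifting — the PutObjectPartHandler copy already differs from the other four — for example a function returning bool used as `if rejectUnsupportedSSE(ctx, w, r, objectAPI) { return }` (the name is a suggestion). It also deserves a comment such as `// KMS may be configured only for IAM/etcd; reject SSE requests the backend cannot honour.` The guard looks at request headers only, so any path that enables encryption without an SSE header would not be caught here; whether such a path exists for gateways is not visible in this diff. All five handler bodies start and end outside their hunks.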
@@ -1791,18 +1773,9 @@ func (api objectAPIHandlers) PutObjectExtractHandler(w http.ResponseWriter, r *h
 return
 }
- if _, ok := crypto.IsRequested(r.Header); ok {
- if globalIsGateway {
- if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- } else {
- if !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- }
+ if _, ok := crypto.IsRequested(r.Header); ok && !objectAPI.IsEncryptionSupported() {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
+ return
 }
 vars := mux.Vars(r)
@@ -2077,18 +2050,9 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
 return
 }
- if _, ok := crypto.IsRequested(r.Header); ok {
- if globalIsGateway {
- if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- } else {
- if !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- }
+ if _, ok := crypto.IsRequested(r.Header); ok && !objectAPI.IsEncryptionSupported() {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
+ return
 }
 vars := mux.Vars(r)
@@ -2528,18 +2492,8 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
 return
 }
- if _, ok := crypto.IsRequested(r.Header); ok {
- if globalIsGateway {
- if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- } else {
- if !objectAPI.IsEncryptionSupported() {
- writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
- return
- }
- }
+ if _, ok := crypto.IsRequested(r.Header); ok && !objectAPI.IsEncryptionSupported() {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
 }
 vars := mux.Vars(r)
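Review bot: The rewritten guard in PutObjectPartHandler has no `return` after `writeErrorResponse(...)`, unlike the other four handlers changed in this file, so after sending ErrNotImplemented the handler falls through to `vars := mux.Vars(r)` and keeps processing the part upload. The hunk header agrees (`+2492,8` against a new-side count of 9 in the other hunks), so the omission is in the patch itself and not an extraction artifact. The rest of the handler is outside the hunk, so the exact effect is inferred, but the likely outcome is a part stored without the encryption the client asked for, plus a second response written for the same request. Add `return` on the line after `writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)`.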