fix: etcd IAM encryption fails due to incorrect kms.Context (#12431)

Due to incorrect KMS context constructed, we need to add
additional fallbacks and also fix the original root cause
to fix already migrated deployments.

Bonus remove double migration is avoided in gateway mode
for etcd, instead do it once in iam.Init(), also simplify
the migration by not migrating STS users instead let the
clients regenerate them.
This commit is contained in:
Harshavardhana 2021-06-04 11:15:13 -07:00 committed by GitHub
parent c0e41356f5
commit 36b2f6d11d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 50 additions and 90 deletions

View File

@ -69,14 +69,12 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
return err return err
} }
if encrypted { if encrypted && GlobalKMS != nil {
if GlobalKMS != nil {
stat, err := GlobalKMS.Stat() stat, err := GlobalKMS.Stat()
if err != nil { if err != nil {
return err return err
} }
logger.Info("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name) logger.Info("Attempting to re-encrypt IAM users and policies on etcd with %q (%s)", stat.DefaultKey, stat.Name)
}
} }
listCtx, cancel := context.WithTimeout(ctx, 1*time.Minute) listCtx, cancel := context.WithTimeout(ctx, 1*time.Minute)
@ -97,15 +95,26 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
} }
if !utf8.Valid(data) { if !utf8.Valid(data) {
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil { if err != nil {
return fmt.Errorf("Decrypting config failed %w, possibly credentials are incorrect", err) pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
})
if err != nil {
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: string(kv.Key),
})
if err != nil {
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
} }
} }
}
data = pdata
}
if GlobalKMS != nil { if GlobalKMS != nil {
data, err = config.EncryptBytes(GlobalKMS, data, kms.Context{ data, err = config.EncryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: string(kv.Key), minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
}) })
if err != nil { if err != nil {
return err return err
@ -117,10 +126,8 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
} }
} }
if encrypted { if encrypted && GlobalKMS != nil {
if GlobalKMS != nil { logger.Info("Migration of encrypted IAM config data completed. All data is now encrypted on etcd.")
logger.Info("Migration of encrypted config data completed. All config data is now encrypted.")
}
} }
return deleteKeyEtcd(ctx, client, backendEncryptedFile) return deleteKeyEtcd(ctx, client, backendEncryptedFile)
} }
@ -129,15 +136,13 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error {
if !encrypted { if !encrypted {
return nil return nil
} }
if encrypted { if encrypted && GlobalKMS != nil {
if GlobalKMS != nil {
stat, err := GlobalKMS.Stat() stat, err := GlobalKMS.Stat()
if err != nil { if err != nil {
return err return err
} }
logger.Info("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name) logger.Info("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name)
} }
}
var marker string var marker string
for { for {
@ -175,10 +180,8 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error {
} }
marker = res.NextMarker marker = res.NextMarker
} }
if encrypted { if encrypted && GlobalKMS != nil {
if GlobalKMS != nil {
logger.Info("Migration of encrypted config data completed. All config data is now encrypted.") logger.Info("Migration of encrypted config data completed. All config data is now encrypted.")
} }
}
return deleteConfig(GlobalContext, globalObjectAPI, backendEncryptedFile) return deleteConfig(GlobalContext, globalObjectAPI, backendEncryptedFile)
} }

View File

@ -317,14 +317,6 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system") logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
} }
if globalEtcdClient != nil {
// **** WARNING ****
// Migrating to encrypted backend on etcd should happen before initialization of
// IAM sub-systems, make sure that we do not move the above codeblock elsewhere.
logger.FatalIf(migrateIAMConfigsEtcdToEncrypted(GlobalContext, globalEtcdClient),
"Unable to handle encrypted backend for iam and policies")
}
if enableIAMOps { if enableIAMOps {
// Initialize users credentials and policies in background. // Initialize users credentials and policies in background.
globalIAMSys.InitStore(newObject) globalIAMSys.InitStore(newObject)

View File

@ -212,9 +212,6 @@ var (
globalActiveCred auth.Credentials globalActiveCred auth.Credentials
// Hold the old server credentials passed by the environment
globalOldCred auth.Credentials
globalPublicCerts []*x509.Certificate globalPublicCerts []*x509.Certificate
globalDomainNames []string // Root domains for virtual host style requests globalDomainNames []string // Root domains for virtual host style requests

View File

@ -20,14 +20,12 @@ package cmd
import ( import (
"context" "context"
"encoding/json" "encoding/json"
"errors"
"path" "path"
"strings" "strings"
"sync" "sync"
"time" "time"
"unicode/utf8" "unicode/utf8"
jwtgo "github.com/dgrijalva/jwt-go"
jsoniter "github.com/json-iterator/go" jsoniter "github.com/json-iterator/go"
"github.com/minio/minio-go/v7/pkg/set" "github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/auth"
@ -109,10 +107,17 @@ func getIAMConfig(item interface{}, data []byte, itemPath string) error {
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{ data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, itemPath), minioMetaBucket: path.Join(minioMetaBucket, itemPath),
}) })
if err != nil {
// This fallback is needed because of a bug, in kms.Context{}
// construction during migration.
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: itemPath,
})
if err != nil { if err != nil {
return err return err
} }
} }
}
var json = jsoniter.ConfigCompatibleWithStandardLibrary var json = jsoniter.ConfigCompatibleWithStandardLibrary
return json.Unmarshal(data, item) return json.Unmarshal(data, item)
} }
@ -129,12 +134,8 @@ func (ies *IAMEtcdStore) deleteIAMConfig(ctx context.Context, path string) error
return deleteKeyEtcd(ctx, ies.client, path) return deleteKeyEtcd(ctx, ies.client, path)
} }
func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool) error { func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context) error {
basePrefix := iamConfigUsersPrefix basePrefix := iamConfigUsersPrefix
if isSTS {
basePrefix = iamConfigSTSPrefix
}
ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout) ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
defer cancel() defer cancel()
r, err := ies.client.Get(ctx, basePrefix, etcd.WithPrefix(), etcd.WithKeysOnly()) r, err := ies.client.Get(ctx, basePrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
@ -162,9 +163,6 @@ func (ies *IAMEtcdStore) migrateUsersConfigToV1(ctx context.Context, isSTS bool)
// 2. copy policy to new loc. // 2. copy policy to new loc.
mp := newMappedPolicy(policyName) mp := newMappedPolicy(policyName)
userType := regularUser userType := regularUser
if isSTS {
userType = stsUser
}
path := getMappedPolicyPath(user, userType, false) path := getMappedPolicyPath(user, userType, false)
if err := ies.saveIAMConfig(ctx, mp, path); err != nil { if err := ies.saveIAMConfig(ctx, mp, path); err != nil {
return err return err
@ -220,34 +218,27 @@ func (ies *IAMEtcdStore) migrateToV1(ctx context.Context) error {
case errConfigNotFound: case errConfigNotFound:
// Need to migrate to V1. // Need to migrate to V1.
default: default:
// if IAM format
return err return err
} }
} else { }
if iamFmt.Version >= iamFormatVersion1 { if iamFmt.Version >= iamFormatVersion1 {
// Already migrated to V1 of higher! // Nothing to do.
return nil return nil
} }
// This case should not happen
// (i.e. Version is 0 or negative.)
return errors.New("got an invalid IAM format version")
} if err := ies.migrateUsersConfigToV1(ctx); err != nil {
// Migrate long-term users
if err := ies.migrateUsersConfigToV1(ctx, false); err != nil {
logger.LogIf(ctx, err) logger.LogIf(ctx, err)
return err return err
} }
// Migrate STS users
if err := ies.migrateUsersConfigToV1(ctx, true); err != nil { // Save iam format to version 1.
logger.LogIf(ctx, err)
return err
}
// Save iam version file.
if err := ies.saveIAMConfig(ctx, newIAMFormatVersion1(), path); err != nil { if err := ies.saveIAMConfig(ctx, newIAMFormatVersion1(), path); err != nil {
logger.LogIf(ctx, err) logger.LogIf(ctx, err)
return err return err
} }
return nil return nil
} }
@ -322,27 +313,6 @@ func (ies *IAMEtcdStore) addUser(ctx context.Context, user string, userType IAMU
deleteKeyEtcd(ctx, ies.client, getMappedPolicyPath(user, userType, false)) deleteKeyEtcd(ctx, ies.client, getMappedPolicyPath(user, userType, false))
return nil return nil
} }
// If this is a service account, rotate the session key if we are changing the server creds
if globalOldCred.IsValid() && u.Credentials.IsServiceAccount() {
if !globalOldCred.Equal(globalActiveCred) {
m := jwtgo.MapClaims{}
stsTokenCallback := func(t *jwtgo.Token) (interface{}, error) {
return []byte(globalOldCred.SecretKey), nil
}
if _, err := jwtgo.ParseWithClaims(u.Credentials.SessionToken, m, stsTokenCallback); err == nil {
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, m)
if token, err := jwt.SignedString([]byte(globalActiveCred.SecretKey)); err == nil {
u.Credentials.SessionToken = token
err := ies.saveIAMConfig(ctx, &u, getUserIdentityPath(user, userType))
if err != nil {
return err
}
}
}
}
}
if u.Credentials.AccessKey == "" { if u.Credentials.AccessKey == "" {
u.Credentials.AccessKey = user u.Credentials.AccessKey = user
} }

View File

@ -668,8 +668,6 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
break break
} }
// Invalidate the old cred always, even upon error to avoid any leakage.
globalOldCred = auth.Credentials{}
go sys.store.watch(ctx, sys) go sys.store.watch(ctx, sys)
logger.Info("IAM initialization complete") logger.Info("IAM initialization complete")

View File

@ -548,6 +548,9 @@ func serverMain(ctx *cli.Context) {
logger.LogIf(GlobalContext, err) logger.LogIf(GlobalContext, err)
} }
// Initialize users credentials and policies in background right after config has initialized.
go globalIAMSys.Init(GlobalContext, newObject)
initDataScanner(GlobalContext, newObject) initDataScanner(GlobalContext, newObject)
if globalIsErasure { // to be done after config init if globalIsErasure { // to be done after config init
@ -567,9 +570,6 @@ func serverMain(ctx *cli.Context) {
setCacheObjectLayer(cacheAPI) setCacheObjectLayer(cacheAPI)
} }
// Initialize users credentials and policies in background right after config has initialized.
go globalIAMSys.Init(GlobalContext, newObject)
// Prints the formatted startup message, if err is not nil then it prints additional information as well. // Prints the formatted startup message, if err is not nil then it prints additional information as well.
printStartupMessage(getAPIEndpoints(), err) printStartupMessage(getAPIEndpoints(), err)