MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-10 14:09:48 -05:00
Code Issues Packages Projects Releases Wiki Activity

Introduce STS client grants API and OPA policy integration (#6168)

Browse Source 
This PR introduces two new features

- AWS STS compatible STS API named AssumeRoleWithClientGrants

```
POST /?Action=AssumeRoleWithClientGrants&Token=<jwt>
```

This API endpoint returns temporary access credentials, access
tokens signature types supported by this API

  - RSA keys
  - ECDSA keys

Fetches the required public key from the JWKS endpoints, provides
them as rsa or ecdsa public keys.

- External policy engine support, in this case OPA policy engine

- Credentials are stored on disks
This commit is contained in:
Harshavardhana
2018-10-09 14:00:01 -07:00
committed by kannappanr
parent 16a100b597
commit 54ae364def
76 changed files with 7249 additions and 713 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
pkg/madmin/API.md
View File

@@ -36,10 +36,10 @@ func main() {
```
| Service operations | Info operations | Healing operations | Config operations | Misc |
|:----------------------------|:----------------------------|:--------------------------------------|:--------------------------|:------------------------------------|
| [`ServiceStatus`](#ServiceStatus) | [`ServerInfo`](#ServerInfo) | [`Heal`](#Heal) | [`GetConfig`](#GetConfig) | [`SetCredentials`](#SetCredentials) |
| [`ServiceSendAction`](#ServiceSendAction) | | | [`SetConfig`](#SetConfig) | [`StartProfiling`](#StartProfiling) |
| Service operations | Info operations | Healing operations | Config operations | IAM operations | Misc |
|:----------------------------|:----------------------------|:--------------------------------------|:--------------------------|:------------------------------------|:------------------------------------|
| [`ServiceStatus`](#ServiceStatus) | [`ServerInfo`](#ServerInfo) | [`Heal`](#Heal) | [`GetConfig`](#GetConfig) | [`AddUser()`](#AddUser) | [`SetAdminCredentials`](#SetAdminCredentials) |
| [`ServiceSendAction`](#ServiceSendAction) | | | [`SetConfig`](#SetConfig) | [`AddUserPolicy`](#AddUserPolicy) | [`StartProfiling`](#StartProfiling) |
| | | | [`GetConfigKeys`](#GetConfigKeys) | [`DownloadProfilingData`](#DownloadProfilingData) |
| | | | [`SetConfigKeys`](#SetConfigKeys) | |
@@ -273,7 +273,7 @@ __Example__
<a name="GetConfig"></a>
### GetConfig() ([]byte, error)
Get config.json of a minio setup.
Get current `config.json` of a Minio server.
__Example__
@@ -295,37 +295,17 @@ __Example__
<a name="SetConfig"></a>
### SetConfig(config io.Reader) (SetConfigResult, error)
Set config.json of a minio setup and restart setup for configuration
change to take effect.
| Param | Type | Description |
|---|---|---|
|`st.Status` | _bool_ | true if set-config succeeded, false otherwise. |
|`st.NodeSummary.Name` | _string_ | Network address of the node. |
|`st.NodeSummary.ErrSet` | _bool_ | Bool representation indicating if an error is encountered with the node.|
|`st.NodeSummary.ErrMsg` | _string_ | String representation of the error (if any) on the node.|
### SetConfig(config io.Reader) error
Set a new `config.json` for a Minio server.
__Example__
``` go
config := bytes.NewReader([]byte(`config.json contents go here`))
result, err := madmClnt.SetConfig(config)
if err != nil {
if err := madmClnt.SetConfig(config); err != nil {
log.Fatalf("failed due to: %v", err)
}
var buf bytes.Buffer
enc := json.NewEncoder(&buf)
enc.SetEscapeHTML(false)
enc.SetIndent("", "\t")
err = enc.Encode(result)
if err != nil {
log.Fatalln(err)
}
log.Println("SetConfig: ", string(buf.Bytes()))
log.Println("SetConfig was successful")
```
<a name="GetConfigKeys"></a>
@@ -367,18 +347,44 @@ __Example__
log.Println("New configuration successfully set")
```
## 8. IAM operations
<a name="AddUser"></a>
### AddUser(user string, secret string) error
Add a new user on a Minio server.
## 8. Misc operations
__Example__
<a name="SetCredentials"></a>
### SetCredentials() error
``` go
if err = madmClnt.AddUser("newuser", "newstrongpassword"); err != nil {
log.Fatalln(err)
}
```
<a name="AddUserPolicy"></a>
### AddUserPolicy(user string, policy string) error
Set a new policy for a given user on Minio server.
__Example__
``` go
policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::my-bucketname/*"],"Sid": ""}]}`
if err = madmClnt.AddUserPolicy("newuser", policy); err != nil {
log.Fatalln(err)
}
```
## 9. Misc operations
<a name="SetAdminCredentials"></a>
### SetAdminCredentials() error
Set new credentials of a Minio setup.
__Example__
``` go
err = madmClnt.SetCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY")
err = madmClnt.SetAdminCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY")
if err != nil {
log.Fatalln(err)
}

55
pkg/madmin/config-commands.go
View File

@@ -19,61 +19,16 @@ package madmin
import (
"bytes"
"crypto/rand"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
"github.com/minio/minio/pkg/quick"
"github.com/minio/sio"
"golang.org/x/crypto/argon2"
)
// EncryptServerConfigData - encrypts server config data.
func EncryptServerConfigData(password string, data []byte) ([]byte, error) {
salt := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, salt); err != nil {
return nil, err
}
// derive an encryption key from the master key and the nonce
var key [32]byte
copy(key[:], argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32))
encrypted, err := sio.EncryptReader(bytes.NewReader(data), sio.Config{
Key: key[:]},
)
if err != nil {
return nil, err
}
edata, err := ioutil.ReadAll(encrypted)
return append(salt, edata...), err
}
// DecryptServerConfigData - decrypts server config data.
func DecryptServerConfigData(password string, data io.Reader) ([]byte, error) {
salt := make([]byte, 32)
if _, err := io.ReadFull(data, salt); err != nil {
return nil, err
}
// derive an encryption key from the master key and the nonce
var key [32]byte
copy(key[:], argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32))
decrypted, err := sio.DecryptReader(data, sio.Config{
Key: key[:]},
)
if err != nil {
return nil, err
}
return ioutil.ReadAll(decrypted)
}
// GetConfig - returns the config.json of a minio setup, incoming data is encrypted.
func (adm *AdminClient) GetConfig() ([]byte, error) {
// Execute GET on /minio/admin/v1/config to get config of a setup.
@@ -89,7 +44,7 @@ func (adm *AdminClient) GetConfig() ([]byte, error) {
}
defer closeResponse(resp)
return DecryptServerConfigData(adm.secretAccessKey, resp.Body)
return DecryptData(adm.secretAccessKey, resp.Body)
}
// GetConfigKeys - returns partial json or json value from config.json of a minio setup.
@@ -114,7 +69,7 @@ func (adm *AdminClient) GetConfigKeys(keys []string) ([]byte, error) {
return nil, httpRespToErrorResponse(resp)
}
return DecryptServerConfigData(adm.secretAccessKey, resp.Body)
return DecryptData(adm.secretAccessKey, resp.Body)
}
// SetConfig - set config supplied as config.json for the setup.
@@ -125,7 +80,7 @@ func (adm *AdminClient) SetConfig(config io.Reader) (err error) {
configBuf := make([]byte, maxConfigJSONSize+1)
n, err := io.ReadFull(config, configBuf)
if err == nil {
return fmt.Errorf("too large file")
return bytes.ErrTooLarge
}
if err != io.ErrUnexpectedEOF {
return err
@@ -151,7 +106,7 @@ func (adm *AdminClient) SetConfig(config io.Reader) (err error) {
return errors.New("Duplicate key in json file: " + err.Error())
}
econfigBytes, err := EncryptServerConfigData(adm.secretAccessKey, configBytes)
econfigBytes, err := EncryptData(adm.secretAccessKey, configBytes)
if err != nil {
return err
}
@@ -180,7 +135,7 @@ func (adm *AdminClient) SetConfig(config io.Reader) (err error) {
func (adm *AdminClient) SetConfigKeys(params map[string]string) error {
queryVals := make(url.Values)
for k, v := range params {
encryptedVal, err := EncryptServerConfigData(adm.secretAccessKey, []byte(v))
encryptedVal, err := EncryptData(adm.secretAccessKey, []byte(v))
if err != nil {
return err
}

68
pkg/madmin/encrypt.go Normal file
View File

@@ -0,0 +1,68 @@
/*
* Minio Cloud Storage, (C) 2018 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package madmin
import (
"bytes"
"crypto/rand"
"io"
"io/ioutil"
"github.com/minio/sio"
"golang.org/x/crypto/argon2"
)
// EncryptData - encrypts server config data.
func EncryptData(password string, data []byte) ([]byte, error) {
salt := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, salt); err != nil {
return nil, err
}
// derive an encryption key from the master key and the nonce
var key [32]byte
copy(key[:], argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32))
encrypted, err := sio.EncryptReader(bytes.NewReader(data), sio.Config{
Key: key[:]},
)
if err != nil {
return nil, err
}
edata, err := ioutil.ReadAll(encrypted)
return append(salt, edata...), err
}
// DecryptData - decrypts server config data.
func DecryptData(password string, data io.Reader) ([]byte, error) {
salt := make([]byte, 32)
if _, err := io.ReadFull(data, salt); err != nil {
return nil, err
}
// derive an encryption key from the master key and the nonce
var key [32]byte
copy(key[:], argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32))
decrypted, err := sio.DecryptReader(data, sio.Config{
Key: key[:]},
)
if err != nil {
return nil, err
}
return ioutil.ReadAll(decrypted)
}

52
pkg/madmin/examples/add-user-and-policy.go Normal file
View File

@@ -0,0 +1,52 @@
// +build ignore
/*
* Minio Cloud Storage, (C) 2017 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package main
import (
"log"
"github.com/minio/minio/pkg/madmin"
)
func main() {
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
// dummy values, please replace them with original values.
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY are
// dummy values, please replace them with original values.
// API requests are secure (HTTPS) if secure=true and insecure (HTTPS) otherwise.
// New returns an Minio Admin client object.
madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
if err != nil {
log.Fatalln(err)
}
if err = madmClnt.AddUser("newuser", "newstrongpassword"); err != nil {
log.Fatalln(err)
}
// Create policy
policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::my-bucketname/*"],"Sid": ""}]}`
if err = madmClnt.AddUserPolicy("newuser", policy); err != nil {
log.Fatalln(err)
}
}

2
pkg/madmin/examples/set-credentials.go
View File

@@ -36,7 +36,7 @@ func main() {
log.Fatalln(err)
}
err = madmClnt.SetCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY")
err = madmClnt.SetAdminCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY")
if err != nil {
log.Fatalln(err)
}

6
pkg/madmin/generic-commands.go
View File

@@ -28,16 +28,16 @@ type SetCredsReq struct {
SecretKey string `json:"secretKey"`
}
// SetCredentials - Call Set Credentials API to set new access and
// SetAdminCredentials - Call Set Credentials API to set new access and
// secret keys in the specified Minio server
func (adm *AdminClient) SetCredentials(access, secret string) error {
func (adm *AdminClient) SetAdminCredentials(access, secret string) error {
// Setup request's body
body, err := json.Marshal(SetCredsReq{access, secret})
if err != nil {
return err
}
ebody, err := EncryptServerConfigData(adm.secretAccessKey, body)
ebody, err := EncryptData(adm.secretAccessKey, body)
if err != nil {
return err
}

158
pkg/madmin/user-commands.go Normal file
View File

@@ -0,0 +1,158 @@
/*
* Minio Cloud Storage, (C) 2018 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package madmin
import (
"encoding/json"
"net/http"
"net/url"
)
// AccountStatus - account status.
type AccountStatus string
// Account status per user.
const (
AccountEnabled AccountStatus = "enabled"
AccountDisabled AccountStatus = "disabled"
)
// UserInfo carries information about long term users.
type UserInfo struct {
SecretKey string `json:"secretKey"`
Status AccountStatus `json:"status"`
}
// RemoveUser - remove a user.
func (adm *AdminClient) RemoveUser(accessKey string) error {
queryValues := url.Values{}
queryValues.Set("accessKey", accessKey)
reqData := requestData{
relPath: "/v1/remove-user",
queryValues: queryValues,
}
// Execute DELETE on /minio/admin/v1/remove-user to remove a user.
resp, err := adm.executeMethod("DELETE", reqData)
defer closeResponse(resp)
if err != nil {
return err
}
if resp.StatusCode != http.StatusOK {
return httpRespToErrorResponse(resp)
}
return nil
}
// SetUser - sets a user info.
func (adm *AdminClient) SetUser(accessKey, secretKey string, status AccountStatus) error {
data, err := json.Marshal(UserInfo{
SecretKey: secretKey,
Status: status,
})
if err != nil {
return err
}
econfigBytes, err := EncryptData(adm.secretAccessKey, data)
if err != nil {
return err
}
queryValues := url.Values{}
queryValues.Set("accessKey", accessKey)
reqData := requestData{
relPath: "/v1/add-user",
queryValues: queryValues,
content: econfigBytes,
}
// Execute PUT on /minio/admin/v1/add-user to set a user.
resp, err := adm.executeMethod("PUT", reqData)
defer closeResponse(resp)
if err != nil {
return err
}
if resp.StatusCode != http.StatusOK {
return httpRespToErrorResponse(resp)
}
return nil
}
// AddUser - adds a user.
func (adm *AdminClient) AddUser(accessKey, secretKey string) error {
return adm.SetUser(accessKey, secretKey, AccountEnabled)
}
// RemoveUserPolicy - remove a policy for a user.
func (adm *AdminClient) RemoveUserPolicy(accessKey string) error {
queryValues := url.Values{}
queryValues.Set("accessKey", accessKey)
reqData := requestData{
relPath: "/v1/remove-user-policy",
queryValues: queryValues,
}
// Execute DELETE on /minio/admin/v1/remove-user-policy to remove policy.
resp, err := adm.executeMethod("DELETE", reqData)
defer closeResponse(resp)
if err != nil {
return err
}
if resp.StatusCode != http.StatusOK {
return httpRespToErrorResponse(resp)
}
return nil
}
// AddUserPolicy - adds a policy for a user.
func (adm *AdminClient) AddUserPolicy(accessKey, policy string) error {
queryValues := url.Values{}
queryValues.Set("accessKey", accessKey)
reqData := requestData{
relPath: "/v1/add-user-policy",
queryValues: queryValues,
content: []byte(policy),
}
// Execute PUT on /minio/admin/v1/add-user-policy to set policy.
resp, err := adm.executeMethod("PUT", reqData)
defer closeResponse(resp)
if err != nil {
return err
}
if resp.StatusCode != http.StatusOK {
return httpRespToErrorResponse(resp)
}
return nil
}