mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
Set meaningful message from minio with env variable KMS_SECRET_KEY (#16584)
This commit is contained in:
parent
fd6622458b
commit
8bfe972bab
@ -28,6 +28,7 @@ import (
|
|||||||
|
|
||||||
"github.com/minio/madmin-go/v2"
|
"github.com/minio/madmin-go/v2"
|
||||||
"github.com/minio/minio/internal/config"
|
"github.com/minio/minio/internal/config"
|
||||||
|
"github.com/minio/minio/internal/kms"
|
||||||
"github.com/minio/minio/internal/logger"
|
"github.com/minio/minio/internal/logger"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -118,7 +119,7 @@ func getLocalServerProperty(endpointServerPools EndpointServerPools, r *http.Req
|
|||||||
config.EnvRootUser: {},
|
config.EnvRootUser: {},
|
||||||
config.EnvRootPassword: {},
|
config.EnvRootPassword: {},
|
||||||
config.EnvMinIOSubnetAPIKey: {},
|
config.EnvMinIOSubnetAPIKey: {},
|
||||||
config.EnvKMSSecretKey: {},
|
kms.EnvKMSSecretKey: {},
|
||||||
}
|
}
|
||||||
for _, v := range os.Environ() {
|
for _, v := range os.Environ() {
|
||||||
if !strings.HasPrefix(v, "MINIO") && !strings.HasPrefix(v, "_MINIO") {
|
if !strings.HasPrefix(v, "MINIO") && !strings.HasPrefix(v, "_MINIO") {
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright (c) 2015-2021 MinIO, Inc.
|
// Copyright (c) 2015-2023 MinIO, Inc.
|
||||||
//
|
//
|
||||||
// This file is part of MinIO Object Storage stack
|
// This file is part of MinIO Object Storage stack
|
||||||
//
|
//
|
||||||
@ -220,6 +220,7 @@ const (
|
|||||||
ErrIncompatibleEncryptionMethod
|
ErrIncompatibleEncryptionMethod
|
||||||
ErrKMSNotConfigured
|
ErrKMSNotConfigured
|
||||||
ErrKMSKeyNotFoundException
|
ErrKMSKeyNotFoundException
|
||||||
|
ErrKMSDefaultKeyAlreadyConfigured
|
||||||
|
|
||||||
ErrNoAccessKey
|
ErrNoAccessKey
|
||||||
ErrInvalidToken
|
ErrInvalidToken
|
||||||
@ -1172,6 +1173,11 @@ var errorCodes = errorCodeMap{
|
|||||||
Description: "Invalid keyId",
|
Description: "Invalid keyId",
|
||||||
HTTPStatusCode: http.StatusBadRequest,
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
},
|
},
|
||||||
|
ErrKMSDefaultKeyAlreadyConfigured: {
|
||||||
|
Code: "KMS.DefaultKeyAlreadyConfiguredException",
|
||||||
|
Description: "A default encryption already exists and cannot be changed on KMS",
|
||||||
|
HTTPStatusCode: http.StatusConflict,
|
||||||
|
},
|
||||||
ErrNoAccessKey: {
|
ErrNoAccessKey: {
|
||||||
Code: "AccessDenied",
|
Code: "AccessDenied",
|
||||||
Description: "No AWSAccessKey was presented",
|
Description: "No AWSAccessKey was presented",
|
||||||
@ -2047,6 +2053,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
|
|||||||
apiErr = ErrKMSNotConfigured
|
apiErr = ErrKMSNotConfigured
|
||||||
case errKMSKeyNotFound:
|
case errKMSKeyNotFound:
|
||||||
apiErr = ErrKMSKeyNotFoundException
|
apiErr = ErrKMSKeyNotFoundException
|
||||||
|
case errKMSDefaultKeyAlreadyConfigured:
|
||||||
|
apiErr = ErrKMSDefaultKeyAlreadyConfigured
|
||||||
|
|
||||||
case context.Canceled, context.DeadlineExceeded:
|
case context.Canceled, context.DeadlineExceeded:
|
||||||
apiErr = ErrOperationTimedOut
|
apiErr = ErrOperationTimedOut
|
||||||
|
File diff suppressed because one or more lines are too long
@ -600,13 +600,13 @@ func loadEnvVarsFromFiles() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if env.IsSet(config.EnvKMSSecretKeyFile) {
|
if env.IsSet(kms.EnvKMSSecretKeyFile) {
|
||||||
kmsSecret, err := readFromSecret(env.Get(config.EnvKMSSecretKeyFile, ""))
|
kmsSecret, err := readFromSecret(env.Get(kms.EnvKMSSecretKeyFile, ""))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatal(err, "Unable to read the KMS secret key inherited from secret file")
|
logger.Fatal(err, "Unable to read the KMS secret key inherited from secret file")
|
||||||
}
|
}
|
||||||
if kmsSecret != "" {
|
if kmsSecret != "" {
|
||||||
os.Setenv(config.EnvKMSSecretKey, kmsSecret)
|
os.Setenv(kms.EnvKMSSecretKey, kmsSecret)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -783,29 +783,29 @@ func handleCommonEnvVars() {
|
|||||||
// It depends on KMS env variables and global cli flags.
|
// It depends on KMS env variables and global cli flags.
|
||||||
func handleKMSConfig() {
|
func handleKMSConfig() {
|
||||||
switch {
|
switch {
|
||||||
case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint):
|
case env.IsSet(kms.EnvKMSSecretKey) && env.IsSet(kms.EnvKESEndpoint):
|
||||||
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
|
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKMSSecretKey, kms.EnvKESEndpoint))
|
||||||
}
|
}
|
||||||
|
|
||||||
if env.IsSet(config.EnvKMSSecretKey) {
|
if env.IsSet(kms.EnvKMSSecretKey) {
|
||||||
KMS, err := kms.Parse(env.Get(config.EnvKMSSecretKey, ""))
|
KMS, err := kms.Parse(env.Get(kms.EnvKMSSecretKey, ""))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
|
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
|
||||||
}
|
}
|
||||||
GlobalKMS = KMS
|
GlobalKMS = KMS
|
||||||
}
|
}
|
||||||
if env.IsSet(config.EnvKESEndpoint) {
|
if env.IsSet(kms.EnvKESEndpoint) {
|
||||||
if env.IsSet(config.EnvKESAPIKey) {
|
if env.IsSet(kms.EnvKESAPIKey) {
|
||||||
if env.IsSet(config.EnvKESClientKey) {
|
if env.IsSet(kms.EnvKESClientKey) {
|
||||||
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKESAPIKey, config.EnvKESClientKey))
|
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKESAPIKey, kms.EnvKESClientKey))
|
||||||
}
|
}
|
||||||
if env.IsSet(config.EnvKESClientCert) {
|
if env.IsSet(kms.EnvKESClientCert) {
|
||||||
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKESAPIKey, config.EnvKESClientCert))
|
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKESAPIKey, kms.EnvKESClientCert))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var endpoints []string
|
var endpoints []string
|
||||||
for _, endpoint := range strings.Split(env.Get(config.EnvKESEndpoint, ""), ",") {
|
for _, endpoint := range strings.Split(env.Get(kms.EnvKESEndpoint, ""), ",") {
|
||||||
if strings.TrimSpace(endpoint) == "" {
|
if strings.TrimSpace(endpoint) == "" {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -821,21 +821,21 @@ func handleKMSConfig() {
|
|||||||
endpoints = append(endpoints, strings.Join(lbls, ""))
|
endpoints = append(endpoints, strings.Join(lbls, ""))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
rootCAs, err := certs.GetRootCAs(env.Get(config.EnvKESServerCA, globalCertsCADir.Get()))
|
rootCAs, err := certs.GetRootCAs(env.Get(kms.EnvKESServerCA, globalCertsCADir.Get()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
|
logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(kms.EnvKESServerCA, globalCertsCADir.Get())))
|
||||||
}
|
}
|
||||||
|
|
||||||
var kmsConf kms.Config
|
var kmsConf kms.Config
|
||||||
if env.IsSet(config.EnvKESAPIKey) {
|
if env.IsSet(kms.EnvKESAPIKey) {
|
||||||
key, err := kes.ParseAPIKey(env.Get(config.EnvKESAPIKey, ""))
|
key, err := kes.ParseAPIKey(env.Get(kms.EnvKESAPIKey, ""))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatal(err, fmt.Sprintf("Failed to parse KES API key from %q", env.Get(config.EnvKESAPIKey, "")))
|
logger.Fatal(err, fmt.Sprintf("Failed to parse KES API key from %q", env.Get(kms.EnvKESAPIKey, "")))
|
||||||
}
|
}
|
||||||
kmsConf = kms.Config{
|
kmsConf = kms.Config{
|
||||||
Endpoints: endpoints,
|
Endpoints: endpoints,
|
||||||
Enclave: env.Get(config.EnvKESEnclave, ""),
|
Enclave: env.Get(kms.EnvKESEnclave, ""),
|
||||||
DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
|
DefaultKeyID: env.Get(kms.EnvKESKeyName, ""),
|
||||||
APIKey: key,
|
APIKey: key,
|
||||||
RootCAs: rootCAs,
|
RootCAs: rootCAs,
|
||||||
}
|
}
|
||||||
@ -857,7 +857,7 @@ func handleKMSConfig() {
|
|||||||
return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: private key contains additional data")
|
return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: private key contains additional data")
|
||||||
}
|
}
|
||||||
if x509.IsEncryptedPEMBlock(privateKeyPEM) {
|
if x509.IsEncryptedPEMBlock(privateKeyPEM) {
|
||||||
keyBytes, err = x509.DecryptPEMBlock(privateKeyPEM, []byte(env.Get(config.EnvKESClientPassword, "")))
|
keyBytes, err = x509.DecryptPEMBlock(privateKeyPEM, []byte(env.Get(kms.EnvKESClientPassword, "")))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err)
|
return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err)
|
||||||
}
|
}
|
||||||
@ -871,7 +871,7 @@ func handleKMSConfig() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
reloadCertEvents := make(chan tls.Certificate, 1)
|
reloadCertEvents := make(chan tls.Certificate, 1)
|
||||||
certificate, err := certs.NewCertificate(env.Get(config.EnvKESClientCert, ""), env.Get(config.EnvKESClientKey, ""), loadX509KeyPair)
|
certificate, err := certs.NewCertificate(env.Get(kms.EnvKESClientCert, ""), env.Get(kms.EnvKESClientKey, ""), loadX509KeyPair)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatal(err, "Failed to load KES client certificate")
|
logger.Fatal(err, "Failed to load KES client certificate")
|
||||||
}
|
}
|
||||||
@ -880,8 +880,8 @@ func handleKMSConfig() {
|
|||||||
|
|
||||||
kmsConf = kms.Config{
|
kmsConf = kms.Config{
|
||||||
Endpoints: endpoints,
|
Endpoints: endpoints,
|
||||||
Enclave: env.Get(config.EnvKESEnclave, ""),
|
Enclave: env.Get(kms.EnvKESEnclave, ""),
|
||||||
DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
|
DefaultKeyID: env.Get(kms.EnvKESKeyName, ""),
|
||||||
Certificate: certificate,
|
Certificate: certificate,
|
||||||
ReloadCertEvents: reloadCertEvents,
|
ReloadCertEvents: reloadCertEvents,
|
||||||
RootCAs: rootCAs,
|
RootCAs: rootCAs,
|
||||||
@ -896,7 +896,7 @@ func handleKMSConfig() {
|
|||||||
// This implicitly checks that we can communicate to KES. We don't treat
|
// This implicitly checks that we can communicate to KES. We don't treat
|
||||||
// a policy error as failure condition since MinIO may not have the permission
|
// a policy error as failure condition since MinIO may not have the permission
|
||||||
// to create keys - just to generate/decrypt data encryption keys.
|
// to create keys - just to generate/decrypt data encryption keys.
|
||||||
if err = KMS.CreateKey(context.Background(), env.Get(config.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
|
if err = KMS.CreateKey(context.Background(), env.Get(kms.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
|
||||||
logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
|
logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
|
||||||
}
|
}
|
||||||
GlobalKMS = KMS
|
GlobalKMS = KMS
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright (c) 2015-2021 MinIO, Inc.
|
// Copyright (c) 2015-2023 MinIO, Inc.
|
||||||
//
|
//
|
||||||
// This file is part of MinIO Object Storage stack
|
// This file is part of MinIO Object Storage stack
|
||||||
//
|
//
|
||||||
@ -48,10 +48,11 @@ import (
|
|||||||
|
|
||||||
var (
|
var (
|
||||||
// AWS errors for invalid SSE-C requests.
|
// AWS errors for invalid SSE-C requests.
|
||||||
errEncryptedObject = errors.New("The object was stored using a form of SSE")
|
errEncryptedObject = errors.New("The object was stored using a form of SSE")
|
||||||
errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied
|
errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied
|
||||||
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object")
|
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted objects")
|
||||||
errKMSKeyNotFound = errors.New("Invalid KMS keyId")
|
errKMSKeyNotFound = errors.New("Unknown KMS key ID")
|
||||||
|
errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption already exists on KMS")
|
||||||
// Additional MinIO errors for SSE-C requests.
|
// Additional MinIO errors for SSE-C requests.
|
||||||
errObjectTampered = errors.New("The requested object was modified and may be compromised")
|
errObjectTampered = errors.New("The requested object was modified and may be compromised")
|
||||||
// error returned when invalid encryption parameters are specified
|
// error returned when invalid encryption parameters are specified
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright (c) 2015-2022 MinIO, Inc.
|
// Copyright (c) 2015-2023 MinIO, Inc.
|
||||||
//
|
//
|
||||||
// This file is part of MinIO Object Storage stack
|
// This file is part of MinIO Object Storage stack
|
||||||
//
|
//
|
||||||
@ -173,7 +173,12 @@ func (a kmsAPIHandlers) KMSVersionHandler(w http.ResponseWriter, r *http.Request
|
|||||||
|
|
||||||
// KMSCreateKeyHandler - POST /minio/kms/v1/key/create?key-id=<master-key-id>
|
// KMSCreateKeyHandler - POST /minio/kms/v1/key/create?key-id=<master-key-id>
|
||||||
func (a kmsAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Request) {
|
func (a kmsAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
|
// If env variable MINIO_KMS_SECRET_KEY is populated, prevent creation of new keys
|
||||||
ctx := newContext(r, w, "KMSCreateKey")
|
ctx := newContext(r, w, "KMSCreateKey")
|
||||||
|
if GlobalKMS != nil && GlobalKMS.IsLocal() {
|
||||||
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSDefaultKeyAlreadyConfigured), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
|
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
|
||||||
|
|
||||||
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction)
|
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction)
|
||||||
@ -228,6 +233,15 @@ func (a kmsAPIHandlers) KMSDeleteKeyHandler(w http.ResponseWriter, r *http.Reque
|
|||||||
// KMSListKeysHandler - GET /minio/kms/v1/key/list?pattern=<pattern>
|
// KMSListKeysHandler - GET /minio/kms/v1/key/list?pattern=<pattern>
|
||||||
func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Request) {
|
func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
ctx := newContext(r, w, "KMSListKeys")
|
ctx := newContext(r, w, "KMSListKeys")
|
||||||
|
if GlobalKMS != nil && GlobalKMS.IsLocal() {
|
||||||
|
res, err := json.Marshal(GlobalKMS.List())
|
||||||
|
if err != nil {
|
||||||
|
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
writeSuccessResponseJSON(w, res)
|
||||||
|
return
|
||||||
|
}
|
||||||
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
|
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
|
||||||
|
|
||||||
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction)
|
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction)
|
||||||
@ -241,7 +255,7 @@ func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Reques
|
|||||||
}
|
}
|
||||||
manager, ok := GlobalKMS.(kms.KeyManager)
|
manager, ok := GlobalKMS.(kms.KeyManager)
|
||||||
if !ok {
|
if !ok {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
keys, err := manager.ListKeys(ctx, r.Form.Get("pattern"))
|
keys, err := manager.ListKeys(ctx, r.Form.Get("pattern"))
|
||||||
|
@ -67,17 +67,6 @@ const (
|
|||||||
|
|
||||||
EnvUpdate = "MINIO_UPDATE"
|
EnvUpdate = "MINIO_UPDATE"
|
||||||
|
|
||||||
EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY"
|
|
||||||
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
|
|
||||||
EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" // One or multiple KES endpoints, separated by ','
|
|
||||||
EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE" // Optional "namespace" within a KES cluster - not required for stateless KES
|
|
||||||
EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" // The default key name used for IAM data and when no key ID is specified on a bucket
|
|
||||||
EnvKESAPIKey = "MINIO_KMS_KES_API_KEY" // Access credential for KES - API keys and private key / certificate are mutually exclusive
|
|
||||||
EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
|
|
||||||
EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
|
|
||||||
EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE" // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys
|
|
||||||
EnvKESServerCA = "MINIO_KMS_KES_CAPATH" // Path to file/directory containing CA certificates to verify the KES server certificate
|
|
||||||
|
|
||||||
EnvEndpoints = "MINIO_ENDPOINTS" // legacy
|
EnvEndpoints = "MINIO_ENDPOINTS" // legacy
|
||||||
EnvWorm = "MINIO_WORM" // legacy
|
EnvWorm = "MINIO_WORM" // legacy
|
||||||
EnvRegion = "MINIO_REGION" // legacy
|
EnvRegion = "MINIO_REGION" // legacy
|
||||||
|
32
internal/kms/config.go
Normal file
32
internal/kms/config.go
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
// Copyright (c) 2015-2023 MinIO, Inc.
|
||||||
|
//
|
||||||
|
// This file is part of MinIO Object Storage stack
|
||||||
|
//
|
||||||
|
// This program is free software: you can redistribute it and/or modify
|
||||||
|
// it under the terms of the GNU Affero General Public License as published by
|
||||||
|
// the Free Software Foundation, either version 3 of the License, or
|
||||||
|
// (at your option) any later version.
|
||||||
|
//
|
||||||
|
// This program is distributed in the hope that it will be useful
|
||||||
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
// GNU Affero General Public License for more details.
|
||||||
|
//
|
||||||
|
// You should have received a copy of the GNU Affero General Public License
|
||||||
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
package kms
|
||||||
|
|
||||||
|
// Top level config constants for KMS
|
||||||
|
const (
|
||||||
|
EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY"
|
||||||
|
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
|
||||||
|
EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" // One or multiple KES endpoints, separated by ','
|
||||||
|
EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE" // Optional "namespace" within a KES cluster - not required for stateless KES
|
||||||
|
EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" // The default key name used for IAM data and when no key ID is specified on a bucket
|
||||||
|
EnvKESAPIKey = "MINIO_KMS_KES_API_KEY" // Access credential for KES - API keys and private key / certificate are mutually exclusive
|
||||||
|
EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
|
||||||
|
EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
|
||||||
|
EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE" // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys
|
||||||
|
EnvKESServerCA = "MINIO_KMS_KES_CAPATH" // Path to file/directory containing CA certificates to verify the KES server certificate
|
||||||
|
)
|
@ -28,6 +28,7 @@ import (
|
|||||||
|
|
||||||
"github.com/minio/kes-go"
|
"github.com/minio/kes-go"
|
||||||
"github.com/minio/pkg/certs"
|
"github.com/minio/pkg/certs"
|
||||||
|
"github.com/minio/pkg/env"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -189,6 +190,26 @@ func (c *kesClient) Stat(ctx context.Context) (Status, error) {
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsLocal returns true if the KMS is a local implementation
|
||||||
|
func (c *kesClient) IsLocal() bool {
|
||||||
|
return env.IsSet(EnvKMSSecretKey)
|
||||||
|
}
|
||||||
|
|
||||||
|
// List returns an array of local KMS Names
|
||||||
|
func (c *kesClient) List() []kes.KeyInfo {
|
||||||
|
var kmsSecret []kes.KeyInfo
|
||||||
|
envKMSSecretKey := env.Get(EnvKMSSecretKey, "")
|
||||||
|
values := strings.SplitN(envKMSSecretKey, ":", 2)
|
||||||
|
if len(values) == 2 {
|
||||||
|
kmsSecret = []kes.KeyInfo{
|
||||||
|
{
|
||||||
|
Name: values[0],
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return kmsSecret
|
||||||
|
}
|
||||||
|
|
||||||
// Metrics retrieves server metrics in the Prometheus exposition format.
|
// Metrics retrieves server metrics in the Prometheus exposition format.
|
||||||
func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) {
|
func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) {
|
||||||
c.lock.RLock()
|
c.lock.RLock()
|
||||||
|
@ -32,6 +32,12 @@ type KMS interface {
|
|||||||
// Stat returns the current KMS status.
|
// Stat returns the current KMS status.
|
||||||
Stat(cxt context.Context) (Status, error)
|
Stat(cxt context.Context) (Status, error)
|
||||||
|
|
||||||
|
// IsLocal returns true if the KMS is a local implementation
|
||||||
|
IsLocal() bool
|
||||||
|
|
||||||
|
// List returns an array of local KMS Names
|
||||||
|
List() []kes.KeyInfo
|
||||||
|
|
||||||
// Metrics returns a KMS metric snapshot.
|
// Metrics returns a KMS metric snapshot.
|
||||||
Metrics(ctx context.Context) (kes.Metric, error)
|
Metrics(ctx context.Context) (kes.Metric, error)
|
||||||
|
|
||||||
|
@ -91,8 +91,23 @@ func (kms secretKey) Stat(context.Context) (Status, error) {
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (secretKey) Metrics(context.Context) (kes.Metric, error) {
|
// IsLocal returns true if the KMS is a local implementation
|
||||||
return kes.Metric{}, errors.New("kms: metrics not supported")
|
func (kms secretKey) IsLocal() bool {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// List returns an array of local KMS Names
|
||||||
|
func (kms secretKey) List() []kes.KeyInfo {
|
||||||
|
kmsSecret := []kes.KeyInfo{
|
||||||
|
{
|
||||||
|
Name: kms.keyID,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
return kmsSecret
|
||||||
|
}
|
||||||
|
|
||||||
|
func (secretKey) Metrics(ctx context.Context) (kes.Metric, error) {
|
||||||
|
return kes.Metric{}, errors.New("kms: metrics are not supported")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (kms secretKey) CreateKey(_ context.Context, keyID string) error {
|
func (kms secretKey) CreateKey(_ context.Context, keyID string) error {
|
||||||
|
Loading…
Reference in New Issue
Block a user