Set meaningful message from minio with env variable KMS_SECRET_KEY (#16584)

This commit is contained in:
Allan Roger Reid 2023-02-21 17:43:01 -08:00 committed by GitHub
parent fd6622458b
commit 8bfe972bab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 304 additions and 216 deletions

View File

@ -28,6 +28,7 @@ import (
"github.com/minio/madmin-go/v2" "github.com/minio/madmin-go/v2"
"github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/kms"
"github.com/minio/minio/internal/logger" "github.com/minio/minio/internal/logger"
) )
@ -118,7 +119,7 @@ func getLocalServerProperty(endpointServerPools EndpointServerPools, r *http.Req
config.EnvRootUser: {}, config.EnvRootUser: {},
config.EnvRootPassword: {}, config.EnvRootPassword: {},
config.EnvMinIOSubnetAPIKey: {}, config.EnvMinIOSubnetAPIKey: {},
config.EnvKMSSecretKey: {}, kms.EnvKMSSecretKey: {},
} }
for _, v := range os.Environ() { for _, v := range os.Environ() {
if !strings.HasPrefix(v, "MINIO") && !strings.HasPrefix(v, "_MINIO") { if !strings.HasPrefix(v, "MINIO") && !strings.HasPrefix(v, "_MINIO") {

View File

@ -1,4 +1,4 @@
// Copyright (c) 2015-2021 MinIO, Inc. // Copyright (c) 2015-2023 MinIO, Inc.
// //
// This file is part of MinIO Object Storage stack // This file is part of MinIO Object Storage stack
// //
@ -220,6 +220,7 @@ const (
ErrIncompatibleEncryptionMethod ErrIncompatibleEncryptionMethod
ErrKMSNotConfigured ErrKMSNotConfigured
ErrKMSKeyNotFoundException ErrKMSKeyNotFoundException
ErrKMSDefaultKeyAlreadyConfigured
ErrNoAccessKey ErrNoAccessKey
ErrInvalidToken ErrInvalidToken
@ -1172,6 +1173,11 @@ var errorCodes = errorCodeMap{
Description: "Invalid keyId", Description: "Invalid keyId",
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
}, },
ErrKMSDefaultKeyAlreadyConfigured: {
Code: "KMS.DefaultKeyAlreadyConfiguredException",
Description: "A default encryption already exists and cannot be changed on KMS",
HTTPStatusCode: http.StatusConflict,
},
ErrNoAccessKey: { ErrNoAccessKey: {
Code: "AccessDenied", Code: "AccessDenied",
Description: "No AWSAccessKey was presented", Description: "No AWSAccessKey was presented",
@ -2047,6 +2053,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
apiErr = ErrKMSNotConfigured apiErr = ErrKMSNotConfigured
case errKMSKeyNotFound: case errKMSKeyNotFound:
apiErr = ErrKMSKeyNotFoundException apiErr = ErrKMSKeyNotFoundException
case errKMSDefaultKeyAlreadyConfigured:
apiErr = ErrKMSDefaultKeyAlreadyConfigured
case context.Canceled, context.DeadlineExceeded: case context.Canceled, context.DeadlineExceeded:
apiErr = ErrOperationTimedOut apiErr = ErrOperationTimedOut

File diff suppressed because one or more lines are too long

View File

@ -600,13 +600,13 @@ func loadEnvVarsFromFiles() {
} }
} }
if env.IsSet(config.EnvKMSSecretKeyFile) { if env.IsSet(kms.EnvKMSSecretKeyFile) {
kmsSecret, err := readFromSecret(env.Get(config.EnvKMSSecretKeyFile, "")) kmsSecret, err := readFromSecret(env.Get(kms.EnvKMSSecretKeyFile, ""))
if err != nil { if err != nil {
logger.Fatal(err, "Unable to read the KMS secret key inherited from secret file") logger.Fatal(err, "Unable to read the KMS secret key inherited from secret file")
} }
if kmsSecret != "" { if kmsSecret != "" {
os.Setenv(config.EnvKMSSecretKey, kmsSecret) os.Setenv(kms.EnvKMSSecretKey, kmsSecret)
} }
} }
@ -783,29 +783,29 @@ func handleCommonEnvVars() {
// It depends on KMS env variables and global cli flags. // It depends on KMS env variables and global cli flags.
func handleKMSConfig() { func handleKMSConfig() {
switch { switch {
case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint): case env.IsSet(kms.EnvKMSSecretKey) && env.IsSet(kms.EnvKESEndpoint):
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint)) logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKMSSecretKey, kms.EnvKESEndpoint))
} }
if env.IsSet(config.EnvKMSSecretKey) { if env.IsSet(kms.EnvKMSSecretKey) {
KMS, err := kms.Parse(env.Get(config.EnvKMSSecretKey, "")) KMS, err := kms.Parse(env.Get(kms.EnvKMSSecretKey, ""))
if err != nil { if err != nil {
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment") logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
} }
GlobalKMS = KMS GlobalKMS = KMS
} }
if env.IsSet(config.EnvKESEndpoint) { if env.IsSet(kms.EnvKESEndpoint) {
if env.IsSet(config.EnvKESAPIKey) { if env.IsSet(kms.EnvKESAPIKey) {
if env.IsSet(config.EnvKESClientKey) { if env.IsSet(kms.EnvKESClientKey) {
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKESAPIKey, config.EnvKESClientKey)) logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKESAPIKey, kms.EnvKESClientKey))
} }
if env.IsSet(config.EnvKESClientCert) { if env.IsSet(kms.EnvKESClientCert) {
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKESAPIKey, config.EnvKESClientCert)) logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKESAPIKey, kms.EnvKESClientCert))
} }
} }
var endpoints []string var endpoints []string
for _, endpoint := range strings.Split(env.Get(config.EnvKESEndpoint, ""), ",") { for _, endpoint := range strings.Split(env.Get(kms.EnvKESEndpoint, ""), ",") {
if strings.TrimSpace(endpoint) == "" { if strings.TrimSpace(endpoint) == "" {
continue continue
} }
@ -821,21 +821,21 @@ func handleKMSConfig() {
endpoints = append(endpoints, strings.Join(lbls, "")) endpoints = append(endpoints, strings.Join(lbls, ""))
} }
} }
rootCAs, err := certs.GetRootCAs(env.Get(config.EnvKESServerCA, globalCertsCADir.Get())) rootCAs, err := certs.GetRootCAs(env.Get(kms.EnvKESServerCA, globalCertsCADir.Get()))
if err != nil { if err != nil {
logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get()))) logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(kms.EnvKESServerCA, globalCertsCADir.Get())))
} }
var kmsConf kms.Config var kmsConf kms.Config
if env.IsSet(config.EnvKESAPIKey) { if env.IsSet(kms.EnvKESAPIKey) {
key, err := kes.ParseAPIKey(env.Get(config.EnvKESAPIKey, "")) key, err := kes.ParseAPIKey(env.Get(kms.EnvKESAPIKey, ""))
if err != nil { if err != nil {
logger.Fatal(err, fmt.Sprintf("Failed to parse KES API key from %q", env.Get(config.EnvKESAPIKey, ""))) logger.Fatal(err, fmt.Sprintf("Failed to parse KES API key from %q", env.Get(kms.EnvKESAPIKey, "")))
} }
kmsConf = kms.Config{ kmsConf = kms.Config{
Endpoints: endpoints, Endpoints: endpoints,
Enclave: env.Get(config.EnvKESEnclave, ""), Enclave: env.Get(kms.EnvKESEnclave, ""),
DefaultKeyID: env.Get(config.EnvKESKeyName, ""), DefaultKeyID: env.Get(kms.EnvKESKeyName, ""),
APIKey: key, APIKey: key,
RootCAs: rootCAs, RootCAs: rootCAs,
} }
@ -857,7 +857,7 @@ func handleKMSConfig() {
return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: private key contains additional data") return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: private key contains additional data")
} }
if x509.IsEncryptedPEMBlock(privateKeyPEM) { if x509.IsEncryptedPEMBlock(privateKeyPEM) {
keyBytes, err = x509.DecryptPEMBlock(privateKeyPEM, []byte(env.Get(config.EnvKESClientPassword, ""))) keyBytes, err = x509.DecryptPEMBlock(privateKeyPEM, []byte(env.Get(kms.EnvKESClientPassword, "")))
if err != nil { if err != nil {
return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err) return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err)
} }
@ -871,7 +871,7 @@ func handleKMSConfig() {
} }
reloadCertEvents := make(chan tls.Certificate, 1) reloadCertEvents := make(chan tls.Certificate, 1)
certificate, err := certs.NewCertificate(env.Get(config.EnvKESClientCert, ""), env.Get(config.EnvKESClientKey, ""), loadX509KeyPair) certificate, err := certs.NewCertificate(env.Get(kms.EnvKESClientCert, ""), env.Get(kms.EnvKESClientKey, ""), loadX509KeyPair)
if err != nil { if err != nil {
logger.Fatal(err, "Failed to load KES client certificate") logger.Fatal(err, "Failed to load KES client certificate")
} }
@ -880,8 +880,8 @@ func handleKMSConfig() {
kmsConf = kms.Config{ kmsConf = kms.Config{
Endpoints: endpoints, Endpoints: endpoints,
Enclave: env.Get(config.EnvKESEnclave, ""), Enclave: env.Get(kms.EnvKESEnclave, ""),
DefaultKeyID: env.Get(config.EnvKESKeyName, ""), DefaultKeyID: env.Get(kms.EnvKESKeyName, ""),
Certificate: certificate, Certificate: certificate,
ReloadCertEvents: reloadCertEvents, ReloadCertEvents: reloadCertEvents,
RootCAs: rootCAs, RootCAs: rootCAs,
@ -896,7 +896,7 @@ func handleKMSConfig() {
// This implicitly checks that we can communicate to KES. We don't treat // This implicitly checks that we can communicate to KES. We don't treat
// a policy error as failure condition since MinIO may not have the permission // a policy error as failure condition since MinIO may not have the permission
// to create keys - just to generate/decrypt data encryption keys. // to create keys - just to generate/decrypt data encryption keys.
if err = KMS.CreateKey(context.Background(), env.Get(config.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) { if err = KMS.CreateKey(context.Background(), env.Get(kms.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment") logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
} }
GlobalKMS = KMS GlobalKMS = KMS

View File

@ -1,4 +1,4 @@
// Copyright (c) 2015-2021 MinIO, Inc. // Copyright (c) 2015-2023 MinIO, Inc.
// //
// This file is part of MinIO Object Storage stack // This file is part of MinIO Object Storage stack
// //
@ -48,10 +48,11 @@ import (
var ( var (
// AWS errors for invalid SSE-C requests. // AWS errors for invalid SSE-C requests.
errEncryptedObject = errors.New("The object was stored using a form of SSE") errEncryptedObject = errors.New("The object was stored using a form of SSE")
errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object") errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted objects")
errKMSKeyNotFound = errors.New("Invalid KMS keyId") errKMSKeyNotFound = errors.New("Unknown KMS key ID")
errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption already exists on KMS")
// Additional MinIO errors for SSE-C requests. // Additional MinIO errors for SSE-C requests.
errObjectTampered = errors.New("The requested object was modified and may be compromised") errObjectTampered = errors.New("The requested object was modified and may be compromised")
// error returned when invalid encryption parameters are specified // error returned when invalid encryption parameters are specified

View File

@ -1,4 +1,4 @@
// Copyright (c) 2015-2022 MinIO, Inc. // Copyright (c) 2015-2023 MinIO, Inc.
// //
// This file is part of MinIO Object Storage stack // This file is part of MinIO Object Storage stack
// //
@ -173,7 +173,12 @@ func (a kmsAPIHandlers) KMSVersionHandler(w http.ResponseWriter, r *http.Request
// KMSCreateKeyHandler - POST /minio/kms/v1/key/create?key-id=<master-key-id> // KMSCreateKeyHandler - POST /minio/kms/v1/key/create?key-id=<master-key-id>
func (a kmsAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Request) { func (a kmsAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Request) {
// If env variable MINIO_KMS_SECRET_KEY is populated, prevent creation of new keys
ctx := newContext(r, w, "KMSCreateKey") ctx := newContext(r, w, "KMSCreateKey")
if GlobalKMS != nil && GlobalKMS.IsLocal() {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSDefaultKeyAlreadyConfigured), r.URL)
return
}
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction) objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction)
@ -228,6 +233,15 @@ func (a kmsAPIHandlers) KMSDeleteKeyHandler(w http.ResponseWriter, r *http.Reque
// KMSListKeysHandler - GET /minio/kms/v1/key/list?pattern=<pattern> // KMSListKeysHandler - GET /minio/kms/v1/key/list?pattern=<pattern>
func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Request) { func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "KMSListKeys") ctx := newContext(r, w, "KMSListKeys")
if GlobalKMS != nil && GlobalKMS.IsLocal() {
res, err := json.Marshal(GlobalKMS.List())
if err != nil {
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL)
return
}
writeSuccessResponseJSON(w, res)
return
}
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction) objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction)
@ -241,7 +255,7 @@ func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Reques
} }
manager, ok := GlobalKMS.(kms.KeyManager) manager, ok := GlobalKMS.(kms.KeyManager)
if !ok { if !ok {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL) writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
return return
} }
keys, err := manager.ListKeys(ctx, r.Form.Get("pattern")) keys, err := manager.ListKeys(ctx, r.Form.Get("pattern"))

View File

@ -67,17 +67,6 @@ const (
EnvUpdate = "MINIO_UPDATE" EnvUpdate = "MINIO_UPDATE"
EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY"
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" // One or multiple KES endpoints, separated by ','
EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE" // Optional "namespace" within a KES cluster - not required for stateless KES
EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" // The default key name used for IAM data and when no key ID is specified on a bucket
EnvKESAPIKey = "MINIO_KMS_KES_API_KEY" // Access credential for KES - API keys and private key / certificate are mutually exclusive
EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE" // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys
EnvKESServerCA = "MINIO_KMS_KES_CAPATH" // Path to file/directory containing CA certificates to verify the KES server certificate
EnvEndpoints = "MINIO_ENDPOINTS" // legacy EnvEndpoints = "MINIO_ENDPOINTS" // legacy
EnvWorm = "MINIO_WORM" // legacy EnvWorm = "MINIO_WORM" // legacy
EnvRegion = "MINIO_REGION" // legacy EnvRegion = "MINIO_REGION" // legacy

32
internal/kms/config.go Normal file
View File

@ -0,0 +1,32 @@
// Copyright (c) 2015-2023 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
// Top level config constants for KMS
const (
EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY"
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" // One or multiple KES endpoints, separated by ','
EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE" // Optional "namespace" within a KES cluster - not required for stateless KES
EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" // The default key name used for IAM data and when no key ID is specified on a bucket
EnvKESAPIKey = "MINIO_KMS_KES_API_KEY" // Access credential for KES - API keys and private key / certificate are mutually exclusive
EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE" // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys
EnvKESServerCA = "MINIO_KMS_KES_CAPATH" // Path to file/directory containing CA certificates to verify the KES server certificate
)

View File

@ -28,6 +28,7 @@ import (
"github.com/minio/kes-go" "github.com/minio/kes-go"
"github.com/minio/pkg/certs" "github.com/minio/pkg/certs"
"github.com/minio/pkg/env"
) )
const ( const (
@ -189,6 +190,26 @@ func (c *kesClient) Stat(ctx context.Context) (Status, error) {
}, nil }, nil
} }
// IsLocal returns true if the KMS is a local implementation
func (c *kesClient) IsLocal() bool {
return env.IsSet(EnvKMSSecretKey)
}
// List returns an array of local KMS Names
func (c *kesClient) List() []kes.KeyInfo {
var kmsSecret []kes.KeyInfo
envKMSSecretKey := env.Get(EnvKMSSecretKey, "")
values := strings.SplitN(envKMSSecretKey, ":", 2)
if len(values) == 2 {
kmsSecret = []kes.KeyInfo{
{
Name: values[0],
},
}
}
return kmsSecret
}
// Metrics retrieves server metrics in the Prometheus exposition format. // Metrics retrieves server metrics in the Prometheus exposition format.
func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) { func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) {
c.lock.RLock() c.lock.RLock()

View File

@ -32,6 +32,12 @@ type KMS interface {
// Stat returns the current KMS status. // Stat returns the current KMS status.
Stat(cxt context.Context) (Status, error) Stat(cxt context.Context) (Status, error)
// IsLocal returns true if the KMS is a local implementation
IsLocal() bool
// List returns an array of local KMS Names
List() []kes.KeyInfo
// Metrics returns a KMS metric snapshot. // Metrics returns a KMS metric snapshot.
Metrics(ctx context.Context) (kes.Metric, error) Metrics(ctx context.Context) (kes.Metric, error)

View File

@ -91,8 +91,23 @@ func (kms secretKey) Stat(context.Context) (Status, error) {
}, nil }, nil
} }
func (secretKey) Metrics(context.Context) (kes.Metric, error) { // IsLocal returns true if the KMS is a local implementation
return kes.Metric{}, errors.New("kms: metrics not supported") func (kms secretKey) IsLocal() bool {
return true
}
// List returns an array of local KMS Names
func (kms secretKey) List() []kes.KeyInfo {
kmsSecret := []kes.KeyInfo{
{
Name: kms.keyID,
},
}
return kmsSecret
}
func (secretKey) Metrics(ctx context.Context) (kes.Metric, error) {
return kes.Metric{}, errors.New("kms: metrics are not supported")
} }
func (kms secretKey) CreateKey(_ context.Context, keyID string) error { func (kms secretKey) CreateKey(_ context.Context, keyID string) error {