allow resetting and reapply config on broken clusters (#12554)
Bonus: remove kms_kes as a sub-system, since it is ENV-only. Also fixes a crash with an etcd cluster without KMS configured, and also if KMS decryption is missing.
This commit is contained in:
parent
fe49d03fd8
commit
8d1bc65757
@ -178,16 +178,7 @@ func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Requ
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg := globalServerConfig
|
cfg := globalServerConfig.Clone()
|
||||||
if newObjectLayerFn() == nil {
|
|
||||||
var err error
|
|
||||||
cfg, err = getValidConfig(objectAPI)
|
|
||||||
if err != nil {
|
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
var buf = &bytes.Buffer{}
|
var buf = &bytes.Buffer{}
|
||||||
cw := config.NewConfigWriteTo(cfg, vars["key"])
|
cw := config.NewConfigWriteTo(cfg, vars["key"])
|
||||||
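Review bot: `cfg := globalServerConfig.Clone()` reads the package-level config with no visible lock; if globalServerConfig is replaced under a mutex elsewhere in this package (globalServerConfigMu, as far as I can tell, but the write side is not in this hunk), this read races with a concurrent config update, and the same unguarded read appears in the GetConfigHandler hunk below. If that is the case, take the read lock around the clone in both handlers, `globalServerConfigMu.RLock()` / `cfg := globalServerConfig.Clone()` / `globalServerConfigMu.RUnlock()`. Dropping the getValidConfig fallback also means the admin API now reports the in-memory config even when the stored copy could not be loaded, which matches the commit's intent but deserves a one-line comment such as `// Serve the in-memory config so a broken cluster can still be inspected and reset.`. GetConfigKVHandler begins above this hunk and continues below it.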
@ -421,11 +412,7 @@ func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Reques
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg, err := readServerConfig(ctx, objectAPI)
|
cfg := globalServerConfig.Clone()
|
||||||
if err != nil {
|
|
||||||
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
var s strings.Builder
|
var s strings.Builder
|
||||||
hkvs := config.HelpSubSysMap[""]
|
hkvs := config.HelpSubSysMap[""]
|
||||||
|
@ -575,6 +575,7 @@ func handleCommonEnvVars() {
|
|||||||
}
|
}
|
||||||
GlobalKMS = KMS
|
GlobalKMS = KMS
|
||||||
}
|
}
|
||||||
|
|
||||||
if tiers := env.Get("_MINIO_DEBUG_REMOTE_TIERS_IMMEDIATELY", ""); tiers != "" {
|
if tiers := env.Get("_MINIO_DEBUG_REMOTE_TIERS_IMMEDIATELY", ""); tiers != "" {
|
||||||
globalDebugRemoteTiersImmediately = strings.Split(tiers, ",")
|
globalDebugRemoteTiersImmediately = strings.Split(tiers, ",")
|
||||||
}
|
}
|
||||||
|
@ -100,10 +100,6 @@ func initHelp() {
|
|||||||
Key: config.PolicyOPASubSys,
|
Key: config.PolicyOPASubSys,
|
||||||
Description: "[DEPRECATED] enable external OPA for policy enforcement",
|
Description: "[DEPRECATED] enable external OPA for policy enforcement",
|
||||||
},
|
},
|
||||||
config.HelpKV{
|
|
||||||
Key: config.KmsKesSubSys,
|
|
||||||
Description: "enable external MinIO key encryption service",
|
|
||||||
},
|
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: config.APISubSys,
|
Key: config.APISubSys,
|
||||||
Description: "manage global HTTP API call specific features, such as throttling, authentication types, etc.",
|
Description: "manage global HTTP API call specific features, such as throttling, authentication types, etc.",
|
||||||
|
@ -97,15 +97,17 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
|
|||||||
if !utf8.Valid(data) {
|
if !utf8.Valid(data) {
|
||||||
pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
|
pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
if GlobalKMS != nil {
|
||||||
minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
||||||
minioMetaBucket: string(kv.Key),
|
minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
|
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
||||||
|
minioMetaBucket: string(kv.Key),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
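Review bot: When GlobalKMS is nil and madmin.DecryptData fails, the new `if GlobalKMS != nil` guard drops the error: err is scoped to the `if !utf8.Valid(data)` block, so nothing after it can see the failure, and pdata is whatever DecryptData returned on error rather than decrypted data. Unless the code after the hunk checks for an empty pdata, the undecryptable entry should be reported instead of silently passed on, e.g. an else branch on the guard: `} else { return fmt.Errorf("Decrypting IAM config failed %w, and no KMS is configured", err) }`. The enclosing function starts before and continues after this hunk.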
@ -20,6 +20,7 @@ package cmd
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
"path"
|
"path"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
@ -149,13 +150,13 @@ func saveServerConfig(ctx context.Context, objAPI ObjectLayer, cfg interface{})
|
|||||||
}
|
}
|
||||||
|
|
||||||
func readServerConfig(ctx context.Context, objAPI ObjectLayer) (config.Config, error) {
|
func readServerConfig(ctx context.Context, objAPI ObjectLayer) (config.Config, error) {
|
||||||
|
var srvCfg = config.New()
|
||||||
configFile := path.Join(minioConfigPrefix, minioConfigFile)
|
configFile := path.Join(minioConfigPrefix, minioConfigFile)
|
||||||
data, err := readConfig(ctx, objAPI, configFile)
|
data, err := readConfig(ctx, objAPI, configFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Config not found for some reason, allow things to continue
|
if errors.Is(err, errConfigNotFound) {
|
||||||
// by initializing a new fresh config in safe mode.
|
lookupConfigs(srvCfg, objAPI.SetDriveCounts())
|
||||||
if err == errConfigNotFound && newObjectLayerFn() == nil {
|
return srvCfg, nil
|
||||||
return newServerConfig(), nil
|
|
||||||
}
|
}
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
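Review bot: The new `errors.Is(err, errConfigNotFound)` branch has lost the comment that explained the old fallback, and it now applies defaults via lookupConfigs whether or not the object layer is initialized, since the old `newObjectLayerFn() == nil` condition is gone. A comment stating that this is deliberate would stop the next reader from restoring the guard, e.g. `// No stored config: apply defaults from the environment so the server comes up and the admin API can write a fresh config.`. The old comment's "safe mode" wording should only be carried over if that mode still exists, which I cannot tell from here. readServerConfig's body continues past this hunk.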
@ -165,11 +166,11 @@ func readServerConfig(ctx context.Context, objAPI ObjectLayer) (config.Config, e
|
|||||||
minioMetaBucket: path.Join(minioMetaBucket, configFile),
|
minioMetaBucket: path.Join(minioMetaBucket, configFile),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
lookupConfigs(srvCfg, objAPI.SetDriveCounts())
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var srvCfg = config.New()
|
|
||||||
var json = jsoniter.ConfigCompatibleWithStandardLibrary
|
var json = jsoniter.ConfigCompatibleWithStandardLibrary
|
||||||
if err = json.Unmarshal(data, &srvCfg); err != nil {
|
if err = json.Unmarshal(data, &srvCfg); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
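Review bot: `lookupConfigs(srvCfg, objAPI.SetDriveCounts())` is called on a freshly created default config immediately before `return nil, err`, so the only effect it can have is through side effects on package state (lookupConfigs is not in this hunk, so that is inferred from its name), and the caller gets nil plus the decryption error with no indication that defaults were applied. That failure path should at least be documented, e.g. `// Stored config exists but cannot be decrypted: apply defaults so the server and admin API stay usable for a reset, then surface the error.`. If lookupConfigs has no side effects the call is dead and should be removed. The enclosing function starts and ends outside this hunk.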
@ -845,22 +845,14 @@ var (
|
|||||||
// Returns a minio-go Client configured to access remote host described by destDNSRecord
|
// Returns a minio-go Client configured to access remote host described by destDNSRecord
|
||||||
// Applicable only in a federated deployment
|
// Applicable only in a federated deployment
|
||||||
var getRemoteInstanceClient = func(r *http.Request, host string) (*miniogo.Core, error) {
|
var getRemoteInstanceClient = func(r *http.Request, host string) (*miniogo.Core, error) {
|
||||||
if newObjectLayerFn() == nil {
|
|
||||||
return nil, errServerNotInitialized
|
|
||||||
}
|
|
||||||
|
|
||||||
cred := getReqAccessCred(r, globalServerRegion)
|
cred := getReqAccessCred(r, globalServerRegion)
|
||||||
// In a federated deployment, all the instances share config files
|
// In a federated deployment, all the instances share config files
|
||||||
// and hence expected to have same credentials.
|
// and hence expected to have same credentials.
|
||||||
core, err := miniogo.NewCore(host, &miniogo.Options{
|
return miniogo.NewCore(host, &miniogo.Options{
|
||||||
Creds: credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, ""),
|
Creds: credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, ""),
|
||||||
Secure: globalIsTLS,
|
Secure: globalIsTLS,
|
||||||
Transport: getRemoteInstanceTransport,
|
Transport: getRemoteInstanceTransport,
|
||||||
})
|
})
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return core, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the destination bucket is on a remote site, this code only gets executed
|
// Check if the destination bucket is on a remote site, this code only gets executed
|
||||||
|
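Review bot: Removing the `newObjectLayerFn() == nil` check means getRemoteInstanceClient can be invoked before the server is initialized, and it reads globalServerRegion and globalIsTLS, which may still be zero values at that point; a false globalIsTLS is passed as Secure, so the remote connection would then be made without TLS. Whether any caller can reach this early is not visible from here, so if it is guaranteed, a comment such as `// Callers must only invoke this after the object layer is initialized; globalServerRegion and globalIsTLS are read unguarded.` would record that contract. Returning `miniogo.NewCore(...)` directly is fine.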
@ -72,7 +72,6 @@ const (
|
|||||||
StorageClassSubSys = "storage_class"
|
StorageClassSubSys = "storage_class"
|
||||||
APISubSys = "api"
|
APISubSys = "api"
|
||||||
CompressionSubSys = "compression"
|
CompressionSubSys = "compression"
|
||||||
KmsKesSubSys = "kms_kes"
|
|
||||||
LoggerWebhookSubSys = "logger_webhook"
|
LoggerWebhookSubSys = "logger_webhook"
|
||||||
AuditWebhookSubSys = "audit_webhook"
|
AuditWebhookSubSys = "audit_webhook"
|
||||||
HealSubSys = "heal"
|
HealSubSys = "heal"
|
||||||
@ -107,7 +106,6 @@ var SubSystems = set.CreateStringSet(
|
|||||||
APISubSys,
|
APISubSys,
|
||||||
StorageClassSubSys,
|
StorageClassSubSys,
|
||||||
CompressionSubSys,
|
CompressionSubSys,
|
||||||
KmsKesSubSys,
|
|
||||||
LoggerWebhookSubSys,
|
LoggerWebhookSubSys,
|
||||||
AuditWebhookSubSys,
|
AuditWebhookSubSys,
|
||||||
PolicyOPASubSys,
|
PolicyOPASubSys,
|
||||||
@ -144,7 +142,6 @@ var SubSystemsSingleTargets = set.CreateStringSet([]string{
|
|||||||
APISubSys,
|
APISubSys,
|
||||||
StorageClassSubSys,
|
StorageClassSubSys,
|
||||||
CompressionSubSys,
|
CompressionSubSys,
|
||||||
KmsKesSubSys,
|
|
||||||
PolicyOPASubSys,
|
PolicyOPASubSys,
|
||||||
IdentityLDAPSubSys,
|
IdentityLDAPSubSys,
|
||||||
IdentityOpenIDSubSys,
|
IdentityOpenIDSubSys,
|
||||||
|