mirror of
https://github.com/minio/minio.git
synced 2025-11-07 12:52:58 -05:00
remove unnecessary LRU for internode auth token (#20119)
removes contentious usage of mutexes in LRU, which were never really reused in any manner; we do not need it. To trust hosts, the correct way is TLS certs; this PR completely removes this dependency, which has never been useful. ``` 0 0% 100% 25.83s 26.76% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) 0 0% 100% 28.03s 29.04% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) ``` Bonus: use `x-minio-time` as a nanosecond to avoid unnecessary parsing logic of time strings instead of using a more straightforward mechanism.
This commit is contained in:
Harshavardhana
GitHub
@@ -871,6 +871,12 @@ func loadRootCredentials() {
|
||||
} else {
|
||||
globalActiveCred = auth.DefaultCredentials
|
||||
}
|
||||
|
||||
var err error
|
||||
globalNodeAuthToken, err = authenticateNode(globalActiveCred.AccessKey, globalActiveCred.SecretKey)
|
||||
if err != nil {
|
||||
logger.Fatal(err, "Unable to generate internode credentials")
|
||||
}
|
||||
}
|
||||
|
||||
// Initialize KMS global variable after valiadating and loading the configuration.
|
||||
|
||||
@@ -310,6 +310,7 @@ var (
|
||||
globalBootTime = UTCNow()
|
||||
|
||||
globalActiveCred auth.Credentials
|
||||
globalNodeAuthToken string
|
||||
globalSiteReplicatorCred siteReplicatorCred
|
||||
|
||||
// Captures if root credentials are set via ENV.
|
||||
|
||||
41
cmd/jwt.go
41
cmd/jwt.go
@@ -24,10 +24,8 @@ import (
|
||||
|
||||
jwtgo "github.com/golang-jwt/jwt/v4"
|
||||
jwtreq "github.com/golang-jwt/jwt/v4/request"
|
||||
"github.com/hashicorp/golang-lru/v2/expirable"
|
||||
"github.com/minio/minio/internal/auth"
|
||||
xjwt "github.com/minio/minio/internal/jwt"
|
||||
"github.com/minio/minio/internal/logger"
|
||||
"github.com/minio/pkg/v3/policy"
|
||||
)
|
||||
|
||||
@@ -37,8 +35,8 @@ const (
|
||||
// Default JWT token for web handlers is one day.
|
||||
defaultJWTExpiry = 24 * time.Hour
|
||||
|
||||
// Inter-node JWT token expiry is 15 minutes.
|
||||
defaultInterNodeJWTExpiry = 15 * time.Minute
|
||||
// Inter-node JWT token expiry is 100 years approx.
|
||||
defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -50,17 +48,10 @@ var (
|
||||
errMalformedAuth = errors.New("Malformed authentication input")
|
||||
)
|
||||
|
||||
type cacheKey struct {
|
||||
accessKey, secretKey, audience string
|
||||
}
|
||||
|
||||
var cacheLRU = expirable.NewLRU[cacheKey, string](1000, nil, 15*time.Second)
|
||||
|
||||
func authenticateNode(accessKey, secretKey, audience string) (string, error) {
|
||||
func authenticateNode(accessKey, secretKey string) (string, error) {
|
||||
claims := xjwt.NewStandardClaims()
|
||||
claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry))
|
||||
claims.SetAccessKey(accessKey)
|
||||
claims.SetAudience(audience)
|
||||
|
||||
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
|
||||
return jwt.SignedString([]byte(secretKey))
|
||||
@@ -141,27 +132,9 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b
|
||||
return claims, groups, owner, nil
|
||||
}
|
||||
|
||||
// newCachedAuthToken returns a token that is cached up to 15 seconds.
|
||||
// If globalActiveCred is updated it is reflected at once.
|
||||
func newCachedAuthToken() func(audience string) string {
|
||||
fn := func(accessKey, secretKey, audience string) (s string, err error) {
|
||||
k := cacheKey{accessKey: accessKey, secretKey: secretKey, audience: audience}
|
||||
|
||||
var ok bool
|
||||
s, ok = cacheLRU.Get(k)
|
||||
if !ok {
|
||||
s, err = authenticateNode(accessKey, secretKey, audience)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
cacheLRU.Add(k, s)
|
||||
}
|
||||
return s, nil
|
||||
}
|
||||
return func(audience string) string {
|
||||
cred := globalActiveCred
|
||||
token, err := fn(cred.AccessKey, cred.SecretKey, audience)
|
||||
logger.CriticalIf(GlobalContext, err)
|
||||
return token
|
||||
// newCachedAuthToken returns the cached token.
|
||||
func newCachedAuthToken() func() string {
|
||||
return func() string {
|
||||
return globalNodeAuthToken
|
||||
}
|
||||
}
|
||||
|
||||
@@ -107,7 +107,7 @@ func BenchmarkParseJWTStandardClaims(b *testing.B) {
|
||||
}
|
||||
|
||||
creds := globalActiveCred
|
||||
token, err := authenticateNode(creds.AccessKey, creds.SecretKey, "")
|
||||
token, err := authenticateNode(creds.AccessKey, creds.SecretKey)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
@@ -138,7 +138,7 @@ func BenchmarkParseJWTMapClaims(b *testing.B) {
|
||||
}
|
||||
|
||||
creds := globalActiveCred
|
||||
token, err := authenticateNode(creds.AccessKey, creds.SecretKey, "")
|
||||
token, err := authenticateNode(creds.AccessKey, creds.SecretKey)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
@@ -176,7 +176,7 @@ func BenchmarkAuthenticateNode(b *testing.B) {
|
||||
b.ResetTimer()
|
||||
b.ReportAllocs()
|
||||
for i := 0; i < b.N; i++ {
|
||||
fn(creds.AccessKey, creds.SecretKey, "aud")
|
||||
fn(creds.AccessKey, creds.SecretKey)
|
||||
}
|
||||
})
|
||||
b.Run("cached", func(b *testing.B) {
|
||||
@@ -184,7 +184,7 @@ func BenchmarkAuthenticateNode(b *testing.B) {
|
||||
b.ResetTimer()
|
||||
b.ReportAllocs()
|
||||
for i := 0; i < b.N; i++ {
|
||||
fn("aud")
|
||||
fn()
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
@@ -44,7 +44,7 @@ func createLockTestServer(ctx context.Context, t *testing.T) (string, *lockRESTS
|
||||
},
|
||||
}
|
||||
creds := globalActiveCred
|
||||
token, err := authenticateNode(creds.AccessKey, creds.SecretKey, "")
|
||||
token, err := authenticateNode(creds.AccessKey, creds.SecretKey)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
@@ -19,6 +19,7 @@ package cmd
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"encoding/hex"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
@@ -33,6 +34,7 @@ import (
|
||||
|
||||
"github.com/minio/minio/internal/auth"
|
||||
levent "github.com/minio/minio/internal/config/lambda/event"
|
||||
"github.com/minio/minio/internal/hash/sha256"
|
||||
xhttp "github.com/minio/minio/internal/http"
|
||||
"github.com/minio/minio/internal/logger"
|
||||
)
|
||||
@@ -77,16 +79,13 @@ func getLambdaEventData(bucket, object string, cred auth.Credentials, r *http.Re
|
||||
return levent.Event{}, err
|
||||
}
|
||||
|
||||
token, err := authenticateNode(cred.AccessKey, cred.SecretKey, u.RawQuery)
|
||||
if err != nil {
|
||||
return levent.Event{}, err
|
||||
}
|
||||
ckSum := sha256.Sum256([]byte(cred.AccessKey + u.RawQuery))
|
||||
|
||||
eventData := levent.Event{
|
||||
GetObjectContext: &levent.GetObjectContext{
|
||||
InputS3URL: u.String(),
|
||||
OutputRoute: shortuuid.New(),
|
||||
OutputToken: token,
|
||||
OutputToken: hex.EncodeToString(ckSum[:]),
|
||||
},
|
||||
UserRequest: levent.UserRequest{
|
||||
URL: r.URL.String(),
|
||||
|
||||
@@ -110,7 +110,7 @@ func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error)
|
||||
const DefaultSkewTime = 15 * time.Minute
|
||||
|
||||
// validateStorageRequestToken will validate the token against the provided audience.
|
||||
func validateStorageRequestToken(token, audience string) error {
|
||||
func validateStorageRequestToken(token string) error {
|
||||
claims := xjwt.NewStandardClaims()
|
||||
if err := xjwt.ParseWithStandardClaims(token, claims, []byte(globalActiveCred.SecretKey)); err != nil {
|
||||
return errAuthentication
|
||||
@@ -121,9 +121,6 @@ func validateStorageRequestToken(token, audience string) error {
|
||||
return errAuthentication
|
||||
}
|
||||
|
||||
if claims.Audience != audience {
|
||||
return errAuthentication
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -136,20 +133,24 @@ func storageServerRequestValidate(r *http.Request) error {
|
||||
}
|
||||
return errMalformedAuth
|
||||
}
|
||||
if err = validateStorageRequestToken(token, r.URL.RawQuery); err != nil {
|
||||
|
||||
if err = validateStorageRequestToken(token); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
requestTimeStr := r.Header.Get("X-Minio-Time")
|
||||
requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
|
||||
nanoTime, err := strconv.ParseInt(r.Header.Get("X-Minio-Time"), 10, 64)
|
||||
if err != nil {
|
||||
return errMalformedAuth
|
||||
}
|
||||
utcNow := UTCNow()
|
||||
delta := requestTime.Sub(utcNow)
|
||||
|
||||
localTime := UTCNow()
|
||||
remoteTime := time.Unix(0, nanoTime)
|
||||
|
||||
delta := remoteTime.Sub(localTime)
|
||||
if delta < 0 {
|
||||
delta *= -1
|
||||
}
|
||||
|
||||
if delta > DefaultSkewTime {
|
||||
return errSkewedAuthTime
|
||||
}
|
||||
|
||||
@@ -315,6 +315,7 @@ func newStorageRESTHTTPServerClient(t testing.TB) *storageRESTClient {
|
||||
url.Path = t.TempDir()
|
||||
|
||||
globalMinioHost, globalMinioPort = mustSplitHostPort(url.Host)
|
||||
globalNodeAuthToken, _ = authenticateNode(globalActiveCred.AccessKey, globalActiveCred.SecretKey)
|
||||
|
||||
endpoint, err := NewEndpoint(url.String())
|
||||
if err != nil {
|
||||
|
||||
@@ -83,6 +83,8 @@ func TestMain(m *testing.M) {
|
||||
SecretKey: auth.DefaultSecretKey,
|
||||
}
|
||||
|
||||
globalNodeAuthToken, _ = authenticateNode(auth.DefaultAccessKey, auth.DefaultSecretKey)
|
||||
|
||||
// disable ENVs which interfere with tests.
|
||||
for _, env := range []string{
|
||||
crypto.EnvKMSAutoEncryption,
|
||||
|
||||
Reference in New Issue
Block a user