mirror of
https://github.com/minio/minio.git
synced 2025-01-26 14:13:16 -05:00
Added endpoint
and versions
attributes to KMS details (#17350)
Now it would list details of all KMS instances with additional attributes `endpoint` and `version`. In the case of k8s-based deployment the list would consist of a single entry. Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
This commit is contained in:
parent
f80b6926d3
commit
9b9871cfbb
@ -1868,8 +1868,6 @@ func getPoolsInfo(ctx context.Context, allDisks []madmin.Disk) (map[int]map[int]
|
|||||||
}
|
}
|
||||||
|
|
||||||
func getServerInfo(ctx context.Context, poolsInfoEnabled bool, r *http.Request) madmin.InfoMessage {
|
func getServerInfo(ctx context.Context, poolsInfoEnabled bool, r *http.Request) madmin.InfoMessage {
|
||||||
kmsStat := fetchKMSStatus()
|
|
||||||
|
|
||||||
ldap := madmin.LDAP{}
|
ldap := madmin.LDAP{}
|
||||||
if globalIAMSys.LDAPConfig.Enabled() {
|
if globalIAMSys.LDAPConfig.Enabled() {
|
||||||
ldapConn, err := globalIAMSys.LDAPConfig.LDAP.Connect()
|
ldapConn, err := globalIAMSys.LDAPConfig.LDAP.Connect()
|
||||||
@ -1949,7 +1947,8 @@ func getServerInfo(ctx context.Context, poolsInfoEnabled bool, r *http.Request)
|
|||||||
|
|
||||||
domain := globalDomainNames
|
domain := globalDomainNames
|
||||||
services := madmin.Services{
|
services := madmin.Services{
|
||||||
KMS: kmsStat,
|
KMS: fetchKMSStatus(),
|
||||||
|
KMSStatus: fetchKMSStatusV2(ctx),
|
||||||
LDAP: ldap,
|
LDAP: ldap,
|
||||||
Logger: log,
|
Logger: log,
|
||||||
Audit: audit,
|
Audit: audit,
|
||||||
@ -2569,6 +2568,28 @@ func fetchKMSStatus() madmin.KMS {
|
|||||||
return kmsStat
|
return kmsStat
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// fetchKMSStatusV2 fetches KMS-related status information for all instances
|
||||||
|
func fetchKMSStatusV2(ctx context.Context) []madmin.KMS {
|
||||||
|
if GlobalKMS == nil {
|
||||||
|
return []madmin.KMS{}
|
||||||
|
}
|
||||||
|
|
||||||
|
results := GlobalKMS.Verify(ctx)
|
||||||
|
|
||||||
|
stats := []madmin.KMS{}
|
||||||
|
for _, result := range results {
|
||||||
|
stats = append(stats, madmin.KMS{
|
||||||
|
Status: result.Status,
|
||||||
|
Endpoint: result.Endpoint,
|
||||||
|
Encrypt: result.Encrypt,
|
||||||
|
Decrypt: result.Decrypt,
|
||||||
|
Version: result.Version,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return stats
|
||||||
|
}
|
||||||
|
|
||||||
// fetchLoggerDetails return log info
|
// fetchLoggerDetails return log info
|
||||||
func fetchLoggerInfo() ([]madmin.Logger, []madmin.Audit) {
|
func fetchLoggerInfo() ([]madmin.Logger, []madmin.Audit) {
|
||||||
var loggerInfo []madmin.Logger
|
var loggerInfo []madmin.Logger
|
||||||
|
2
go.mod
2
go.mod
@ -49,7 +49,7 @@ require (
|
|||||||
github.com/minio/dperf v0.5.0
|
github.com/minio/dperf v0.5.0
|
||||||
github.com/minio/highwayhash v1.0.2
|
github.com/minio/highwayhash v1.0.2
|
||||||
github.com/minio/kes-go v0.1.0
|
github.com/minio/kes-go v0.1.0
|
||||||
github.com/minio/madmin-go/v3 v3.0.5
|
github.com/minio/madmin-go/v3 v3.0.6
|
||||||
github.com/minio/minio-go/v7 v7.0.59
|
github.com/minio/minio-go/v7 v7.0.59
|
||||||
github.com/minio/mux v1.9.0
|
github.com/minio/mux v1.9.0
|
||||||
github.com/minio/pkg v1.7.5
|
github.com/minio/pkg v1.7.5
|
||||||
|
4
go.sum
4
go.sum
@ -483,8 +483,8 @@ github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA
|
|||||||
github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
|
github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
|
||||||
github.com/minio/kes-go v0.1.0 h1:h201DyOYP5sTqajkxFGxmXz/kPbT8HQNX1uh3Yx2PFc=
|
github.com/minio/kes-go v0.1.0 h1:h201DyOYP5sTqajkxFGxmXz/kPbT8HQNX1uh3Yx2PFc=
|
||||||
github.com/minio/kes-go v0.1.0/go.mod h1:VorHLaIYis9/MxAHAtXN4d8PUMNKhIxTIlvFt0hBOEo=
|
github.com/minio/kes-go v0.1.0/go.mod h1:VorHLaIYis9/MxAHAtXN4d8PUMNKhIxTIlvFt0hBOEo=
|
||||||
github.com/minio/madmin-go/v3 v3.0.5 h1:ynWTsnszHnQVJWRL2OE4ysCvCNG0uHgdTvJpdLazf9c=
|
github.com/minio/madmin-go/v3 v3.0.6 h1:rlU0UCwRhi/bI5R9Pg5df88ddqFNFA5mpmxScAanQCA=
|
||||||
github.com/minio/madmin-go/v3 v3.0.5/go.mod h1:lPrMoc1aeiIWmmrxBthkDqzMPQwC/Lu9ByuyM2wenJk=
|
github.com/minio/madmin-go/v3 v3.0.6/go.mod h1:lPrMoc1aeiIWmmrxBthkDqzMPQwC/Lu9ByuyM2wenJk=
|
||||||
github.com/minio/mc v0.0.0-20230706154612-72958227ad65 h1:27INveRWSp7yAEy4szNp15DOA2dyOwnxTGt/p0JuTh4=
|
github.com/minio/mc v0.0.0-20230706154612-72958227ad65 h1:27INveRWSp7yAEy4szNp15DOA2dyOwnxTGt/p0JuTh4=
|
||||||
github.com/minio/mc v0.0.0-20230706154612-72958227ad65/go.mod h1:41ndsUBIAA/dRjOQ/0KY4d8vI70gDiKeMo1zusOQRWk=
|
github.com/minio/mc v0.0.0-20230706154612-72958227ad65/go.mod h1:41ndsUBIAA/dRjOQ/0KY4d8vI70gDiKeMo1zusOQRWk=
|
||||||
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
|
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
|
||||||
|
@ -20,9 +20,11 @@ package kms
|
|||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
|
"crypto/subtle"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
@ -467,3 +469,51 @@ func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.Id
|
|||||||
|
|
||||||
return c.enclave.ListIdentities(ctx, pattern)
|
return c.enclave.ListIdentities(ctx, pattern)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Verify verifies all KMS endpoints and returns details
|
||||||
|
func (c *kesClient) Verify(ctx context.Context) []VerifyResult {
|
||||||
|
c.lock.RLock()
|
||||||
|
defer c.lock.RUnlock()
|
||||||
|
|
||||||
|
results := []VerifyResult{}
|
||||||
|
kmsContext := Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation
|
||||||
|
for _, endpoint := range c.client.Endpoints {
|
||||||
|
client := kes.Client{
|
||||||
|
Endpoints: []string{endpoint},
|
||||||
|
HTTPClient: c.client.HTTPClient,
|
||||||
|
}
|
||||||
|
|
||||||
|
// 1. Get stats for the KES instance
|
||||||
|
state, err := client.Status(ctx)
|
||||||
|
if err != nil {
|
||||||
|
results = append(results, VerifyResult{Status: "offline", Endpoint: endpoint})
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. Generate a new key using the KMS.
|
||||||
|
kmsCtx, err := kmsContext.MarshalText()
|
||||||
|
if err != nil {
|
||||||
|
results = append(results, VerifyResult{Status: "offline", Endpoint: endpoint})
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
result := VerifyResult{Status: "online", Endpoint: endpoint, Version: state.Version}
|
||||||
|
key, err := client.GenerateKey(ctx, env.Get(EnvKESKeyName, ""), kmsCtx)
|
||||||
|
if err != nil {
|
||||||
|
result.Encrypt = fmt.Sprintf("Encryption failed: %v", err)
|
||||||
|
} else {
|
||||||
|
result.Encrypt = "success"
|
||||||
|
}
|
||||||
|
// 3. Verify that we can indeed decrypt the (encrypted) key
|
||||||
|
decryptedKey, err := client.Decrypt(ctx, env.Get(EnvKESKeyName, ""), key.Ciphertext, kmsCtx)
|
||||||
|
switch {
|
||||||
|
case err != nil:
|
||||||
|
result.Decrypt = fmt.Sprintf("Decryption failed: %v", err)
|
||||||
|
case subtle.ConstantTimeCompare(key.Plaintext, decryptedKey) != 1:
|
||||||
|
result.Decrypt = "Decryption failed: decrypted key does not match generated key"
|
||||||
|
default:
|
||||||
|
result.Decrypt = "success"
|
||||||
|
}
|
||||||
|
results = append(results, result)
|
||||||
|
}
|
||||||
|
return results
|
||||||
|
}
|
||||||
|
@ -67,6 +67,18 @@ type KMS interface {
|
|||||||
// by the key ID. The contexts must match the context value
|
// by the key ID. The contexts must match the context value
|
||||||
// used to generate the ciphertexts.
|
// used to generate the ciphertexts.
|
||||||
DecryptAll(ctx context.Context, keyID string, ciphertext [][]byte, context []Context) ([][]byte, error)
|
DecryptAll(ctx context.Context, keyID string, ciphertext [][]byte, context []Context) ([][]byte, error)
|
||||||
|
|
||||||
|
// Verify verifies all KMS endpoints and returns the details
|
||||||
|
Verify(cxt context.Context) []VerifyResult
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyResult describes the verification result details a KMS endpoint
|
||||||
|
type VerifyResult struct {
|
||||||
|
Endpoint string
|
||||||
|
Decrypt string
|
||||||
|
Encrypt string
|
||||||
|
Version string
|
||||||
|
Status string
|
||||||
}
|
}
|
||||||
|
|
||||||
// Status describes the current state of a KMS.
|
// Status describes the current state of a KMS.
|
||||||
|
@ -303,6 +303,13 @@ func (kms secretKey) DecryptAll(_ context.Context, keyID string, ciphertexts [][
|
|||||||
return plaintexts, nil
|
return plaintexts, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Verify verifies all KMS endpoints and returns details
|
||||||
|
func (kms secretKey) Verify(cxt context.Context) []VerifyResult {
|
||||||
|
return []VerifyResult{
|
||||||
|
{Endpoint: "self"},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
type encryptedKey struct {
|
type encryptedKey struct {
|
||||||
Algorithm string `json:"aead"`
|
Algorithm string `json:"aead"`
|
||||||
IV []byte `json:"iv"`
|
IV []byte `json:"iv"`
|
||||||
|
Loading…
x
Reference in New Issue
Block a user