fix: enable AssumeRoleWithCertificate API only when asked (#13410)

This is a breaking change but we need to do this to avoid
issues discussed in #13409 based on discussions from #13371

fixes #13371
fixes #13409
This commit is contained in:
Harshavardhana 2021-10-11 14:23:51 -07:00 committed by GitHub
parent c19b1a143e
commit 9ea45399ce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 14 deletions

View File

@ -496,6 +496,10 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err)) logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
} }
if globalSTSTLSConfig.InsecureSkipVerify {
logger.Info("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify)
}
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default], globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
NewGatewayHTTPTransport(), xhttp.DrainBody) NewGatewayHTTPTransport(), xhttp.DrainBody)
if err != nil { if err != nil {

View File

@ -16,9 +16,9 @@ ARGS:
MINIO_IDENTITY_TLS_SKIP_VERIFY (on|off) trust client certificates without verification. Defaults to "off" (verify) MINIO_IDENTITY_TLS_SKIP_VERIFY (on|off) trust client certificates without verification. Defaults to "off" (verify)
``` ```
The MinIO TLS STS API is enabled by default. However, it can be completely *disabled* by setting: The MinIO TLS STS API is disabled by default. However, it can be *enabled* by setting environment variable:
``` ```
MINIO_IDENTITY_TLS_ENABLE=off export MINIO_IDENTITY_TLS_ENABLE=on
``` ```
## Example ## Example
@ -102,6 +102,11 @@ The returned credentials expiry after a certain period of time that can be confi
Further, the temp. S3 credentials will never out-live the client certificate. For example, if the `MINIO_IDENTITY_TLS_STS_EXPIRY` is 7 days but the certificate itself is only valid for the next 3 days, then MinIO will return S3 credentials that are valid for 3 days only. Further, the temp. S3 credentials will never out-live the client certificate. For example, if the `MINIO_IDENTITY_TLS_STS_EXPIRY` is 7 days but the certificate itself is only valid for the next 3 days, then MinIO will return S3 credentials that are valid for 3 days only.
## Caveat
*Applications that use direct S3 API will work fine, however interactive users uploading content using (when POSTing to the presigned URL an app generates) a popup becomes visible on browser to provide client certs, you would have to manually cancel and continue. This may be annoying to use but there is no workaround for now.*
## Explore Further ## Explore Further
- [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html) - [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)
- [The MinIO documentation website](https://docs.min.io) - [The MinIO documentation website](https://docs.min.io)

View File

@ -23,16 +23,15 @@ import (
"github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/logger"
"github.com/minio/pkg/env" "github.com/minio/pkg/env"
) )
const ( const (
// EnvEnabled is an environment variable that controls whether the X.509 // EnvIdentityTLSEnabled is an environment variable that controls whether the X.509
// TLS STS API is enabled. By default, if not set, it is enabled. // TLS STS API is enabled. By default, if not set, it is enabled.
EnvEnabled = "MINIO_IDENTITY_TLS_ENABLE" EnvIdentityTLSEnabled = "MINIO_IDENTITY_TLS_ENABLE"
// EnvSkipVerify is an environment variable that controls whether // EnvIdentityTLSSkipVerify is an environment variable that controls whether
// MinIO verifies the client certificate present by the client // MinIO verifies the client certificate present by the client
// when requesting temp. credentials. // when requesting temp. credentials.
// By default, MinIO always verify the client certificate. // By default, MinIO always verify the client certificate.
@ -41,7 +40,7 @@ const (
// when debugging or testing a setup since it allows arbitrary // when debugging or testing a setup since it allows arbitrary
// clients to obtain temp. credentials with arbitrary policy // clients to obtain temp. credentials with arbitrary policy
// permissions - including admin permissions. // permissions - including admin permissions.
EnvSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY" EnvIdentityTLSSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY"
) )
// Config contains the STS TLS configuration for generating temp. // Config contains the STS TLS configuration for generating temp.
@ -86,14 +85,11 @@ func Lookup(kvs config.KVS) (Config, error) {
if err := config.CheckValidKeys(config.IdentityTLSSubSys, kvs, DefaultKVS); err != nil { if err := config.CheckValidKeys(config.IdentityTLSSubSys, kvs, DefaultKVS); err != nil {
return Config{}, err return Config{}, err
} }
insecureSkipVerify, err := config.ParseBool(env.Get(EnvSkipVerify, kvs.Get(skipVerify))) insecureSkipVerify, err := config.ParseBool(env.Get(EnvIdentityTLSSkipVerify, kvs.Get(skipVerify)))
if err != nil { if err != nil {
return Config{}, err return Config{}, err
} }
if insecureSkipVerify { enabled, err := config.ParseBool(env.Get(EnvIdentityTLSEnabled, ""))
logger.Info("CRITICAL: enabling MINIO_IDENTITY_TLS_SKIP_VERIFY is not recommended in a production environment")
}
enabled, err := config.ParseBool(env.Get(EnvEnabled, config.EnableOn))
if err != nil { if err != nil {
return Config{}, err return Config{}, err
} }

View File

@ -32,6 +32,7 @@ import (
"github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/config/api" "github.com/minio/minio/internal/config/api"
xtls "github.com/minio/minio/internal/config/identity/tls"
"github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/fips"
"github.com/minio/pkg/certs" "github.com/minio/pkg/certs"
"github.com/minio/pkg/env" "github.com/minio/pkg/env"
@ -163,7 +164,6 @@ func (srv *Server) Shutdown() error {
// NewServer - creates new HTTP server using given arguments. // NewServer - creates new HTTP server using given arguments.
func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server { func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
var tlsConfig *tls.Config var tlsConfig *tls.Config
if getCert != nil { if getCert != nil {
tlsConfig = &tls.Config{ tlsConfig = &tls.Config{
@ -171,8 +171,13 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
NextProtos: []string{"http/1.1", "h2"}, NextProtos: []string{"http/1.1", "h2"},
GetCertificate: getCert, GetCertificate: getCert,
ClientAuth: tls.RequestClientCert,
} }
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
if tlsClientIdentity {
tlsConfig.ClientAuth = tls.RequestClientCert
}
if secureCiphers || fips.Enabled { if secureCiphers || fips.Enabled {
tlsConfig.CipherSuites = fips.CipherSuitesTLS() tlsConfig.CipherSuites = fips.CipherSuitesTLS()
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS() tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()