mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
fix: enable AssumeRoleWithCertificate API only when asked (#13410)
This is a breaking change but we need to do this to avoid issues discussed in #13409 based on discussions from #13371 fixes #13371 fixes #13409
This commit is contained in:
parent
c19b1a143e
commit
9ea45399ce
@ -496,6 +496,10 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
|||||||
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if globalSTSTLSConfig.InsecureSkipVerify {
|
||||||
|
logger.Info("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify)
|
||||||
|
}
|
||||||
|
|
||||||
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
|
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
|
||||||
NewGatewayHTTPTransport(), xhttp.DrainBody)
|
NewGatewayHTTPTransport(), xhttp.DrainBody)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -16,9 +16,9 @@ ARGS:
|
|||||||
MINIO_IDENTITY_TLS_SKIP_VERIFY (on|off) trust client certificates without verification. Defaults to "off" (verify)
|
MINIO_IDENTITY_TLS_SKIP_VERIFY (on|off) trust client certificates without verification. Defaults to "off" (verify)
|
||||||
```
|
```
|
||||||
|
|
||||||
The MinIO TLS STS API is enabled by default. However, it can be completely *disabled* by setting:
|
The MinIO TLS STS API is disabled by default. However, it can be *enabled* by setting environment variable:
|
||||||
```
|
```
|
||||||
MINIO_IDENTITY_TLS_ENABLE=off
|
export MINIO_IDENTITY_TLS_ENABLE=on
|
||||||
```
|
```
|
||||||
|
|
||||||
## Example
|
## Example
|
||||||
@ -102,6 +102,11 @@ The returned credentials expiry after a certain period of time that can be confi
|
|||||||
|
|
||||||
Further, the temp. S3 credentials will never out-live the client certificate. For example, if the `MINIO_IDENTITY_TLS_STS_EXPIRY` is 7 days but the certificate itself is only valid for the next 3 days, then MinIO will return S3 credentials that are valid for 3 days only.
|
Further, the temp. S3 credentials will never out-live the client certificate. For example, if the `MINIO_IDENTITY_TLS_STS_EXPIRY` is 7 days but the certificate itself is only valid for the next 3 days, then MinIO will return S3 credentials that are valid for 3 days only.
|
||||||
|
|
||||||
|
## Caveat
|
||||||
|
|
||||||
|
*Applications that use direct S3 API will work fine, however interactive users uploading content using (when POSTing to the presigned URL an app generates) a popup becomes visible on browser to provide client certs, you would have to manually cancel and continue. This may be annoying to use but there is no workaround for now.*
|
||||||
|
|
||||||
|
|
||||||
## Explore Further
|
## Explore Further
|
||||||
- [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)
|
- [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)
|
||||||
- [The MinIO documentation website](https://docs.min.io)
|
- [The MinIO documentation website](https://docs.min.io)
|
||||||
|
@ -23,16 +23,15 @@ import (
|
|||||||
|
|
||||||
"github.com/minio/minio/internal/auth"
|
"github.com/minio/minio/internal/auth"
|
||||||
"github.com/minio/minio/internal/config"
|
"github.com/minio/minio/internal/config"
|
||||||
"github.com/minio/minio/internal/logger"
|
|
||||||
"github.com/minio/pkg/env"
|
"github.com/minio/pkg/env"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// EnvEnabled is an environment variable that controls whether the X.509
|
// EnvIdentityTLSEnabled is an environment variable that controls whether the X.509
|
||||||
// TLS STS API is enabled. By default, if not set, it is enabled.
|
// TLS STS API is enabled. By default, if not set, it is enabled.
|
||||||
EnvEnabled = "MINIO_IDENTITY_TLS_ENABLE"
|
EnvIdentityTLSEnabled = "MINIO_IDENTITY_TLS_ENABLE"
|
||||||
|
|
||||||
// EnvSkipVerify is an environment variable that controls whether
|
// EnvIdentityTLSSkipVerify is an environment variable that controls whether
|
||||||
// MinIO verifies the client certificate present by the client
|
// MinIO verifies the client certificate present by the client
|
||||||
// when requesting temp. credentials.
|
// when requesting temp. credentials.
|
||||||
// By default, MinIO always verify the client certificate.
|
// By default, MinIO always verify the client certificate.
|
||||||
@ -41,7 +40,7 @@ const (
|
|||||||
// when debugging or testing a setup since it allows arbitrary
|
// when debugging or testing a setup since it allows arbitrary
|
||||||
// clients to obtain temp. credentials with arbitrary policy
|
// clients to obtain temp. credentials with arbitrary policy
|
||||||
// permissions - including admin permissions.
|
// permissions - including admin permissions.
|
||||||
EnvSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY"
|
EnvIdentityTLSSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Config contains the STS TLS configuration for generating temp.
|
// Config contains the STS TLS configuration for generating temp.
|
||||||
@ -86,14 +85,11 @@ func Lookup(kvs config.KVS) (Config, error) {
|
|||||||
if err := config.CheckValidKeys(config.IdentityTLSSubSys, kvs, DefaultKVS); err != nil {
|
if err := config.CheckValidKeys(config.IdentityTLSSubSys, kvs, DefaultKVS); err != nil {
|
||||||
return Config{}, err
|
return Config{}, err
|
||||||
}
|
}
|
||||||
insecureSkipVerify, err := config.ParseBool(env.Get(EnvSkipVerify, kvs.Get(skipVerify)))
|
insecureSkipVerify, err := config.ParseBool(env.Get(EnvIdentityTLSSkipVerify, kvs.Get(skipVerify)))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return Config{}, err
|
return Config{}, err
|
||||||
}
|
}
|
||||||
if insecureSkipVerify {
|
enabled, err := config.ParseBool(env.Get(EnvIdentityTLSEnabled, ""))
|
||||||
logger.Info("CRITICAL: enabling MINIO_IDENTITY_TLS_SKIP_VERIFY is not recommended in a production environment")
|
|
||||||
}
|
|
||||||
enabled, err := config.ParseBool(env.Get(EnvEnabled, config.EnableOn))
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return Config{}, err
|
return Config{}, err
|
||||||
}
|
}
|
||||||
|
@ -32,6 +32,7 @@ import (
|
|||||||
|
|
||||||
"github.com/minio/minio/internal/config"
|
"github.com/minio/minio/internal/config"
|
||||||
"github.com/minio/minio/internal/config/api"
|
"github.com/minio/minio/internal/config/api"
|
||||||
|
xtls "github.com/minio/minio/internal/config/identity/tls"
|
||||||
"github.com/minio/minio/internal/fips"
|
"github.com/minio/minio/internal/fips"
|
||||||
"github.com/minio/pkg/certs"
|
"github.com/minio/pkg/certs"
|
||||||
"github.com/minio/pkg/env"
|
"github.com/minio/pkg/env"
|
||||||
@ -163,7 +164,6 @@ func (srv *Server) Shutdown() error {
|
|||||||
// NewServer - creates new HTTP server using given arguments.
|
// NewServer - creates new HTTP server using given arguments.
|
||||||
func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
|
func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
|
||||||
secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
|
secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
|
||||||
|
|
||||||
var tlsConfig *tls.Config
|
var tlsConfig *tls.Config
|
||||||
if getCert != nil {
|
if getCert != nil {
|
||||||
tlsConfig = &tls.Config{
|
tlsConfig = &tls.Config{
|
||||||
@ -171,8 +171,13 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
|
|||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
NextProtos: []string{"http/1.1", "h2"},
|
NextProtos: []string{"http/1.1", "h2"},
|
||||||
GetCertificate: getCert,
|
GetCertificate: getCert,
|
||||||
ClientAuth: tls.RequestClientCert,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
|
||||||
|
if tlsClientIdentity {
|
||||||
|
tlsConfig.ClientAuth = tls.RequestClientCert
|
||||||
|
}
|
||||||
|
|
||||||
if secureCiphers || fips.Enabled {
|
if secureCiphers || fips.Enabled {
|
||||||
tlsConfig.CipherSuites = fips.CipherSuitesTLS()
|
tlsConfig.CipherSuites = fips.CipherSuitesTLS()
|
||||||
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
|
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
|
||||||
|
Loading…
Reference in New Issue
Block a user