mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
fix: enable AssumeRoleWithCertificate API only when asked (#13410)
This is a breaking change but we need to do this to avoid issues discussed in #13409 based on discussions from #13371 fixes #13371 fixes #13409
This commit is contained in:
parent
c19b1a143e
commit
9ea45399ce
@ -496,6 +496,10 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
||||
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
|
||||
}
|
||||
|
||||
if globalSTSTLSConfig.InsecureSkipVerify {
|
||||
logger.Info("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify)
|
||||
}
|
||||
|
||||
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
|
||||
NewGatewayHTTPTransport(), xhttp.DrainBody)
|
||||
if err != nil {
|
||||
|
@ -16,9 +16,9 @@ ARGS:
|
||||
MINIO_IDENTITY_TLS_SKIP_VERIFY (on|off) trust client certificates without verification. Defaults to "off" (verify)
|
||||
```
|
||||
|
||||
The MinIO TLS STS API is enabled by default. However, it can be completely *disabled* by setting:
|
||||
The MinIO TLS STS API is disabled by default. However, it can be *enabled* by setting environment variable:
|
||||
```
|
||||
MINIO_IDENTITY_TLS_ENABLE=off
|
||||
export MINIO_IDENTITY_TLS_ENABLE=on
|
||||
```
|
||||
|
||||
## Example
|
||||
@ -102,6 +102,11 @@ The returned credentials expiry after a certain period of time that can be confi
|
||||
|
||||
Further, the temp. S3 credentials will never out-live the client certificate. For example, if the `MINIO_IDENTITY_TLS_STS_EXPIRY` is 7 days but the certificate itself is only valid for the next 3 days, then MinIO will return S3 credentials that are valid for 3 days only.
|
||||
|
||||
## Caveat
|
||||
|
||||
*Applications that use direct S3 API will work fine, however interactive users uploading content using (when POSTing to the presigned URL an app generates) a popup becomes visible on browser to provide client certs, you would have to manually cancel and continue. This may be annoying to use but there is no workaround for now.*
|
||||
|
||||
|
||||
## Explore Further
|
||||
- [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)
|
||||
- [The MinIO documentation website](https://docs.min.io)
|
||||
|
@ -23,16 +23,15 @@ import (
|
||||
|
||||
"github.com/minio/minio/internal/auth"
|
||||
"github.com/minio/minio/internal/config"
|
||||
"github.com/minio/minio/internal/logger"
|
||||
"github.com/minio/pkg/env"
|
||||
)
|
||||
|
||||
const (
|
||||
// EnvEnabled is an environment variable that controls whether the X.509
|
||||
// EnvIdentityTLSEnabled is an environment variable that controls whether the X.509
|
||||
// TLS STS API is enabled. By default, if not set, it is enabled.
|
||||
EnvEnabled = "MINIO_IDENTITY_TLS_ENABLE"
|
||||
EnvIdentityTLSEnabled = "MINIO_IDENTITY_TLS_ENABLE"
|
||||
|
||||
// EnvSkipVerify is an environment variable that controls whether
|
||||
// EnvIdentityTLSSkipVerify is an environment variable that controls whether
|
||||
// MinIO verifies the client certificate present by the client
|
||||
// when requesting temp. credentials.
|
||||
// By default, MinIO always verify the client certificate.
|
||||
@ -41,7 +40,7 @@ const (
|
||||
// when debugging or testing a setup since it allows arbitrary
|
||||
// clients to obtain temp. credentials with arbitrary policy
|
||||
// permissions - including admin permissions.
|
||||
EnvSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY"
|
||||
EnvIdentityTLSSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY"
|
||||
)
|
||||
|
||||
// Config contains the STS TLS configuration for generating temp.
|
||||
@ -86,14 +85,11 @@ func Lookup(kvs config.KVS) (Config, error) {
|
||||
if err := config.CheckValidKeys(config.IdentityTLSSubSys, kvs, DefaultKVS); err != nil {
|
||||
return Config{}, err
|
||||
}
|
||||
insecureSkipVerify, err := config.ParseBool(env.Get(EnvSkipVerify, kvs.Get(skipVerify)))
|
||||
insecureSkipVerify, err := config.ParseBool(env.Get(EnvIdentityTLSSkipVerify, kvs.Get(skipVerify)))
|
||||
if err != nil {
|
||||
return Config{}, err
|
||||
}
|
||||
if insecureSkipVerify {
|
||||
logger.Info("CRITICAL: enabling MINIO_IDENTITY_TLS_SKIP_VERIFY is not recommended in a production environment")
|
||||
}
|
||||
enabled, err := config.ParseBool(env.Get(EnvEnabled, config.EnableOn))
|
||||
enabled, err := config.ParseBool(env.Get(EnvIdentityTLSEnabled, ""))
|
||||
if err != nil {
|
||||
return Config{}, err
|
||||
}
|
||||
|
@ -32,6 +32,7 @@ import (
|
||||
|
||||
"github.com/minio/minio/internal/config"
|
||||
"github.com/minio/minio/internal/config/api"
|
||||
xtls "github.com/minio/minio/internal/config/identity/tls"
|
||||
"github.com/minio/minio/internal/fips"
|
||||
"github.com/minio/pkg/certs"
|
||||
"github.com/minio/pkg/env"
|
||||
@ -163,7 +164,6 @@ func (srv *Server) Shutdown() error {
|
||||
// NewServer - creates new HTTP server using given arguments.
|
||||
func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
|
||||
secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
|
||||
|
||||
var tlsConfig *tls.Config
|
||||
if getCert != nil {
|
||||
tlsConfig = &tls.Config{
|
||||
@ -171,8 +171,13 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
|
||||
MinVersion: tls.VersionTLS12,
|
||||
NextProtos: []string{"http/1.1", "h2"},
|
||||
GetCertificate: getCert,
|
||||
ClientAuth: tls.RequestClientCert,
|
||||
}
|
||||
|
||||
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
|
||||
if tlsClientIdentity {
|
||||
tlsConfig.ClientAuth = tls.RequestClientCert
|
||||
}
|
||||
|
||||
if secureCiphers || fips.Enabled {
|
||||
tlsConfig.CipherSuites = fips.CipherSuitesTLS()
|
||||
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
|
||||
|
Loading…
Reference in New Issue
Block a user