MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-20 18:06:10 -05:00
Code Issues Packages Projects Releases Wiki Activity

Migrate all backend at .minio.sys/config to encrypted backend (#8474)

Browse Source 
- Supports migrating only when the credential ENVs are set,
  so any FS mode deployments which do not have ENVs set will
  continue to remain as is.
- Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD
  and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed
  to rotate the encrypted content to a new admin key.
This commit is contained in:
Harshavardhana
2019-11-01 15:53:16 -07:00
committed by kannappanr
parent fa325665b1
commit d28bcb4f84
15 changed files with 510 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
cmd/server-main.go
View File

@@ -178,18 +178,6 @@ func serverHandleCmdArgs(ctx *cli.Context) {
func serverHandleEnvVars() {
// Handle common environment variables.
handleCommonEnvVars()
accessKey := env.Get(config.EnvAccessKey, "")
secretKey := env.Get(config.EnvSecretKey, "")
if accessKey != "" && secretKey != "" {
cred, err := auth.CreateCredentials(accessKey, secretKey)
if err != nil {
logger.Fatal(config.ErrInvalidCredentials(err),
"Unable to validate credentials inherited from the shell environment")
}
globalActiveCred = cred
}
}
func initAllSubsystems(newObject ObjectLayer) {
@@ -350,9 +338,25 @@ func serverMain(ctx *cli.Context) {
// Re-enable logging
logger.Disable = false
// Migrate all backend configs to encrypted backend, also handles rotation as well.
logger.FatalIf(handleEncryptedConfigBackend(newObject, true),
"Unable to handle encrypted backend for config, iam and policies")
// **** WARNING ****
// Migrating to encrypted backend should happen before initialization of any
// sub-systems, make sure that we do not move the above codeblock elsewhere.
// Validate and initialize all subsystems.
initAllSubsystems(newObject)
if globalEtcdClient != nil {
// **** WARNING ****
// Migrating to encrypted backend on etcd should happen before initialization of
// IAM sub-systems, make sure that we do not move the above codeblock elsewhere.
logger.FatalIf(migrateIAMConfigsEtcdToEncrypted(globalEtcdClient),
"Unable to handle encrypted backend for iam and policies")
}
if globalCacheConfig.Enabled {
logger.StartupMessage(color.Red(color.Bold("Disk caching is recommended only for gateway deployments")))