flags: Remove anonymous, ratelimit, json and web-address flags.

- Web address now uses the port + 1 from the API address port directly.
- Remove ratelimiting, ratelimiting will be achieved if necessary through
  iptables.
- Remove json flag, not needed anymore.
- Remove anonymous flag, server will be no more anonymous for play.minio.io
  we will use demo credentials.
This commit is contained in:
Harshavardhana 2016-02-02 17:38:02 -08:00
parent b01594ac33
commit df91661ec6
8 changed files with 98 additions and 282 deletions

View File

@ -34,13 +34,6 @@ func (api CloudStorageAPI) GetBucketLocationHandler(w http.ResponseWriter, req *
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
_, err := api.Filesystem.GetBucketMetadata(bucket)
if err != nil {
errorIf(err.Trace(), "GetBucketMetadata failed.", nil)
@ -75,13 +68,6 @@ func (api CloudStorageAPI) ListMultipartUploadsHandler(w http.ResponseWriter, re
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
resources := getBucketMultipartResources(req.URL.Query())
if resources.MaxUploads < 0 {
writeErrorResponse(w, req, InvalidMaxUploads, req.URL.Path)
@ -121,15 +107,6 @@ func (api CloudStorageAPI) ListObjectsHandler(w http.ResponseWriter, req *http.R
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
if api.Filesystem.IsPrivateBucket(bucket) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
}
// TODO handle encoding type.
prefix, marker, delimiter, maxkeys, _ := getBucketResources(req.URL.Query())
if maxkeys < 0 {
@ -171,12 +148,6 @@ func (api CloudStorageAPI) ListObjectsHandler(w http.ResponseWriter, req *http.R
// This implementation of the GET operation returns a list of all buckets
// owned by the authenticated sender of the request.
func (api CloudStorageAPI) ListBucketsHandler(w http.ResponseWriter, req *http.Request) {
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
buckets, err := api.Filesystem.ListBuckets()
if err == nil {
// generate response
@ -199,13 +170,6 @@ func (api CloudStorageAPI) PutBucketHandler(w http.ResponseWriter, req *http.Req
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
// read from 'x-amz-acl'
aclType := getACLType(req)
if aclType == unsupportedACLType {
@ -214,26 +178,24 @@ func (api CloudStorageAPI) PutBucketHandler(w http.ResponseWriter, req *http.Req
}
var signature *fs.Signature
if !api.Anonymous {
// Init signature V4 verification
if isRequestSignatureV4(req) {
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
// Init signature V4 verification
if isRequestSignatureV4(req) {
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
}
}
@ -374,13 +336,6 @@ func (api CloudStorageAPI) PutBucketACLHandler(w http.ResponseWriter, req *http.
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
// read from 'x-amz-acl'
aclType := getACLType(req)
if aclType == unsupportedACLType {
@ -413,13 +368,6 @@ func (api CloudStorageAPI) GetBucketACLHandler(w http.ResponseWriter, req *http.
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
bucketMetadata, err := api.Filesystem.GetBucketMetadata(bucket)
if err != nil {
errorIf(err.Trace(), "GetBucketMetadata failed.", nil)
@ -452,15 +400,6 @@ func (api CloudStorageAPI) HeadBucketHandler(w http.ResponseWriter, req *http.Re
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
if api.Filesystem.IsPrivateBucket(bucket) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
}
_, err := api.Filesystem.GetBucketMetadata(bucket)
if err != nil {
errorIf(err.Trace(), "GetBucketMetadata failed.", nil)
@ -482,13 +421,6 @@ func (api CloudStorageAPI) DeleteBucketHandler(w http.ResponseWriter, req *http.
vars := mux.Vars(req)
bucket := vars["bucket"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
err := api.Filesystem.DeleteBucket(bucket)
if err != nil {
errorIf(err.Trace(), "DeleteBucket failed.", nil)

View File

@ -34,32 +34,12 @@ var (
Usage: "ADDRESS:PORT for cloud storage access.",
}
webAddressFlag = cli.StringFlag{
Name: "web-address",
Value: ":9001",
Hide: true,
Usage: "WEBADDRESS:PORT for cloud storage access.",
}
accessLogFlag = cli.BoolFlag{
Name: "enable-accesslog",
Hide: true,
Usage: "Enable access logs for all incoming HTTP request.",
}
rateLimitFlag = cli.IntFlag{
Name: "ratelimit",
Hide: true,
Value: 0,
Usage: "Limit for total concurrent requests: [DEFAULT: 0].",
}
anonymousFlag = cli.BoolFlag{
Name: "anonymous",
Hide: true,
Usage: "Make server run in anonymous mode where all client connections are accepted.",
}
certFlag = cli.StringFlag{
Name: "cert",
Usage: "Provide your domain certificate.",
@ -69,11 +49,6 @@ var (
Name: "key",
Usage: "Provide your domain private key.",
}
jsonFlag = cli.BoolFlag{
Name: "json",
Usage: "Enable json formatted output.",
}
)
// registerFlag registers a cli flag

View File

@ -121,13 +121,9 @@ func registerApp() *cli.App {
// register all flags
registerFlag(configFolderFlag)
registerFlag(addressFlag)
registerFlag(webAddressFlag)
registerFlag(accessLogFlag)
registerFlag(rateLimitFlag)
registerFlag(anonymousFlag)
registerFlag(certFlag)
registerFlag(keyFlag)
registerFlag(jsonFlag)
// set up app
app := cli.NewApp()

View File

@ -39,15 +39,6 @@ func (api CloudStorageAPI) GetObjectHandler(w http.ResponseWriter, req *http.Req
bucket = vars["bucket"]
object = vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
if api.Filesystem.IsPrivateBucket(bucket) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
}
metadata, err := api.Filesystem.GetObjectMetadata(bucket, object)
if err != nil {
errorIf(err.Trace(), "GetObject failed.", nil)
@ -87,15 +78,6 @@ func (api CloudStorageAPI) HeadObjectHandler(w http.ResponseWriter, req *http.Re
bucket = vars["bucket"]
object = vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
if api.Filesystem.IsPrivateBucket(bucket) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
}
metadata, err := api.Filesystem.GetObjectMetadata(bucket, object)
if err != nil {
switch err.ToGoError().(type) {
@ -125,15 +107,6 @@ func (api CloudStorageAPI) PutObjectHandler(w http.ResponseWriter, req *http.Req
bucket = vars["bucket"]
object = vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
if api.Filesystem.IsPrivateBucket(bucket) || api.Filesystem.IsReadOnlyBucket(bucket) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
}
// get Content-MD5 sent by client and verify if valid
md5 := req.Header.Get("Content-MD5")
if !isValidMD5(md5) {
@ -153,26 +126,24 @@ func (api CloudStorageAPI) PutObjectHandler(w http.ResponseWriter, req *http.Req
}
var signature *fs.Signature
if !api.Anonymous {
if isRequestSignatureV4(req) {
// Init signature V4 verification
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
if isRequestSignatureV4(req) {
// Init signature V4 verification
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
}
}
@ -219,14 +190,6 @@ func (api CloudStorageAPI) NewMultipartUploadHandler(w http.ResponseWriter, req
bucket = vars["bucket"]
object = vars["object"]
if !api.Anonymous {
// Unauthorized multipart uploads are not supported
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
uploadID, err := api.Filesystem.NewMultipartUpload(bucket, object)
if err != nil {
errorIf(err.Trace(), "NewMultipartUpload failed.", nil)
@ -261,13 +224,6 @@ func (api CloudStorageAPI) PutObjectPartHandler(w http.ResponseWriter, req *http
bucket := vars["bucket"]
object := vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
// get Content-MD5 sent by client and verify if valid
md5 := req.Header.Get("Content-MD5")
if !isValidMD5(md5) {
@ -302,26 +258,24 @@ func (api CloudStorageAPI) PutObjectPartHandler(w http.ResponseWriter, req *http
}
var signature *fs.Signature
if !api.Anonymous {
if isRequestSignatureV4(req) {
// Init signature V4 verification
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
if isRequestSignatureV4(req) {
// Init signature V4 verification
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
}
}
@ -361,13 +315,6 @@ func (api CloudStorageAPI) AbortMultipartUploadHandler(w http.ResponseWriter, re
bucket := vars["bucket"]
object := vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
objectResourcesMetadata := getObjectResources(req.URL.Query())
err := api.Filesystem.AbortMultipartUpload(bucket, object, objectResourcesMetadata.UploadID)
if err != nil {
@ -397,13 +344,6 @@ func (api CloudStorageAPI) ListObjectPartsHandler(w http.ResponseWriter, req *ht
bucket := vars["bucket"]
object := vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
objectResourcesMetadata := getObjectResources(req.URL.Query())
if objectResourcesMetadata.PartNumberMarker < 0 {
writeErrorResponse(w, req, InvalidPartNumberMarker, req.URL.Path)
@ -450,35 +390,26 @@ func (api CloudStorageAPI) CompleteMultipartUploadHandler(w http.ResponseWriter,
bucket := vars["bucket"]
object := vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
objectResourcesMetadata := getObjectResources(req.URL.Query())
var signature *fs.Signature
if !api.Anonymous {
if isRequestSignatureV4(req) {
// Init signature V4 verification
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
if isRequestSignatureV4(req) {
// Init signature V4 verification
var err *probe.Error
signature, err = initSignatureV4(req)
if err != nil {
switch err.ToGoError() {
case errInvalidRegion:
errorIf(err.Trace(), "Unknown region in authorization header.", nil)
writeErrorResponse(w, req, AuthorizationHeaderMalformed, req.URL.Path)
return
case errAccessKeyIDInvalid:
errorIf(err.Trace(), "Invalid access key id.", nil)
writeErrorResponse(w, req, InvalidAccessKeyID, req.URL.Path)
return
default:
errorIf(err.Trace(), "Initializing signature v4 failed.", nil)
writeErrorResponse(w, req, InternalError, req.URL.Path)
return
}
}
}
@ -528,15 +459,6 @@ func (api CloudStorageAPI) DeleteObjectHandler(w http.ResponseWriter, req *http.
bucket := vars["bucket"]
object := vars["object"]
if !api.Anonymous {
if isRequestRequiresACLCheck(req) {
if api.Filesystem.IsPrivateBucket(bucket) || api.Filesystem.IsReadOnlyBucket(bucket) {
writeErrorResponse(w, req, AccessDenied, req.URL.Path)
return
}
}
}
err := api.Filesystem.DeleteObject(bucket, object)
if err != nil {
errorIf(err.Trace(), "DeleteObject failed.", nil)

View File

@ -30,8 +30,6 @@ import (
// CloudStorageAPI container for S3 compatible API.
type CloudStorageAPI struct {
// Do not check for incoming signatures, allow all requests.
Anonymous bool
// Once true log all incoming requests.
AccessLog bool
// Filesystem instance.
@ -153,7 +151,6 @@ func getNewCloudStorageAPI(conf cloudServerConfig) CloudStorageAPI {
}
return CloudStorageAPI{
Filesystem: fs,
Anonymous: conf.Anonymous,
AccessLog: conf.AccessLog,
}
}
@ -163,9 +160,7 @@ func getCloudStorageAPIHandler(api CloudStorageAPI) http.Handler {
TimeValidityHandler,
IgnoreResourcesHandler,
IgnoreSignatureV2RequestHandler,
}
if !api.Anonymous {
mwHandlers = append(mwHandlers, SignatureHandler)
SignatureHandler,
}
if api.AccessLog {
mwHandlers = append(mwHandlers, AccessLogHandler)

View File

@ -69,10 +69,8 @@ EXAMPLES:
// cloudServerConfig - http server config
type cloudServerConfig struct {
/// HTTP server options
Address string // Address:Port listening
WebAddress string // WebAddress:Port listening
AccessLog bool // Enable access log handler
Anonymous bool // No signature turn off
Address string // Address:Port listening
AccessLog bool // Enable access log handler
// Credentials.
AccessKeyID string // Access key id.
@ -87,15 +85,25 @@ type cloudServerConfig struct {
TLS bool // TLS on when certs are specified
CertFile string // Domain certificate
KeyFile string // Domain key
/// Advanced HTTP server options
RateLimit int // Ratelimited server of incoming connections
}
func configureWebServer(conf cloudServerConfig) (*http.Server, *probe.Error) {
// Split the api address into host and port.
host, port, e := net.SplitHostPort(conf.Address)
if e != nil {
return nil, probe.NewError(e)
}
webPort, e := strconv.Atoi(port)
if e != nil {
return nil, probe.NewError(e)
}
// Always choose the next port, based on the API address port.
webPort = webPort + 1
webAddress := net.JoinHostPort(host, strconv.Itoa(webPort))
// Minio server config
webServer := &http.Server{
Addr: conf.WebAddress,
Addr: webAddress,
Handler: getWebAPIHandler(getNewWebAPI(conf)),
MaxHeaderBytes: 1 << 20,
}
@ -133,8 +141,8 @@ func configureAPIServer(conf cloudServerConfig) (*http.Server, *probe.Error) {
return apiServer, nil
}
func printServerMsg(conf cloudServerConfig) {
host, port, e := net.SplitHostPort(conf.Address)
func printServerMsg(serverConf *http.Server) {
host, port, e := net.SplitHostPort(serverConf.Addr)
fatalIf(probe.NewError(e), "Unable to split host port.", nil)
var hosts []string
@ -155,7 +163,7 @@ func printServerMsg(conf cloudServerConfig) {
}
}
for _, host := range hosts {
if conf.TLS {
if serverConf.TLSConfig != nil {
Printf(" https://%s:%s\n", host, port)
} else {
Printf(" http://%s:%s\n", host, port)
@ -328,9 +336,7 @@ func serverMain(c *cli.Context) {
tls := (certFile != "" && keyFile != "")
serverConfig := cloudServerConfig{
Address: c.GlobalString("address"),
WebAddress: c.GlobalString("web-address"),
AccessLog: c.GlobalBool("enable-accesslog"),
Anonymous: c.GlobalBool("anonymous"),
AccessKeyID: conf.Credentials.AccessKeyID,
SecretAccessKey: conf.Credentials.SecretAccessKey,
Path: path,
@ -339,23 +345,22 @@ func serverMain(c *cli.Context) {
TLS: tls,
CertFile: certFile,
KeyFile: keyFile,
RateLimit: c.GlobalInt("ratelimit"),
}
Println("\nMinio Object Storage:")
printServerMsg(serverConfig)
// configure API server.
apiServer, err := configureAPIServer(serverConfig)
errorIf(err.Trace(), "Failed to configure API server.", nil)
Println("\nMinio Browser:")
printServerMsg(serverConfig)
Println("\nMinio Object Storage:")
printServerMsg(apiServer)
// configure Web server.
webServer, err := configureWebServer(serverConfig)
errorIf(err.Trace(), "Failed to configure Web server.", nil)
Println("\nMinio Browser:")
printServerMsg(webServer)
Println("\nTo configure Minio Client:")
if runtime.GOOS == "windows" {
Println(" Download \"mc\" from https://dl.minio.io/client/mc/release/" + runtime.GOOS + "-" + runtime.GOARCH + "/mc.exe")
@ -367,7 +372,6 @@ func serverMain(c *cli.Context) {
}
// Start server.
rateLimit := serverConfig.RateLimit
err = minhttp.ListenAndServeLimited(rateLimit, apiServer, webServer)
err = minhttp.ListenAndServe(apiServer, webServer)
errorIf(err.Trace(), "Failed to start the minio server.", nil)
}

View File

@ -78,7 +78,6 @@ func (s *MyAPIFSCacheSuite) SetUpSuite(c *C) {
cloudServer := cloudServerConfig{
Path: fsroot,
MinFreeDisk: 0,
Anonymous: false,
}
cloudStorageAPI := getNewCloudStorageAPI(cloudServer)
httpHandler := getCloudStorageAPIHandler(cloudStorageAPI)

View File

@ -60,13 +60,6 @@ func isRequestPostPolicySignatureV4(req *http.Request) bool {
return false
}
func isRequestRequiresACLCheck(req *http.Request) bool {
if isRequestSignatureV4(req) || isRequestPresignedSignatureV4(req) || isRequestPostPolicySignatureV4(req) {
return false
}
return true
}
func (s signatureHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if isRequestPostPolicySignatureV4(r) && r.Method == "POST" {
s.handler.ServeHTTP(w, r)