From e57e946206064be858b5bed8aca38a7479ac7849 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Mon, 19 Dec 2022 21:27:06 +0100
Subject: [PATCH] Do not save credentials in config.json (#16275)
---
 cmd/common-main.go | 2 ++
 cmd/config-current.go | 18 ------------------
 cmd/config-migrate.go | 2 --
 cmd/config-migrate_test.go | 13 -------------
 cmd/server-main.go | 23 ++++++-----------------
 internal/config/config.go | 19 -------------------
 internal/config/legacy.go | 23 -----------------------
 7 files changed, 8 insertions(+), 92 deletions(-)
diff --git a/cmd/common-main.go b/cmd/common-main.go
index 051e16eee..b0cec4205 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -773,6 +773,8 @@ func handleCommonEnvVars() {
 logger.Info(color.RedBold(msg))
 }
 globalActiveCred = cred
+ } else {
+ globalActiveCred = auth.DefaultCredentials
 }
 }
diff --git a/cmd/config-current.go b/cmd/config-current.go
index 61a7b5c59..0797e4578 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -25,7 +25,6 @@ import (
 "sync"
 "github.com/minio/madmin-go/v2"
- "github.com/minio/minio/internal/auth"
 "github.com/minio/minio/internal/config"
 "github.com/minio/minio/internal/config/api"
 "github.com/minio/minio/internal/config/cache"
@@ -65,7 +64,6 @@ func initHelp() {
 config.SiteSubSys: config.DefaultSiteKVS,
 config.RegionSubSys: config.DefaultRegionKVS,
 config.APISubSys: api.DefaultKVS,
- config.CredentialsSubSys: config.DefaultCredentialKVS,
 config.LoggerWebhookSubSys: logger.DefaultLoggerWebhookKVS,
 config.AuditWebhookSubSys: logger.DefaultAuditWebhookKVS,
 config.AuditKafkaSubSys: logger.DefaultAuditKafkaKVS,
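Review bot: The added `else` makes `auth.DefaultCredentials` the active root credential whenever the surrounding condition (outside the hunk, presumably the environment lookup) yields no credentials, in every deployment mode, whereas the guard this commit removes from serverMain in cmd/server-main.go applied that fallback only when `globalIsDistErasure` was set. Together with the removed `config.LookupCreds` fallback in `lookupConfigs` (cmd/config-current.go), a deployment that still relies on credentials persisted in config.json would come up with the well-known defaults after an upgrade, and the only signal is the startup warning that serverMain now logs earlier. Consider detecting a persisted non-default credentials section and refusing to start, or at least emitting a dedicated warning for that case, and document the branch: `// No root credentials were supplied: fall back to the well-known defaults (serverMain warns about this at startup).` handleCommonEnvVars starts and ends outside the hunk.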
@@ -427,15 +425,6 @@ func validateConfig(s config.Config, subSys string) error {
 func lookupConfigs(s config.Config, objAPI ObjectLayer) {
 ctx := GlobalContext
- var err error
- if !globalActiveCred.IsValid() {
- // Env doesn't seem to be set, we fallback to lookup creds from the config.
- globalActiveCred, err = config.LookupCreds(s[config.CredentialsSubSys][config.Default])
- if err != nil {
- logger.LogIf(ctx, fmt.Errorf("Invalid credentials configuration: %w", err))
- }
- }
-
 dnsURL, dnsUser, dnsPass, err := env.LookupEnv(config.EnvDNSWebhook)
 if err != nil {
 logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
@@ -765,13 +754,6 @@ func newSrvConfig(objAPI ObjectLayer) error {
 // Initialize server config.
 srvCfg := newServerConfig()
- if globalActiveCred.IsValid() && !globalActiveCred.Equal(auth.DefaultCredentials) {
- kvs := srvCfg[config.CredentialsSubSys][config.Default]
- kvs.Set(config.AccessKey, globalActiveCred.AccessKey)
- kvs.Set(config.SecretKey, globalActiveCred.SecretKey)
- srvCfg[config.CredentialsSubSys][config.Default] = kvs
- }
-
 // hold the mutex lock before a new config is assigned.
 globalServerConfigMu.Lock()
 globalServerConfig = srvCfg
diff --git a/cmd/config-migrate.go b/cmd/config-migrate.go
index 343b0047e..075e0720d 100644
--- a/cmd/config-migrate.go
+++ b/cmd/config-migrate.go
@@ -2755,9 +2755,7 @@ func migrateMinioSysConfigToKV(objAPI ObjectLayer) error {
 newCfg := newServerConfig()
- config.SetCredentials(newCfg, cfg.Credential)
 config.SetRegion(newCfg, cfg.Region)
-
 storageclass.SetStorageClass(newCfg, cfg.StorageClass)
 for k, loggerArgs := range cfg.Logger.HTTP {
diff --git a/cmd/config-migrate_test.go b/cmd/config-migrate_test.go
index ff0a8207d..6a25cd290 100644
--- a/cmd/config-migrate_test.go
+++ b/cmd/config-migrate_test.go
@@ -22,8 +22,6 @@ import (
 "fmt"
 "os"
 "testing"
-
- "github.com/minio/minio/internal/config"
 )
 // Test if config v1 is purged
@@ -210,17 +208,6 @@ func TestServerConfigMigrateV2toV33(t *testing.T) {
 if err := loadConfig(objLayer, nil); err != nil {
 t.Fatalf("Unable to initialize from updated config file %s", err)
 }
-
- // Check if accessKey and secretKey are not altered during migration
- caccessKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.AccessKey)
- if caccessKey != accessKey {
- t.Fatalf("Access key lost during migration, expected: %v, found:%v", accessKey, caccessKey)
- }
-
- csecretKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.SecretKey)
- if csecretKey != secretKey {
- t.Fatalf("Secret key lost during migration, expected: %v, found: %v", secretKey, csecretKey)
- }
 }
 // Test if all migrate code returns error with corrupted config files
diff --git a/cmd/server-main.go b/cmd/server-main.go
index 75174f30f..965ca6145 100644
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@@ -535,10 +535,6 @@ func serverMain(ctx *cli.Context) {
 }
 }()
- if !globalActiveCred.IsValid() && globalIsDistErasure {
- globalActiveCred = auth.DefaultCredentials
- }
-
 // Set system resources to maximum.
 setMaxResources()
@@ -605,6 +601,12 @@ func serverMain(ctx *cli.Context) {
 logger.Info(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
 }
+ if globalActiveCred.Equal(auth.DefaultCredentials) {
+ msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
+ globalActiveCred)
+ logger.Info(color.RedBold(msg))
+ }
+
 if err = initServer(GlobalContext, newObject); err != nil {
 var cerr config.Err
 // For any config error, we don't need to drop into safe-mode
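Review bot: The warning text tells the operator to "change these values", but with the new fallback in cmd/common-main.go this branch is now also reached when no root credentials were supplied at all, so the message should distinguish unset credentials from explicitly configured defaults. A constructed alternative: `"WARNING: No root credentials configured or default credentials '%s' detected; set 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables"`. Emitting the warning before `initServer` rather than after it (the block removed further down in this file) is an improvement, since it is presumably logged even when initialization fails. serverMain starts and ends outside the hunk.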
@@ -621,19 +623,6 @@ func serverMain(ctx *cli.Context) {
 logger.LogIf(GlobalContext, err)
 }
- if globalActiveCred.Equal(auth.DefaultCredentials) {
- msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
- globalActiveCred)
- logger.Info(color.RedBold(msg))
- }
-
- savedCreds, _ := config.LookupCreds(globalServerConfig[config.CredentialsSubSys][config.Default])
- if globalActiveCred.Equal(auth.DefaultCredentials) && !globalActiveCred.Equal(savedCreds) {
- msg := fmt.Sprintf("WARNING: Detected credentials changed to '%s', please set them back to previously set values",
- globalActiveCred)
- logger.Info(color.RedBold(msg))
- }
-
 // Initialize users credentials and policies in background right after config has initialized.
 go func() {
 globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
diff --git a/internal/config/config.go b/internal/config/config.go
index 7ad90f4d2..47be93a50 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -96,7 +96,6 @@ const (
 // Top level config constants.
 const (
- CredentialsSubSys = madmin.CredentialsSubSys
 PolicyOPASubSys = madmin.PolicyOPASubSys
 PolicyPluginSubSys = madmin.PolicyPluginSubSys
 IdentityOpenIDSubSys = madmin.IdentityOpenIDSubSys
@@ -178,7 +177,6 @@ var SubSystemsDynamic = set.CreateStringSet(
 // SubSystemsSingleTargets - subsystems which only support single target.
 var SubSystemsSingleTargets = set.CreateStringSet(
- CredentialsSubSys,
 SiteSubSys,
 RegionSubSys,
 EtcdSubSys,
@@ -463,9 +461,6 @@ func (c Config) RedactSensitiveInfo() Config {
 }
 }
- // Remove the server credentials altogether
- nc.DelKVS(CredentialsSubSys)
-
 return nc
 }
@@ -501,20 +496,6 @@ var (
 }
 )
-// LookupCreds - lookup credentials from config.
-func LookupCreds(kv KVS) (auth.Credentials, error) {
- if err := CheckValidKeys(CredentialsSubSys, kv, DefaultCredentialKVS); err != nil {
- return auth.Credentials{}, err
- }
- accessKey := kv.Get(AccessKey)
- secretKey := kv.Get(SecretKey)
- if accessKey == "" || secretKey == "" {
- accessKey = auth.DefaultAccessKey
- secretKey = auth.DefaultSecretKey
- }
- return auth.CreateCredentials(accessKey, secretKey)
-}
-
 // Site - holds site info - name and region.
 type Site struct {
 Name string
diff --git a/internal/config/legacy.go b/internal/config/legacy.go
index 45b134ce4..e76bdefeb 100644
--- a/internal/config/legacy.go
+++ b/internal/config/legacy.go
@@ -17,31 +17,8 @@
 package config
-import "github.com/minio/minio/internal/auth"
-
 // One time migration code section
-// SetCredentials - One time migration code needed, for migrating from older config to new for server credentials.
-func SetCredentials(c Config, cred auth.Credentials) {
- creds, err := auth.CreateCredentials(cred.AccessKey, cred.SecretKey)
- if err != nil {
- return
- }
- if !creds.IsValid() {
- return
- }
- c[CredentialsSubSys][Default] = KVS{
- KV{
- Key: AccessKey,
- Value: cred.AccessKey,
- },
- KV{
- Key: SecretKey,
- Value: cred.SecretKey,
- },
- }
-}
-
 // SetRegion - One time migration code needed, for migrating from older config to new for server Region.
 func SetRegion(c Config, name string) {
 if name == "" {