mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
Do not save credentials in config.json (#16275)
This commit is contained in:
parent
b4f71362e9
commit
e57e946206
@ -773,6 +773,8 @@ func handleCommonEnvVars() {
|
|||||||
logger.Info(color.RedBold(msg))
|
logger.Info(color.RedBold(msg))
|
||||||
}
|
}
|
||||||
globalActiveCred = cred
|
globalActiveCred = cred
|
||||||
|
} else {
|
||||||
|
globalActiveCred = auth.DefaultCredentials
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -25,7 +25,6 @@ import (
|
|||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/minio/madmin-go/v2"
|
"github.com/minio/madmin-go/v2"
|
||||||
"github.com/minio/minio/internal/auth"
|
|
||||||
"github.com/minio/minio/internal/config"
|
"github.com/minio/minio/internal/config"
|
||||||
"github.com/minio/minio/internal/config/api"
|
"github.com/minio/minio/internal/config/api"
|
||||||
"github.com/minio/minio/internal/config/cache"
|
"github.com/minio/minio/internal/config/cache"
|
||||||
@ -65,7 +64,6 @@ func initHelp() {
|
|||||||
config.SiteSubSys: config.DefaultSiteKVS,
|
config.SiteSubSys: config.DefaultSiteKVS,
|
||||||
config.RegionSubSys: config.DefaultRegionKVS,
|
config.RegionSubSys: config.DefaultRegionKVS,
|
||||||
config.APISubSys: api.DefaultKVS,
|
config.APISubSys: api.DefaultKVS,
|
||||||
config.CredentialsSubSys: config.DefaultCredentialKVS,
|
|
||||||
config.LoggerWebhookSubSys: logger.DefaultLoggerWebhookKVS,
|
config.LoggerWebhookSubSys: logger.DefaultLoggerWebhookKVS,
|
||||||
config.AuditWebhookSubSys: logger.DefaultAuditWebhookKVS,
|
config.AuditWebhookSubSys: logger.DefaultAuditWebhookKVS,
|
||||||
config.AuditKafkaSubSys: logger.DefaultAuditKafkaKVS,
|
config.AuditKafkaSubSys: logger.DefaultAuditKafkaKVS,
|
||||||
@ -427,15 +425,6 @@ func validateConfig(s config.Config, subSys string) error {
|
|||||||
func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
||||||
ctx := GlobalContext
|
ctx := GlobalContext
|
||||||
|
|
||||||
var err error
|
|
||||||
if !globalActiveCred.IsValid() {
|
|
||||||
// Env doesn't seem to be set, we fallback to lookup creds from the config.
|
|
||||||
globalActiveCred, err = config.LookupCreds(s[config.CredentialsSubSys][config.Default])
|
|
||||||
if err != nil {
|
|
||||||
logger.LogIf(ctx, fmt.Errorf("Invalid credentials configuration: %w", err))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
dnsURL, dnsUser, dnsPass, err := env.LookupEnv(config.EnvDNSWebhook)
|
dnsURL, dnsUser, dnsPass, err := env.LookupEnv(config.EnvDNSWebhook)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
|
||||||
@ -765,13 +754,6 @@ func newSrvConfig(objAPI ObjectLayer) error {
|
|||||||
// Initialize server config.
|
// Initialize server config.
|
||||||
srvCfg := newServerConfig()
|
srvCfg := newServerConfig()
|
||||||
|
|
||||||
if globalActiveCred.IsValid() && !globalActiveCred.Equal(auth.DefaultCredentials) {
|
|
||||||
kvs := srvCfg[config.CredentialsSubSys][config.Default]
|
|
||||||
kvs.Set(config.AccessKey, globalActiveCred.AccessKey)
|
|
||||||
kvs.Set(config.SecretKey, globalActiveCred.SecretKey)
|
|
||||||
srvCfg[config.CredentialsSubSys][config.Default] = kvs
|
|
||||||
}
|
|
||||||
|
|
||||||
// hold the mutex lock before a new config is assigned.
|
// hold the mutex lock before a new config is assigned.
|
||||||
globalServerConfigMu.Lock()
|
globalServerConfigMu.Lock()
|
||||||
globalServerConfig = srvCfg
|
globalServerConfig = srvCfg
|
||||||
|
@ -2755,9 +2755,7 @@ func migrateMinioSysConfigToKV(objAPI ObjectLayer) error {
|
|||||||
|
|
||||||
newCfg := newServerConfig()
|
newCfg := newServerConfig()
|
||||||
|
|
||||||
config.SetCredentials(newCfg, cfg.Credential)
|
|
||||||
config.SetRegion(newCfg, cfg.Region)
|
config.SetRegion(newCfg, cfg.Region)
|
||||||
|
|
||||||
storageclass.SetStorageClass(newCfg, cfg.StorageClass)
|
storageclass.SetStorageClass(newCfg, cfg.StorageClass)
|
||||||
|
|
||||||
for k, loggerArgs := range cfg.Logger.HTTP {
|
for k, loggerArgs := range cfg.Logger.HTTP {
|
||||||
|
@ -22,8 +22,6 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/minio/minio/internal/config"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Test if config v1 is purged
|
// Test if config v1 is purged
|
||||||
@ -210,17 +208,6 @@ func TestServerConfigMigrateV2toV33(t *testing.T) {
|
|||||||
if err := loadConfig(objLayer, nil); err != nil {
|
if err := loadConfig(objLayer, nil); err != nil {
|
||||||
t.Fatalf("Unable to initialize from updated config file %s", err)
|
t.Fatalf("Unable to initialize from updated config file %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if accessKey and secretKey are not altered during migration
|
|
||||||
caccessKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.AccessKey)
|
|
||||||
if caccessKey != accessKey {
|
|
||||||
t.Fatalf("Access key lost during migration, expected: %v, found:%v", accessKey, caccessKey)
|
|
||||||
}
|
|
||||||
|
|
||||||
csecretKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.SecretKey)
|
|
||||||
if csecretKey != secretKey {
|
|
||||||
t.Fatalf("Secret key lost during migration, expected: %v, found: %v", secretKey, csecretKey)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Test if all migrate code returns error with corrupted config files
|
// Test if all migrate code returns error with corrupted config files
|
||||||
|
@ -535,10 +535,6 @@ func serverMain(ctx *cli.Context) {
|
|||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
if !globalActiveCred.IsValid() && globalIsDistErasure {
|
|
||||||
globalActiveCred = auth.DefaultCredentials
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set system resources to maximum.
|
// Set system resources to maximum.
|
||||||
setMaxResources()
|
setMaxResources()
|
||||||
|
|
||||||
@ -605,6 +601,12 @@ func serverMain(ctx *cli.Context) {
|
|||||||
logger.Info(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
|
logger.Info(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if globalActiveCred.Equal(auth.DefaultCredentials) {
|
||||||
|
msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
|
||||||
|
globalActiveCred)
|
||||||
|
logger.Info(color.RedBold(msg))
|
||||||
|
}
|
||||||
|
|
||||||
if err = initServer(GlobalContext, newObject); err != nil {
|
if err = initServer(GlobalContext, newObject); err != nil {
|
||||||
var cerr config.Err
|
var cerr config.Err
|
||||||
// For any config error, we don't need to drop into safe-mode
|
// For any config error, we don't need to drop into safe-mode
|
||||||
@ -621,19 +623,6 @@ func serverMain(ctx *cli.Context) {
|
|||||||
logger.LogIf(GlobalContext, err)
|
logger.LogIf(GlobalContext, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if globalActiveCred.Equal(auth.DefaultCredentials) {
|
|
||||||
msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
|
|
||||||
globalActiveCred)
|
|
||||||
logger.Info(color.RedBold(msg))
|
|
||||||
}
|
|
||||||
|
|
||||||
savedCreds, _ := config.LookupCreds(globalServerConfig[config.CredentialsSubSys][config.Default])
|
|
||||||
if globalActiveCred.Equal(auth.DefaultCredentials) && !globalActiveCred.Equal(savedCreds) {
|
|
||||||
msg := fmt.Sprintf("WARNING: Detected credentials changed to '%s', please set them back to previously set values",
|
|
||||||
globalActiveCred)
|
|
||||||
logger.Info(color.RedBold(msg))
|
|
||||||
}
|
|
||||||
|
|
||||||
// Initialize users credentials and policies in background right after config has initialized.
|
// Initialize users credentials and policies in background right after config has initialized.
|
||||||
go func() {
|
go func() {
|
||||||
globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
|
globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
|
||||||
|
@ -96,7 +96,6 @@ const (
|
|||||||
|
|
||||||
// Top level config constants.
|
// Top level config constants.
|
||||||
const (
|
const (
|
||||||
CredentialsSubSys = madmin.CredentialsSubSys
|
|
||||||
PolicyOPASubSys = madmin.PolicyOPASubSys
|
PolicyOPASubSys = madmin.PolicyOPASubSys
|
||||||
PolicyPluginSubSys = madmin.PolicyPluginSubSys
|
PolicyPluginSubSys = madmin.PolicyPluginSubSys
|
||||||
IdentityOpenIDSubSys = madmin.IdentityOpenIDSubSys
|
IdentityOpenIDSubSys = madmin.IdentityOpenIDSubSys
|
||||||
@ -178,7 +177,6 @@ var SubSystemsDynamic = set.CreateStringSet(
|
|||||||
|
|
||||||
// SubSystemsSingleTargets - subsystems which only support single target.
|
// SubSystemsSingleTargets - subsystems which only support single target.
|
||||||
var SubSystemsSingleTargets = set.CreateStringSet(
|
var SubSystemsSingleTargets = set.CreateStringSet(
|
||||||
CredentialsSubSys,
|
|
||||||
SiteSubSys,
|
SiteSubSys,
|
||||||
RegionSubSys,
|
RegionSubSys,
|
||||||
EtcdSubSys,
|
EtcdSubSys,
|
||||||
@ -463,9 +461,6 @@ func (c Config) RedactSensitiveInfo() Config {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Remove the server credentials altogether
|
|
||||||
nc.DelKVS(CredentialsSubSys)
|
|
||||||
|
|
||||||
return nc
|
return nc
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -501,20 +496,6 @@ var (
|
|||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
// LookupCreds - lookup credentials from config.
|
|
||||||
func LookupCreds(kv KVS) (auth.Credentials, error) {
|
|
||||||
if err := CheckValidKeys(CredentialsSubSys, kv, DefaultCredentialKVS); err != nil {
|
|
||||||
return auth.Credentials{}, err
|
|
||||||
}
|
|
||||||
accessKey := kv.Get(AccessKey)
|
|
||||||
secretKey := kv.Get(SecretKey)
|
|
||||||
if accessKey == "" || secretKey == "" {
|
|
||||||
accessKey = auth.DefaultAccessKey
|
|
||||||
secretKey = auth.DefaultSecretKey
|
|
||||||
}
|
|
||||||
return auth.CreateCredentials(accessKey, secretKey)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Site - holds site info - name and region.
|
// Site - holds site info - name and region.
|
||||||
type Site struct {
|
type Site struct {
|
||||||
Name string
|
Name string
|
||||||
|
@ -17,31 +17,8 @@
|
|||||||
|
|
||||||
package config
|
package config
|
||||||
|
|
||||||
import "github.com/minio/minio/internal/auth"
|
|
||||||
|
|
||||||
// One time migration code section
|
// One time migration code section
|
||||||
|
|
||||||
// SetCredentials - One time migration code needed, for migrating from older config to new for server credentials.
|
|
||||||
func SetCredentials(c Config, cred auth.Credentials) {
|
|
||||||
creds, err := auth.CreateCredentials(cred.AccessKey, cred.SecretKey)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if !creds.IsValid() {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
c[CredentialsSubSys][Default] = KVS{
|
|
||||||
KV{
|
|
||||||
Key: AccessKey,
|
|
||||||
Value: cred.AccessKey,
|
|
||||||
},
|
|
||||||
KV{
|
|
||||||
Key: SecretKey,
|
|
||||||
Value: cred.SecretKey,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetRegion - One time migration code needed, for migrating from older config to new for server Region.
|
// SetRegion - One time migration code needed, for migrating from older config to new for server Region.
|
||||||
func SetRegion(c Config, name string) {
|
func SetRegion(c Config, name string) {
|
||||||
if name == "" {
|
if name == "" {
|
||||||
|
Loading…
Reference in New Issue
Block a user