mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
Do not save credentials in config.json (#16275)
parent
b4f71362e9
commit
e57e946206
@ -773,6 +773,8 @@ func handleCommonEnvVars() {
|
||||
logger.Info(color.RedBold(msg))
|
||||
}
|
||||
globalActiveCred = cred
|
||||
} else {
|
||||
globalActiveCred = auth.DefaultCredentials
|
||||
}
|
||||
}
|
||||
|
||||
|
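Review bot: The `else` branch in handleCommonEnvVars assigns `auth.DefaultCredentials` to `globalActiveCred` whenever the preceding condition is false, and the rest of this commit removes the lookup of credentials stored in the config. A deployment that kept its root credentials only in config.json would therefore presumably start on the well-known defaults after upgrading. The only remaining signal is the Info-level default-credentials warning in serverMain, because the "credentials changed" warning that compared against the saved values is removed. I would document the fallback at the branch, e.g. `// No root credentials supplied via the environment: use the built-in defaults; credentials saved in config.json are no longer read.`, and state in the release notes that `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` must be set before upgrading. The condition guarding this branch starts above the hunk, so its exact trigger is not visible here.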
@ -25,7 +25,6 @@ import (
|
||||
"sync"
|
||||
|
||||
"github.com/minio/madmin-go/v2"
|
||||
"github.com/minio/minio/internal/auth"
|
||||
"github.com/minio/minio/internal/config"
|
||||
"github.com/minio/minio/internal/config/api"
|
||||
"github.com/minio/minio/internal/config/cache"
|
||||
@ -65,7 +64,6 @@ func initHelp() {
|
||||
config.SiteSubSys: config.DefaultSiteKVS,
|
||||
config.RegionSubSys: config.DefaultRegionKVS,
|
||||
config.APISubSys: api.DefaultKVS,
|
||||
config.CredentialsSubSys: config.DefaultCredentialKVS,
|
||||
config.LoggerWebhookSubSys: logger.DefaultLoggerWebhookKVS,
|
||||
config.AuditWebhookSubSys: logger.DefaultAuditWebhookKVS,
|
||||
config.AuditKafkaSubSys: logger.DefaultAuditKafkaKVS,
|
||||
@ -427,15 +425,6 @@ func validateConfig(s config.Config, subSys string) error {
|
||||
func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
||||
ctx := GlobalContext
|
||||
|
||||
var err error
|
||||
if !globalActiveCred.IsValid() {
|
||||
// Env doesn't seem to be set, we fallback to lookup creds from the config.
|
||||
globalActiveCred, err = config.LookupCreds(s[config.CredentialsSubSys][config.Default])
|
||||
if err != nil {
|
||||
logger.LogIf(ctx, fmt.Errorf("Invalid credentials configuration: %w", err))
|
||||
}
|
||||
}
|
||||
|
||||
dnsURL, dnsUser, dnsPass, err := env.LookupEnv(config.EnvDNSWebhook)
|
||||
if err != nil {
|
||||
logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
|
||||
@ -765,13 +754,6 @@ func newSrvConfig(objAPI ObjectLayer) error {
|
||||
// Initialize server config.
|
||||
srvCfg := newServerConfig()
|
||||
|
||||
if globalActiveCred.IsValid() && !globalActiveCred.Equal(auth.DefaultCredentials) {
|
||||
kvs := srvCfg[config.CredentialsSubSys][config.Default]
|
||||
kvs.Set(config.AccessKey, globalActiveCred.AccessKey)
|
||||
kvs.Set(config.SecretKey, globalActiveCred.SecretKey)
|
||||
srvCfg[config.CredentialsSubSys][config.Default] = kvs
|
||||
}
|
||||
|
||||
// hold the mutex lock before a new config is assigned.
|
||||
globalServerConfigMu.Lock()
|
||||
globalServerConfig = srvCfg
|
||||
|
@ -2755,9 +2755,7 @@ func migrateMinioSysConfigToKV(objAPI ObjectLayer) error {
|
||||
|
||||
newCfg := newServerConfig()
|
||||
|
||||
config.SetCredentials(newCfg, cfg.Credential)
|
||||
config.SetRegion(newCfg, cfg.Region)
|
||||
|
||||
storageclass.SetStorageClass(newCfg, cfg.StorageClass)
|
||||
|
||||
for k, loggerArgs := range cfg.Logger.HTTP {
|
||||
|
@ -22,8 +22,6 @@ import (
|
||||
"fmt"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/minio/minio/internal/config"
|
||||
)
|
||||
|
||||
// Test if config v1 is purged
|
||||
@ -210,17 +208,6 @@ func TestServerConfigMigrateV2toV33(t *testing.T) {
|
||||
if err := loadConfig(objLayer, nil); err != nil {
|
||||
t.Fatalf("Unable to initialize from updated config file %s", err)
|
||||
}
|
||||
|
||||
// Check if accessKey and secretKey are not altered during migration
|
||||
caccessKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.AccessKey)
|
||||
if caccessKey != accessKey {
|
||||
t.Fatalf("Access key lost during migration, expected: %v, found:%v", accessKey, caccessKey)
|
||||
}
|
||||
|
||||
csecretKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.SecretKey)
|
||||
if csecretKey != secretKey {
|
||||
t.Fatalf("Secret key lost during migration, expected: %v, found: %v", secretKey, csecretKey)
|
||||
}
|
||||
}
|
||||
|
||||
// Test if all migrate code returns error with corrupted config files
|
||||
|
@ -535,10 +535,6 @@ func serverMain(ctx *cli.Context) {
|
||||
}
|
||||
}()
|
||||
|
||||
if !globalActiveCred.IsValid() && globalIsDistErasure {
|
||||
globalActiveCred = auth.DefaultCredentials
|
||||
}
|
||||
|
||||
// Set system resources to maximum.
|
||||
setMaxResources()
|
||||
|
||||
@ -605,6 +601,12 @@ func serverMain(ctx *cli.Context) {
|
||||
logger.Info(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
|
||||
}
|
||||
|
||||
if globalActiveCred.Equal(auth.DefaultCredentials) {
|
||||
msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
|
||||
globalActiveCred)
|
||||
logger.Info(color.RedBold(msg))
|
||||
}
|
||||
|
||||
if err = initServer(GlobalContext, newObject); err != nil {
|
||||
var cerr config.Err
|
||||
// For any config error, we don't need to drop into safe-mode
|
||||
@ -621,19 +623,6 @@ func serverMain(ctx *cli.Context) {
|
||||
logger.LogIf(GlobalContext, err)
|
||||
}
|
||||
|
||||
if globalActiveCred.Equal(auth.DefaultCredentials) {
|
||||
msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
|
||||
globalActiveCred)
|
||||
logger.Info(color.RedBold(msg))
|
||||
}
|
||||
|
||||
savedCreds, _ := config.LookupCreds(globalServerConfig[config.CredentialsSubSys][config.Default])
|
||||
if globalActiveCred.Equal(auth.DefaultCredentials) && !globalActiveCred.Equal(savedCreds) {
|
||||
msg := fmt.Sprintf("WARNING: Detected credentials changed to '%s', please set them back to previously set values",
|
||||
globalActiveCred)
|
||||
logger.Info(color.RedBold(msg))
|
||||
}
|
||||
|
||||
// Initialize users credentials and policies in background right after config has initialized.
|
||||
go func() {
|
||||
globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
|
||||
|
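Review bot: The warning relocated by the `-605,6 +601,12` hunk formats the whole `globalActiveCred` value with `%s`, so the log line carries whatever the credentials type's string form contains, which may include the secret key. In this branch the values are the public defaults, but logging only the access key keeps secret material out of log output if the condition or the message is later reused: pass `globalActiveCred.AccessKey` as the format argument instead of `globalActiveCred`. Because the warning now runs before `initServer`, a short comment saying it is intentionally printed even when initialization fails would help the next reader. serverMain's body extends beyond these hunks.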
@ -96,7 +96,6 @@ const (
|
||||
|
||||
// Top level config constants.
|
||||
const (
|
||||
CredentialsSubSys = madmin.CredentialsSubSys
|
||||
PolicyOPASubSys = madmin.PolicyOPASubSys
|
||||
PolicyPluginSubSys = madmin.PolicyPluginSubSys
|
||||
IdentityOpenIDSubSys = madmin.IdentityOpenIDSubSys
|
||||
@ -178,7 +177,6 @@ var SubSystemsDynamic = set.CreateStringSet(
|
||||
|
||||
// SubSystemsSingleTargets - subsystems which only support single target.
|
||||
var SubSystemsSingleTargets = set.CreateStringSet(
|
||||
CredentialsSubSys,
|
||||
SiteSubSys,
|
||||
RegionSubSys,
|
||||
EtcdSubSys,
|
||||
@ -463,9 +461,6 @@ func (c Config) RedactSensitiveInfo() Config {
|
||||
}
|
||||
}
|
||||
|
||||
// Remove the server credentials altogether
|
||||
nc.DelKVS(CredentialsSubSys)
|
||||
|
||||
return nc
|
||||
}
|
||||
|
||||
@ -501,20 +496,6 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
// LookupCreds - lookup credentials from config.
|
||||
func LookupCreds(kv KVS) (auth.Credentials, error) {
|
||||
if err := CheckValidKeys(CredentialsSubSys, kv, DefaultCredentialKVS); err != nil {
|
||||
return auth.Credentials{}, err
|
||||
}
|
||||
accessKey := kv.Get(AccessKey)
|
||||
secretKey := kv.Get(SecretKey)
|
||||
if accessKey == "" || secretKey == "" {
|
||||
accessKey = auth.DefaultAccessKey
|
||||
secretKey = auth.DefaultSecretKey
|
||||
}
|
||||
return auth.CreateCredentials(accessKey, secretKey)
|
||||
}
|
||||
|
||||
// Site - holds site info - name and region.
|
||||
type Site struct {
|
||||
Name string
|
||||
|
@ -17,31 +17,8 @@
|
||||
|
||||
package config
|
||||
|
||||
import "github.com/minio/minio/internal/auth"
|
||||
|
||||
// One time migration code section
|
||||
|
||||
// SetCredentials - One time migration code needed, for migrating from older config to new for server credentials.
|
||||
func SetCredentials(c Config, cred auth.Credentials) {
|
||||
creds, err := auth.CreateCredentials(cred.AccessKey, cred.SecretKey)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if !creds.IsValid() {
|
||||
return
|
||||
}
|
||||
c[CredentialsSubSys][Default] = KVS{
|
||||
KV{
|
||||
Key: AccessKey,
|
||||
Value: cred.AccessKey,
|
||||
},
|
||||
KV{
|
||||
Key: SecretKey,
|
||||
Value: cred.SecretKey,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// SetRegion - One time migration code needed, for migrating from older config to new for server Region.
|
||||
func SetRegion(c Config, name string) {
|
||||
if name == "" {
|
||||
|