From f803bb4b3d4ed5cbb6b472a31bf90e07b7a49003 Mon Sep 17 00:00:00 2001 From: Anis Elleuch Date: Tue, 17 Jan 2017 23:25:59 +0100 Subject: [PATCH] admin: Add service Set Credentials API (#3580) --- appveyor.yml | 4 +- cmd/admin-handlers.go | 72 +++++++++++++++++++ cmd/admin-handlers_test.go | 57 +++++++++++---- cmd/admin-router.go | 2 + cmd/api-errors.go | 14 ++++ cmd/globals.go | 6 ++ cmd/main.go | 8 +-- docs/admin-api/management-api.md | 44 ++++++++++-- pkg/madmin/README.md | 2 + pkg/madmin/api-error-response.go | 28 +++++++- .../examples/service-set-credentials.go | 44 ++++++++++++ pkg/madmin/service.go | 48 +++++++++++++ pkg/madmin/utils.go | 15 ++++ 13 files changed, 317 insertions(+), 27 deletions(-) create mode 100644 pkg/madmin/examples/service-set-credentials.go diff --git a/appveyor.yml b/appveyor.yml index 66afd4cb2..7488c103a 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -35,8 +35,8 @@ test_script: # Unit tests - ps: Add-AppveyorTest "Unit Tests" -Outcome Running - mkdir build\coverage - - go test -race github.com/minio/minio/cmd... - - go test -race github.com/minio/minio/pkg... + - go test -timeout 15m -v -race github.com/minio/minio/cmd... + - go test -v -race github.com/minio/minio/pkg... - go test -coverprofile=build\coverage\coverage.txt -covermode=atomic github.com/minio/minio/cmd - ps: Update-AppveyorTest "Unit Tests" -Outcome Passed diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go index cebfcd3b0..8d93f605d 100644 --- a/cmd/admin-handlers.go +++ b/cmd/admin-handlers.go @@ -18,6 +18,8 @@ package cmd import ( "encoding/json" + "encoding/xml" + "io/ioutil" "net/http" "net/url" "strconv" @@ -84,6 +86,76 @@ func (adminAPI adminAPIHandlers) ServiceRestartHandler(w http.ResponseWriter, r sendServiceCmd(globalAdminPeers, serviceRestart) } +// setCredsReq request +type setCredsReq struct { + Username string `xml:"username"` + Password string `xml:"password"` +} + +// ServiceCredsHandler - POST /?service +// HTTP header x-minio-operation: creds +// ---------- +// Update credentials in a minio server. In a distributed setup, update all the servers +// in the cluster. +func (adminAPI adminAPIHandlers) ServiceCredentialsHandler(w http.ResponseWriter, r *http.Request) { + // Authenticate request + adminAPIErr := checkRequestAuthType(r, "", "", "") + if adminAPIErr != ErrNone { + writeErrorResponse(w, adminAPIErr, r.URL) + return + } + + // Avoid setting new credentials when they are already passed + // by the environnement + if globalEnvAccessKey != "" || globalEnvSecretKey != "" { + writeErrorResponse(w, ErrMethodNotAllowed, r.URL) + return + } + + // Load request body + inputData, err := ioutil.ReadAll(r.Body) + if err != nil { + writeErrorResponse(w, ErrInternalError, r.URL) + return + } + + // Unmarshal request body + var req setCredsReq + err = xml.Unmarshal(inputData, &req) + if err != nil { + errorIf(err, "Cannot unmarshal credentials request") + writeErrorResponse(w, ErrMalformedXML, r.URL) + return + } + + // Check passed credentials + cred, err := getCredential(req.Username, req.Password) + switch err { + case errInvalidAccessKeyLength: + writeErrorResponse(w, ErrAdminInvalidAccessKey, r.URL) + return + case errInvalidSecretKeyLength: + writeErrorResponse(w, ErrAdminInvalidSecretKey, r.URL) + return + } + + // Notify all other Minio peers to update credentials + updateErrs := updateCredsOnPeers(cred) + for peer, err := range updateErrs { + errorIf(err, "Unable to update credentials on peer %s.", peer) + } + + // Update local credentials + serverConfig.SetCredential(cred) + if err = serverConfig.Save(); err != nil { + writeErrorResponse(w, ErrInternalError, r.URL) + return + } + + // At this stage, the operation is successful, return 200 OK + w.WriteHeader(http.StatusOK) +} + // validateLockQueryParams - Validates query params for list/clear locks management APIs. func validateLockQueryParams(vars url.Values) (string, string, time.Duration, APIErrorCode) { bucket := vars.Get(string(mgmtBucket)) diff --git a/cmd/admin-handlers_test.go b/cmd/admin-handlers_test.go index 0f0c39c66..15b620623 100644 --- a/cmd/admin-handlers_test.go +++ b/cmd/admin-handlers_test.go @@ -19,6 +19,8 @@ package cmd import ( "bytes" "encoding/json" + "encoding/xml" + "io/ioutil" "net/http" "net/http/httptest" "net/url" @@ -33,8 +35,8 @@ type cmdType int const ( statusCmd cmdType = iota - stopCmd restartCmd + setCreds ) // String - String representation for cmdType @@ -42,10 +44,10 @@ func (c cmdType) String() string { switch c { case statusCmd: return "status" - case stopCmd: - return "stop" case restartCmd: return "restart" + case setCreds: + return "set-credentials" } return "" } @@ -58,6 +60,8 @@ func (c cmdType) apiMethod() string { return "GET" case restartCmd: return "POST" + case setCreds: + return "POST" } return "GET" } @@ -86,15 +90,19 @@ func testServiceSignalReceiver(cmd cmdType, t *testing.T) { // getServiceCmdRequest - Constructs a management REST API request for service // subcommands for a given cmdType value. -func getServiceCmdRequest(cmd cmdType, cred credential) (*http.Request, error) { +func getServiceCmdRequest(cmd cmdType, cred credential, body []byte) (*http.Request, error) { req, err := newTestRequest(cmd.apiMethod(), "/?service", 0, nil) if err != nil { return nil, err } + // Set body + req.Body = ioutil.NopCloser(bytes.NewReader(body)) + // minioAdminOpHeader is to identify the request as a // management REST API request. req.Header.Set(minioAdminOpHeader, cmd.String()) + req.Header.Set("X-Amz-Content-Sha256", getSHA256Hash(body)) // management REST API uses signature V4 for authentication. err = signRequestV4(req, cred.AccessKey, cred.SecretKey) @@ -106,7 +114,7 @@ func getServiceCmdRequest(cmd cmdType, cred credential) (*http.Request, error) { // testServicesCmdHandler - parametrizes service subcommand tests on // cmdType value. -func testServicesCmdHandler(cmd cmdType, t *testing.T) { +func testServicesCmdHandler(cmd cmdType, args map[string]interface{}, t *testing.T) { // reset globals. // this is to make sure that the tests are not affected by modified value. resetTestGlobals() @@ -147,19 +155,25 @@ func testServicesCmdHandler(cmd cmdType, t *testing.T) { // Setting up a go routine to simulate ServerMux's // handleServiceSignals for stop and restart commands. - switch cmd { - case stopCmd, restartCmd: + if cmd == restartCmd { go testServiceSignalReceiver(cmd, t) } credentials := serverConfig.GetCredential() adminRouter := router.NewRouter() registerAdminRouter(adminRouter) - rec := httptest.NewRecorder() - req, err := getServiceCmdRequest(cmd, credentials) + var body []byte + + if cmd == setCreds { + body, _ = xml.Marshal(setCredsReq{Username: args["username"].(string), Password: args["password"].(string)}) + } + + req, err := getServiceCmdRequest(cmd, credentials, body) if err != nil { t.Fatalf("Failed to build service status request %v", err) } + + rec := httptest.NewRecorder() adminRouter.ServeHTTP(rec, req) if cmd == statusCmd { @@ -173,20 +187,37 @@ func testServicesCmdHandler(cmd cmdType, t *testing.T) { } } + if cmd == setCreds { + // Check if new credentials are set + cred := serverConfig.GetCredential() + if cred.AccessKey != args["username"].(string) { + t.Errorf("Wrong access key, expected = %s, found = %s", args["username"].(string), cred.AccessKey) + } + if cred.SecretKey != args["password"].(string) { + t.Errorf("Wrong secret key, expected = %s, found = %s", args["password"].(string), cred.SecretKey) + } + + } + if rec.Code != http.StatusOK { - t.Errorf("Expected to receive %d status code but received %d", - http.StatusOK, rec.Code) + resp, _ := ioutil.ReadAll(rec.Body) + t.Errorf("Expected to receive %d status code but received %d. Body (%s)", + http.StatusOK, rec.Code, string(resp)) } } // Test for service status management REST API. func TestServiceStatusHandler(t *testing.T) { - testServicesCmdHandler(statusCmd, t) + testServicesCmdHandler(statusCmd, nil, t) } // Test for service restart management REST API. func TestServiceRestartHandler(t *testing.T) { - testServicesCmdHandler(restartCmd, t) + testServicesCmdHandler(restartCmd, nil, t) +} + +func TestServiceSetCreds(t *testing.T) { + testServicesCmdHandler(setCreds, map[string]interface{}{"username": "minio", "password": "minio123"}, t) } // mkLockQueryVal - helper function to build lock query param. diff --git a/cmd/admin-router.go b/cmd/admin-router.go index dde7faea8..3c5f63a96 100644 --- a/cmd/admin-router.go +++ b/cmd/admin-router.go @@ -36,6 +36,8 @@ func registerAdminRouter(mux *router.Router) { // Service restart adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "restart").HandlerFunc(adminAPI.ServiceRestartHandler) + // Service update credentials + adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "set-credentials").HandlerFunc(adminAPI.ServiceCredentialsHandler) /// Lock operations diff --git a/cmd/api-errors.go b/cmd/api-errors.go index a23a7e7d6..99b18ccd6 100644 --- a/cmd/api-errors.go +++ b/cmd/api-errors.go @@ -140,6 +140,9 @@ const ( // Add new extended error codes here. // Please open a https://github.com/minio/minio/issues before adding // new error codes here. + + ErrAdminInvalidAccessKey + ErrAdminInvalidSecretKey ) // error code to APIError structure, these fields carry respective @@ -574,6 +577,17 @@ var errorCodeResponse = map[APIErrorCode]APIError{ Description: "Server not initialized, please try again.", HTTPStatusCode: http.StatusServiceUnavailable, }, + ErrAdminInvalidAccessKey: { + Code: "XMinioAdminInvalidAccessKey", + Description: "The access key is invalid.", + HTTPStatusCode: http.StatusBadRequest, + }, + ErrAdminInvalidSecretKey: { + Code: "XMinioAdminInvalidSecretKey", + Description: "The secret key is invalid.", + HTTPStatusCode: http.StatusBadRequest, + }, + // Add your error structure here. } diff --git a/cmd/globals.go b/cmd/globals.go index bae69452a..ce3a0a983 100644 --- a/cmd/globals.go +++ b/cmd/globals.go @@ -101,6 +101,12 @@ var ( // Minio server user agent string. globalServerUserAgent = "Minio/" + ReleaseTag + " (" + runtime.GOOS + "; " + runtime.GOARCH + ")" + // Access key passed from the environment + globalEnvAccessKey = os.Getenv("MINIO_ACCESS_KEY") + + // Secret key passed from the environment + globalEnvSecretKey = os.Getenv("MINIO_SECRET_KEY") + // Add new variable global values here. ) diff --git a/cmd/main.go b/cmd/main.go index bb2a47a71..db214201e 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -190,13 +190,11 @@ func minioInit(ctx *cli.Context) { enableLoggers() // Fetch access keys from environment variables and update the config. - accessKey := os.Getenv("MINIO_ACCESS_KEY") - secretKey := os.Getenv("MINIO_SECRET_KEY") - if accessKey != "" && secretKey != "" { + if globalEnvAccessKey != "" && globalEnvSecretKey != "" { // Set new credentials. serverConfig.SetCredential(credential{ - AccessKey: accessKey, - SecretKey: secretKey, + AccessKey: globalEnvAccessKey, + SecretKey: globalEnvSecretKey, }) } if !isAccessKeyValid(serverConfig.GetCredential().AccessKey) { diff --git a/docs/admin-api/management-api.md b/docs/admin-api/management-api.md index 2655c1698..b8ed45489 100644 --- a/docs/admin-api/management-api.md +++ b/docs/admin-api/management-api.md @@ -6,9 +6,9 @@ ## List of management APIs - Service - - Stop - Restart - Status + - SetCredentials - Locks - List @@ -17,11 +17,6 @@ - Healing ### Service Management APIs -* Stop - - POST /?service - - x-minio-operation: stop - - Response: On success 200 - * Restart - POST /?service - x-minio-operation: restart @@ -32,6 +27,43 @@ - x-minio-operation: status - Response: On success 200, return json formatted StorageInfo object. +* SetCredentials + - GET /?service + - x-minio-operation: set-credentials + - Response: Success 200 + - Possible error responses + - ErrMethodNotAllowed + + MethodNotAllowed + The specified method is not allowed against this resource. + + + / + 3L137 + 3L137 + + - ErrAdminBadCred + + XMinioBadCred + XMinioBadCred + + + / + 3L137 + 3L137 + + - ErrInternalError + + InternalError + We encountered an internal error, please try again. + + + / + 3L137 + 3L137 + + + ### Lock Management APIs * ListLocks - GET /?lock&bucket=mybucket&prefix=myprefix&older-than=rel_time diff --git a/pkg/madmin/README.md b/pkg/madmin/README.md index 73aba84a3..e2d16f1f8 100644 --- a/pkg/madmin/README.md +++ b/pkg/madmin/README.md @@ -106,6 +106,7 @@ go run service-status.go * [`ServiceStatus`](./API.md#ServiceStatus) * [`ServiceRestart`](./API.md#ServiceRestart) +* [`ServiceSetCredentials`](./API.md#ServiceSetCredentials) ## Full Examples @@ -113,6 +114,7 @@ go run service-status.go * [service-status.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-status.go) * [service-restart.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-restart.go) +* [service-set-credentials.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-set-credentials.go) ## Contribute diff --git a/pkg/madmin/api-error-response.go b/pkg/madmin/api-error-response.go index 49abf7e70..d5a14f656 100644 --- a/pkg/madmin/api-error-response.go +++ b/pkg/madmin/api-error-response.go @@ -16,7 +16,10 @@ package madmin -import "encoding/xml" +import ( + "encoding/xml" + "net/http" +) /* **** SAMPLE ERROR RESPONSE **** @@ -50,6 +53,29 @@ func (e ErrorResponse) Error() string { return e.Message } +const ( + reportIssue = "Please report this issue at https://github.com/minio/minio-go/issues." +) + +// httpRespToErrorResponse returns a new encoded ErrorResponse +// structure as error. +func httpRespToErrorResponse(resp *http.Response) error { + if resp == nil { + msg := "Response is empty. " + reportIssue + return ErrInvalidArgument(msg) + } + var errResp ErrorResponse + // Decode the xml error + err := xmlDecoder(resp.Body, &errResp) + if err != nil { + return ErrorResponse{ + Code: resp.Status, + Message: "Failed to parse server response.", + } + } + return errResp +} + // ErrInvalidArgument - Invalid argument response. func ErrInvalidArgument(message string) error { return ErrorResponse{ diff --git a/pkg/madmin/examples/service-set-credentials.go b/pkg/madmin/examples/service-set-credentials.go new file mode 100644 index 000000000..81f0dc203 --- /dev/null +++ b/pkg/madmin/examples/service-set-credentials.go @@ -0,0 +1,44 @@ +// +build ignore + +/* + * Minio Cloud Storage, (C) 2016 Minio, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package main + +import ( + "log" + + "github.com/minio/minio/pkg/madmin" +) + +func main() { + // Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY and my-bucketname are + // dummy values, please replace them with original values. + + // API requests are secure (HTTPS) if secure=true and insecure (HTTPS) otherwise. + // New returns an Minio Admin client object. + madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true) + if err != nil { + log.Fatalln(err) + } + + err = madmClnt.ServiceSetCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY") + if err != nil { + log.Fatalln(err) + } + log.Println("New credentials successfully set.") +} diff --git a/pkg/madmin/service.go b/pkg/madmin/service.go index d49213037..442ab3ffb 100644 --- a/pkg/madmin/service.go +++ b/pkg/madmin/service.go @@ -18,7 +18,9 @@ package madmin import ( + "bytes" "encoding/json" + "encoding/xml" "errors" "io/ioutil" "net/http" @@ -117,3 +119,49 @@ func (adm *AdminClient) ServiceRestart() error { } return nil } + +// setCredsReq - xml to send to the server to set new credentials +type setCredsReq struct { + Username string `xml:"username"` + Password string `xml:"password"` +} + +// ServiceSetCredentials - Call Service Set Credentials API to set new access and secret keys in the specified Minio server +func (adm *AdminClient) ServiceSetCredentials(access, secret string) error { + + // Disallow sending with the server if the connection is not secure + if !adm.secure { + return errors.New("setting new credentials requires HTTPS connection to the server") + } + + // Setup new request + reqData := requestData{} + reqData.queryValues = make(url.Values) + reqData.queryValues.Set("service", "") + reqData.customHeaders = make(http.Header) + reqData.customHeaders.Set(minioAdminOpHeader, "set-credentials") + + // Setup request's body + body, err := xml.Marshal(setCredsReq{Username: access, Password: secret}) + if err != nil { + return err + } + reqData.contentBody = bytes.NewReader(body) + reqData.contentLength = int64(len(body)) + reqData.contentMD5Bytes = sumMD5(body) + reqData.contentSHA256Bytes = sum256(body) + + // Execute GET on bucket to list objects. + resp, err := adm.executeMethod("POST", reqData) + + defer closeResponse(resp) + if err != nil { + return err + } + + // Return error to the caller if http response code is different from 200 + if resp.StatusCode != http.StatusOK { + return httpRespToErrorResponse(resp) + } + return nil +} diff --git a/pkg/madmin/utils.go b/pkg/madmin/utils.go index 1661c2f8c..34aa80618 100644 --- a/pkg/madmin/utils.go +++ b/pkg/madmin/utils.go @@ -17,7 +17,9 @@ package madmin import ( + "crypto/md5" "crypto/sha256" + "encoding/xml" "io" "io/ioutil" "net" @@ -35,6 +37,19 @@ func sum256(data []byte) []byte { return hash.Sum(nil) } +// sumMD5 calculate sumMD5 sum for an input byte array. +func sumMD5(data []byte) []byte { + hash := md5.New() + hash.Write(data) + return hash.Sum(nil) +} + +// xmlDecoder provide decoded value in xml. +func xmlDecoder(body io.Reader, v interface{}) error { + d := xml.NewDecoder(body) + return d.Decode(v) +} + // getEndpointURL - construct a new endpoint. func getEndpointURL(endpoint string, secure bool) (*url.URL, error) { if strings.Contains(endpoint, ":") {