admin: Add service Set Credentials API (#3580)

This commit is contained in:
Anis Elleuch 2017-01-17 23:25:59 +01:00 committed by Harshavardhana
parent 20a65981bd
commit f803bb4b3d
13 changed files with 317 additions and 27 deletions

View File

@ -35,8 +35,8 @@ test_script:
# Unit tests # Unit tests
- ps: Add-AppveyorTest "Unit Tests" -Outcome Running - ps: Add-AppveyorTest "Unit Tests" -Outcome Running
- mkdir build\coverage - mkdir build\coverage
- go test -race github.com/minio/minio/cmd... - go test -timeout 15m -v -race github.com/minio/minio/cmd...
- go test -race github.com/minio/minio/pkg... - go test -v -race github.com/minio/minio/pkg...
- go test -coverprofile=build\coverage\coverage.txt -covermode=atomic github.com/minio/minio/cmd - go test -coverprofile=build\coverage\coverage.txt -covermode=atomic github.com/minio/minio/cmd
- ps: Update-AppveyorTest "Unit Tests" -Outcome Passed - ps: Update-AppveyorTest "Unit Tests" -Outcome Passed

View File

@ -18,6 +18,8 @@ package cmd
import ( import (
"encoding/json" "encoding/json"
"encoding/xml"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@ -84,6 +86,76 @@ func (adminAPI adminAPIHandlers) ServiceRestartHandler(w http.ResponseWriter, r
sendServiceCmd(globalAdminPeers, serviceRestart) sendServiceCmd(globalAdminPeers, serviceRestart)
} }
// setCredsReq request
type setCredsReq struct {
Username string `xml:"username"`
Password string `xml:"password"`
}
// ServiceCredsHandler - POST /?service
// HTTP header x-minio-operation: creds
// ----------
// Update credentials in a minio server. In a distributed setup, update all the servers
// in the cluster.
func (adminAPI adminAPIHandlers) ServiceCredentialsHandler(w http.ResponseWriter, r *http.Request) {
// Authenticate request
adminAPIErr := checkRequestAuthType(r, "", "", "")
if adminAPIErr != ErrNone {
writeErrorResponse(w, adminAPIErr, r.URL)
return
}
// Avoid setting new credentials when they are already passed
// by the environnement
if globalEnvAccessKey != "" || globalEnvSecretKey != "" {
writeErrorResponse(w, ErrMethodNotAllowed, r.URL)
return
}
// Load request body
inputData, err := ioutil.ReadAll(r.Body)
if err != nil {
writeErrorResponse(w, ErrInternalError, r.URL)
return
}
// Unmarshal request body
var req setCredsReq
err = xml.Unmarshal(inputData, &req)
if err != nil {
errorIf(err, "Cannot unmarshal credentials request")
writeErrorResponse(w, ErrMalformedXML, r.URL)
return
}
// Check passed credentials
cred, err := getCredential(req.Username, req.Password)
switch err {
case errInvalidAccessKeyLength:
writeErrorResponse(w, ErrAdminInvalidAccessKey, r.URL)
return
case errInvalidSecretKeyLength:
writeErrorResponse(w, ErrAdminInvalidSecretKey, r.URL)
return
}
// Notify all other Minio peers to update credentials
updateErrs := updateCredsOnPeers(cred)
for peer, err := range updateErrs {
errorIf(err, "Unable to update credentials on peer %s.", peer)
}
// Update local credentials
serverConfig.SetCredential(cred)
if err = serverConfig.Save(); err != nil {
writeErrorResponse(w, ErrInternalError, r.URL)
return
}
// At this stage, the operation is successful, return 200 OK
w.WriteHeader(http.StatusOK)
}
// validateLockQueryParams - Validates query params for list/clear locks management APIs. // validateLockQueryParams - Validates query params for list/clear locks management APIs.
func validateLockQueryParams(vars url.Values) (string, string, time.Duration, APIErrorCode) { func validateLockQueryParams(vars url.Values) (string, string, time.Duration, APIErrorCode) {
bucket := vars.Get(string(mgmtBucket)) bucket := vars.Get(string(mgmtBucket))

View File

@ -19,6 +19,8 @@ package cmd
import ( import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"encoding/xml"
"io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
@ -33,8 +35,8 @@ type cmdType int
const ( const (
statusCmd cmdType = iota statusCmd cmdType = iota
stopCmd
restartCmd restartCmd
setCreds
) )
// String - String representation for cmdType // String - String representation for cmdType
@ -42,10 +44,10 @@ func (c cmdType) String() string {
switch c { switch c {
case statusCmd: case statusCmd:
return "status" return "status"
case stopCmd:
return "stop"
case restartCmd: case restartCmd:
return "restart" return "restart"
case setCreds:
return "set-credentials"
} }
return "" return ""
} }
@ -58,6 +60,8 @@ func (c cmdType) apiMethod() string {
return "GET" return "GET"
case restartCmd: case restartCmd:
return "POST" return "POST"
case setCreds:
return "POST"
} }
return "GET" return "GET"
} }
@ -86,15 +90,19 @@ func testServiceSignalReceiver(cmd cmdType, t *testing.T) {
// getServiceCmdRequest - Constructs a management REST API request for service // getServiceCmdRequest - Constructs a management REST API request for service
// subcommands for a given cmdType value. // subcommands for a given cmdType value.
func getServiceCmdRequest(cmd cmdType, cred credential) (*http.Request, error) { func getServiceCmdRequest(cmd cmdType, cred credential, body []byte) (*http.Request, error) {
req, err := newTestRequest(cmd.apiMethod(), "/?service", 0, nil) req, err := newTestRequest(cmd.apiMethod(), "/?service", 0, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Set body
req.Body = ioutil.NopCloser(bytes.NewReader(body))
// minioAdminOpHeader is to identify the request as a // minioAdminOpHeader is to identify the request as a
// management REST API request. // management REST API request.
req.Header.Set(minioAdminOpHeader, cmd.String()) req.Header.Set(minioAdminOpHeader, cmd.String())
req.Header.Set("X-Amz-Content-Sha256", getSHA256Hash(body))
// management REST API uses signature V4 for authentication. // management REST API uses signature V4 for authentication.
err = signRequestV4(req, cred.AccessKey, cred.SecretKey) err = signRequestV4(req, cred.AccessKey, cred.SecretKey)
@ -106,7 +114,7 @@ func getServiceCmdRequest(cmd cmdType, cred credential) (*http.Request, error) {
// testServicesCmdHandler - parametrizes service subcommand tests on // testServicesCmdHandler - parametrizes service subcommand tests on
// cmdType value. // cmdType value.
func testServicesCmdHandler(cmd cmdType, t *testing.T) { func testServicesCmdHandler(cmd cmdType, args map[string]interface{}, t *testing.T) {
// reset globals. // reset globals.
// this is to make sure that the tests are not affected by modified value. // this is to make sure that the tests are not affected by modified value.
resetTestGlobals() resetTestGlobals()
@ -147,19 +155,25 @@ func testServicesCmdHandler(cmd cmdType, t *testing.T) {
// Setting up a go routine to simulate ServerMux's // Setting up a go routine to simulate ServerMux's
// handleServiceSignals for stop and restart commands. // handleServiceSignals for stop and restart commands.
switch cmd { if cmd == restartCmd {
case stopCmd, restartCmd:
go testServiceSignalReceiver(cmd, t) go testServiceSignalReceiver(cmd, t)
} }
credentials := serverConfig.GetCredential() credentials := serverConfig.GetCredential()
adminRouter := router.NewRouter() adminRouter := router.NewRouter()
registerAdminRouter(adminRouter) registerAdminRouter(adminRouter)
rec := httptest.NewRecorder() var body []byte
req, err := getServiceCmdRequest(cmd, credentials)
if cmd == setCreds {
body, _ = xml.Marshal(setCredsReq{Username: args["username"].(string), Password: args["password"].(string)})
}
req, err := getServiceCmdRequest(cmd, credentials, body)
if err != nil { if err != nil {
t.Fatalf("Failed to build service status request %v", err) t.Fatalf("Failed to build service status request %v", err)
} }
rec := httptest.NewRecorder()
adminRouter.ServeHTTP(rec, req) adminRouter.ServeHTTP(rec, req)
if cmd == statusCmd { if cmd == statusCmd {
@ -173,20 +187,37 @@ func testServicesCmdHandler(cmd cmdType, t *testing.T) {
} }
} }
if cmd == setCreds {
// Check if new credentials are set
cred := serverConfig.GetCredential()
if cred.AccessKey != args["username"].(string) {
t.Errorf("Wrong access key, expected = %s, found = %s", args["username"].(string), cred.AccessKey)
}
if cred.SecretKey != args["password"].(string) {
t.Errorf("Wrong secret key, expected = %s, found = %s", args["password"].(string), cred.SecretKey)
}
}
if rec.Code != http.StatusOK { if rec.Code != http.StatusOK {
t.Errorf("Expected to receive %d status code but received %d", resp, _ := ioutil.ReadAll(rec.Body)
http.StatusOK, rec.Code) t.Errorf("Expected to receive %d status code but received %d. Body (%s)",
http.StatusOK, rec.Code, string(resp))
} }
} }
// Test for service status management REST API. // Test for service status management REST API.
func TestServiceStatusHandler(t *testing.T) { func TestServiceStatusHandler(t *testing.T) {
testServicesCmdHandler(statusCmd, t) testServicesCmdHandler(statusCmd, nil, t)
} }
// Test for service restart management REST API. // Test for service restart management REST API.
func TestServiceRestartHandler(t *testing.T) { func TestServiceRestartHandler(t *testing.T) {
testServicesCmdHandler(restartCmd, t) testServicesCmdHandler(restartCmd, nil, t)
}
func TestServiceSetCreds(t *testing.T) {
testServicesCmdHandler(setCreds, map[string]interface{}{"username": "minio", "password": "minio123"}, t)
} }
// mkLockQueryVal - helper function to build lock query param. // mkLockQueryVal - helper function to build lock query param.

View File

@ -36,6 +36,8 @@ func registerAdminRouter(mux *router.Router) {
// Service restart // Service restart
adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "restart").HandlerFunc(adminAPI.ServiceRestartHandler) adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "restart").HandlerFunc(adminAPI.ServiceRestartHandler)
// Service update credentials
adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "set-credentials").HandlerFunc(adminAPI.ServiceCredentialsHandler)
/// Lock operations /// Lock operations

View File

@ -140,6 +140,9 @@ const (
// Add new extended error codes here. // Add new extended error codes here.
// Please open a https://github.com/minio/minio/issues before adding // Please open a https://github.com/minio/minio/issues before adding
// new error codes here. // new error codes here.
ErrAdminInvalidAccessKey
ErrAdminInvalidSecretKey
) )
// error code to APIError structure, these fields carry respective // error code to APIError structure, these fields carry respective
@ -574,6 +577,17 @@ var errorCodeResponse = map[APIErrorCode]APIError{
Description: "Server not initialized, please try again.", Description: "Server not initialized, please try again.",
HTTPStatusCode: http.StatusServiceUnavailable, HTTPStatusCode: http.StatusServiceUnavailable,
}, },
ErrAdminInvalidAccessKey: {
Code: "XMinioAdminInvalidAccessKey",
Description: "The access key is invalid.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrAdminInvalidSecretKey: {
Code: "XMinioAdminInvalidSecretKey",
Description: "The secret key is invalid.",
HTTPStatusCode: http.StatusBadRequest,
},
// Add your error structure here. // Add your error structure here.
} }

View File

@ -101,6 +101,12 @@ var (
// Minio server user agent string. // Minio server user agent string.
globalServerUserAgent = "Minio/" + ReleaseTag + " (" + runtime.GOOS + "; " + runtime.GOARCH + ")" globalServerUserAgent = "Minio/" + ReleaseTag + " (" + runtime.GOOS + "; " + runtime.GOARCH + ")"
// Access key passed from the environment
globalEnvAccessKey = os.Getenv("MINIO_ACCESS_KEY")
// Secret key passed from the environment
globalEnvSecretKey = os.Getenv("MINIO_SECRET_KEY")
// Add new variable global values here. // Add new variable global values here.
) )

View File

@ -190,13 +190,11 @@ func minioInit(ctx *cli.Context) {
enableLoggers() enableLoggers()
// Fetch access keys from environment variables and update the config. // Fetch access keys from environment variables and update the config.
accessKey := os.Getenv("MINIO_ACCESS_KEY") if globalEnvAccessKey != "" && globalEnvSecretKey != "" {
secretKey := os.Getenv("MINIO_SECRET_KEY")
if accessKey != "" && secretKey != "" {
// Set new credentials. // Set new credentials.
serverConfig.SetCredential(credential{ serverConfig.SetCredential(credential{
AccessKey: accessKey, AccessKey: globalEnvAccessKey,
SecretKey: secretKey, SecretKey: globalEnvSecretKey,
}) })
} }
if !isAccessKeyValid(serverConfig.GetCredential().AccessKey) { if !isAccessKeyValid(serverConfig.GetCredential().AccessKey) {

View File

@ -6,9 +6,9 @@
## List of management APIs ## List of management APIs
- Service - Service
- Stop
- Restart - Restart
- Status - Status
- SetCredentials
- Locks - Locks
- List - List
@ -17,11 +17,6 @@
- Healing - Healing
### Service Management APIs ### Service Management APIs
* Stop
- POST /?service
- x-minio-operation: stop
- Response: On success 200
* Restart * Restart
- POST /?service - POST /?service
- x-minio-operation: restart - x-minio-operation: restart
@ -32,6 +27,43 @@
- x-minio-operation: status - x-minio-operation: status
- Response: On success 200, return json formatted StorageInfo object. - Response: On success 200, return json formatted StorageInfo object.
* SetCredentials
- GET /?service
- x-minio-operation: set-credentials
- Response: Success 200
- Possible error responses
- ErrMethodNotAllowed
<Error>
<Code>MethodNotAllowed</Code>
<Message>The specified method is not allowed against this resource.</Message>
<Key></Key>
<BucketName></BucketName>
<Resource>/</Resource>
<RequestId>3L137</RequestId>
<HostId>3L137</HostId>
</Error>
- ErrAdminBadCred
<Error>
<Code>XMinioBadCred</Code>
<Message>XMinioBadCred</Message>
<Key></Key>
<BucketName></BucketName>
<Resource>/</Resource>
<RequestId>3L137</RequestId>
<HostId>3L137</HostId>
</Error>
- ErrInternalError
<Error>
<Code>InternalError</Code>
<Message>We encountered an internal error, please try again.</Message>
<Key></Key>
<BucketName></BucketName>
<Resource>/</Resource>
<RequestId>3L137</RequestId>
<HostId>3L137</HostId>
</Error>
### Lock Management APIs ### Lock Management APIs
* ListLocks * ListLocks
- GET /?lock&bucket=mybucket&prefix=myprefix&older-than=rel_time - GET /?lock&bucket=mybucket&prefix=myprefix&older-than=rel_time

View File

@ -106,6 +106,7 @@ go run service-status.go
* [`ServiceStatus`](./API.md#ServiceStatus) * [`ServiceStatus`](./API.md#ServiceStatus)
* [`ServiceRestart`](./API.md#ServiceRestart) * [`ServiceRestart`](./API.md#ServiceRestart)
* [`ServiceSetCredentials`](./API.md#ServiceSetCredentials)
## Full Examples ## Full Examples
@ -113,6 +114,7 @@ go run service-status.go
* [service-status.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-status.go) * [service-status.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-status.go)
* [service-restart.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-restart.go) * [service-restart.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-restart.go)
* [service-set-credentials.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-set-credentials.go)
## Contribute ## Contribute

View File

@ -16,7 +16,10 @@
package madmin package madmin
import "encoding/xml" import (
"encoding/xml"
"net/http"
)
/* **** SAMPLE ERROR RESPONSE **** /* **** SAMPLE ERROR RESPONSE ****
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
@ -50,6 +53,29 @@ func (e ErrorResponse) Error() string {
return e.Message return e.Message
} }
const (
reportIssue = "Please report this issue at https://github.com/minio/minio-go/issues."
)
// httpRespToErrorResponse returns a new encoded ErrorResponse
// structure as error.
func httpRespToErrorResponse(resp *http.Response) error {
if resp == nil {
msg := "Response is empty. " + reportIssue
return ErrInvalidArgument(msg)
}
var errResp ErrorResponse
// Decode the xml error
err := xmlDecoder(resp.Body, &errResp)
if err != nil {
return ErrorResponse{
Code: resp.Status,
Message: "Failed to parse server response.",
}
}
return errResp
}
// ErrInvalidArgument - Invalid argument response. // ErrInvalidArgument - Invalid argument response.
func ErrInvalidArgument(message string) error { func ErrInvalidArgument(message string) error {
return ErrorResponse{ return ErrorResponse{

View File

@ -0,0 +1,44 @@
// +build ignore
/*
* Minio Cloud Storage, (C) 2016 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package main
import (
"log"
"github.com/minio/minio/pkg/madmin"
)
func main() {
// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY and my-bucketname are
// dummy values, please replace them with original values.
// API requests are secure (HTTPS) if secure=true and insecure (HTTPS) otherwise.
// New returns an Minio Admin client object.
madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
if err != nil {
log.Fatalln(err)
}
err = madmClnt.ServiceSetCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY")
if err != nil {
log.Fatalln(err)
}
log.Println("New credentials successfully set.")
}

View File

@ -18,7 +18,9 @@
package madmin package madmin
import ( import (
"bytes"
"encoding/json" "encoding/json"
"encoding/xml"
"errors" "errors"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@ -117,3 +119,49 @@ func (adm *AdminClient) ServiceRestart() error {
} }
return nil return nil
} }
// setCredsReq - xml to send to the server to set new credentials
type setCredsReq struct {
Username string `xml:"username"`
Password string `xml:"password"`
}
// ServiceSetCredentials - Call Service Set Credentials API to set new access and secret keys in the specified Minio server
func (adm *AdminClient) ServiceSetCredentials(access, secret string) error {
// Disallow sending with the server if the connection is not secure
if !adm.secure {
return errors.New("setting new credentials requires HTTPS connection to the server")
}
// Setup new request
reqData := requestData{}
reqData.queryValues = make(url.Values)
reqData.queryValues.Set("service", "")
reqData.customHeaders = make(http.Header)
reqData.customHeaders.Set(minioAdminOpHeader, "set-credentials")
// Setup request's body
body, err := xml.Marshal(setCredsReq{Username: access, Password: secret})
if err != nil {
return err
}
reqData.contentBody = bytes.NewReader(body)
reqData.contentLength = int64(len(body))
reqData.contentMD5Bytes = sumMD5(body)
reqData.contentSHA256Bytes = sum256(body)
// Execute GET on bucket to list objects.
resp, err := adm.executeMethod("POST", reqData)
defer closeResponse(resp)
if err != nil {
return err
}
// Return error to the caller if http response code is different from 200
if resp.StatusCode != http.StatusOK {
return httpRespToErrorResponse(resp)
}
return nil
}

View File

@ -17,7 +17,9 @@
package madmin package madmin
import ( import (
"crypto/md5"
"crypto/sha256" "crypto/sha256"
"encoding/xml"
"io" "io"
"io/ioutil" "io/ioutil"
"net" "net"
@ -35,6 +37,19 @@ func sum256(data []byte) []byte {
return hash.Sum(nil) return hash.Sum(nil)
} }
// sumMD5 calculate sumMD5 sum for an input byte array.
func sumMD5(data []byte) []byte {
hash := md5.New()
hash.Write(data)
return hash.Sum(nil)
}
// xmlDecoder provide decoded value in xml.
func xmlDecoder(body io.Reader, v interface{}) error {
d := xml.NewDecoder(body)
return d.Decode(v)
}
// getEndpointURL - construct a new endpoint. // getEndpointURL - construct a new endpoint.
func getEndpointURL(endpoint string, secure bool) (*url.URL, error) { func getEndpointURL(endpoint string, secure bool) (*url.URL, error) {
if strings.Contains(endpoint, ":") { if strings.Contains(endpoint, ":") {