minio/pkg/madmin/kms-commands.go
Andreas Auernhammer a317a2531c
admin: new API for creating KMS master keys (#9982)
This commit adds a new admin API for creating master keys.
An admin client can send a POST request to:
```
/minio/admin/v3/kms/key/create?key-id=<keyID>
```

The name / ID of the new key is specified as request
query parameter `key-id=<ID>`.

Creating new master keys requires KES - it does not work with
the native Vault KMS (deprecated) nor with a static master key
(deprecated).

Further, this commit removes the `UpdateKey` method from the `KMS`
interface. This method is not needed and not used anymore.
2020-07-08 18:50:43 -07:00

85 lines
2.7 KiB
Go

/*
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package madmin
import (
"context"
"encoding/json"
"net/http"
"net/url"
)
// CreateKey tries to create a new master key with the given keyID
// at the KMS connected to a MinIO server.
func (adm *AdminClient) CreateKey(ctx context.Context, keyID string) error {
// POST /minio/admin/v3/kms/key/create?key-id=<keyID>
qv := url.Values{}
qv.Set("key-id", keyID)
reqData := requestData{
relPath: adminAPIPrefix + "/kms/key/create",
queryValues: qv,
}
resp, err := adm.executeMethod(ctx, http.MethodPost, reqData)
if err != nil {
return err
}
defer closeResponse(resp)
if resp.StatusCode != http.StatusOK {
return httpRespToErrorResponse(resp)
}
return nil
}
// GetKeyStatus requests status information about the key referenced by keyID
// from the KMS connected to a MinIO by performing a Admin-API request.
// It basically hits the `/minio/admin/v3/kms/key/status` API endpoint.
func (adm *AdminClient) GetKeyStatus(ctx context.Context, keyID string) (*KMSKeyStatus, error) {
// GET /minio/admin/v3/kms/key/status?key-id=<keyID>
qv := url.Values{}
qv.Set("key-id", keyID)
reqData := requestData{
relPath: adminAPIPrefix + "/kms/key/status",
queryValues: qv,
}
resp, err := adm.executeMethod(ctx, http.MethodGet, reqData)
if err != nil {
return nil, err
}
defer closeResponse(resp)
if resp.StatusCode != http.StatusOK {
return nil, httpRespToErrorResponse(resp)
}
var keyInfo KMSKeyStatus
if err = json.NewDecoder(resp.Body).Decode(&keyInfo); err != nil {
return nil, err
}
return &keyInfo, nil
}
// KMSKeyStatus contains some status information about a KMS master key.
// The MinIO server tries to access the KMS and perform encryption and
// decryption operations. If the MinIO server can access the KMS and
// all master key operations succeed it returns a status containing only
// the master key ID but no error.
type KMSKeyStatus struct {
KeyID string `json:"key-id"`
EncryptionErr string `json:"encryption-error,omitempty"` // An empty error == success
DecryptionErr string `json:"decryption-error,omitempty"` // An empty error == success
}