mirror of
https://github.com/minio/minio.git
synced 2024-12-26 07:05:55 -05:00
31dff87903
Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
155 lines
4.1 KiB
Go
155 lines
4.1 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"path"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// Login handler implements JWT login token generator, which upon login request
|
|
// along with username and password is generated.
|
|
func (br *browserPeerAPIHandlers) Login(args *LoginRPCArgs, reply *LoginRPCReply) error {
|
|
// Validate LoginRPCArgs
|
|
if err := args.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Authenticate using JWT.
|
|
token, err := authenticateWeb(args.Username, args.Password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Return the token.
|
|
reply.AuthToken = token
|
|
|
|
return nil
|
|
}
|
|
|
|
// SetAuthPeerArgs - Arguments collection for SetAuth RPC call
|
|
type SetAuthPeerArgs struct {
|
|
// For Auth
|
|
AuthRPCArgs
|
|
|
|
// New credentials that receiving peer should update to.
|
|
Creds credential
|
|
}
|
|
|
|
// SetAuthPeer - Update to new credentials sent from a peer Minio
|
|
// server. Since credentials are already validated on the sending
|
|
// peer, here we just persist to file and update in-memory config. All
|
|
// subsequently running isAuthTokenValid() calls will fail, and clients
|
|
// will be forced to re-establish connections. Connections will be
|
|
// re-established only when the sending client has also updated its
|
|
// credentials.
|
|
func (br *browserPeerAPIHandlers) SetAuthPeer(args SetAuthPeerArgs, reply *AuthRPCReply) error {
|
|
if err := args.IsAuthenticated(); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := validateAuthKeys(args.Creds.AccessKey, args.Creds.SecretKey); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Update credentials in memory
|
|
serverConfig.SetCredential(args.Creds)
|
|
|
|
// Save credentials to config file
|
|
if err := serverConfig.Save(); err != nil {
|
|
errorIf(err, "Error updating config file with new credentials sent from browser RPC.")
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Sends SetAuthPeer RPCs to all peers in the Minio cluster
|
|
func updateCredsOnPeers(creds credential) map[string]error {
|
|
// Get list of peer addresses (from globalS3Peers)
|
|
peers := []string{}
|
|
for _, p := range globalS3Peers {
|
|
peers = append(peers, p.addr)
|
|
}
|
|
|
|
// Array of errors for each peer
|
|
errs := make([]error, len(peers))
|
|
var wg sync.WaitGroup
|
|
|
|
serverCred := serverConfig.GetCredential()
|
|
// Launch go routines to send request to each peer in parallel.
|
|
for ix := range peers {
|
|
wg.Add(1)
|
|
go func(ix int) {
|
|
defer wg.Done()
|
|
|
|
// Exclude self to avoid race with
|
|
// invalidating the RPC token.
|
|
if peers[ix] == globalMinioAddr {
|
|
errs[ix] = nil
|
|
return
|
|
}
|
|
|
|
// Initialize client
|
|
client := newAuthRPCClient(authConfig{
|
|
accessKey: serverCred.AccessKey,
|
|
secretKey: serverCred.SecretKey,
|
|
serverAddr: peers[ix],
|
|
secureConn: globalIsSSL,
|
|
serviceEndpoint: path.Join(reservedBucket, browserPeerPath),
|
|
serviceName: "BrowserPeer",
|
|
})
|
|
|
|
// Construct RPC call arguments.
|
|
args := SetAuthPeerArgs{Creds: creds}
|
|
|
|
// Make RPC call - we only care about error
|
|
// response and not the reply.
|
|
err := client.Call("BrowserPeer.SetAuthPeer", &args, &AuthRPCReply{})
|
|
|
|
// We try a bit hard (3 attempts with 1 second delay)
|
|
// to set creds on peers in case of failure.
|
|
if err != nil {
|
|
for i := 0; i < 2; i++ {
|
|
time.Sleep(1 * time.Second) // 1 second delay.
|
|
err = client.Call("BrowserPeer.SetAuthPeer", &args, &AuthRPCReply{})
|
|
if err == nil {
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
// Send result down the channel
|
|
errs[ix] = err
|
|
}(ix)
|
|
}
|
|
|
|
// Wait for requests to complete.
|
|
wg.Wait()
|
|
|
|
// Put errors into map.
|
|
errsMap := make(map[string]error)
|
|
for i, err := range errs {
|
|
if err != nil {
|
|
errsMap[peers[i]] = err
|
|
}
|
|
}
|
|
|
|
return errsMap
|
|
}
|