mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
c3d4c1f584
This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
476 lines
13 KiB
Go
476 lines
13 KiB
Go
/*
|
|
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"io"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/minio/minio/cmd/config"
|
|
"github.com/minio/minio/cmd/config/cache"
|
|
"github.com/minio/minio/cmd/config/etcd"
|
|
xldap "github.com/minio/minio/cmd/config/identity/ldap"
|
|
"github.com/minio/minio/cmd/config/identity/openid"
|
|
"github.com/minio/minio/cmd/config/policy/opa"
|
|
"github.com/minio/minio/cmd/config/storageclass"
|
|
"github.com/minio/minio/cmd/crypto"
|
|
"github.com/minio/minio/cmd/logger"
|
|
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
|
"github.com/minio/minio/pkg/madmin"
|
|
)
|
|
|
|
func validateAdminReqConfigKV(ctx context.Context, w http.ResponseWriter, r *http.Request) ObjectLayer {
|
|
// Get current object layer instance.
|
|
objectAPI := newObjectLayerWithoutSafeModeFn()
|
|
if objectAPI == nil {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
|
|
return nil
|
|
}
|
|
|
|
// Validate request signature.
|
|
_, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.ConfigUpdateAdminAction, "")
|
|
if adminAPIErr != ErrNone {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
|
|
return nil
|
|
}
|
|
|
|
return objectAPI
|
|
}
|
|
|
|
// DelConfigKVHandler - DELETE /minio/admin/v2/del-config-kv
|
|
func (a adminAPIHandlers) DelConfigKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "DelConfigKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
// Deny if WORM is enabled
|
|
if globalWORMEnabled {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL)
|
|
return
|
|
}
|
|
|
|
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
|
|
// More than maxConfigSize bytes were available
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
|
|
return
|
|
}
|
|
|
|
password := globalActiveCred.SecretKey
|
|
kvBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
|
|
if err != nil {
|
|
logger.LogIf(ctx, err, logger.Application)
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
|
|
return
|
|
}
|
|
|
|
cfg, err := readServerConfig(ctx, objectAPI)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if err = cfg.DelFrom(bytes.NewReader(kvBytes)); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if err = saveServerConfig(ctx, objectAPI, cfg); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
}
|
|
|
|
// SetConfigKVHandler - PUT /minio/admin/v2/set-config-kv
|
|
func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "SetConfigKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
// Deny if WORM is enabled
|
|
if globalWORMEnabled {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL)
|
|
return
|
|
}
|
|
|
|
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
|
|
// More than maxConfigSize bytes were available
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
|
|
return
|
|
}
|
|
|
|
password := globalActiveCred.SecretKey
|
|
kvBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
|
|
if err != nil {
|
|
logger.LogIf(ctx, err, logger.Application)
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
|
|
return
|
|
}
|
|
|
|
cfg, err := readServerConfig(ctx, objectAPI)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if _, err = cfg.ReadFrom(bytes.NewReader(kvBytes)); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if err = validateConfig(cfg); err != nil {
|
|
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), err.Error(), r.URL)
|
|
return
|
|
}
|
|
|
|
// Update the actual server config on disk.
|
|
if err = saveServerConfig(ctx, objectAPI, cfg); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
// Write to the config input KV to history.
|
|
if err = saveServerConfigHistory(ctx, objectAPI, kvBytes); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
// Make sure to write backend is encrypted
|
|
if globalConfigEncrypted {
|
|
saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
|
|
}
|
|
|
|
writeSuccessResponseHeadersOnly(w)
|
|
}
|
|
|
|
// GetConfigKVHandler - GET /minio/admin/v2/get-config-kv?key={key}
|
|
func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "GetConfigKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
cfg := globalServerConfig
|
|
if globalSafeMode {
|
|
var err error
|
|
cfg, err = getValidConfig(objectAPI)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
}
|
|
|
|
vars := mux.Vars(r)
|
|
var buf = &bytes.Buffer{}
|
|
cw := config.NewConfigWriteTo(cfg, vars["key"])
|
|
if _, err := cw.WriteTo(buf); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
password := globalActiveCred.SecretKey
|
|
econfigData, err := madmin.EncryptData(password, buf.Bytes())
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
writeSuccessResponseJSON(w, econfigData)
|
|
}
|
|
|
|
func (a adminAPIHandlers) ClearConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "ClearConfigHistoryKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
vars := mux.Vars(r)
|
|
restoreID := vars["restoreId"]
|
|
if restoreID == "" {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
|
|
return
|
|
}
|
|
if restoreID == "all" {
|
|
chEntries, err := listServerConfigHistory(ctx, objectAPI, false, -1)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
for _, chEntry := range chEntries {
|
|
if err = delServerConfigHistory(ctx, objectAPI, chEntry.RestoreID); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
}
|
|
} else {
|
|
if err := delServerConfigHistory(ctx, objectAPI, restoreID); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// RestoreConfigHistoryKVHandler - restores a config with KV settings for the given KV id.
|
|
func (a adminAPIHandlers) RestoreConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "RestoreConfigHistoryKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
vars := mux.Vars(r)
|
|
restoreID := vars["restoreId"]
|
|
if restoreID == "" {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
|
|
return
|
|
}
|
|
|
|
kvBytes, err := readServerConfigHistory(ctx, objectAPI, restoreID)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
cfg, err := readServerConfig(ctx, objectAPI)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if _, err = cfg.ReadFrom(bytes.NewReader(kvBytes)); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if err = validateConfig(cfg); err != nil {
|
|
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), err.Error(), r.URL)
|
|
return
|
|
}
|
|
|
|
if err = saveServerConfig(ctx, objectAPI, cfg); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
delServerConfigHistory(ctx, objectAPI, restoreID)
|
|
}
|
|
|
|
// ListConfigHistoryKVHandler - lists all the KV ids.
|
|
func (a adminAPIHandlers) ListConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "ListConfigHistoryKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
vars := mux.Vars(r)
|
|
count, err := strconv.Atoi(vars["count"])
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
chEntries, err := listServerConfigHistory(ctx, objectAPI, true, count)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
data, err := json.Marshal(chEntries)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
password := globalActiveCred.SecretKey
|
|
econfigData, err := madmin.EncryptData(password, data)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
writeSuccessResponseJSON(w, econfigData)
|
|
}
|
|
|
|
// HelpConfigKVHandler - GET /minio/admin/v2/help-config-kv?subSys={subSys}&key={key}
|
|
func (a adminAPIHandlers) HelpConfigKVHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "HelpConfigKVHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
vars := mux.Vars(r)
|
|
|
|
subSys := vars["subSys"]
|
|
key := vars["key"]
|
|
|
|
_, envOnly := r.URL.Query()["env"]
|
|
|
|
rd, err := GetHelp(subSys, key, envOnly)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
json.NewEncoder(w).Encode(rd)
|
|
w.(http.Flusher).Flush()
|
|
}
|
|
|
|
// SetConfigHandler - PUT /minio/admin/v2/config
|
|
func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "SetConfigHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
// Deny if WORM is enabled
|
|
if globalWORMEnabled {
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL)
|
|
return
|
|
}
|
|
|
|
if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
|
|
// More than maxConfigSize bytes were available
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
|
|
return
|
|
}
|
|
|
|
password := globalActiveCred.SecretKey
|
|
kvBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
|
|
if err != nil {
|
|
logger.LogIf(ctx, err, logger.Application)
|
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
|
|
return
|
|
}
|
|
|
|
cfg := newServerConfig()
|
|
if _, err = cfg.ReadFrom(bytes.NewReader(kvBytes)); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
if err = validateConfig(cfg); err != nil {
|
|
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), err.Error(), r.URL)
|
|
return
|
|
}
|
|
|
|
// Update the actual server config on disk.
|
|
if err = saveServerConfig(ctx, objectAPI, cfg); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
// Write to the config input KV to history.
|
|
if err = saveServerConfigHistory(ctx, objectAPI, kvBytes); err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
// Make sure to write backend is encrypted
|
|
if globalConfigEncrypted {
|
|
saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
|
|
}
|
|
|
|
writeSuccessResponseHeadersOnly(w)
|
|
}
|
|
|
|
// GetConfigHandler - GET /minio/admin/v2/config
|
|
// Get config.json of this minio setup.
|
|
func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx := newContext(r, w, "GetConfigHandler")
|
|
|
|
objectAPI := validateAdminReqConfigKV(ctx, w, r)
|
|
if objectAPI == nil {
|
|
return
|
|
}
|
|
|
|
cfg, err := readServerConfig(ctx, objectAPI)
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
var s strings.Builder
|
|
hkvs := config.HelpSubSysMap[""]
|
|
for _, hkv := range hkvs {
|
|
v := cfg[hkv.Key]
|
|
for target, kv := range v {
|
|
off := kv.Get(config.Enable) == config.EnableOff
|
|
switch hkv.Key {
|
|
case config.EtcdSubSys:
|
|
off = !etcd.Enabled(kv)
|
|
case config.CacheSubSys:
|
|
off = !cache.Enabled(kv)
|
|
case config.StorageClassSubSys:
|
|
off = !storageclass.Enabled(kv)
|
|
case config.KmsVaultSubSys:
|
|
off = !crypto.EnabledVault(kv)
|
|
case config.KmsKesSubSys:
|
|
off = !crypto.EnabledKes(kv)
|
|
case config.PolicyOPASubSys:
|
|
off = !opa.Enabled(kv)
|
|
case config.IdentityOpenIDSubSys:
|
|
off = !openid.Enabled(kv)
|
|
case config.IdentityLDAPSubSys:
|
|
off = !xldap.Enabled(kv)
|
|
}
|
|
if off {
|
|
s.WriteString(config.KvComment)
|
|
s.WriteString(config.KvSpaceSeparator)
|
|
}
|
|
s.WriteString(hkv.Key)
|
|
if target != config.Default {
|
|
s.WriteString(config.SubSystemSeparator)
|
|
s.WriteString(target)
|
|
}
|
|
s.WriteString(config.KvSpaceSeparator)
|
|
s.WriteString(kv.String())
|
|
s.WriteString(config.KvNewline)
|
|
}
|
|
}
|
|
|
|
password := globalActiveCred.SecretKey
|
|
econfigData, err := madmin.EncryptData(password, []byte(s.String()))
|
|
if err != nil {
|
|
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
|
|
return
|
|
}
|
|
|
|
writeSuccessResponseJSON(w, econfigData)
|
|
}
|