authorKonstantin Lebedev <lebedev_k@tochka.com>2021-03-10 14:42:39 +0500
committerKonstantin Lebedev <lebedev_k@tochka.com>2021-03-10 14:42:39 +0500
commit348e21a08ccc52f6837613e7765e9d815850bd6c (patch)
tree0d30bbdc4695c3c9f75054feff1adbf80a525ea8
parent831953c55c04e8fca50bffd1c45197ea065e6b60 (diff)
downloadseaweedfs-348e21a08ccc52f6837613e7765e9d815850bd6c.tar.xz
seaweedfs-348e21a08ccc52f6837613e7765e9d815850bd6c.zip
add comments
-rw-r--r--docker/compose/tls.env6
-rw-r--r--weed/command/scaffold.go1
-rw-r--r--weed/security/tls.go11
3 files changed, 12 insertions, 6 deletions
diff --git a/docker/compose/tls.env b/docker/compose/tls.env
index e03f42e95..a82954c4f 100644
--- a/docker/compose/tls.env
+++ b/docker/compose/tls.env
@@ -7,4 +7,8 @@ WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.dev.key
WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt
WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key
WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt
-WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key \ No newline at end of file
+WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key
+WEED_GRPC_MASTER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_VOLUME_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_FILER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_CLIENT_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev" \ No newline at end of file
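Review bot: The four added `WEED_GRPC_*_ALLOWED_COMMONNAMES` values are wrapped in double quotes, and if this file is consumed through a compose `env_file` entry, older docker-compose releases pass those quotes through literally rather than stripping them; the resulting allowed set would then contain `"volume01.dev` and `client01.dev"` instead of the bare names, and every component would reject every peer certificate. Worth verifying against the compose version the dev stack uses, or dropping the quotes since the values contain no whitespace, e.g. `WEED_GRPC_MASTER_ALLOWED_COMMONNAMES=volume01.dev,master01.dev,filer01.dev,client01.dev`. Whether the comma-separated value is split on commas only (no surrounding whitespace) should also be kept in mind when editing this list, since the parser in weed/security/tls.go does not trim entries.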
diff --git a/weed/command/scaffold.go b/weed/command/scaffold.go
index 1e81d4d58..07d448042 100644
--- a/weed/command/scaffold.go
+++ b/weed/command/scaffold.go
@@ -440,6 +440,7 @@ expires_after_seconds = 10 # seconds
# the host name is not checked, so the PERM files can be shared.
[grpc]
ca = ""
+# Set wildcard domain for enable TLS authentication by common names
allowed_wildcard_domain = "" # .mycompany.com
[grpc.volume]
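Review bot: The added comment on `allowed_wildcard_domain` is ungrammatical and does not tell the operator what the option actually does; per the `strings.HasSuffix` check in weed/security/tls.go it is a plain suffix match on the peer certificate's common name, not a wildcard pattern. I would reword it to something like `# Any client certificate whose common name ends with this suffix is accepted; keep the leading dot (e.g. ".mycompany.com") so that unrelated names that merely end in "mycompany.com" do not match`. The enclosing scaffold string starts and ends outside this hunk.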
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 59714d103..7d3ffcdca 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
@@ -50,11 +50,11 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
ClientAuth: tls.RequireAndVerifyClientCert,
})
- allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
+ allowedCommonNames := config.GetString(component + ".allowed_commonNames")
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
- if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" {
+ if allowedCommonNames != "" || allowedWildcardDomain != "" {
allowedCommonNamesMap := make(map[string]bool)
- for _, s := range allowedCommonNames {
+ for _, s := range strings.Split(allowedCommonNames, ",") {
allowedCommonNamesMap[s] = true
}
auther := Authenticator{
@@ -108,10 +108,10 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
if !ok {
return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
}
-
if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
}
+
commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
return ctx, nil
@@ -119,5 +119,6 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
if _, ok := a.AllowedCommonNames[commonName]; ok {
return ctx, nil
}
- return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
+
+ return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
}
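Review bot: The loop over `strings.Split(allowedCommonNames, ",")` in the first hunk inserts every piece verbatim, so a trailing comma or a doubled comma in `allowed_commonNames` puts the empty string into `allowedCommonNamesMap`, and the lookup `a.AllowedCommonNames[commonName]` in the last hunk would then accept any CA-signed certificate whose subject has no common name; surrounding whitespace (`"a, b"`) likewise yields a key `" b"` that never matches. I would trim and skip empties when building the map: `if s = strings.TrimSpace(s); s != "" { allowedCommonNamesMap[s] = true }`. Separately, the `allowedCommonNames != ""` guard now correctly avoids the always-true `len(...) > 0` on a split of the empty string, but note that `strings.HasSuffix(commonName, a.AllowedWildcardDomain)` is a bare suffix test, so a value configured without its leading dot matches more names than the scaffold example suggests. LoadServerTLS begins outside the first hunk, and Authenticate's body begins outside the second.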