| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-11-20 00:07:00 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-11-20 00:07:00 -0800 |
| commit | 6281e62d7f6cfbc6632de05829897bbd0fd2c992 (patch) | |
| tree | 1220149d69c590d6d15b89535a7e29d52418fc14 | |
| parent | c14e513964ff708b7ace352b7e86198b3ebe6827 (diff) | |
| download | seaweedfs-6281e62d7f6cfbc6632de05829897bbd0fd2c992.tar.xz seaweedfs-6281e62d7f6cfbc6632de05829897bbd0fd2c992.zip | |
S3: JWT generation for volume server authentication (#7514)
* Refactor JWT generation for volume server authentication to use centralized function from filer package, improving code clarity and reducing redundancy.
* Update s3api_object_handlers.go
| -rw-r--r-- | weed/s3api/s3api_object_handlers.go | 29 |
1 files changed, 11 insertions, 18 deletions
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index ce2772981..dee5f60c8 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@@ -20,7 +20,6 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/filer"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
-	"github.com/seaweedfs/seaweedfs/weed/security"
 	"github.com/seaweedfs/seaweedfs/weed/wdclient"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
@@ -938,10 +937,7 @@ func (s3a *S3ApiServer) streamFromVolumeServers(w http.ResponseWriter, r *http.R
 	streamFn, err := filer.PrepareStreamContentWithThrottler(
 		ctx,
 		masterClient,
-		func(fileId string) string {
-			// Use volume server JWT (not filer JWT) for direct volume reads
-			return string(security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, fileId))
-		},
+		filer.JwtForVolumeServer, // Use filer's JWT function (loads config once, generates JWT locally)
 		resolvedChunks,
 		offset,
 		size,
@@ -1760,8 +1756,8 @@ func (s3a *S3ApiServer) fetchFullChunk(ctx context.Context, fileId string) (io.R
 	// Use the first URL
 	chunkUrl := urlStrings[0]
-	// Generate JWT for volume server authentication
-	jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, fileId)
+	// Generate JWT for volume server authentication (uses config loaded once at startup)
+	jwt := filer.JwtForVolumeServer(fileId)
 	// Create request WITHOUT Range header to get full chunk
 	req, err := http.NewRequestWithContext(ctx, "GET", chunkUrl, nil)
@@ -1771,7 +1767,7 @@ func (s3a *S3ApiServer) fetchFullChunk(ctx context.Context, fileId string) (io.R
 	// Set JWT for authentication
 	if jwt != "" {
-		req.Header.Set("Authorization", "BEARER "+string(jwt))
+		req.Header.Set("Authorization", "BEARER "+jwt)
 	}
 	// Use shared HTTP client
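Review bot: The new `jwt := filer.JwtForVolumeServer(fileId)` in fetchFullChunk (and the same replacement in fetchChunkViewData, getEncryptedStreamFromVolumes and createEncryptedChunkReader in the following hunks) drops the dependency on `s3a.filerGuard.ReadSigningKey` and `ReadExpiresAfterSec`, so the S3 gateway now signs volume reads with whatever read key the filer package loaded "once at startup" rather than the key its own guard was configured with. If that package-level load is not guaranteed to have run in a standalone S3 process, or reads a different security section than filerGuard does, the helper presumably yields an empty string and the unchanged `if jwt != ""` guard then sends the request with no Authorization header, which only surfaces later as 401s from the volume server. A startup-time check that logs a warning when the loaded read signing key is empty, plus a test asserting that `filer.JwtForVolumeServer` and the guard-based path produce tokens verifiable with the same key, would make the new coupling visible. The comment `// Use filer's JWT function (loads config once, generates JWT locally)` could also name the config key it depends on (the jwt.signing.read key) so a reader knows where the key comes from. fetchFullChunk's body continues outside the hunk.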
@@ -1800,8 +1796,8 @@ func (s3a *S3ApiServer) fetchChunkViewData(ctx context.Context, chunkView *filer
 	// Use the first URL (already contains complete URL with fileId)
 	chunkUrl := urlStrings[0]
-	// Generate JWT for volume server authentication
-	jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, chunkView.FileId)
+	// Generate JWT for volume server authentication (uses config loaded once at startup)
+	jwt := filer.JwtForVolumeServer(chunkView.FileId)
 	// Create request with Range header for the chunk view
 	// chunkUrl already contains the complete URL including fileId
@@ -1818,7 +1814,7 @@ func (s3a *S3ApiServer) fetchChunkViewData(ctx context.Context, chunkView *filer
 	// Set JWT for authentication
 	if jwt != "" {
-		req.Header.Set("Authorization", "BEARER "+string(jwt))
+		req.Header.Set("Authorization", "BEARER "+jwt)
 	}
 	// Use shared HTTP client with connection pooling
@@ -1863,10 +1859,7 @@ func (s3a *S3ApiServer) getEncryptedStreamFromVolumes(ctx context.Context, entry
 	streamFn, err := filer.PrepareStreamContentWithThrottler(
 		ctx,
 		masterClient,
-		func(fileId string) string {
-			// Use volume server JWT (not filer JWT) for direct volume reads
-			return string(security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, fileId))
-		},
+		filer.JwtForVolumeServer, // Use filer's JWT function (loads config once, generates JWT locally)
 		resolvedChunks,
 		0,
 		totalSize,
@@ -3022,10 +3015,10 @@ func (s3a *S3ApiServer) createEncryptedChunkReader(ctx context.Context, chunk *f
 		return nil, fmt.Errorf("create HTTP request for chunk: %v", err)
 	}
-	// Attach volume server JWT for authentication (matches filer behavior)
-	jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, chunk.GetFileIdString())
+	// Attach volume server JWT for authentication (uses config loaded once at startup)
+	jwt := filer.JwtForVolumeServer(chunk.GetFileIdString())
 	if jwt != "" {
-		req.Header.Set("Authorization", "BEARER "+string(jwt))
+		req.Header.Set("Authorization", "BEARER "+jwt)
 	}
 	// Use shared HTTP client with connection pooling
