diff options
| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-10-24 17:09:58 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-10-24 17:09:58 -0700 |
| commit | 263e891da0d9aae1618e48b4da5df6bfd9802f80 (patch) | |
| tree | 0057104d55568822043a833fcc557cca29a9f669 /weed/filer/stream.go | |
| parent | 9f4075441ca3adff84fd8a4d88b03330c35db951 (diff) | |
| download | seaweedfs-263e891da0d9aae1618e48b4da5df6bfd9802f80.tar.xz seaweedfs-263e891da0d9aae1618e48b4da5df6bfd9802f80.zip | |
Clients to volume server requires JWT tokens for all read operations (#7376)
* [Admin UI] Login not possible due to securecookie error
* avoid 404 favicon
* Update weed/admin/dash/auth_middleware.go
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* address comments
* avoid variable over shadowing
* log session save error
* When jwt.signing.read.key is enabled in security.toml, the volume server requires JWT tokens for all read operations.
* reuse fileId
* refactor
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Diffstat (limited to 'weed/filer/stream.go')
| -rw-r--r-- | weed/filer/stream.go | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/weed/filer/stream.go b/weed/filer/stream.go index 87280d6b0..b2ee00555 100644 --- a/weed/filer/stream.go +++ b/weed/filer/stream.go @@ -14,6 +14,7 @@ import ( "github.com/seaweedfs/seaweedfs/weed/glog" "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb" + "github.com/seaweedfs/seaweedfs/weed/security" "github.com/seaweedfs/seaweedfs/weed/stats" "github.com/seaweedfs/seaweedfs/weed/util" util_http "github.com/seaweedfs/seaweedfs/weed/util/http" @@ -26,6 +27,30 @@ var getLookupFileIdBackoffSchedule = []time.Duration{ 1800 * time.Millisecond, } +var ( + jwtSigningReadKey security.SigningKey + jwtSigningReadKeyExpires int + loadJwtConfigOnce sync.Once +) + +func loadJwtConfig() { + v := util.GetViper() + jwtSigningReadKey = security.SigningKey(v.GetString("jwt.signing.read.key")) + jwtSigningReadKeyExpires = v.GetInt("jwt.signing.read.expires_after_seconds") + if jwtSigningReadKeyExpires == 0 { + jwtSigningReadKeyExpires = 60 + } +} + +// JwtForVolumeServer generates a JWT token for volume server read operations if jwt.signing.read is configured +func JwtForVolumeServer(fileId string) string { + loadJwtConfigOnce.Do(loadJwtConfig) + if len(jwtSigningReadKey) == 0 { + return "" + } + return string(security.GenJwtForVolumeServer(jwtSigningReadKey, jwtSigningReadKeyExpires, fileId)) +} + func HasData(entry *filer_pb.Entry) bool { if len(entry.Content) > 0 { @@ -152,7 +177,7 @@ func PrepareStreamContentWithThrottler(ctx context.Context, masterClient wdclien } func StreamContent(masterClient wdclient.HasLookupFileIdFunction, writer io.Writer, chunks []*filer_pb.FileChunk, offset int64, size int64) error { - streamFn, err := PrepareStreamContent(masterClient, noJwtFunc, chunks, offset, size) + streamFn, err := PrepareStreamContent(masterClient, JwtForVolumeServer, chunks, offset, size) if err != nil { return err } @@ -351,8 +376,9 @@ func (c *ChunkStreamReader) fetchChunkToBuffer(chunkView *ChunkView) error { } var buffer bytes.Buffer var shouldRetry bool + jwt := JwtForVolumeServer(chunkView.FileId) for _, urlString := range urlStrings { - shouldRetry, err = util_http.ReadUrlAsStream(context.Background(), urlString+"?readDeleted=true", chunkView.CipherKey, chunkView.IsGzipped, chunkView.IsFullChunk(), chunkView.OffsetInChunk, int(chunkView.ViewSize), func(data []byte) { + shouldRetry, err = util_http.ReadUrlAsStream(context.Background(), urlString+"?readDeleted=true", jwt, chunkView.CipherKey, chunkView.IsGzipped, chunkView.IsFullChunk(), chunkView.OffsetInChunk, int(chunkView.ViewSize), func(data []byte) { buffer.Write(data) }) if !shouldRetry { |