Diffstat (limited to 'weed/command')
-rw-r--r--weed/command/filer.go74
-rw-r--r--weed/command/master.go15
-rw-r--r--weed/command/server.go77
-rw-r--r--weed/command/volume.go16
4 files changed, 165 insertions, 17 deletions
diff --git a/weed/command/filer.go b/weed/command/filer.go
index 0bd508e0b..f58e38403 100644
--- a/weed/command/filer.go
+++ b/weed/command/filer.go
@@ -9,6 +9,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/server"
"github.com/chrislusf/seaweedfs/weed/util"
+ "strings"
)
var (
@@ -31,6 +32,31 @@ type FilerOptions struct {
redis_server *string
redis_password *string
redis_database *int
+ get_ip_whitelist_option *string
+ get_root_whitelist_option *string
+ head_ip_whitelist_option *string
+ head_root_whitelist_option *string
+ delete_ip_whitelist_option *string
+ delete_root_whitelist_option *string
+ put_ip_whitelist_option *string
+ put_root_whitelist_option *string
+ post_ip_whitelist_option *string
+ post_root_whitelist_option *string
+ get_secure_key *string
+ head_secure_key *string
+ delete_secure_key *string
+ put_secure_key *string
+ post_secure_key *string
+ get_ip_whitelist []string
+ get_root_whitelist []string
+ head_ip_whitelist []string
+ head_root_whitelist []string
+ delete_ip_whitelist []string
+ delete_root_whitelist []string
+ put_ip_whitelist []string
+ put_root_whitelist []string
+ post_ip_whitelist []string
+ post_root_whitelist []string
}
func init() {
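Review bot: The twenty-five fields added to FilerOptions at L28-52 carry no comments and mix raw flag pointers (`*_option`, `*_secure_key`) with the slices parsed from them, repeated five times for get/head/delete/put/post, so a reader has to pair each `_option` with its `[]string` by eye. Grouping the per-method values into one small struct keeps the raw/parsed pairing explicit and reduces the struct to five new fields; the parsing in runFiler and the NewFilerServer call would change to match. The snake_case names follow the existing `redis_server` style, so naming is not the point here. The FilerOptions header is outside the hunk.
```go
// methodACL holds the access controls configured for one filer HTTP method:
// the raw comma-separated flag values, the lists parsed from them at startup,
// and the JWT secret used for that method.
type methodACL struct {
	ipWhitelistOption   *string
	rootWhitelistOption *string
	secureKey           *string
	ipWhitelist         []string // nil means no IP restriction
	rootWhitelist       []string // nil means no root-path restriction
}

// … unchanged: existing FilerOptions fields up to redis_database …
	get, head, delete, put, post methodACL
}
```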
@@ -50,6 +76,21 @@ func init() {
f.redis_password = cmdFiler.Flag.String("redis.password", "", "password in clear text")
f.redis_database = cmdFiler.Flag.Int("redis.database", 0, "the database on the redis server")
f.secretKey = cmdFiler.Flag.String("secure.secret", "", "secret to encrypt Json Web Token(JWT)")
+ f.get_ip_whitelist_option = cmdFiler.Flag.String("whitelist.ip.get", "", "comma separated Ip addresses having get permission. No limit if empty.")
+ f.get_root_whitelist_option = cmdFiler.Flag.String("whitelist.root.get", "", "comma separated root paths having get permission. No limit if empty.")
+ f.head_ip_whitelist_option = cmdFiler.Flag.String("whitelist.ip.head", "", "comma separated Ip addresses having head permission. No limit if empty.")
+ f.head_root_whitelist_option = cmdFiler.Flag.String("whitelist.root.head", "", "comma separated root paths having head permission. No limit if empty.")
+ f.delete_ip_whitelist_option = cmdFiler.Flag.String("whitelist.ip.delete", "", "comma separated Ip addresses having delete permission. No limit if empty.")
+ f.delete_root_whitelist_option = cmdFiler.Flag.String("whitelist.root.delete", "", "comma separated root paths having delete permission. No limit if empty.")
+ f.put_ip_whitelist_option = cmdFiler.Flag.String("whitelist.ip.put", "", "comma separated Ip addresses having put permission. No limit if empty.")
+ f.put_root_whitelist_option = cmdFiler.Flag.String("whitelist.root.put", "", "comma separated root paths having put permission. No limit if empty.")
+ f.post_ip_whitelist_option = cmdFiler.Flag.String("whitelist.ip.post", "", "comma separated Ip addresses having post permission. No limit if empty.")
+ f.post_root_whitelist_option = cmdFiler.Flag.String("whitelist.root.post", "", "comma separated root paths having post permission. No limit if empty.")
+ f.get_secure_key = cmdFiler.Flag.String("secure.secret.get", "", "secret to encrypt Json Web Token(JWT)")
+ f.head_secure_key = cmdFiler.Flag.String("secure.secret.head", "", "secret to encrypt Json Web Token(JWT)")
+ f.delete_secure_key = cmdFiler.Flag.String("secure.secret.delete", "", "secret to encrypt Json Web Token(JWT)")
+ f.put_secure_key = cmdFiler.Flag.String("secure.secret.put", "", "secret to encrypt Json Web Token(JWT)")
+ f.post_secure_key = cmdFiler.Flag.String("secure.secret.post", "", "secret to encrypt Json Web Token(JWT)")
}
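Review bot: The five `secure.secret.<method>` flags at L69-73 reuse the help text of `secure.secret` verbatim, so `weed filer -h` gives no hint which method each one governs or how it relates to the global secret (whether it overrides it, or is required in addition). Suggest a per-flag string such as `"JWT secret for filer GET requests; relationship to -secure.secret: <fill in from the filer server's check>"`, with the wording fixed once the server-side behaviour, which is outside this diff, is confirmed. The same copied strings appear in server.go at L203-207.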
@@ -81,6 +122,36 @@ func runFiler(cmd *Command, args []string) bool {
glog.Fatalf("Check Meta Folder (-dir) Writable %s : %s", *f.dir, err)
}
+ if *f.get_ip_whitelist_option != "" {
+ f.get_ip_whitelist = strings.Split(*f.get_ip_whitelist_option, ",")
+ }
+ if *f.get_root_whitelist_option != "" {
+ f.get_root_whitelist = strings.Split(*f.get_root_whitelist_option, ",")
+ }
+ if *f.head_ip_whitelist_option != "" {
+ f.head_ip_whitelist = strings.Split(*f.head_ip_whitelist_option, ",")
+ }
+ if *f.head_root_whitelist_option != "" {
+ f.head_root_whitelist = strings.Split(*f.head_root_whitelist_option, ",")
+ }
+ if *f.delete_ip_whitelist_option != "" {
+ f.delete_ip_whitelist = strings.Split(*f.delete_ip_whitelist_option, ",")
+ }
+ if *f.delete_root_whitelist_option != "" {
+ f.delete_root_whitelist = strings.Split(*f.delete_root_whitelist_option, ",")
+ }
+ if *f.put_ip_whitelist_option != "" {
+ f.put_ip_whitelist = strings.Split(*f.put_ip_whitelist_option, ",")
+ }
+ if *f.put_root_whitelist_option != "" {
+ f.put_root_whitelist = strings.Split(*f.put_root_whitelist_option, ",")
+ }
+ if *f.post_ip_whitelist_option != "" {
+ f.post_ip_whitelist = strings.Split(*f.post_ip_whitelist_option, ",")
+ }
+ if *f.post_root_whitelist_option != "" {
+ f.post_root_whitelist = strings.Split(*f.post_root_whitelist_option, ",")
+ }
r := http.NewServeMux()
_, nfs_err := weed_server.NewFilerServer(r, *f.ip, *f.port, *f.master, *f.dir, *f.collection,
*f.defaultReplicaPlacement, *f.redirectOnRead, *f.disableDirListing,
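Review bot: Each of the ten `strings.Split` blocks at L78-107 stores the entries untrimmed and unvalidated, so a value such as `"10.0.0.1, 10.0.0.2"` yields `" 10.0.0.2"`, and a mistyped address is never reported — that client is simply denied at request time, which is hard to diagnose from the operator's side. Two helpers that trim, drop empty items and check IP entries with `net.ParseIP` at startup replace the ten blocks with ten one-liners, and the same helpers serve the identical blocks in server.go L214-253, master.go L145-150 and volume.go L328-333; an all-whitespace value then means "no limit" exactly like an empty one, as the help text says. If the filer-side matcher accepts CIDR ranges (not visible here), extend the check with `net.ParseCIDR`. This needs `net` added to the import block; runFiler continues outside the hunk.
```go
// parseList splits a comma separated flag value, trimming whitespace and
// dropping empty entries; an empty flag yields nil (no restriction).
func parseList(value string) []string {
	var out []string
	for _, item := range strings.Split(value, ",") {
		if item = strings.TrimSpace(item); item != "" {
			out = append(out, item)
		}
	}
	return out
}

// parseIPList is parseList plus a startup-time check that every entry is an
// IP address, so a typo is reported instead of silently denying that client.
func parseIPList(flagName, value string) []string {
	list := parseList(value)
	for _, ip := range list {
		if net.ParseIP(ip) == nil {
			glog.Fatalf("invalid IP address %q in -%s", ip, flagName)
		}
	}
	return list
}

// … unchanged: runFiler up to the meta folder check …
	f.get_ip_whitelist = parseIPList("whitelist.ip.get", *f.get_ip_whitelist_option)
	f.get_root_whitelist = parseList(*f.get_root_whitelist_option)
	// … same two lines for head, delete, put and post …
```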
@@ -88,6 +159,9 @@ func runFiler(cmd *Command, args []string) bool {
*f.secretKey,
*f.cassandra_server, *f.cassandra_keyspace,
*f.redis_server, *f.redis_password, *f.redis_database,
+ f.get_ip_whitelist, f.head_ip_whitelist, f.delete_ip_whitelist, f.put_ip_whitelist, f.post_ip_whitelist,
+ f.get_root_whitelist, f.head_root_whitelist, f.delete_root_whitelist, f.put_root_whitelist, f.post_root_whitelist,
+ *f.get_secure_key, *f.head_secure_key, *f.delete_secure_key, *f.put_secure_key, *f.post_secure_key,
)
if nfs_err != nil {
glog.Fatalf("Filer startup error: %v", nfs_err)
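Review bot: NewFilerServer now takes fifteen extra positional arguments at L115-117, ten of type `[]string` and five of type `string`, so transposing two lists or two secrets — say `f.put_root_whitelist` and `f.post_root_whitelist` — compiles and runs with the wrong access policy and nothing flags it. Passing the per-method settings as one struct (or the whole `*FilerOptions`) lets the callee read them by name; the same call shape recurs in server.go L271-273. runFiler continues beyond the hunk.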
diff --git a/weed/command/master.go b/weed/command/master.go
index cd15defce..f140750ea 100644
--- a/weed/command/master.go
+++ b/weed/command/master.go
@@ -41,11 +41,13 @@ var (
mTimeout = cmdMaster.Flag.Int("idleTimeout", 10, "connection idle seconds")
mMaxCpu = cmdMaster.Flag.Int("maxCpu", 0, "maximum number of CPUs. 0 means all available CPUs")
garbageThreshold = cmdMaster.Flag.String("garbageThreshold", "0.3", "threshold to vacuum and reclaim spaces")
- masterWhiteListOption = cmdMaster.Flag.String("whiteList", "", "comma separated Ip addresses having write permission. No limit if empty.")
+ masterReadWhiteListOption = cmdMaster.Flag.String("readWhiteList", "", "comma separated Ip addresses having read permission. No limit if empty.")
+ masterWriteWhiteListOption = cmdMaster.Flag.String("writeWhiteList", "", "comma separated Ip addresses having write permission. No limit if empty.")
masterSecureKey = cmdMaster.Flag.String("secure.secret", "", "secret to encrypt Json Web Token(JWT)")
masterCpuProfile = cmdMaster.Flag.String("cpuprofile", "", "cpu profile output file")
- masterWhiteList []string
+ masterReadWhiteList []string
+ masterWriteWhiteList []string
)
func runMaster(cmd *Command, args []string) bool {
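Review bot: The `-whiteList` flag at L129 is removed rather than kept as a deprecated alias, so an existing master start script passing it now fails at flag parsing; keeping `masterWhiteListOption` and folding its value into `masterWriteWhiteList` when set preserves the old behaviour for a release. The new flag names also differ across commands within this diff — master uses `readWhiteList`/`writeWhiteList` (L130-131) while server.go L167-168 and volume.go L319-320 use `read.whitelist`/`write.whitelist` — so one spelling should be chosen, the dotted form being consistent with `secure.secret` and `master.peers`.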
@@ -67,14 +69,17 @@ func runMaster(cmd *Command, args []string) bool {
if err := util.TestFolderWritable(*metaFolder); err != nil {
glog.Fatalf("Check Meta Folder (-mdir) Writable %s : %s", *metaFolder, err)
}
- if *masterWhiteListOption != "" {
- masterWhiteList = strings.Split(*masterWhiteListOption, ",")
+ if *masterReadWhiteListOption != "" {
+ masterReadWhiteList = strings.Split(*masterReadWhiteListOption, ",")
+ }
+ if *masterWriteWhiteListOption != "" {
+ masterWriteWhiteList = strings.Split(*masterWriteWhiteListOption, ",")
}
r := mux.NewRouter()
ms := weed_server.NewMasterServer(r, *mport, *metaFolder,
*volumeSizeLimitMB, *mpulse, *confFile, *defaultReplicaPlacement, *garbageThreshold,
- masterWhiteList, *masterSecureKey,
+ masterReadWhiteList, masterWriteWhiteList, nil, *masterSecureKey,
)
listeningAddress := *masterBindIp + ":" + strconv.Itoa(*mport)
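Review bot: The bare `nil` inserted as the third list argument at L155 tells the reader nothing about which parameter it fills (presumably a third `[]string` list alongside read and write, since the filer gained root-path lists) or why the master has no value for it. Declare it, e.g. `var masterRootWhiteList []string // unused on the master: no root-path restriction`, and pass that, or at least annotate the argument inline. The same unexplained `nil` appears in server.go at L282 and L290 and in volume.go at L340. runMaster continues outside the hunk.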
diff --git a/weed/command/server.go b/weed/command/server.go
index 7a6677a65..9a19ef2af 100644
--- a/weed/command/server.go
+++ b/weed/command/server.go
@@ -54,7 +54,8 @@ var (
serverTimeout = cmdServer.Flag.Int("idleTimeout", 10, "connection idle seconds")
serverDataCenter = cmdServer.Flag.String("dataCenter", "", "current volume server's data center name")
serverRack = cmdServer.Flag.String("rack", "", "current volume server's rack name")
- serverWhiteListOption = cmdServer.Flag.String("whiteList", "", "comma separated Ip addresses having write permission. No limit if empty.")
+ serverReadWhiteListOption = cmdServer.Flag.String("read.whitelist", "", "comma separated Ip addresses having read permission. No limit if empty.")
+ serverWriteWhiteListOption = cmdServer.Flag.String("write.whitelist", "", "comma separated Ip addresses having write permission. No limit if empty.")
serverPeers = cmdServer.Flag.String("master.peers", "", "other master nodes in comma separated ip:masterPort list")
serverSecureKey = cmdServer.Flag.String("secure.secret", "", "secret to encrypt Json Web Token(JWT)")
serverGarbageThreshold = cmdServer.Flag.String("garbageThreshold", "0.3", "threshold to vacuum and reclaim spaces")
@@ -74,7 +75,8 @@ var (
volumeServerPublicUrl = cmdServer.Flag.String("volume.publicUrl", "", "publicly accessible address")
isStartingFiler = cmdServer.Flag.Bool("filer", false, "whether to start filer")
- serverWhiteList []string
+ serverReadWhiteList []string
+ serverWriteWhiteList []string
)
func init() {
@@ -82,7 +84,7 @@ func init() {
filerOptions.master = cmdServer.Flag.String("filer.master", "", "default to current master server")
filerOptions.collection = cmdServer.Flag.String("filer.collection", "", "all data will be stored in this collection")
filerOptions.port = cmdServer.Flag.Int("filer.port", 8888, "filer server http listen port")
- filerOptions.dir = cmdServer.Flag.String("filer.dir", "", "directory to store meta data, default to a 'filer' sub directory of what -dir is specified")
+ filerOptions.dir = cmdServer.Flag.String("filer.dir", "", "directory to store meta data, default to a 'filer' sub directory of what -mdir is specified")
filerOptions.defaultReplicaPlacement = cmdServer.Flag.String("filer.defaultReplicaPlacement", "", "Default replication type if not specified during runtime.")
filerOptions.redirectOnRead = cmdServer.Flag.Bool("filer.redirectOnRead", false, "whether proxy or redirect to volume server during file GET request")
filerOptions.disableDirListing = cmdServer.Flag.Bool("filer.disableDirListing", false, "turn off directory listing")
@@ -92,6 +94,21 @@ func init() {
filerOptions.redis_server = cmdServer.Flag.String("filer.redis.server", "", "host:port of the redis server, e.g., 127.0.0.1:6379")
filerOptions.redis_password = cmdServer.Flag.String("filer.redis.password", "", "redis password in clear text")
filerOptions.redis_database = cmdServer.Flag.Int("filer.redis.database", 0, "the database on the redis server")
+ filerOptions.get_ip_whitelist_option = cmdServer.Flag.String("filer.whitelist.ip.get", "", "comma separated Ip addresses having filer GET permission. No limit if empty.")
+ filerOptions.get_root_whitelist_option = cmdServer.Flag.String("filer.whitelist.root.get", "", "comma separated root paths having filer GET permission. No limit if empty.")
+ filerOptions.head_ip_whitelist_option = cmdServer.Flag.String("filer.whitelist.ip.head", "", "comma separated Ip addresses having filer HEAD permission. No limit if empty.")
+ filerOptions.head_root_whitelist_option = cmdServer.Flag.String("filer.whitelist.root.head", "", "comma separated root paths having filer HEAD permission. No limit if empty.")
+ filerOptions.delete_ip_whitelist_option = cmdServer.Flag.String("filer.whitelist.ip.delete", "", "comma separated Ip addresses having filer DELETE permission. No limit if empty.")
+ filerOptions.delete_root_whitelist_option = cmdServer.Flag.String("filer.whitelist.root.delete", "", "comma separated root paths having filer DELETE permission. No limit if empty.")
+ filerOptions.put_ip_whitelist_option = cmdServer.Flag.String("filer.whitelist.ip.put", "", "comma separated Ip addresses having filer PUT permission. No limit if empty.")
+ filerOptions.put_root_whitelist_option = cmdServer.Flag.String("filer.whitelist.root.put", "", "comma separated root paths having filer PUT permission. No limit if empty.")
+ filerOptions.post_ip_whitelist_option = cmdServer.Flag.String("filer.whitelist.ip.post", "", "comma separated Ip addresses having filer POST permission. No limit if empty.")
+ filerOptions.post_root_whitelist_option = cmdServer.Flag.String("filer.whitelist.root.post", "", "comma separated root paths having filer POST permission. No limit if empty.")
+ filerOptions.get_secure_key = cmdServer.Flag.String("filer.secure.secret.get", "", "secret to encrypt Json Web Token(JWT)")
+ filerOptions.head_secure_key = cmdServer.Flag.String("filer.secure.secret.head", "", "secret to encrypt Json Web Token(JWT)")
+ filerOptions.delete_secure_key = cmdServer.Flag.String("filer.secure.secret.delete", "", "secret to encrypt Json Web Token(JWT)")
+ filerOptions.put_secure_key = cmdServer.Flag.String("filer.secure.secret.put", "", "secret to encrypt Json Web Token(JWT)")
+ filerOptions.post_secure_key = cmdServer.Flag.String("filer.secure.secret.post", "", "secret to encrypt Json Web Token(JWT)")
}
func runServer(cmd *Command, args []string) bool {
@@ -154,13 +171,56 @@ func runServer(cmd *Command, args []string) bool {
if err := util.TestFolderWritable(*filerOptions.dir); err != nil {
glog.Fatalf("Check Mapping Meta Folder (-filer.dir=\"%s\") Writable: %s", *filerOptions.dir, err)
}
+ if *filerOptions.get_ip_whitelist_option != "" {
+ glog.V(0).Infof("Filer GET IP whitelist: %s", *filerOptions.get_ip_whitelist_option)
+ filerOptions.get_ip_whitelist = strings.Split(*filerOptions.get_ip_whitelist_option, ",")
+ }
+ if *filerOptions.get_root_whitelist_option != "" {
+ glog.V(0).Infof("Filer GET root whitelist: %s", *filerOptions.get_root_whitelist_option)
+ filerOptions.get_root_whitelist = strings.Split(*filerOptions.get_root_whitelist_option, ",")
+ }
+ if *filerOptions.head_ip_whitelist_option != "" {
+ glog.V(0).Infof("Filer HEAD IP whitelist: %s", *filerOptions.head_ip_whitelist_option)
+ filerOptions.head_ip_whitelist = strings.Split(*filerOptions.head_ip_whitelist_option, ",")
+ }
+ if *filerOptions.head_root_whitelist_option != "" {
+ glog.V(0).Infof("Filer HEAD root whitelist: %s", *filerOptions.head_root_whitelist_option)
+ filerOptions.head_root_whitelist = strings.Split(*filerOptions.head_root_whitelist_option, ",")
+ }
+ if *filerOptions.delete_ip_whitelist_option != "" {
+ glog.V(0).Infof("Filer DELETE IP whitelist: %s", *filerOptions.delete_ip_whitelist_option)
+ filerOptions.delete_ip_whitelist = strings.Split(*filerOptions.delete_ip_whitelist_option, ",")
+ }
+ if *filerOptions.delete_root_whitelist_option != "" {
+ glog.V(0).Infof("Filer DELETE root whitelist: %s", *filerOptions.delete_root_whitelist_option)
+ filerOptions.delete_root_whitelist = strings.Split(*filerOptions.delete_root_whitelist_option, ",")
+ }
+ if *filerOptions.put_ip_whitelist_option != "" {
+ glog.V(0).Infof("Filer PUT IP whitelist: %s", *filerOptions.put_ip_whitelist_option)
+ filerOptions.put_ip_whitelist = strings.Split(*filerOptions.put_ip_whitelist_option, ",")
+ }
+ if *filerOptions.put_root_whitelist_option != "" {
+ glog.V(0).Infof("Filer PUT root whitelist: %s", *filerOptions.put_root_whitelist_option)
+ filerOptions.put_root_whitelist = strings.Split(*filerOptions.put_root_whitelist_option, ",")
+ }
+ if *filerOptions.post_ip_whitelist_option != "" {
+ glog.V(0).Infof("Filer POST IP whitelist: %s", *filerOptions.post_ip_whitelist_option)
+ filerOptions.post_ip_whitelist = strings.Split(*filerOptions.post_ip_whitelist_option, ",")
+ }
+ if *filerOptions.post_root_whitelist_option != "" {
+ glog.V(0).Infof("Filer POST root whitelist: %s", *filerOptions.post_root_whitelist_option)
+ filerOptions.post_root_whitelist = strings.Split(*filerOptions.post_root_whitelist_option, ",")
+ }
}
if err := util.TestFolderWritable(*masterMetaFolder); err != nil {
glog.Fatalf("Check Meta Folder (-mdir=\"%s\") Writable: %s", *masterMetaFolder, err)
}
- if *serverWhiteListOption != "" {
- serverWhiteList = strings.Split(*serverWhiteListOption, ",")
+ if *serverReadWhiteListOption != "" {
+ serverReadWhiteList = strings.Split(*serverReadWhiteListOption, ",")
+ }
+ if *serverWriteWhiteListOption != "" {
+ serverWriteWhiteList = strings.Split(*serverWriteWhiteListOption, ",")
}
if *isStartingFiler {
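Review bot: The ten parsing blocks at L214-253 log each configured whitelist at V(0), whereas the identical blocks added to runFiler in filer.go (L78-107) log nothing, so a standalone filer and an embedded one leave different startup traces for the same configuration. Either log in both places or in neither; a shared helper that parses and logs would settle it and remove the duplication. The closing `}` at L254 belongs to a block that opens before the hunk.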
@@ -174,6 +234,9 @@ func runServer(cmd *Command, args []string) bool {
*filerOptions.secretKey,
*filerOptions.cassandra_server, *filerOptions.cassandra_keyspace,
*filerOptions.redis_server, *filerOptions.redis_password, *filerOptions.redis_database,
+ filerOptions.get_ip_whitelist, filerOptions.head_ip_whitelist, filerOptions.delete_ip_whitelist, filerOptions.put_ip_whitelist, filerOptions.post_ip_whitelist,
+ filerOptions.get_root_whitelist, filerOptions.head_root_whitelist, filerOptions.delete_root_whitelist, filerOptions.put_root_whitelist, filerOptions.post_root_whitelist,
+ *f.get_secure_key, *f.head_secure_key, *f.delete_secure_key, *f.put_secure_key, *f.post_secure_key,
)
if nfs_err != nil {
glog.Fatalf("Filer startup error: %v", nfs_err)
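Review bot: Line L273 reads the five secrets from `f.get_secure_key` … `f.post_secure_key`, while the neighbouring arguments at L268-272 use `filerOptions.`; unless a local `f` aliasing filerOptions is declared earlier in runServer (not visible here) this does not compile, and if such an `f` exists the two spellings should not be mixed. Change the line to `*filerOptions.get_secure_key, *filerOptions.head_secure_key, *filerOptions.delete_secure_key, *filerOptions.put_secure_key, *filerOptions.post_secure_key,`. runServer continues outside the hunk.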
@@ -202,7 +265,7 @@ func runServer(cmd *Command, args []string) bool {
r := mux.NewRouter()
ms := weed_server.NewMasterServer(r, *masterPort, *masterMetaFolder,
*masterVolumeSizeLimitMB, *volumePulse, *masterConfFile, *masterDefaultReplicaPlacement, *serverGarbageThreshold,
- serverWhiteList, *serverSecureKey,
+ serverReadWhiteList, serverWriteWhiteList, nil, *serverSecureKey,
)
glog.V(0).Infoln("Start Seaweed Master", util.VERSION, "at", *serverIp+":"+strconv.Itoa(*masterPort))
@@ -256,7 +319,7 @@ func runServer(cmd *Command, args []string) bool {
folders, maxCounts,
volumeNeedleMapKind,
*serverIp+":"+strconv.Itoa(*masterPort), *volumePulse, *serverDataCenter, *serverRack,
- serverWhiteList, *volumeFixJpgOrientation, *volumeReadRedirect,
+ serverReadWhiteList, serverWriteWhiteList, nil, *volumeFixJpgOrientation, *volumeReadRedirect,
)
glog.V(0).Infoln("Start Seaweed volume server", util.VERSION, "at", *serverIp+":"+strconv.Itoa(*volumePort))
diff --git a/weed/command/volume.go b/weed/command/volume.go
index 21369cbe9..68f5edd9e 100644
--- a/weed/command/volume.go
+++ b/weed/command/volume.go
@@ -2,6 +2,7 @@ package command
import (
"net/http"
+ _ "net/http/pprof"
"os"
"runtime"
"strconv"
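Review bot: The blank import `_ "net/http/pprof"` at L300 registers the `/debug/pprof/` handlers on `http.DefaultServeMux` as a side effect; it is unrelated to the whitelist change and not mentioned anywhere in the diff. If any listener in the volume server is started with a nil handler (so it serves the default mux), runtime internals — heap and goroutine profiles, on-demand CPU profiling — become reachable by anyone who can reach the port, and it is not evident from this diff that the new read whitelist applies to those handlers. Either drop the import, guard it with a build tag or flag, or serve pprof only on a separate loopback listener, and say so in the commit message.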
@@ -32,7 +33,8 @@ type VolumeServerOptions struct {
maxCpu *int
dataCenter *string
rack *string
- whiteList []string
+ readWhitelist []string
+ writeWhitelist []string
indexType *string
fixJpgOrientation *bool
readRedirect *bool
@@ -67,7 +69,8 @@ var cmdVolume = &Command{
var (
volumeFolders = cmdVolume.Flag.String("dir", os.TempDir(), "directories to store data files. dir[,dir]...")
maxVolumeCounts = cmdVolume.Flag.String("max", "7", "maximum numbers of volumes, count[,count]...")
- volumeWhiteListOption = cmdVolume.Flag.String("whiteList", "", "comma separated Ip addresses having write permission. No limit if empty.")
+ volumeReadWhiteListOption = cmdVolume.Flag.String("read.whitelist", "", "comma separated Ip addresses having read permission. No limit if empty.")
+ volumeWriteWhiteListOption = cmdVolume.Flag.String("write.whitelist", "", "comma separated Ip addresses having write permission. No limit if empty.")
)
func runVolume(cmd *Command, args []string) bool {
@@ -96,8 +99,11 @@ func runVolume(cmd *Command, args []string) bool {
}
//security related white list configuration
- if *volumeWhiteListOption != "" {
- v.whiteList = strings.Split(*volumeWhiteListOption, ",")
+ if *volumeReadWhiteListOption != "" {
+ v.readWhitelist = strings.Split(*volumeReadWhiteListOption, ",")
+ }
+ if *volumeWriteWhiteListOption != "" {
+ v.writeWhitelist = strings.Split(*volumeWriteWhiteListOption, ",")
}
if *v.ip == "" {
@@ -130,7 +136,7 @@ func runVolume(cmd *Command, args []string) bool {
v.folders, v.folderMaxLimits,
volumeNeedleMapKind,
*v.master, *v.pulseSeconds, *v.dataCenter, *v.rack,
- v.whiteList,
+ v.readWhitelist, v.writeWhitelist, nil,
*v.fixJpgOrientation, *v.readRedirect,
)