path: root/weed/security
Age | Commit message | Author | Files | Lines
2024-12-02 | [security] reload whiteList on http server (#6302) | Konstantin Lebedev | 1 file | -29/+40
    * reload whiteList
    * white_list add to scaffold
2024-08-01 | fix CVE-2016-2183 (#5844) | zuzuviewer | 1 file | -6/+76
    * fix CVE-2016-2183
    * allow tls.min_version and tls.max_version to be left unset
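The two points in that commit, dropping the 3DES suites behind CVE-2016-2183 (SWEET32) and tolerating an unset `tls.min_version` / `tls.max_version`, as an added Go example. This is not SeaweedFS code: the accepted version spellings, the function names, and wiring `ClientAuth` to `RequireAndVerifyClientCert` (the mTLS mode the later "enable require client cert" commit refers to) are assumptions of the example. An empty version string becomes 0, which makes crypto/tls fall back to its own default rather than failing to start.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
)

// parseTLSVersion maps the spellings this example accepts ("1.2", "TLS1.2",
// "tls12") to crypto/tls constants. "" yields 0, which tells crypto/tls to apply
// its own default, so an unset tls.min_version / tls.max_version is not an error.
func parseTLSVersion(s string) (uint16, error) {
	s = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(s)), "tls")
	switch s {
	case "":
		return 0, nil
	case "1.0", "10":
		return tls.VersionTLS10, nil
	case "1.1", "11":
		return tls.VersionTLS11, nil
	case "1.2", "12":
		return tls.VersionTLS12, nil
	case "1.3", "13":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unknown TLS version %q", s)
}

// safeCipherSuites starts from the suites crypto/tls itself classifies as secure
// and additionally drops anything built on 3DES (64-bit block, CVE-2016-2183 /
// SWEET32) or RC4, so the result holds across Go versions that classify those
// legacy suites differently.
func safeCipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if strings.Contains(cs.Name, "3DES") || strings.Contains(cs.Name, "RC4") {
			continue
		}
		ids = append(ids, cs.ID)
	}
	return ids
}

// serverTLSConfig applies the parsed bounds. TLS 1.3 suites are fixed by the
// protocol, so CipherSuites only constrains TLS 1.2 and below. clientCAs may be
// nil while experimenting, but a real mTLS server must supply the CA pool.
func serverTLSConfig(minVersion, maxVersion string, certs []tls.Certificate, clientCAs *x509.CertPool) (*tls.Config, error) {
	lo, err := parseTLSVersion(minVersion)
	if err != nil {
		return nil, fmt.Errorf("tls.min_version: %w", err)
	}
	hi, err := parseTLSVersion(maxVersion)
	if err != nil {
		return nil, fmt.Errorf("tls.max_version: %w", err)
	}
	if lo != 0 && hi != 0 && lo > hi {
		return nil, fmt.Errorf("tls.min_version %q is above tls.max_version %q", minVersion, maxVersion)
	}
	return &tls.Config{
		Certificates: certs,
		MinVersion:   lo,
		MaxVersion:   hi,
		CipherSuites: safeCipherSuites(),
		ClientCAs:    clientCAs,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}, nil
}

func main() {
	// Both bounds unset: crypto/tls picks its defaults, 3DES is still excluded.
	cfg, err := serverTLSConfig("", "", nil, nil)
	if err != nil {
		panic(err)
	}
	for _, id := range cfg.CipherSuites {
		fmt.Println(tls.CipherSuiteName(id))
	}
}
```

Leaving both bounds at 0 is safe on recent Go releases, which default the server minimum to TLS 1.2 (older releases still offered TLS 1.0 on the server side), so pinning `tls.min_version = "1.2"` explicitly remains the conservative choice when the binary's Go version is not under your control.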
2024-06-22 | update advancedtls | chrislu | 1 file | -13/+13
2023-12-05 | Add a way to use a JWT in an HTTP only cookie | jerebear12 | 1 file | -0/+8
    If a JWT is not included in the Authorization header or a query string, attempt to get a JWT from an HTTP only cookie.
2023-08-22 | upgrade jwt | chrislu | 1 file | -1/+1
2023-08-21 | change from deprecated jwt.StandardClaims to new jwt.RegisteredClaims | chrislu | 1 file | -6/+6
2023-06-04 | S3 TLS credentials Refreshing (#4506) | Konstantin Lebedev | 1 file | -5/+8
    * S3 TLS credentials Refreshing
    * fix: logging
    ---------
    Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
2023-02-21 | Updated the deprecated ioutil dependency (#4239) | Zachary Walters | 1 file | -2/+2
2022-09-14 | go fmt | chrislu | 1 file | -10/+9
2022-07-29 | fix deprecated functions | chrislu | 1 file | -5/+6
2022-07-29 | move to https://github.com/seaweedfs/seaweedfs | chrislu | 3 files | -4/+4
2022-06-27 | avoid setting currentMaster k8s svc.local discovery service domains | Konstantin Lebedev | 1 file | -1/+1
    https://github.com/chrislusf/seaweedfs/issues/2589
2022-06-24 | rm defer comments | Konstantin Lebedev | 1 file | -2/+1
2022-06-24 | fix Authenticate | Konstantin Lebedev | 1 file | -45/+23
2022-06-24 | enable require client cert | Konstantin Lebedev | 1 file | -3/+3
2022-06-24 | separate option | Konstantin Lebedev | 1 file | -6/+18
2022-06-23 | initial advancedtls | Konstantin Lebedev | 1 file | -30/+63
2022-03-16 | Add mTLS support for both master and volume http server. | Berck Nash | 1 file | -0/+18
2021-12-30 | FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client | Sebastian Kurfuerst | 1 file | -0/+29
    - one JWT for reading and one for writing, analogous to how the JWT between Master and Volume Server works
    - I did not implement IP `whiteList` parameter on the filer

    Additionally, because http_util.DownloadFile now sets the JWT, the `download` command should now work when `jwt.signing.read` is configured. By looking at the code, I think this case did not work before.

    ## Docs to be adjusted after a release

    Page `Amazon-S3-API`:

    ```
    # Authentication with Filer

    You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as explained in [Security-Configuration](Security-Configuration) - controlled by the `grpc.*` configuration in `security.toml`.

    Starting with version XX, it is also possible to authenticate the HTTP operations between the S3-API-Proxy and the Filer (especially uploading new files). This is configured by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`.

    With both configurations (gRPC and JWT), it is possible to have Filer and S3 communicate in fully authenticated fashion; so Filer will reject any unauthenticated communication.
    ```

    Page `Security Overview`:

    ```
    The following items are not covered, yet:
    - master server http REST services

    Starting with version XX, the Filer HTTP REST services can be secured with a JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`.

    ...

    Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
    Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**

    ...

    # Securing Filer HTTP with JWT

    To enable JWT-based access control for the Filer,

    1. generate `security.toml` file by `weed scaffold -config=security`
    2. set `filer_jwt.signing.key` to a secret string - and optionally `filer_jwt.signing.read.key` as well to a secret string
    3. copy the same `security.toml` file to the filers and all S3 proxies.

    If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.

    If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.

    The S3 API Gateway reads the above JWT keys and sends authenticated HTTP requests to the filer.
    ```

    Page `Security Configuration`:

    ```
    (update scaffold file)
    ...
    [filer_jwt.signing]
    key = "blahblahblahblah"
    [filer_jwt.signing.read]
    key = "blahblahblahblah"
    ```

    Resolves: #158
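The scheme the commit body above describes (`Authorization: Bearer`, one key for write operations and a separate key for GET/HEAD), combined with the HTTP-only cookie fallback from the 2023-12-05 entry and an `exp` check in the spirit of `expires_after_seconds`, as an added Go example. This is not SeaweedFS code: it verifies HS256 with the standard library instead of the jwt-go / golang-jwt dependency the repo uses; the cookie name `AT`, the `jwt` query parameter, the function names, and the rule that each key authorizes only its own request class are assumptions of the example. The verifier pins the algorithm to HS256 so a token with `"alg":"none"` cannot skip the MAC, and compares the MAC in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// claims is the registered-claims subset used here; exp is a Unix timestamp.
type claims struct{ Exp int64 `json:"exp"` }

// signHS256 produces a compact HS256 JWT, as a client holding the shared key would.
func signHS256(key []byte, c claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 pins alg to HS256 (so "alg":"none" cannot skip the MAC), compares
// the MAC in constant time, then enforces exp against the supplied clock.
func verifyHS256(key []byte, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h struct{ Alg string `json:"alg"` }
	if hdr, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// tokenFromRequest checks Authorization: Bearer, then the jwt query parameter,
// then an HTTP-only cookie; the cookie name "AT" is an assumption of this example.
func tokenFromRequest(r *http.Request) string {
	if a := r.Header.Get("Authorization"); strings.HasPrefix(a, "Bearer ") {
		return strings.TrimSpace(a[len("Bearer "):])
	}
	if t := r.URL.Query().Get("jwt"); t != "" {
		return t
	}
	if c, err := r.Cookie("AT"); err == nil {
		return c.Value
	}
	return ""
}

// jwtGuard mirrors a filer_jwt.signing.key / filer_jwt.signing.read.key pair;
// an empty key disables the check for that request class, like an unset entry.
type jwtGuard struct{ writeKey, readKey []byte }

// Wrap picks the key by method: GET/HEAD verify with the read key, everything
// else with the write key. That each key authorizes only its own class is this
// example's policy.
func (g *jwtGuard) Wrap(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		key := g.writeKey
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			key = g.readKey
		}
		if len(key) > 0 {
			if _, err := verifyHS256(key, tokenFromRequest(r), time.Now()); err != nil {
				http.Error(w, "unauthorized: "+err.Error(), http.StatusUnauthorized)
				return
			}
		}
		next(w, r)
	}
}

// status pushes one synthetic request through the guard and returns the HTTP code.
func status(g *jwtGuard, req *http.Request) int {
	h := g.Wrap(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

Because the read key and the write key are independent HMAC secrets, a client that only holds `filer_jwt.signing.read.key` cannot mint a token the guard will accept for a PUT or DELETE; that separation is what the two-key layout in the commit buys, and it only holds if the two keys are actually different strings in `security.toml`.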
2021-12-29 | Refactor: pass in claim type into security.DecodeJwt | Sebastian Kurfuerst | 1 file | -2/+2
2021-12-29 | rename security.GenJwt to security.GenJwtForVolumeServer | Sebastian Kurfuerst | 1 file | -1/+3
2021-12-29 | fix typo in error message | Sebastian Kurfuerst | 1 file | -1/+1
2021-10-14 | refactor: move from io/ioutil to io and os package | Eng Zer Jun | 1 file | -8/+8
    The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages.

    Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-07-22 | fix security alert on github.com/dgrijalva/jwt-go | Chris Lu | 1 file | -1/+1
    resolve https://github.com/chrislusf/seaweedfs/security/dependabot/go.mod/github.com%2Fdgrijalva%2Fjwt-go/open
2021-03-10 | add comments | Konstantin Lebedev | 1 file | -5/+6
2021-03-10 | allowed wildcard domain | Konstantin Lebedev | 1 file | -11/+17
2021-03-10 | comma-separated SSL certificate common names | Konstantin Lebedev | 1 file | -1/+2
2021-03-08 | TLS allowed commonNames | Konstantin Lebedev | 1 file | -4/+7
2021-03-08 | permitCommonNames | Konstantin Lebedev | 1 file | -5/+46
    https://github.com/chrislusf/seaweedfs/issues/1841
    https://jbrandhorst.com/post/grpc-auth/
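The four 2021-03 commits above add a second authorization layer on top of mTLS: the peer certificate must not only chain to the configured CA, its Common Name must also appear in a comma-separated allowlist that may contain wildcard domains. As an added Go example (not the project's code), this is one way to implement that check against a real `*x509.Certificate`. The wildcard rule (`*.suffix` matches exactly one extra label, as an X.509 wildcard would), the rule that an empty allowlist imposes no CN restriction, and the function names are assumptions of the example; the self-signed certificate is constructed input so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parseAllowedCommonNames splits a comma-separated list such as
// "master.example.com,*.volume.example.com" into trimmed, lower-cased patterns.
func parseAllowedCommonNames(list string) []string {
	var out []string
	for _, p := range strings.Split(list, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, strings.ToLower(p))
		}
	}
	return out
}

// matchCommonName implements the wildcard rule assumed in this example: a
// pattern "*.suffix" matches exactly one extra label on the left, never the
// bare suffix and never two labels, so "*.volume.example.com" accepts
// "vol1.volume.example.com" but not "a.b.volume.example.com".
func matchCommonName(pattern, cn string) bool {
	cn = strings.ToLower(cn)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == cn
	}
	suffix := pattern[1:] // ".suffix"
	if !strings.HasSuffix(cn, suffix) {
		return false
	}
	label := strings.TrimSuffix(cn, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// permitCommonName reports whether the client certificate's CN matches any
// allowed pattern. An empty list means "no CN restriction beyond mTLS itself"
// (an assumption of this example).
func permitCommonName(cert *x509.Certificate, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, p := range allowed {
		if matchCommonName(p, cert.Subject.CommonName) {
			return true
		}
	}
	return false
}

// selfSignedWithCN builds a throwaway client certificate so the check can be
// exercised offline against a parsed *x509.Certificate (constructed input).
func selfSignedWithCN(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	allowed := parseAllowedCommonNames("master.example.com,*.volume.example.com")
	for _, cn := range []string{"vol1.volume.example.com", "a.b.volume.example.com", "evil.example.com"} {
		cert, err := selfSignedWithCN(cn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-26s permitted=%v\n", cn, permitCommonName(cert, allowed))
	}
}
```

In a gRPC interceptor the certificate to pass in comes from the connection's peer info: `peer.FromContext(ctx)`, then `p.AuthInfo.(credentials.TLSInfo).State.PeerCertificates[0]`, which only exists after `tls.RequireAndVerifyClientCert` has already validated the chain. The CN check is therefore an authorization step, not a substitute for chain validation, and it is only meaningful if every certificate the CA issues carries a CN you control.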
2021-01-12 | avoid concurrent map updates to viper | Chris Lu | 1 file | -4/+3
2020-11-22 | fix tls grpc ca path | limd | 1 file | -2/+2
2020-09-20 | refactor | Chris Lu | 1 file | -3/+3
2020-09-20 | adjust logging | Chris Lu | 1 file | -1/+6
2020-05-25 | simplify func(w http.ResponseWriter, r *http.Request) to http.HandlerFunc | bingoohuang | 1 file | -1/+1
2020-02-22 | adjust log level | Chris Lu | 1 file | -6/+8
2020-01-29 | support env variables to overwrite toml file | Chris Lu | 1 file | -2/+2
2019-06-06 | jwt for read access control | Chris Lu | 1 file | -8/+16
2019-05-28 | working with reading remote intervals | Chris Lu | 1 file | -1/+1
2019-05-04 | master: add jwt expires_after_seconds | Chris Lu | 2 files | -8/+10
2019-02-18 | adding grpc mutual tls | Chris Lu | 1 file | -0/+66
2019-02-15 | benchmark can work in secure mode | Chris Lu | 1 file | -3/+2
2019-02-14 | add authorizing fileId write access | Chris Lu | 2 files | -77/+25
    need to secure upload/update/delete for benchmark/filer/mount
    need to add secure grpc
2019-02-09 | cleanup security.Secret | Chris Lu | 2 files | -11/+11
2019-02-06 | fixing of typos | Sergey | 1 file | -1/+1
2016-06-26 | adjust logging | Chris Lu | 1 file | -1/+1
2016-06-18 | fix compilation problem due to API changes | Chris Lu | 1 file | -3/+5
2016-06-02 | directory structure change to work with glide | Chris Lu | 2 files | -0/+234
    glide has its own requirements. My previous workaround caused me some code checkin errors. Need to fix this.