Mirror
/
MinIO
mirror of https://github.com/minio/minio.git
2
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12513 Commits
4 Branches
520 Tags
175 MiB
Tree: b9f0e8c712
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b9f0e8c712'
${ noResults }
MinIO/cmd/jwt.go

140 lines
4.5 KiB
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
4 years ago
Have simpler JWT authentication. (#3501)
9 years ago
move to jwt-go v4 with correct releases (#13586)
4 years ago
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
4 years ago
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
1 year ago
Have simpler JWT authentication. (#3501)
9 years ago
remove unnecessary LRU for internode auth token (#20119) removes contentious usage of mutexes in LRU, which were never really reused in any manner; we do not need it. To trust hosts, the correct way is TLS certs; this PR completely removes this dependency, which has never been useful. ``` 0 0% 100% 25.83s 26.76% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) 0 0% 100% 28.03s 29.04% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) ``` Bonus: use `x-minio-time` as a nanosecond to avoid unnecessary parsing logic of time strings instead of using a more straightforward mechanism.
1 year ago
Have simpler JWT authentication. (#3501)
9 years ago
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
9 years ago
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
4 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
4 years ago
Fix typo in jwt skewed date/time error (#19066)
1 year ago
return different status code for internode communication (#17655) mc admin trace -a will be able to quickly show 401 Unauthorized header to pinpoint trivial issues between nodes, such as wrong root credentials and skewed time.
2 years ago
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
9 years ago
Have simpler JWT authentication. (#3501)
9 years ago
remove unnecessary LRU for internode auth token (#20119) removes contentious usage of mutexes in LRU, which were never really reused in any manner; we do not need it. To trust hosts, the correct way is TLS certs; this PR completely removes this dependency, which has never been useful. ``` 0 0% 100% 25.83s 26.76% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) 0 0% 100% 28.03s 29.04% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) ``` Bonus: use `x-minio-time` as a nanosecond to avoid unnecessary parsing logic of time strings instead of using a more straightforward mechanism.
1 year ago
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
6 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
6 years ago
Have simpler JWT authentication. (#3501)
9 years ago
browser: Allow anonymous browsing of readable buckets. (#3515)
9 years ago
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
3 years ago
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
6 years ago
Have simpler JWT authentication. (#3501)
9 years ago
browser: Allow anonymous browsing of readable buckets. (#3515)
9 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
browser: Allow anonymous browsing of readable buckets. (#3515)
9 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
8 years ago
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
6 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
reject expired STS credentials early without decoding sessionToken (#19072)
1 year ago
allow root user to be disabled via config settings (#17089)
2 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
browser: Allow anonymous browsing of readable buckets. (#3515)
9 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
3 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
site healing: Skip stale iam asset updates from peer. (#15203) Allow healing to apply IAM change only when peer gave the most recent update.
3 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
Fix policy package import name (#18031) We do not need to rename the import of minio/pkg/v2/policy as iampolicy any more.
2 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
4 years ago
make sure to pass groups for all credentials while verifying policies (#14193) fixes #14180
4 years ago
Have simpler JWT authentication. (#3501)
9 years ago
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
7 years ago
remove unnecessary LRU for internode auth token (#20119) removes contentious usage of mutexes in LRU, which were never really reused in any manner; we do not need it. To trust hosts, the correct way is TLS certs; this PR completely removes this dependency, which has never been useful. ``` 0 0% 100% 25.83s 26.76% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) 0 0% 100% 28.03s 29.04% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) ``` Bonus: use `x-minio-time` as a nanosecond to avoid unnecessary parsing logic of time strings instead of using a more straightforward mechanism.
1 year ago
Reduce JWT overhead for internode tokens (#13738) Since JWT tokens remain valid for up to 15 minutes, we don't have to regenerate tokens for every call. Cache tokens for matching access+secret+audience for up to 15 seconds. ``` BenchmarkAuthenticateNode/uncached-32 270567 4179 ns/op 2961 B/op 33 allocs/op BenchmarkAuthenticateNode/cached-32 7684824 157.5 ns/op 48 B/op 1 allocs/op ``` Reduces internode call allocations a great deal.
4 years ago
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
7 years ago
  1. // Copyright (c) 2015-2021 MinIO, Inc.
  2. //
  3. // This file is part of MinIO Object Storage stack
  4. //
  5. // This program is free software: you can redistribute it and/or modify
  6. // it under the terms of the GNU Affero General Public License as published by
  7. // the Free Software Foundation, either version 3 of the License, or
  8. // (at your option) any later version.
  9. //
  10. // This program is distributed in the hope that it will be useful
  11. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. // GNU Affero General Public License for more details.
  14. //
  15. // You should have received a copy of the GNU Affero General Public License
  16. // along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. package cmd
  20. import (
  21. "errors"
  22. "net/http"
  23. "time"
  25. jwtgo "github.com/golang-jwt/jwt/v4"
  26. jwtreq "github.com/golang-jwt/jwt/v4/request"
  27. "github.com/minio/minio/internal/auth"
  28. xjwt "github.com/minio/minio/internal/jwt"
  29. "github.com/minio/pkg/v3/policy"
  30. )
  32. const (
  33. jwtAlgorithm = "Bearer"
  35. // Default JWT token for web handlers is one day.
  36. defaultJWTExpiry = 24 * time.Hour
  38. // Inter-node JWT token expiry is 100 years approx.
  39. defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
  40. )
  42. var (
  43. errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
  44. errAccessKeyDisabled = errors.New("The access key you provided is disabled")
  45. errAuthentication = errors.New("Authentication failed, check your access credentials")
  46. errNoAuthToken = errors.New("JWT token missing")
  47. errSkewedAuthTime = errors.New("Skewed authentication date/time")
  48. errMalformedAuth = errors.New("Malformed authentication input")
  49. )
  51. func authenticateNode(accessKey, secretKey string) (string, error) {
  52. claims := xjwt.NewStandardClaims()
  53. claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry))
  54. claims.SetAccessKey(accessKey)
  56. jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
  57. return jwt.SignedString([]byte(secretKey))
  58. }
  60. // Check if the request is authenticated.
  61. // Returns nil if the request is authenticated. errNoAuthToken if token missing.
  62. // Returns errAuthentication for all other errors.
  63. func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, bool, error) {
  64. token, err := jwtreq.AuthorizationHeaderExtractor.ExtractToken(req)
  65. if err != nil {
  66. if err == jwtreq.ErrNoTokenInRequest {
  67. return nil, nil, false, errNoAuthToken
  68. }
  69. return nil, nil, false, err
  70. }
  71. claims := xjwt.NewMapClaims()
  72. if err := xjwt.ParseWithClaims(token, claims, func(claims *xjwt.MapClaims) ([]byte, error) {
  73. if claims.AccessKey != globalActiveCred.AccessKey {
  74. u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
  75. if !ok {
  76. // Credentials will be invalid but for disabled
  77. // return a different error in such a scenario.
  78. if u.Credentials.Status == auth.AccountOff {
  79. return nil, errAccessKeyDisabled
  80. }
  81. return nil, errInvalidAccessKeyID
  82. }
  83. cred := u.Credentials
  84. // Expired credentials return error.
  85. if cred.IsTemp() && cred.IsExpired() {
  86. return nil, errInvalidAccessKeyID
  87. }
  88. return []byte(cred.SecretKey), nil
  89. } // this means claims.AccessKey == rootAccessKey
  90. if !globalAPIConfig.permitRootAccess() {
  91. // if root access is disabled, fail this request.
  92. return nil, errAccessKeyDisabled
  93. }
  94. return []byte(globalActiveCred.SecretKey), nil
  95. }); err != nil {
  96. return claims, nil, false, errAuthentication
  97. }
  98. owner := true
  99. var groups []string
  100. if globalActiveCred.AccessKey != claims.AccessKey {
  101. // Check if the access key is part of users credentials.
  102. u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
  103. if !ok {
  104. return nil, nil, false, errInvalidAccessKeyID
  105. }
  106. ucred := u.Credentials
  107. // get embedded claims
  108. eclaims, s3Err := checkClaimsFromToken(req, ucred)
  109. if s3Err != ErrNone {
  110. return nil, nil, false, errAuthentication
  111. }
  113. for k, v := range eclaims {
  114. claims.MapClaims[k] = v
  115. }
  117. // if root access is disabled, disable all its service accounts and temporary credentials.
  118. if ucred.ParentUser == globalActiveCred.AccessKey && !globalAPIConfig.permitRootAccess() {
  119. return nil, nil, false, errAccessKeyDisabled
  120. }
  122. // Now check if we have a sessionPolicy.
  123. if _, ok = eclaims[policy.SessionPolicyName]; ok {
  124. owner = false
  125. } else {
  126. owner = globalActiveCred.AccessKey == ucred.ParentUser
  127. }
  129. groups = ucred.Groups
  130. }
  132. return claims, groups, owner, nil
  133. }
  135. // newCachedAuthToken returns the cached token.
  136. func newCachedAuthToken() func() string {
  137. return func() string {
  138. return globalNodeAuthToken
  139. }
  140. }