mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2025-10-21 23:17:23 +08:00
Merge pull request #1872 from kmlebedev/grpc_auth
TLS allowed CommonNames
This commit is contained in:
Chris Lu
@@ -138,7 +138,6 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
|
||||
if err != nil {
|
||||
glog.Fatalf("master failed to listen on grpc port %d: %v", grpcPort, err)
|
||||
}
|
||||
// Create your protocol servers.
|
||||
grpcS := pb.NewGrpcServer(security.LoadServerTLS(util.GetViper(), "grpc.master"))
|
||||
master_pb.RegisterSeaweedServer(grpcS, ms)
|
||||
protobuf.RegisterRaftServer(grpcS, raftServer)
|
||||
|
||||
@@ -440,22 +440,28 @@ expires_after_seconds = 10 # seconds
|
||||
# the host name is not checked, so the PERM files can be shared.
|
||||
[grpc]
|
||||
ca = ""
|
||||
# Set wildcard domain for enable TLS authentication by common names
|
||||
allowed_wildcard_domain = "" # .mycompany.com
|
||||
|
||||
[grpc.volume]
|
||||
cert = ""
|
||||
key = ""
|
||||
allowed_commonNames = "" # comma-separated SSL certificate common names
|
||||
|
||||
[grpc.master]
|
||||
cert = ""
|
||||
key = ""
|
||||
allowed_commonNames = "" # comma-separated SSL certificate common names
|
||||
|
||||
[grpc.filer]
|
||||
cert = ""
|
||||
key = ""
|
||||
allowed_commonNames = "" # comma-separated SSL certificate common names
|
||||
|
||||
[grpc.msg_broker]
|
||||
cert = ""
|
||||
key = ""
|
||||
allowed_commonNames = "" # comma-separated SSL certificate common names
|
||||
|
||||
# use this for any place needs a grpc client
|
||||
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
|
||||
@@ -463,7 +469,6 @@ key = ""
|
||||
cert = ""
|
||||
key = ""
|
||||
|
||||
|
||||
# volume server https options
|
||||
# Note: work in progress!
|
||||
# this does not work with other clients, e.g., "weed filer|mount" etc, yet.
|
||||
|
||||
@@ -1,10 +1,16 @@
|
||||
package security
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"github.com/chrislusf/seaweedfs/weed/util"
|
||||
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/peer"
|
||||
"google.golang.org/grpc/status"
|
||||
"io/ioutil"
|
||||
"strings"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
@@ -12,21 +18,29 @@ import (
|
||||
"github.com/chrislusf/seaweedfs/weed/glog"
|
||||
)
|
||||
|
||||
func LoadServerTLS(config *util.ViperProxy, component string) grpc.ServerOption {
|
||||
type Authenticator struct {
|
||||
AllowedWildcardDomain string
|
||||
AllowedCommonNames map[string]bool
|
||||
}
|
||||
|
||||
func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
|
||||
if config == nil {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// load cert/key, ca cert
|
||||
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
|
||||
if err != nil {
|
||||
glog.V(1).Infof("load cert/key error: %v", err)
|
||||
return nil
|
||||
glog.V(1).Infof("load cert: %s / key: %s error: %v",
|
||||
config.GetString(component+".cert"),
|
||||
config.GetString(component+".key"),
|
||||
err)
|
||||
return nil, nil
|
||||
}
|
||||
caCert, err := ioutil.ReadFile(config.GetString("grpc.ca"))
|
||||
if err != nil {
|
||||
glog.V(1).Infof("read ca cert file error: %v", err)
|
||||
return nil
|
||||
glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err)
|
||||
return nil, nil
|
||||
}
|
||||
caCertPool := x509.NewCertPool()
|
||||
caCertPool.AppendCertsFromPEM(caCert)
|
||||
@@ -36,7 +50,20 @@ func LoadServerTLS(config *util.ViperProxy, component string) grpc.ServerOption
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
})
|
||||
|
||||
return grpc.Creds(ta)
|
||||
allowedCommonNames := config.GetString(component + ".allowed_commonNames")
|
||||
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
|
||||
if allowedCommonNames != "" || allowedWildcardDomain != "" {
|
||||
allowedCommonNamesMap := make(map[string]bool)
|
||||
for _, s := range strings.Split(allowedCommonNames, ",") {
|
||||
allowedCommonNamesMap[s] = true
|
||||
}
|
||||
auther := Authenticator{
|
||||
AllowedCommonNames: allowedCommonNamesMap,
|
||||
AllowedWildcardDomain: allowedWildcardDomain,
|
||||
}
|
||||
return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
|
||||
}
|
||||
return grpc.Creds(ta), nil
|
||||
}
|
||||
|
||||
func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
|
||||
@@ -70,3 +97,28 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
|
||||
})
|
||||
return grpc.WithTransportCredentials(ta)
|
||||
}
|
||||
|
||||
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
|
||||
p, ok := peer.FromContext(ctx)
|
||||
if !ok {
|
||||
return ctx, status.Error(codes.Unauthenticated, "no peer found")
|
||||
}
|
||||
|
||||
tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
|
||||
if !ok {
|
||||
return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
|
||||
}
|
||||
if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
|
||||
return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
|
||||
}
|
||||
|
||||
commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
|
||||
if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
|
||||
return ctx, nil
|
||||
}
|
||||
if _, ok := a.AllowedCommonNames[commonName]; ok {
|
||||
return ctx, nil
|
||||
}
|
||||
|
||||
return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user