lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2025-10-21 23:17:23 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

TLS allowed commonNames

Browse Source
This commit is contained in:
Konstantin Lebedev
2021-03-08 21:39:44 +05:00
parent c6d3735605
commit 190fada1ef
6 changed files with 64 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
weed/command/scaffold.go
View File

@@ -444,18 +444,22 @@ ca = ""
[grpc.volume]
cert = ""
key = ""
allowed_commonNames = ""
[grpc.master]
cert = ""
key = ""
allowed_commonNames = ""
[grpc.filer]
cert = ""
key = ""
allowed_commonNames = ""
[grpc.msg_broker]
cert = ""
key = ""
allowed_commonNames = ""
# use this for any place needs a grpc client
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
@@ -463,7 +467,6 @@ key = ""
cert = ""
key = ""
# volume server https options
# Note: work in progress!
# this does not work with other clients, e.g., "weed filer|mount" etc, yet.

11
weed/security/tls.go
View File

@@ -29,12 +29,15 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
// load cert/key, ca cert
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
if err != nil {
glog.V(1).Infof("load cert/key error: %v", err)
glog.V(1).Infof("load cert: %s / key: %s error: %v",
config.GetString(component+".cert"),
config.GetString(component+".key"),
err)
return nil, nil
}
caCert, err := ioutil.ReadFile(config.GetString("grpc.ca"))
if err != nil {
glog.V(1).Infof("read ca cert file error: %v", err)
glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err)
return nil, nil
}
caCertPool := x509.NewCertPool()
@@ -44,11 +47,11 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
})
permitCommonNames := config.GetStringSlice(component + "permitCommonNames")
permitCommonNames := config.GetStringSlice(component + ".allowed_commonNames")
if len(permitCommonNames) > 0 {
permitCommonNamesMap := make(map[string]bool)
for _, s := range util.GetViper().GetStringSlice(component + "permitCommonNames") {
for _, s := range permitCommonNames {
permitCommonNamesMap[s] = true
}
auther := Authenticator{