Add credential storage (#6938)

* add credential store interface * load credential.toml * lint * create credentialManager with explicit store type * add type name * InitializeCredentialManager * remove unused functions * fix missing import * fix import * fix nil configuration
2025-10-08 01:04:22 +08:00 · 2025-07-02 18:03:17 -07:00
parent 6b706f9ccd
commit 1db7c2b8aa
23 changed files with 3656 additions and 288 deletions
--- a/weed/command/iam.go
+++ b/weed/command/iam.go
@@ -3,9 +3,10 @@ package command
 import (
 	"context"
 	"fmt"
-	"github.com/seaweedfs/seaweedfs/weed/util/version"
 	"net/http"

+	"github.com/seaweedfs/seaweedfs/weed/util/version"
+
 	"time"

 	"github.com/gorilla/mux"
@@ -15,6 +16,12 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/security"
 	"github.com/seaweedfs/seaweedfs/weed/util"
+
+	// Import credential stores to register them
+	_ "github.com/seaweedfs/seaweedfs/weed/credential/filer_etc"
+	_ "github.com/seaweedfs/seaweedfs/weed/credential/memory"
+	_ "github.com/seaweedfs/seaweedfs/weed/credential/postgres"
+	_ "github.com/seaweedfs/seaweedfs/weed/credential/sqlite"
 )

 var (
--- a/weed/command/s3.go
+++ b/weed/command/s3.go
@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"github.com/seaweedfs/seaweedfs/weed/util/version"
 	"io/ioutil"
 	"net"
 	"net/http"
@@ -14,6 +13,8 @@ import (
 	"strings"
 	"time"

+	"github.com/seaweedfs/seaweedfs/weed/util/version"
+
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
--- a/weed/command/scaffold.go
+++ b/weed/command/scaffold.go
@@ -2,9 +2,10 @@ package command

 import (
 	"fmt"
-	"github.com/seaweedfs/seaweedfs/weed/util"
 	"path/filepath"

+	"github.com/seaweedfs/seaweedfs/weed/util"
+
 	"github.com/seaweedfs/seaweedfs/weed/command/scaffold"
 )

@@ -13,9 +14,9 @@ func init() {
 }

 var cmdScaffold = &Command{
-	UsageLine: "scaffold -config=[filer|notification|replication|security|master]",
+	UsageLine: "scaffold -config=[filer|notification|replication|security|master|shell|credential]",
 	Short:     "generate basic configuration files",
-	Long: `Generate filer.toml with all possible configurations for you to customize.
+	Long: `Generate configuration files with all possible configurations for you to customize.

 	The options can also be overwritten by environment variables.
 	For example, the filer.toml mysql password can be overwritten by environment variable
@@ -30,7 +31,7 @@ var cmdScaffold = &Command{

 var (
 	outputPath = cmdScaffold.Flag.String("output", "", "if not empty, save the configuration file to this directory")
-	config     = cmdScaffold.Flag.String("config", "filer", "[filer|notification|replication|security|master] the configuration file to generate")
+	config     = cmdScaffold.Flag.String("config", "filer", "[filer|notification|replication|security|master|shell|credential] the configuration file to generate")
 )

 func runScaffold(cmd *Command, args []string) bool {
@@ -49,6 +50,8 @@ func runScaffold(cmd *Command, args []string) bool {
 		content = scaffold.Master
 	case "shell":
 		content = scaffold.Shell
+	case "credential":
+		content = scaffold.Credential
 	}
 	if content == "" {
 		println("need a valid -config option")
--- a/weed/command/scaffold/credential.toml
+++ b/weed/command/scaffold/credential.toml
@@ -0,0 +1,55 @@
+# Put this file to one of the location, with descending priority
+#    ./credential.toml
+#    $HOME/.seaweedfs/credential.toml
+#    /etc/seaweedfs/credential.toml
+# this file is read by S3 API and IAM API servers
+
+# Choose one of the credential stores below
+# Only one store can be enabled at a time
+
+# Filer-based credential store (default, uses existing filer storage)
+[credential.filer_etc]
+enabled = true
+# filer address and grpc_dial_option will be automatically configured by the server
+
+# SQLite credential store (recommended for single-node deployments)
+[credential.sqlite]
+enabled = false
+file = "/var/lib/seaweedfs/credentials.db"
+# Optional: table name prefix (default: "sw_")
+table_prefix = "sw_"
+
+# PostgreSQL credential store (recommended for multi-node deployments)
+[credential.postgres]
+enabled = false
+hostname = "localhost"
+port = 5432
+username = "seaweedfs"
+password = "your_password"
+database = "seaweedfs"
+schema = "public"
+sslmode = "disable"
+# Optional: table name prefix (default: "sw_")
+table_prefix = "sw_"
+# Connection pool settings
+connection_max_idle = 10
+connection_max_open = 100
+connection_max_lifetime_seconds = 3600
+
+# Memory credential store (for testing only, data is lost on restart)
+[credential.memory]
+enabled = false
+
+# Environment variable overrides:
+# Any configuration value can be overridden by environment variables
+# Rules:
+#   * Prefix with "WEED_CREDENTIAL_"
+#   * Convert to uppercase
+#   * Replace '.' with '_'
+#
+# Examples:
+#   export WEED_CREDENTIAL_POSTGRES_PASSWORD=secret
+#   export WEED_CREDENTIAL_SQLITE_FILE=/custom/path/credentials.db
+#   export WEED_CREDENTIAL_POSTGRES_HOSTNAME=db.example.com
+#   export WEED_CREDENTIAL_FILER_ETC_ENABLED=true
+#   export WEED_CREDENTIAL_SQLITE_ENABLED=false 
--- a/weed/command/scaffold/example.go
+++ b/weed/command/scaffold/example.go
@@ -19,3 +19,6 @@ var Master string

 //go:embed shell.toml
 var Shell string
+
+//go:embed credential.toml
+var Credential string