Add credential storage (#6938)

* add credential store interface * load credential.toml * lint * create credentialManager with explicit store type * add type name * InitializeCredentialManager * remove unused functions * fix missing import * fix import * fix nil configuration
2025-11-08 20:27:26 +08:00 · 2025-07-02 18:03:17 -07:00
parent 6b706f9ccd
commit 1db7c2b8aa
23 changed files with 3656 additions and 288 deletions
--- a/weed/command/scaffold/credential.toml
+++ b/weed/command/scaffold/credential.toml
@@ -0,0 +1,55 @@
+# Put this file to one of the location, with descending priority
+#    ./credential.toml
+#    $HOME/.seaweedfs/credential.toml
+#    /etc/seaweedfs/credential.toml
+# this file is read by S3 API and IAM API servers
+
+# Choose one of the credential stores below
+# Only one store can be enabled at a time
+
+# Filer-based credential store (default, uses existing filer storage)
+[credential.filer_etc]
+enabled = true
+# filer address and grpc_dial_option will be automatically configured by the server
+
+# SQLite credential store (recommended for single-node deployments)
+[credential.sqlite]
+enabled = false
+file = "/var/lib/seaweedfs/credentials.db"
+# Optional: table name prefix (default: "sw_")
+table_prefix = "sw_"
+
+# PostgreSQL credential store (recommended for multi-node deployments)
+[credential.postgres]
+enabled = false
+hostname = "localhost"
+port = 5432
+username = "seaweedfs"
+password = "your_password"
+database = "seaweedfs"
+schema = "public"
+sslmode = "disable"
+# Optional: table name prefix (default: "sw_")
+table_prefix = "sw_"
+# Connection pool settings
+connection_max_idle = 10
+connection_max_open = 100
+connection_max_lifetime_seconds = 3600
+
+# Memory credential store (for testing only, data is lost on restart)
+[credential.memory]
+enabled = false
+
+# Environment variable overrides:
+# Any configuration value can be overridden by environment variables
+# Rules:
+#   * Prefix with "WEED_CREDENTIAL_"
+#   * Convert to uppercase
+#   * Replace '.' with '_'
+#
+# Examples:
+#   export WEED_CREDENTIAL_POSTGRES_PASSWORD=secret
+#   export WEED_CREDENTIAL_SQLITE_FILE=/custom/path/credentials.db
+#   export WEED_CREDENTIAL_POSTGRES_HOSTNAME=db.example.com
+#   export WEED_CREDENTIAL_FILER_ETC_ENABLED=true
+#   export WEED_CREDENTIAL_SQLITE_ENABLED=false 
--- a/weed/command/scaffold/example.go
+++ b/weed/command/scaffold/example.go
@@ -19,3 +19,6 @@ var Master string

 //go:embed shell.toml
 var Shell string
+
+//go:embed credential.toml
+var Credential string