Add credential storage (#6938)

* add credential store interface * load credential.toml * lint * create credentialManager with explicit store type * add type name * InitializeCredentialManager * remove unused functions * fix missing import * fix import * fix nil configuration
2025-09-19 06:37:56 +08:00 · 2025-07-02 18:03:17 -07:00
parent 6b706f9ccd
commit 1db7c2b8aa
23 changed files with 3656 additions and 288 deletions
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"

+	"github.com/seaweedfs/seaweedfs/weed/credential"
 	"github.com/seaweedfs/seaweedfs/weed/filer"
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
@@ -41,16 +42,21 @@ type S3ApiServerOption struct {

 type S3ApiServer struct {
 	s3_pb.UnimplementedSeaweedS3Server
-	option         *S3ApiServerOption
-	iam            *IdentityAccessManagement
-	cb             *CircuitBreaker
-	randomClientId int32
-	filerGuard     *security.Guard
-	client         util_http_client.HTTPClientInterface
-	bucketRegistry *BucketRegistry
+	option            *S3ApiServerOption
+	iam               *IdentityAccessManagement
+	cb                *CircuitBreaker
+	randomClientId    int32
+	filerGuard        *security.Guard
+	client            util_http_client.HTTPClientInterface
+	bucketRegistry    *BucketRegistry
+	credentialManager *credential.CredentialManager
 }

 func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
+	return NewS3ApiServerWithStore(router, option, "")
+}
+
+func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, explicitStore string) (s3ApiServer *S3ApiServer, err error) {
 	startTsNs := time.Now().UnixNano()

 	v := util.GetViper()
@@ -64,19 +70,25 @@ func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer

 	v.SetDefault("cors.allowed_origins.values", "*")

-	if (option.AllowedOrigins == nil) || (len(option.AllowedOrigins) == 0) {
+	if len(option.AllowedOrigins) == 0 {
 		allowedOrigins := v.GetString("cors.allowed_origins.values")
 		domains := strings.Split(allowedOrigins, ",")
 		option.AllowedOrigins = domains
 	}

+	var iam *IdentityAccessManagement
+
+	iam = NewIdentityAccessManagementWithStore(option, explicitStore)
+
 	s3ApiServer = &S3ApiServer{
-		option:         option,
-		iam:            NewIdentityAccessManagement(option),
-		randomClientId: util.RandomInt32(),
-		filerGuard:     security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
-		cb:             NewCircuitBreaker(option),
+		option:            option,
+		iam:               iam,
+		randomClientId:    util.RandomInt32(),
+		filerGuard:        security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
+		cb:                NewCircuitBreaker(option),
+		credentialManager: iam.credentialManager,
 	}
+
 	if option.Config != "" {
 		grace.OnReload(func() {
 			if err := s3ApiServer.iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
@@ -119,7 +131,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 		func(w http.ResponseWriter, r *http.Request) {
 			origin := r.Header.Get("Origin")
 			if origin != "" {
-				if s3a.option.AllowedOrigins == nil || len(s3a.option.AllowedOrigins) == 0 || s3a.option.AllowedOrigins[0] == "*" {
+				if len(s3a.option.AllowedOrigins) == 0 || s3a.option.AllowedOrigins[0] == "*" {
 					origin = "*"
 				} else {
 					originFound := false