lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2025-11-24 16:53:14 +08:00
Code Issues Actions 17 Packages Projects Releases Wiki Activity

S3: JWT generation for volume server authentication (#7514)

Browse Source 
* Refactor JWT generation for volume server authentication to use centralized function from filer package, improving code clarity and reducing redundancy.

* Update s3api_object_handlers.go
This commit is contained in:
Chris Lu
2025-11-20 00:07:00 -08:00
committed by GitHub
parent c14e513964
commit 6281e62d7f
1 changed files with 11 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
weed/s3api/s3api_object_handlers.go
View File

@@ -20,7 +20,6 @@ import (
"github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/security"
"github.com/seaweedfs/seaweedfs/weed/wdclient"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
@@ -938,10 +937,7 @@ func (s3a *S3ApiServer) streamFromVolumeServers(w http.ResponseWriter, r *http.R
streamFn, err := filer.PrepareStreamContentWithThrottler(
ctx,
masterClient,
func(fileId string) string {
// Use volume server JWT (not filer JWT) for direct volume reads
return string(security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, fileId))
},
filer.JwtForVolumeServer, // Use filer's JWT function (loads config once, generates JWT locally)
resolvedChunks,
offset,
size,
@@ -1760,8 +1756,8 @@ func (s3a *S3ApiServer) fetchFullChunk(ctx context.Context, fileId string) (io.R
// Use the first URL
chunkUrl := urlStrings[0]
// Generate JWT for volume server authentication
jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, fileId)
// Generate JWT for volume server authentication (uses config loaded once at startup)
jwt := filer.JwtForVolumeServer(fileId)
// Create request WITHOUT Range header to get full chunk
req, err := http.NewRequestWithContext(ctx, "GET", chunkUrl, nil)
@@ -1771,7 +1767,7 @@ func (s3a *S3ApiServer) fetchFullChunk(ctx context.Context, fileId string) (io.R
// Set JWT for authentication
if jwt != "" {
req.Header.Set("Authorization", "BEARER "+string(jwt))
req.Header.Set("Authorization", "BEARER "+jwt)
}
// Use shared HTTP client
@@ -1800,8 +1796,8 @@ func (s3a *S3ApiServer) fetchChunkViewData(ctx context.Context, chunkView *filer
// Use the first URL (already contains complete URL with fileId)
chunkUrl := urlStrings[0]
// Generate JWT for volume server authentication
jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, chunkView.FileId)
// Generate JWT for volume server authentication (uses config loaded once at startup)
jwt := filer.JwtForVolumeServer(chunkView.FileId)
// Create request with Range header for the chunk view
// chunkUrl already contains the complete URL including fileId
@@ -1818,7 +1814,7 @@ func (s3a *S3ApiServer) fetchChunkViewData(ctx context.Context, chunkView *filer
// Set JWT for authentication
if jwt != "" {
req.Header.Set("Authorization", "BEARER "+string(jwt))
req.Header.Set("Authorization", "BEARER "+jwt)
}
// Use shared HTTP client with connection pooling
@@ -1863,10 +1859,7 @@ func (s3a *S3ApiServer) getEncryptedStreamFromVolumes(ctx context.Context, entry
streamFn, err := filer.PrepareStreamContentWithThrottler(
ctx,
masterClient,
func(fileId string) string {
// Use volume server JWT (not filer JWT) for direct volume reads
return string(security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, fileId))
},
filer.JwtForVolumeServer, // Use filer's JWT function (loads config once, generates JWT locally)
resolvedChunks,
0,
totalSize,
@@ -3022,10 +3015,10 @@ func (s3a *S3ApiServer) createEncryptedChunkReader(ctx context.Context, chunk *f
return nil, fmt.Errorf("create HTTP request for chunk: %v", err)
}
// Attach volume server JWT for authentication (matches filer behavior)
jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, chunk.GetFileIdString())
// Attach volume server JWT for authentication (uses config loaded once at startup)
jwt := filer.JwtForVolumeServer(chunk.GetFileIdString())
if jwt != "" {
req.Header.Set("Authorization", "BEARER "+string(jwt))
req.Header.Set("Authorization", "BEARER "+jwt)
}
// Use shared HTTP client with connection pooling