
master: add jwt expires_after_seconds

Chris Lu 5 years ago
parent
commit
25941e0500

+ 3 - 2
weed/command/scaffold.go

@@ -262,10 +262,11 @@ directory = "/"                # destination directory
 #    /etc/seaweedfs/security.toml
 # this file is read by master, volume server, and filer
 
-# the jwt signing key is read by master and volume server
-# a jwt expires in 10 seconds
+# the jwt signing key is read by master and volume server.
+# a jwt defaults to expire after 10 seconds.
 [jwt.signing]
 key = ""
+expires_after_seconds = 10           # seconds
 
 # all grpc tls authentications are mutual
 # the values for the following ca, cert, and key are paths to the PERM files.
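Review bot: The template comment on the new `expires_after_seconds` line does not say what a non-positive value does, and from the jwt.go hunk on this page a value of 0 or less skips the `ExpiresAt` claim entirely, i.e. mints tokens with no expiry rather than using the default. An operator reading only this template would reasonably guess that `0` means "use the default". I would extend the comment to `# a jwt defaults to expire after 10 seconds; 0 or a negative value produces tokens without an exp claim (they never expire)`, or, if non-expiring tokens are not meant to be configurable, say so here and reject the value at load time.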

+ 5 - 4
weed/security/guard.go

@@ -41,14 +41,15 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
 
 */
 type Guard struct {
-	whiteList  []string
-	SigningKey SigningKey
+	whiteList       []string
+	SigningKey      SigningKey
+	ExpiresAfterSec int
 
 	isActive bool
 }
 
-func NewGuard(whiteList []string, signingKey string) *Guard {
-	g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey)}
+func NewGuard(whiteList []string, signingKey string, expiresAfterSec int) *Guard {
+	g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey), ExpiresAfterSec:expiresAfterSec}
 	g.isActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
 	return g
 }
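Review bot: The composite literal in NewGuard is not gofmt-clean: `ExpiresAfterSec:expiresAfterSec` needs a space after the colon, `ExpiresAfterSec: expiresAfterSec`. The new exported field also has no doc comment; since callers outside this package pass it straight into GenJwt, I would document the contract it inherits there, e.g. `// ExpiresAfterSec is the lifetime in seconds of JWTs minted with this guard; values <= 0 yield tokens without an exp claim.` The unit of the field is only implied by the name, so stating "seconds" in the comment avoids a later caller passing a Duration-derived value.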

+ 5 - 4
weed/security/jwt.go

@@ -18,16 +18,17 @@ type SeaweedFileIdClaims struct {
 	jwt.StandardClaims
 }
 
-func GenJwt(signingKey SigningKey, fileId string) EncodedJwt {
+func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
 	if len(signingKey) == 0 {
 		return ""
 	}
 
 	claims := SeaweedFileIdClaims{
 		fileId,
-		jwt.StandardClaims{
-			ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
-		},
+		jwt.StandardClaims{},
+	}
+	if expiresAfterSec > 0 {
+		claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
 	}
 	t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	encoded, e := t.SignedString([]byte(signingKey))
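Review bot: When `expiresAfterSec` is 0 or negative the new code leaves `ExpiresAt` at its zero value, and as far as I recall jwt-go's `StandardClaims.Valid` treats a zero `ExpiresAt` as "no expiry check", so such a token stays valid for as long as the signing key is in use rather than for the documented default of 10 seconds. Before this change every token expired; a misconfiguration (or an unset value reaching this function through a caller that does not apply the viper default) now silently widens the token lifetime to unbounded, and the function gives no signal that it did so. If unbounded tokens are not an intended feature I would fall back to the default instead of skipping the claim, `if expiresAfterSec <= 0 { expiresAfterSec = 10 // never mint a token without an exp claim }`, and set `ExpiresAt` unconditionally; if they are intended, a comment above the `if` saying so is the minimum. GenJwt's body continues past the end of this hunk.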

+ 1 - 1
weed/server/master_grpc_server_volume.go

@@ -94,7 +94,7 @@ func (ms *MasterServer) Assign(ctx context.Context, req *master_pb.AssignRequest
 		Url:       dn.Url(),
 		PublicUrl: dn.PublicUrl,
 		Count:     count,
-		Auth:      string(security.GenJwt(ms.guard.SigningKey, fid)),
+		Auth:      string(security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fid)),
 	}, nil
 }
 

+ 3 - 1
weed/server/master_server.go

@@ -54,6 +54,8 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 
 	v := viper.GetViper()
 	signingKey := v.GetString("jwt.signing.key")
+	v.SetDefault("jwt.signing.expires_after_seconds", 10)
+	expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
 
 	var preallocateSize int64
 	if preallocate {
@@ -75,7 +77,7 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 	ms.vg = topology.NewDefaultVolumeGrowth()
 	glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")
 
-	ms.guard = security.NewGuard(whiteList, signingKey)
+	ms.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
 
 	if !disableHttp {
 		handleStaticResources2(r)
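Review bot: `expiresAfterSec` is read from config and handed to NewGuard without any range check, so a negative or zero value in security.toml is accepted silently and, per the jwt.go hunk on this page, results in tokens with no expiry. Since the master is the component that mints these tokens (see the two `GenJwt` call sites in this commit), this is the place to validate: after the `v.GetInt` line, `if expiresAfterSec <= 0 { glog.Warningf("jwt.signing.expires_after_seconds=%d disables token expiry", expiresAfterSec) }`, or reject it outright if non-expiring tokens are not meant to be supported. The literal default `10` is also now repeated here, in volume_server.go and in the scaffold template; a single constant in the security package would keep them from drifting.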

+ 1 - 1
weed/server/master_server_handlers.go

@@ -110,7 +110,7 @@ func (ms *MasterServer) dirAssignHandler(w http.ResponseWriter, r *http.Request)
 }
 
 func (ms *MasterServer) maybeAddJwtAuthorization(w http.ResponseWriter, fileId string) {
-	encodedJwt := security.GenJwt(ms.guard.SigningKey, fileId)
+	encodedJwt := security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fileId)
 	if encodedJwt == "" {
 		return
 	}

+ 3 - 1
weed/server/volume_server.go

@@ -40,6 +40,8 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 
 	v := viper.GetViper()
 	signingKey := v.GetString("jwt.signing.key")
+	v.SetDefault("jwt.signing.expires_after_seconds", 10)
+	expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
 	enableUiAccess := v.GetBool("access.ui")
 
 	vs := &VolumeServer{
@@ -55,7 +57,7 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 	vs.MasterNodes = masterNodes
 	vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
 
-	vs.guard = security.NewGuard(whiteList, signingKey)
+	vs.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
 
 	handleStaticResources(adminMux)
 	if signingKey == "" || enableUiAccess {