
  1. package command
  2. import (
  3. "context"
  4. "crypto/tls"
  5. "crypto/x509"
  6. "fmt"
  7. "io/ioutil"
  8. "net"
  9. "net/http"
  10. "os"
  11. "runtime"
  12. "strings"
  13. "time"
  14. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  15. "google.golang.org/grpc/credentials/tls/certprovider"
  16. "google.golang.org/grpc/credentials/tls/certprovider/pemfile"
  17. "google.golang.org/grpc/reflection"
  18. "github.com/seaweedfs/seaweedfs/weed/pb"
  19. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  20. "github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
  21. "github.com/seaweedfs/seaweedfs/weed/security"
  22. "github.com/gorilla/mux"
  23. "github.com/seaweedfs/seaweedfs/weed/glog"
  24. "github.com/seaweedfs/seaweedfs/weed/s3api"
  25. stats_collect "github.com/seaweedfs/seaweedfs/weed/stats"
  26. "github.com/seaweedfs/seaweedfs/weed/util"
  27. )
var (
	// s3StandaloneOptions is the flag-backed configuration of the standalone
	// "s3" command; its pointer fields are registered in init() against cmdS3.Flag.
	s3StandaloneOptions S3Options
)
// S3Options holds the settings of the S3 gateway command. Every flag-backed
// field is a pointer that init() registers against cmdS3.Flag, so the values
// are only meaningful after flag parsing; certProvider is filled in by
// startS3Server once a TLS private key is configured.
type S3Options struct {
	filer                     *string // filer server address (-filer)
	bindIp                    *string // ip address to bind to; defaulted to "localhost" by startS3Server (-ip.bind)
	port                      *int    // S3 HTTP listen port (-port)
	portHttps                 *int    // S3 HTTPS listen port; 0 means TLS is served on port instead (-port.https)
	portGrpc                  *int    // S3 gRPC listen port; 0 means 10000+port (-port.grpc)
	config                    *string // path to the identities/credentials config file (-config)
	domainName                *string // comma separated host name suffixes for {bucket}.{domainName} (-domainName)
	allowedOrigins            *string // comma separated list of allowed CORS origins (-allowedOrigins)
	tlsPrivateKey             *string // TLS private key file; non-empty enables HTTPS (-key.file)
	tlsCertificate            *string // TLS certificate file (-cert.file)
	tlsCACertificate          *string // CA certificate file used to verify client certificates (-cacert.file)
	tlsVerifyClientCert       *bool   // require and verify client certificates (-tlsVerifyClientCert)
	metricsHttpPort           *int    // Prometheus metrics listen port (-metricsPort)
	metricsHttpIp             *string // metrics listen ip; defaults to bindIp in runS3 (-metricsIp)
	allowEmptyFolder          *bool   // allow empty folders (-allowEmptyFolder)
	allowDeleteBucketNotEmpty *bool   // allow recursive deletion of a non-empty bucket (-allowDeleteBucketNotEmpty)
	auditLogConfig            *string // path to the audit log config file (-auditLogConfig)
	localFilerSocket          *string // local filer unix socket path; may be nil when not set by this command's flags (-localFilerSocket)
	dataCenter                *string // preferred data center for reads and writes (-dataCenter)
	localSocket               *string // local unix socket for the S3 API; defaults to /tmp/seaweedfs-s3-<port>.sock (-localSocket)
	certProvider              certprovider.Provider // auto-refreshing TLS certificate source, set by startS3Server
}
// init wires the "s3" command to its run function and registers every
// command-line flag that populates s3StandaloneOptions.
func init() {
	cmdS3.Run = runS3 // break init cycle

	flags := cmdS3.Flag
	opt := &s3StandaloneOptions

	// Connectivity and listeners.
	opt.filer = flags.String("filer", "localhost:8888", "filer server address")
	opt.bindIp = flags.String("ip.bind", "", "ip address to bind to. Default to localhost.")
	opt.port = flags.Int("port", 8333, "s3 server http listen port")
	opt.portHttps = flags.Int("port.https", 0, "s3 server https listen port")
	opt.portGrpc = flags.Int("port.grpc", 0, "s3 server grpc listen port")
	opt.localFilerSocket = flags.String("localFilerSocket", "", "local filer socket path")
	opt.localSocket = flags.String("localSocket", "", "default to /tmp/seaweedfs-s3-<port>.sock")

	// Request handling behaviour.
	opt.domainName = flags.String("domainName", "", "suffix of the host name in comma separated list, {bucket}.{domainName}")
	opt.allowedOrigins = flags.String("allowedOrigins", "*", "comma separated list of allowed origins")
	opt.dataCenter = flags.String("dataCenter", "", "prefer to read and write to volumes in this data center")
	opt.allowEmptyFolder = flags.Bool("allowEmptyFolder", true, "allow empty folders")
	opt.allowDeleteBucketNotEmpty = flags.Bool("allowDeleteBucketNotEmpty", true, "allow recursive deleting all entries along with bucket")

	// Authentication, auditing and transport security.
	opt.config = flags.String("config", "", "path to the config file")
	opt.auditLogConfig = flags.String("auditLogConfig", "", "path to the audit log config file")
	opt.tlsPrivateKey = flags.String("key.file", "", "path to the TLS private key file")
	opt.tlsCertificate = flags.String("cert.file", "", "path to the TLS certificate file")
	opt.tlsCACertificate = flags.String("cacert.file", "", "path to the TLS CA certificate file")
	opt.tlsVerifyClientCert = flags.Bool("tlsVerifyClientCert", false, "whether to verify the client's certificate")

	// Metrics.
	opt.metricsHttpPort = flags.Int("metricsPort", 0, "Prometheus metrics listen port")
	opt.metricsHttpIp = flags.String("metricsIp", "", "metrics listen ip. If empty, default to same as -ip.bind option.")
}
// cmdS3 describes the "weed s3" command. Long documents the optional
// credential config file; without -config any access/secret key pair is
// accepted, so the example shows how to restrict identities and per-bucket
// actions.
var cmdS3 = &Command{
	UsageLine: "s3 [-port=8333] [-filer=<ip:port>] [-config=</path/to/config.json>]",
	Short:     "start a s3 API compatible server that is backed by a filer",
	Long: `start a s3 API compatible server that is backed by a filer.
By default, you can use any access key and secret key to access the S3 APIs.
To enable credential based access, create a config.json file similar to this:
{
"identities": [
{
"name": "anonymous",
"actions": [
"Read"
]
},
{
"name": "some_admin_user",
"credentials": [
{
"accessKey": "some_access_key1",
"secretKey": "some_secret_key1"
}
],
"actions": [
"Admin",
"Read",
"List",
"Tagging",
"Write"
]
},
{
"name": "some_read_only_user",
"credentials": [
{
"accessKey": "some_access_key2",
"secretKey": "some_secret_key2"
}
],
"actions": [
"Read"
]
},
{
"name": "some_normal_user",
"credentials": [
{
"accessKey": "some_access_key3",
"secretKey": "some_secret_key3"
}
],
"actions": [
"Read",
"List",
"Tagging",
"Write"
]
},
{
"name": "user_limited_to_bucket1",
"credentials": [
{
"accessKey": "some_access_key4",
"secretKey": "some_secret_key4"
}
],
"actions": [
"Read:bucket1",
"List:bucket1",
"Tagging:bucket1",
"Write:bucket1"
]
}
]
}
`,
}
// runS3 is the entry point of the "s3" command. It loads the security
// configuration, starts the Prometheus metrics endpoint in the background
// and then blocks in startS3Server. The cmd and args parameters are unused.
func runS3(cmd *Command, args []string) bool {
	util.LoadSecurityConfiguration()

	// The metrics endpoint follows the S3 bind address unless an explicit
	// -metricsIp was given.
	explicitMetricsIp := *s3StandaloneOptions.metricsHttpIp != ""
	if !explicitMetricsIp && *s3StandaloneOptions.bindIp != "" {
		*s3StandaloneOptions.metricsHttpIp = *s3StandaloneOptions.bindIp
	}

	metricsIp, metricsPort := *s3StandaloneOptions.metricsHttpIp, *s3StandaloneOptions.metricsHttpPort
	go stats_collect.StartMetricsServer(metricsIp, metricsPort)

	return s3StandaloneOptions.startS3Server()
}
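// GetCertificateWithUpdate returns the current TLS certificate from the
// auto-refreshing certificate provider. It is wired into
// tls.Config.GetCertificate by startS3Server so that a rotated certificate
// and key on disk are picked up without restarting the server; the
// ClientHelloInfo argument is not consulted.
//
// Returns an error instead of panicking when the provider is not initialized,
// fails to supply key material, or supplies no certificates.
func (s3opt *S3Options) GetCertificateWithUpdate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if s3opt.certProvider == nil {
		return nil, fmt.Errorf("s3 tls certificate provider is not initialized")
	}
	km, err := s3opt.certProvider.KeyMaterial(context.Background())
	if err != nil {
		// The previous code dereferenced km before checking err; on a
		// provider error km is not usable, so fail the handshake cleanly.
		return nil, fmt.Errorf("get s3 tls key material: %w", err)
	}
	if km == nil || len(km.Certs) == 0 {
		return nil, fmt.Errorf("s3 tls certificate provider returned no certificates")
	}
	return &km.Certs[0], nil
}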
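// startS3Server connects to the filer, builds the S3 API handler and gRPC
// service, and serves them on the configured listeners. It blocks for the
// lifetime of the foreground HTTP(S) listener; configuration and listen
// failures terminate the process through glog.Fatalf. The return value is
// always true and exists only to satisfy the Command.Run signature.
//
// Fixes relative to the previous version: the client-certificate settings
// were read from the "server" command's s3Options instead of this receiver,
// so the standalone "s3" command silently ignored -cacert.file and
// -tlsVerifyClientCert; a failed https listener creation was ignored; and the
// serving goroutines all wrote to one shared err variable.
func (s3opt *S3Options) startS3Server() bool {
	filerAddress := pb.ServerAddress(*s3opt.filer)
	filerBucketsPath := "/buckets"
	filerGroup := ""
	grpcDialOption := security.LoadClientTLS(util.GetViper(), "grpc.client")

	// Block until the filer answers: its configuration tells us where the
	// buckets directory is and where to push metrics.
	var metricsAddress string
	var metricsIntervalSec int
	for {
		err := pb.WithGrpcFilerClient(false, 0, filerAddress, grpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
			resp, err := client.GetFilerConfiguration(context.Background(), &filer_pb.GetFilerConfigurationRequest{})
			if err != nil {
				return fmt.Errorf("get filer %s configuration: %v", filerAddress, err)
			}
			filerBucketsPath = resp.DirBuckets
			filerGroup = resp.FilerGroup
			metricsAddress, metricsIntervalSec = resp.MetricsAddress, int(resp.MetricsIntervalSec)
			glog.V(0).Infof("S3 read filer buckets dir: %s", filerBucketsPath)
			return nil
		})
		if err == nil {
			glog.V(0).Infof("connected to filer %s grpc address %s", *s3opt.filer, filerAddress.ToGrpcAddress())
			break
		}
		glog.V(0).Infof("wait to connect to filer %s grpc address %s", *s3opt.filer, filerAddress.ToGrpcAddress())
		time.Sleep(time.Second)
	}

	go stats_collect.LoopPushingMetric("s3", stats_collect.SourceName(uint32(*s3opt.port)), metricsAddress, metricsIntervalSec)

	router := mux.NewRouter().SkipClean(true)

	// localFilerSocket may be nil when this S3Options was not populated by
	// the standalone command's flag set.
	var localFilerSocket string
	if s3opt.localFilerSocket != nil {
		localFilerSocket = *s3opt.localFilerSocket
	}
	s3ApiServer, err := s3api.NewS3ApiServer(router, &s3api.S3ApiServerOption{
		Filer:                     filerAddress,
		Port:                      *s3opt.port,
		Config:                    *s3opt.config,
		DomainName:                *s3opt.domainName,
		AllowedOrigins:            strings.Split(*s3opt.allowedOrigins, ","),
		BucketsPath:               filerBucketsPath,
		GrpcDialOption:            grpcDialOption,
		AllowEmptyFolder:          *s3opt.allowEmptyFolder,
		AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
		LocalFilerSocket:          localFilerSocket,
		DataCenter:                *s3opt.dataCenter,
		FilerGroup:                filerGroup,
	})
	if err != nil {
		glog.Fatalf("S3 API Server startup error: %v", err)
	}

	httpS := &http.Server{Handler: router}

	// Derived defaults, filled in before anything reads them.
	if *s3opt.portGrpc == 0 {
		*s3opt.portGrpc = 10000 + *s3opt.port
	}
	if *s3opt.bindIp == "" {
		*s3opt.bindIp = "localhost"
	}

	if runtime.GOOS != "windows" {
		s3opt.serveOnLocalSocket(httpS)
	}

	listenAddress := fmt.Sprintf("%s:%d", *s3opt.bindIp, *s3opt.port)
	s3ApiListener, s3ApiLocalListener, err := util.NewIpAndLocalListeners(*s3opt.bindIp, *s3opt.port, 10*time.Second)
	if err != nil {
		glog.Fatalf("S3 API Server listener on %s error: %v", listenAddress, err)
	}

	if len(*s3opt.auditLogConfig) > 0 {
		s3err.InitAuditLog(*s3opt.auditLogConfig)
		if s3err.Logger != nil {
			defer s3err.Logger.Close()
		}
	}

	// gRPC service, with a local listener when the bind address allows one.
	grpcPort := *s3opt.portGrpc
	grpcL, grpcLocalL, err := util.NewIpAndLocalListeners(*s3opt.bindIp, grpcPort, 0)
	if err != nil {
		glog.Fatalf("s3 failed to listen on grpc port %d: %v", grpcPort, err)
	}
	grpcS := pb.NewGrpcServer(security.LoadServerTLS(util.GetViper(), "grpc.s3"))
	s3_pb.RegisterSeaweedS3Server(grpcS, s3ApiServer)
	reflection.Register(grpcS)
	if grpcLocalL != nil {
		go grpcS.Serve(grpcLocalL)
	}
	go grpcS.Serve(grpcL)

	if *s3opt.tlsPrivateKey != "" {
		httpS.TLSConfig = s3opt.buildTLSConfig()

		if *s3opt.portHttps == 0 {
			// TLS takes over the main port; plain HTTP is not served at all.
			glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port)
			if s3ApiLocalListener != nil {
				go s3ServeTLS(httpS, s3ApiLocalListener)
			}
			s3ServeTLS(httpS, s3ApiListener)
		} else {
			glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.portHttps)
			s3ApiListenerHttps, s3ApiLocalListenerHttps, err := util.NewIpAndLocalListeners(*s3opt.bindIp, *s3opt.portHttps, 10*time.Second)
			if err != nil {
				glog.Fatalf("S3 API Server https listener on %s:%d error: %v", *s3opt.bindIp, *s3opt.portHttps, err)
			}
			if s3ApiLocalListenerHttps != nil {
				go s3ServeTLS(httpS, s3ApiLocalListenerHttps)
			}
			go s3ServeTLS(httpS, s3ApiListenerHttps)
		}
	}

	// Plain HTTP is served when TLS is off, or alongside TLS when TLS has its
	// own port.
	if *s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0 {
		glog.V(0).Infof("Start Seaweed S3 API Server %s at http port %d", util.Version(), *s3opt.port)
		if s3ApiLocalListener != nil {
			go s3ServePlain(httpS, s3ApiLocalListener)
		}
		s3ServePlain(httpS, s3ApiListener)
	}

	return true
}

// serveOnLocalSocket serves httpS over plain HTTP on the configured unix
// socket (default /tmp/seaweedfs-s3-<port>.sock) in a background goroutine.
// A stale socket file from a previous run is removed first; any other removal
// or listen failure is fatal.
func (s3opt *S3Options) serveOnLocalSocket(httpS *http.Server) {
	localSocket := *s3opt.localSocket
	if localSocket == "" {
		localSocket = fmt.Sprintf("/tmp/seaweedfs-s3-%d.sock", *s3opt.port)
	}
	if err := os.Remove(localSocket); err != nil && !os.IsNotExist(err) {
		glog.Fatalf("Failed to remove %s, error: %s", localSocket, err.Error())
	}
	go func() {
		// start on local unix socket
		s3SocketListener, err := net.Listen("unix", localSocket)
		if err != nil {
			glog.Fatalf("Failed to listen on %s: %v", localSocket, err)
		}
		// Serve always returns a non-nil error; ErrServerClosed is the
		// orderly-shutdown case and not worth reporting.
		if err := httpS.Serve(s3SocketListener); err != nil && err != http.ErrServerClosed {
			glog.V(0).Infof("S3 API Server stopped serving on %s: %v", localSocket, err)
		}
	}()
}

// buildTLSConfig creates the server-side TLS configuration for the S3 HTTPS
// endpoint. The certificate is obtained through the auto-refreshing pemfile
// provider (see GetCertificateWithUpdate), so rotating the key and
// certificate files on disk does not require a restart. Client certificate
// verification is opt-in via -tlsVerifyClientCert and trusts only the CAs
// from -cacert.file. Misconfiguration is fatal.
func (s3opt *S3Options) buildTLSConfig() *tls.Config {
	pemfileOptions := pemfile.Options{
		CertFile:        *s3opt.tlsCertificate,
		KeyFile:         *s3opt.tlsPrivateKey,
		RefreshDuration: security.CredRefreshingInterval,
	}
	var err error
	if s3opt.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
		glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
	}

	// These settings must come from this receiver (s3opt); the previous code
	// read the "server" command's s3Options here, so the standalone "s3"
	// command never enforced the client-certificate flags it was given.
	caCertPool := x509.NewCertPool()
	if *s3opt.tlsCACertificate != "" {
		// load CA certificate file and add it to list of client CAs
		caCertFile, err := ioutil.ReadFile(*s3opt.tlsCACertificate)
		if err != nil {
			glog.Fatalf("error reading CA certificate: %v", err)
		}
		// An unparseable CA file would otherwise leave the pool empty and
		// reject every client certificate without saying why.
		if !caCertPool.AppendCertsFromPEM(caCertFile) {
			glog.Fatalf("no CA certificates found in %s", *s3opt.tlsCACertificate)
		}
	}

	clientAuth := tls.NoClientCert
	if *s3opt.tlsVerifyClientCert {
		if *s3opt.tlsCACertificate == "" {
			// With an explicit but empty ClientCAs pool no client certificate
			// can ever verify, so every handshake would fail.
			glog.Fatalf("-tlsVerifyClientCert requires -cacert.file")
		}
		clientAuth = tls.RequireAndVerifyClientCert
	}

	return &tls.Config{
		GetCertificate: s3opt.GetCertificateWithUpdate,
		ClientAuth:     clientAuth,
		ClientCAs:      caCertPool,
	}
}

// s3ServeTLS serves the S3 API over TLS on l and terminates the process when
// serving fails. The certificate and key file arguments are empty because
// httpS.TLSConfig supplies the certificate through GetCertificate.
func s3ServeTLS(httpS *http.Server, l net.Listener) {
	if err := httpS.ServeTLS(l, "", ""); err != nil {
		glog.Fatalf("S3 API Server Fail to serve: %v", err)
	}
}

// s3ServePlain serves the S3 API over plain HTTP on l and terminates the
// process when serving fails.
func s3ServePlain(httpS *http.Server, l net.Listener) {
	if err := httpS.Serve(l); err != nil {
		glog.Fatalf("S3 API Server Fail to serve: %v", err)
	}
}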