mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
328133d3ffd89d4095e66cf5139ab8274ea84e3b
object-browser/restapi/user_buckets_events.go
Lenin Alevski 1e7f272a67 MCS service account authentication with Mkube (#166) 
`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)

Kubernetes

The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI

Extract the Service account token and use it with MCS

For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```

Self-signed certificates and Custom certificate authority for Mkube

If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable

````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````
2020-06-23 11:37:46 -07:00

244 lines
9.0 KiB
Go
Raw Blame History

// This file is part of MinIO Console Server
// Copyright (c) 2020 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package restapi
import (
"log"
"strings"
"github.com/go-openapi/runtime/middleware"
"github.com/go-openapi/swag"
"github.com/minio/mcs/models"
"github.com/minio/mcs/pkg/auth"
"github.com/minio/mcs/restapi/operations"
"github.com/minio/mcs/restapi/operations/user_api"
"github.com/minio/minio-go/v6"
)
func registerBucketEventsHandlers(api *operations.McsAPI) {
// list bucket events
api.UserAPIListBucketEventsHandler = user_api.ListBucketEventsHandlerFunc(func(params user_api.ListBucketEventsParams, principal *models.Principal) middleware.Responder {
sessionID := string(*principal)
listBucketEventsResponse, err := getListBucketEventsResponse(sessionID, params)
if err != nil {
return user_api.NewListBucketEventsDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
}
return user_api.NewListBucketEventsOK().WithPayload(listBucketEventsResponse)
})
// create bucket event
api.UserAPICreateBucketEventHandler = user_api.CreateBucketEventHandlerFunc(func(params user_api.CreateBucketEventParams, principal *models.Principal) middleware.Responder {
sessionID := string(*principal)
if err := getCreateBucketEventsResponse(sessionID, params.BucketName, params.Body); err != nil {
return user_api.NewCreateBucketEventDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
}
return user_api.NewCreateBucketEventCreated()
})
// delete bucket event
api.UserAPIDeleteBucketEventHandler = user_api.DeleteBucketEventHandlerFunc(func(params user_api.DeleteBucketEventParams, principal *models.Principal) middleware.Responder {
sessionID := string(*principal)
if err := getDeleteBucketEventsResponse(sessionID, params.BucketName, params.Arn, params.Body.Events, params.Body.Prefix, params.Body.Suffix); err != nil {
return user_api.NewDeleteBucketEventDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
}
return user_api.NewDeleteBucketEventNoContent()
})
}
// listBucketEvents fetches a list of all events set for a bucket and serializes them for a proper output
func listBucketEvents(client MinioClient, bucketName string) ([]*models.NotificationConfig, error) {
var configs []*models.NotificationConfig
bn, err := client.getBucketNotification(bucketName)
if err != nil {
return nil, err
}
// Generate pretty event names from event types
prettyEventNames := func(eventsTypes []minio.NotificationEventType) []models.NotificationEventType {
var result []models.NotificationEventType
for _, eventType := range eventsTypes {
var eventTypePretty models.NotificationEventType
switch eventType {
case minio.ObjectAccessedAll:
eventTypePretty = models.NotificationEventTypeGet
case minio.ObjectCreatedAll:
eventTypePretty = models.NotificationEventTypePut
case minio.ObjectRemovedAll:
eventTypePretty = models.NotificationEventTypeDelete
}
result = append(result, eventTypePretty)
}
return result
}
// part of implementation taken from minio/mc
// s3Client.ListNotificationConfigs()... to serialize configurations
getFilters := func(config minio.NotificationConfig) (prefix, suffix string) {
if config.Filter == nil {
return
}
for _, filter := range config.Filter.S3Key.FilterRules {
if strings.ToLower(filter.Name) == "prefix" {
prefix = filter.Value
}
if strings.ToLower(filter.Name) == "suffix" {
suffix = filter.Value
}
}
return prefix, suffix
}
for _, config := range bn.TopicConfigs {
prefix, suffix := getFilters(config.NotificationConfig)
configs = append(configs, &models.NotificationConfig{ID: config.ID,
Arn: swag.String(config.Topic),
Events: prettyEventNames(config.Events),
Prefix: prefix,
Suffix: suffix})
}
for _, config := range bn.QueueConfigs {
prefix, suffix := getFilters(config.NotificationConfig)
configs = append(configs, &models.NotificationConfig{ID: config.ID,
Arn: swag.String(config.Queue),
Events: prettyEventNames(config.Events),
Prefix: prefix,
Suffix: suffix})
}
for _, config := range bn.LambdaConfigs {
prefix, suffix := getFilters(config.NotificationConfig)
configs = append(configs, &models.NotificationConfig{ID: config.ID,
Arn: swag.String(config.Lambda),
Events: prettyEventNames(config.Events),
Prefix: prefix,
Suffix: suffix})
}
return configs, nil
}
// getListBucketsResponse performs listBucketEvents() and serializes it to the handler's output
func getListBucketEventsResponse(sessionID string, params user_api.ListBucketEventsParams) (*models.ListBucketEventsResponse, error) {
mClient, err := newMinioClient(sessionID)
if err != nil {
log.Println("error creating MinIO Client:", err)
return nil, err
}
// create a minioClient interface implementation
// defining the client to be used
minioClient := minioClient{client: mClient}
bucketEvents, err := listBucketEvents(minioClient, params.BucketName)
if err != nil {
log.Println("error listing bucket events:", err)
return nil, err
}
// serialize output
listBucketsResponse := &models.ListBucketEventsResponse{
Events: bucketEvents,
Total: int64(len(bucketEvents)),
}
return listBucketsResponse, nil
}
// createBucketEvent calls mc AddNotificationConfig() to create a bucket nofication
//
// If notificationEvents is empty, by default will set [get, put, delete], else the provided
// ones will be set.
// this function follows same behavior as minio/mc for adding a bucket event
func createBucketEvent(client MCS3Client, arn string, notificationEvents []models.NotificationEventType, prefix, suffix string, ignoreExisting bool) error {
var events []string
if len(notificationEvents) == 0 {
// default event values are [get, put, delete]
events = []string{
string(models.NotificationEventTypeGet),
string(models.NotificationEventTypePut),
string(models.NotificationEventTypeDelete),
}
} else {
// else use defined events in request
// cast type models.NotificationEventType to string
for _, e := range notificationEvents {
events = append(events, string(e))
}
}
perr := client.addNotificationConfig(arn, events, prefix, suffix, ignoreExisting)
if perr != nil {
return perr.Cause
}
return nil
}
// getCreateBucketEventsResponse calls createBucketEvent to add a bucket event notification
func getCreateBucketEventsResponse(sessionID, bucketName string, eventReq *models.BucketEventRequest) error {
claims, err := auth.JWTAuthenticate(sessionID)
if err != nil {
return err
}
s3Client, err := newS3BucketClient(claims, bucketName)
if err != nil {
log.Println("error creating S3Client:", err)
return err
}
// create a mc S3Client interface implementation
// defining the client to be used
mcS3Client := mcS3Client{client: s3Client}
err = createBucketEvent(mcS3Client, *eventReq.Configuration.Arn, eventReq.Configuration.Events, eventReq.Configuration.Prefix, eventReq.Configuration.Suffix, eventReq.IgnoreExisting)
if err != nil {
log.Println("error creating bucket event:", err)
return err
}
return nil
}
// deleteBucketEventNotification calls S3Client.RemoveNotificationConfig to remove a bucket event notification
func deleteBucketEventNotification(client MCS3Client, arn string, events []models.NotificationEventType, prefix, suffix *string) error {
eventSingleString := joinNotificationEvents(events)
perr := client.removeNotificationConfig(arn, eventSingleString, *prefix, *suffix)
if perr != nil {
return perr.Cause
}
return nil
}
func joinNotificationEvents(events []models.NotificationEventType) string {
var eventsArn []string
for _, e := range events {
eventsArn = append(eventsArn, string(e))
}
return strings.Join(eventsArn, ",")
}
// getDeleteBucketEventsResponse calls deleteBucketEventNotification() to delete a bucket event notification
func getDeleteBucketEventsResponse(sessionID, bucketName string, arn string, events []models.NotificationEventType, prefix, suffix *string) error {
claims, err := auth.JWTAuthenticate(sessionID)
if err != nil {
return err
}
s3Client, err := newS3BucketClient(claims, bucketName)
if err != nil {
log.Println("error creating S3Client:", err)
return err
}
// create a mc S3Client interface implementation
// defining the client to be used
mcS3Client := mcS3Client{client: s3Client}
err = deleteBucketEventNotification(mcS3Client, arn, events, prefix, suffix)
if err != nil {
log.Println("error deleting bucket event:", err)
return err
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink