ee8242d72a
This PR adds the following features:
- Allow user to provide its own keypair certificates for enable TLS in
MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
encrypted session tokens
Enable TLS between client and MinIO with user provided certificates
Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`
Enable encryption at rest configuring KES
User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.
eg of body request for create-tenant
```
{
"name": "honeywell",
"access_key": "minio",
"secret_key": "minio123",
"enable_mcs": false,
"enable_ssl": false,
"service_name": "honeywell",
"zones": [
{
"name": "honeywell-zone-1",
"servers": 1,
"volumes_per_server": 4,
"volume_configuration": {
"size": 256000000,
"storage_class": "vsan-default-storage-policy"
}
}
],
"namespace": "default",
"tls": {
"tls.crt": "",
"tls.key": ""
},
"encryption": {
"server": {
"tls.crt": "",
"tls.key": ""
},
"client": {
"tls.crt": "",
"tls.key": ""
},
"vault": {
"endpoint": "http://vault:8200",
"prefix": "",
"approle": {
"id": "",
"secret": ""
}
}
}
}
```
49 lines
1.7 KiB
Go
49 lines
1.7 KiB
Go
// This file is part of MinIO Console Server
|
|
// Copyright (c) 2020 MinIO, Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package token
|
|
|
|
import (
|
|
"strconv"
|
|
|
|
"github.com/minio/console/pkg/auth/utils"
|
|
"github.com/minio/minio/pkg/env"
|
|
)
|
|
|
|
// ConsoleSTSAndJWTDurationSeconds returns the default session duration for the STS requested tokens and the generated JWTs.
|
|
// Ideally both values should match so jwt and Minio sts sessions expires at the same time.
|
|
func GetConsoleSTSAndJWTDurationInSeconds() int {
|
|
duration, err := strconv.Atoi(env.Get(ConsoleSTSAndJWTDurationSeconds, "3600"))
|
|
if err != nil {
|
|
duration = 3600
|
|
}
|
|
return duration
|
|
}
|
|
|
|
var defaultPBKDFPassphrase = utils.RandomCharString(64)
|
|
|
|
// GetPBKDFPassphrase returns passphrase for the pbkdf2 function used to encrypt JWT payload
|
|
func GetPBKDFPassphrase() string {
|
|
return env.Get(ConsolePBKDFPassphrase, defaultPBKDFPassphrase)
|
|
}
|
|
|
|
var defaultPBKDFSalt = utils.RandomCharString(64)
|
|
|
|
// GetPBKDFSalt returns salt for the pbkdf2 function used to encrypt JWT payload
|
|
func GetPBKDFSalt() string {
|
|
return env.Get(ConsolePBKDFSalt, defaultPBKDFSalt)
|
|
}
|