Add credential storage (#6938)

* add credential store interface * load credential.toml * lint * create credentialManager with explicit store type * add type name * InitializeCredentialManager * remove unused functions * fix missing import * fix import * fix nil configuration
2025-07-02 18:03:17 -07:00
parent 6b706f9ccd
commit 1db7c2b8aa
23 changed files with 3656 additions and 288 deletions
--- a/weed/credential/filer_etc/filer_etc_store.go
+++ b/weed/credential/filer_etc/filer_etc_store.go
@@ -0,0 +1,235 @@
+package filer_etc
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	"github.com/seaweedfs/seaweedfs/weed/credential"
+	"github.com/seaweedfs/seaweedfs/weed/filer"
+	"github.com/seaweedfs/seaweedfs/weed/pb"
+	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
+	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
+	"github.com/seaweedfs/seaweedfs/weed/util"
+	"google.golang.org/grpc"
+)
+
+func init() {
+	credential.Stores = append(credential.Stores, &FilerEtcStore{})
+}
+
+// FilerEtcStore implements CredentialStore using SeaweedFS filer for storage
+type FilerEtcStore struct {
+	filerGrpcAddress string
+	grpcDialOption   grpc.DialOption
+}
+
+func (store *FilerEtcStore) GetName() credential.CredentialStoreTypeName {
+	return credential.StoreTypeFilerEtc
+}
+
+func (store *FilerEtcStore) Initialize(configuration util.Configuration, prefix string) error {
+	// Handle nil configuration gracefully
+	if configuration != nil {
+		store.filerGrpcAddress = configuration.GetString(prefix + "filer")
+		// TODO: Initialize grpcDialOption based on configuration
+	}
+	// Note: filerGrpcAddress can be set later via SetFilerClient method
+	return nil
+}
+
+// SetFilerClient sets the filer client details for the file store
+func (store *FilerEtcStore) SetFilerClient(filerAddress string, grpcDialOption grpc.DialOption) {
+	store.filerGrpcAddress = filerAddress
+	store.grpcDialOption = grpcDialOption
+}
+
+// withFilerClient executes a function with a filer client
+func (store *FilerEtcStore) withFilerClient(fn func(client filer_pb.SeaweedFilerClient) error) error {
+	if store.filerGrpcAddress == "" {
+		return fmt.Errorf("filer address not configured")
+	}
+
+	// Use the pb.WithGrpcFilerClient helper similar to existing code
+	return pb.WithGrpcFilerClient(false, 0, pb.ServerAddress(store.filerGrpcAddress), store.grpcDialOption, fn)
+}
+
+func (store *FilerEtcStore) LoadConfiguration(ctx context.Context) (*iam_pb.S3ApiConfiguration, error) {
+	s3cfg := &iam_pb.S3ApiConfiguration{}
+
+	err := store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ReadEntry(nil, client, filer.IamConfigDirectory, filer.IamIdentityFile, &buf); err != nil {
+			if err != filer_pb.ErrNotFound {
+				return err
+			}
+		}
+		if buf.Len() > 0 {
+			return filer.ParseS3ConfigurationFromBytes(buf.Bytes(), s3cfg)
+		}
+		return nil
+	})
+
+	return s3cfg, err
+}
+
+func (store *FilerEtcStore) SaveConfiguration(ctx context.Context, config *iam_pb.S3ApiConfiguration) error {
+	return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+		var buf bytes.Buffer
+		if err := filer.ProtoToText(&buf, config); err != nil {
+			return fmt.Errorf("failed to marshal configuration: %v", err)
+		}
+		return filer.SaveInsideFiler(client, filer.IamConfigDirectory, filer.IamIdentityFile, buf.Bytes())
+	})
+}
+
+func (store *FilerEtcStore) CreateUser(ctx context.Context, identity *iam_pb.Identity) error {
+	// Load existing configuration
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	// Check if user already exists
+	for _, existingIdentity := range config.Identities {
+		if existingIdentity.Name == identity.Name {
+			return credential.ErrUserAlreadyExists
+		}
+	}
+
+	// Add new identity
+	config.Identities = append(config.Identities, identity)
+
+	// Save configuration
+	return store.SaveConfiguration(ctx, config)
+}
+
+func (store *FilerEtcStore) GetUser(ctx context.Context, username string) (*iam_pb.Identity, error) {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	for _, identity := range config.Identities {
+		if identity.Name == username {
+			return identity, nil
+		}
+	}
+
+	return nil, credential.ErrUserNotFound
+}
+
+func (store *FilerEtcStore) UpdateUser(ctx context.Context, username string, identity *iam_pb.Identity) error {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	// Find and update the user
+	for i, existingIdentity := range config.Identities {
+		if existingIdentity.Name == username {
+			config.Identities[i] = identity
+			return store.SaveConfiguration(ctx, config)
+		}
+	}
+
+	return credential.ErrUserNotFound
+}
+
+func (store *FilerEtcStore) DeleteUser(ctx context.Context, username string) error {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	// Find and remove the user
+	for i, identity := range config.Identities {
+		if identity.Name == username {
+			config.Identities = append(config.Identities[:i], config.Identities[i+1:]...)
+			return store.SaveConfiguration(ctx, config)
+		}
+	}
+
+	return credential.ErrUserNotFound
+}
+
+func (store *FilerEtcStore) ListUsers(ctx context.Context) ([]string, error) {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	var usernames []string
+	for _, identity := range config.Identities {
+		usernames = append(usernames, identity.Name)
+	}
+
+	return usernames, nil
+}
+
+func (store *FilerEtcStore) GetUserByAccessKey(ctx context.Context, accessKey string) (*iam_pb.Identity, error) {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	for _, identity := range config.Identities {
+		for _, credential := range identity.Credentials {
+			if credential.AccessKey == accessKey {
+				return identity, nil
+			}
+		}
+	}
+
+	return nil, credential.ErrAccessKeyNotFound
+}
+
+func (store *FilerEtcStore) CreateAccessKey(ctx context.Context, username string, cred *iam_pb.Credential) error {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	// Find the user and add the credential
+	for _, identity := range config.Identities {
+		if identity.Name == username {
+			// Check if access key already exists
+			for _, existingCred := range identity.Credentials {
+				if existingCred.AccessKey == cred.AccessKey {
+					return fmt.Errorf("access key %s already exists", cred.AccessKey)
+				}
+			}
+
+			identity.Credentials = append(identity.Credentials, cred)
+			return store.SaveConfiguration(ctx, config)
+		}
+	}
+
+	return credential.ErrUserNotFound
+}
+
+func (store *FilerEtcStore) DeleteAccessKey(ctx context.Context, username string, accessKey string) error {
+	config, err := store.LoadConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load configuration: %v", err)
+	}
+
+	// Find the user and remove the credential
+	for _, identity := range config.Identities {
+		if identity.Name == username {
+			for i, cred := range identity.Credentials {
+				if cred.AccessKey == accessKey {
+					identity.Credentials = append(identity.Credentials[:i], identity.Credentials[i+1:]...)
+					return store.SaveConfiguration(ctx, config)
+				}
+			}
+			return credential.ErrAccessKeyNotFound
+		}
+	}
+
+	return credential.ErrUserNotFound
+}
+
+func (store *FilerEtcStore) Shutdown() {
+	// No cleanup needed for file store
+}