gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix Filer startup failure due to JWT on / path #8149 (#8167)

Browse Source 
* fix Filer startup failure due to JWT on / path #8149

- Comment out JWT keys in security.toml.example
- Revert Dockerfile.local change that enabled security by default
- Exempt GET/HEAD on / from JWT check for health checks

* refactor: simplify JWT bypass condition as per PR feedback
This commit is contained in:
Chris Lu
2026-01-29 21:45:15 -08:00
committed by GitHub
parent 23c25379ca
commit 6940b7d06e
4 changed files with 24 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docker/Dockerfile.local
View File

@@ -4,7 +4,6 @@ COPY ./weed /usr/bin/weed
RUN chmod +x /usr/bin/weed && ls -la /usr/bin/weed RUN chmod +x /usr/bin/weed && ls -la /usr/bin/weed
RUN mkdir -p /etc/seaweedfs RUN mkdir -p /etc/seaweedfs
COPY ./filer.toml /etc/seaweedfs/filer.toml COPY ./filer.toml /etc/seaweedfs/filer.toml
COPY ./security.toml.example /etc/seaweedfs/security.toml
COPY ./entrypoint.sh /entrypoint.sh COPY ./entrypoint.sh /entrypoint.sh
# Install dependencies and create non-root user # Install dependencies and create non-root user

16
docker/security.toml.example
View File

@@ -13,22 +13,22 @@ values = "*"
# - the Master server generates the JWT, which can be used to write a certain file on a volume server # - the Master server generates the JWT, which can be used to write a certain file on a volume server
# - the Volume server validates the JWT on writing # - the Volume server validates the JWT on writing
# the jwt defaults to expire after 10 seconds. # the jwt defaults to expire after 10 seconds.
[jwt.signing] # [jwt.signing]
key = "V1JJVEVTRUNSRVRFWEFNUExFMTIzNDU2Nzg5MDEy" # Example: WRITESECRETEXAMPLE123456789012 # key = "V1JJVEVTRUNSRVRFWEFNUExFMTIzNDU2Nzg5MDEy" # Example: WRITESECRETEXAMPLE123456789012
# this jwt signing key is read by master and volume server, and it is used for read operations: # this jwt signing key is read by master and volume server, and it is used for read operations:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server # - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading # - the Volume server validates the JWT on reading
[jwt.signing.read] # [jwt.signing.read]
key = "UkVBRFNFQ1JFVUVYQU1QTEUxMjM0NTY3ODkwMTI=" # Example: READSECRETEXAMPLE123456789012 # key = "UkVBRFNFQ1JFVUVYQU1QTEUxMjM0NTY3ODkwMTI=" # Example: READSECRETEXAMPLE123456789012
# If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT: # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT # - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing # - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds. # the jwt defaults to expire after 10 seconds.
[jwt.filer_signing] # [jwt.filer_signing]
key = "RklMRVJXUklURVNFQ1JFVEVYQU1QTEUxMjM0NTY3OA==" # Example: FILERWRITESECRETEXAMPLE12345678 # key = "RklMRVJXUklURVNFQ1JFVEVYQU1QTEUxMjM0NTY3OA==" # Example: FILERWRITESECRETEXAMPLE12345678
# If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT: # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT # - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on reading # - the Filer server validates the JWT on reading
# the jwt defaults to expire after 10 seconds. # the jwt defaults to expire after 10 seconds.
[jwt.filer_signing.read] # [jwt.filer_signing.read]
key = "RklMRVJSRUFEU0VDUkVURVhBTVBMRTEyMzQ1Njc4OQ==" # Example: FILERREADSECRETEXAMPLE123456789 # key = "RklMRVJSRUFEU0VDUkVURVhBTVBMRTEyMzQ1Njc4OQ==" # Example: FILERREADSECRETEXAMPLE123456789

12
weed/server/filer_jwt_test.go
View File

@@ -119,7 +119,15 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
method: "GET", method: "GET",
path: "/", path: "/",
isWrite: false, isWrite: false,
expectAuthorized: false, expectAuthorized: true,
},
{
name: "root path without token",
token: "",
method: "GET",
path: "/",
isWrite: false,
expectAuthorized: true,
}, },
{ {
name: "exact prefix match", name: "exact prefix match",
@@ -134,7 +142,9 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest(tt.method, tt.path, nil) req := httptest.NewRequest(tt.method, tt.path, nil)
if tt.token != "" {
req.Header.Set("Authorization", "Bearer "+tt.token) req.Header.Set("Authorization", "Bearer "+tt.token)
}
if authorized := fs.maybeCheckJwtAuthorization(req, tt.isWrite); authorized != tt.expectAuthorized { if authorized := fs.maybeCheckJwtAuthorization(req, tt.isWrite); authorized != tt.expectAuthorized {
t.Errorf("expected authorized=%v, got %v", tt.expectAuthorized, authorized) t.Errorf("expected authorized=%v, got %v", tt.expectAuthorized, authorized)
} }

4
weed/server/filer_server_handlers.go
View File

@@ -211,6 +211,10 @@ func OptionsHandler(w http.ResponseWriter, r *http.Request, isReadOnly bool) {
// maybeCheckJwtAuthorization returns true if access should be granted, false if it should be denied // maybeCheckJwtAuthorization returns true if access should be granted, false if it should be denied
func (fs *FilerServer) maybeCheckJwtAuthorization(r *http.Request, isWrite bool) bool { func (fs *FilerServer) maybeCheckJwtAuthorization(r *http.Request, isWrite bool) bool {
if !isWrite && r.URL.Path == "/" {
return true
}
var signingKey security.SigningKey var signingKey security.SigningKey
if isWrite { if isWrite {