e4a77b8b16
* feat(security): add [admin] section to security.toml scaffold Add admin credential fields (user, password, readonly.user, readonly.password) to security.toml. Via viper's WEED_ env prefix and AutomaticEnv(), these are automatically overridable as WEED_ADMIN_USER, WEED_ADMIN_PASSWORD, etc. Ref: https://github.com/seaweedfs/seaweedfs/discussions/8586 * feat(admin): support env var and security.toml fallbacks for credentials Add applyViperFallback() to read admin credentials from security.toml / WEED_* environment variables when CLI flags are not explicitly set. This allows systems like NixOS to pass secrets via env vars instead of CLI flags, which appear in process listings. Precedence: CLI flag > env var / security.toml > default value. Also change -adminUser default from "admin" to "" so that credentials are fully opt-in. Ref: https://github.com/seaweedfs/seaweedfs/discussions/8586 * feat(helm): use WEED_ env vars for admin credentials instead of CLI flags Rename SEAWEEDFS_ADMIN_USER/PASSWORD to WEED_ADMIN_USER/PASSWORD so viper picks them up natively. Remove -adminUser/-adminPassword shell expansion from command args since the Go binary now reads these directly via viper. * docs(admin): document env var and security.toml credential support Add environment variable mapping table, security.toml example, and precedence rules to the admin README. * style(security): use nested [admin.readonly] table in security.toml Use a nested TOML table instead of dotted keys for the readonly credentials. More idiomatic and easier to read; no change in how Viper parses it. * fix(admin): use util.GetViper() for env var support and fix README example applyViperFallback() was using viper.GetString() directly, which bypasses the WEED_ env prefix and AutomaticEnv setup that only happens in util.GetViper(). Switch to util.GetViper().GetString() so WEED_ADMIN_* environment variables are actually picked up. Also fix the README example to include WEED_ADMIN_USER alongside WEED_ADMIN_PASSWORD, since runAdmin() rejects an empty username when a password is set. * fix(admin): restore default adminUser to "admin" Defaulting adminUser to "" broke the common flow of setting only WEED_ADMIN_PASSWORD — runAdmin() rejects an empty username when a password is set. Restore "admin" as the default so that setting only the password works out of the box. * docs(admin): align README security.toml example with scaffold format Use nested [admin.readonly] table instead of flat dotted keys to match the format in weed/command/scaffold/security.toml. * docs(admin): remove README.md in favor of wiki page Admin documentation lives at the wiki (Admin-UI.md). Remove the in-repo README to avoid maintaining duplicate docs. --------- Co-authored-by: Copilot <copilot@github.com>
184 lines
6.4 KiB
TOML
184 lines
6.4 KiB
TOML
# Put this file to one of the location, with descending priority
|
|
# ./security.toml
|
|
# $HOME/.seaweedfs/security.toml
|
|
# /etc/seaweedfs/security.toml
|
|
# this file is read by master, volume server, filer, and worker
|
|
|
|
# comma separated origins allowed to make requests to the filer and s3 gateway.
|
|
# enter in this format: https://domain.com, or http://localhost:port
|
|
[cors.allowed_origins]
|
|
values = "*"
|
|
|
|
# this jwt signing key is read by master and volume server, and it is used for write operations:
|
|
# - the Master server generates the JWT, which can be used to write a certain file on a volume server
|
|
# - the Volume server validates the JWT on writing
|
|
# the jwt defaults to expire after 10 seconds.
|
|
[jwt.signing]
|
|
key = ""
|
|
expires_after_seconds = 10 # seconds
|
|
|
|
# by default, if the signing key above is set, the Volume UI over HTTP is disabled.
|
|
# by setting ui.access to true, you can re-enable the Volume UI. Despite
|
|
# some information leakage (as the UI is not authenticated), this should not
|
|
# pose a security risk.
|
|
[access]
|
|
ui = false
|
|
|
|
# by default the filer UI is enabled. This can be a security risk if the filer is exposed to the public
|
|
# and the JWT for reads is not set. If you don't want the public to have access to the objects in your
|
|
# storage, and you haven't set the JWT for reads it is wise to disable access to directory metadata.
|
|
# This disables access to the Filer UI, and will no longer return directory metadata in GET requests.
|
|
[filer.expose_directory_metadata]
|
|
enabled = true
|
|
|
|
# this jwt signing key is read by master and volume server, and it is used for read operations:
|
|
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
|
|
# - the Volume server validates the JWT on reading
|
|
# NOTE: jwt for read is only supported with master+volume setup. Filer does not support this mode.
|
|
[jwt.signing.read]
|
|
key = ""
|
|
expires_after_seconds = 10 # seconds
|
|
|
|
|
|
# If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
|
|
# - f.e. the S3 API Shim generates the JWT
|
|
# - the Filer server validates the JWT on writing
|
|
# NOTE: This key is ALSO used as a fallback signing key for S3 STS if s3.iam.config does not specify a signingKey.
|
|
# the jwt defaults to expire after 10 seconds.
|
|
[jwt.filer_signing]
|
|
key = ""
|
|
expires_after_seconds = 10 # seconds
|
|
|
|
# If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
|
|
# - f.e. the S3 API Shim generates the JWT
|
|
# - the Filer server validates the JWT on reading
|
|
# the jwt defaults to expire after 10 seconds.
|
|
[jwt.filer_signing.read]
|
|
key = ""
|
|
expires_after_seconds = 10 # seconds
|
|
|
|
# gRPC mTLS configuration
|
|
# All gRPC TLS authentications are mutual (mTLS)
|
|
# The values for ca, cert, and key are paths to the certificate/key files
|
|
# The host name is not checked, so the certificate files can be shared
|
|
[grpc]
|
|
ca = ""
|
|
# Set wildcard domain for enable TLS authentication by common names
|
|
allowed_wildcard_domain = "" # .mycompany.com
|
|
|
|
# Volume server gRPC options (server-side)
|
|
# Enables mTLS for incoming gRPC connections to volume server
|
|
[grpc.volume]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
# Master server gRPC options (server-side)
|
|
# Enables mTLS for incoming gRPC connections to master server
|
|
[grpc.master]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
# Filer server gRPC options (server-side)
|
|
# Enables mTLS for incoming gRPC connections to filer server
|
|
[grpc.filer]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
# S3 server gRPC options (server-side)
|
|
# Enables mTLS for incoming gRPC connections to S3 server
|
|
[grpc.s3]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
[grpc.msg_broker]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
[grpc.msg_agent]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
[grpc.admin]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
[grpc.worker]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
[grpc.mq]
|
|
cert = ""
|
|
key = ""
|
|
allowed_commonNames = "" # comma-separated SSL certificate common names
|
|
|
|
# gRPC client configuration for outgoing gRPC connections
|
|
# Used by clients (S3, mount, backup, benchmark, filer.copy, filer.replicate, upload, etc.)
|
|
# when connecting to any gRPC server (master, volume, filer)
|
|
[grpc.client]
|
|
cert = ""
|
|
key = ""
|
|
|
|
# HTTPS client configuration for outgoing HTTP connections
|
|
# Used by S3, mount, filer.copy, backup, and other clients when communicating with master/volume/filer
|
|
# Set enabled=true to use HTTPS instead of HTTP for data operations (separate from gRPC)
|
|
# If [https.filer] or [https.volume] are enabled on servers, clients must have [https.client] enabled=true
|
|
[https.client]
|
|
enabled = false # Set to true to enable HTTPS for all outgoing HTTP client connections
|
|
cert = "" # Client certificate for mTLS (optional if server doesn't require client cert)
|
|
key = "" # Client key for mTLS (optional if server doesn't require client cert)
|
|
ca = "" # CA certificate to verify server certificates (required when enabled=true)
|
|
|
|
# Volume server HTTPS options (server-side)
|
|
# Enables HTTPS for incoming HTTP connections to volume server
|
|
[https.volume]
|
|
cert = ""
|
|
key = ""
|
|
ca = ""
|
|
|
|
# Master server HTTPS options (server-side)
|
|
# Enables HTTPS for incoming HTTP connections to master server (web UI, HTTP API)
|
|
[https.master]
|
|
cert = ""
|
|
key = ""
|
|
ca = ""
|
|
|
|
# Filer server HTTPS options (server-side)
|
|
# Enables HTTPS for incoming HTTP connections to filer server (web UI, HTTP API)
|
|
[https.filer]
|
|
cert = ""
|
|
key = ""
|
|
ca = ""
|
|
# disable_tls_verify_client_cert = true|false (default: false)
|
|
|
|
# Admin server HTTPS options (server-side)
|
|
# Enables HTTPS for incoming HTTP connections to admin server
|
|
[https.admin]
|
|
cert = ""
|
|
key = ""
|
|
ca = ""
|
|
|
|
# Admin server authentication
|
|
# If password is set, users must login to access the admin interface
|
|
# These can be overridden by environment variables with WEED_ prefix:
|
|
# WEED_ADMIN_USER, WEED_ADMIN_PASSWORD
|
|
# WEED_ADMIN_READONLY_USER, WEED_ADMIN_READONLY_PASSWORD
|
|
[admin]
|
|
user = ""
|
|
password = ""
|
|
|
|
[admin.readonly]
|
|
user = ""
|
|
password = ""
|
|
|
|
# white list. It's checking request ip address.
|
|
[guard]
|
|
white_list = ""
|