minio/cmd/browser-peer-rpc.go

/*
 * Minio Cloud Storage, (C) 2016 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"path"
	"sync"
	"time"
)

// Login handler implements JWT login token generator, which upon login request
// along with username and password is generated.
func (br *browserPeerAPIHandlers) Login(args *LoginRPCArgs, reply *LoginRPCReply) error {
	// Validate LoginRPCArgs
	if err := args.IsValid(); err != nil {
		return err
	}

	// Authenticate using JWT.
	token, err := authenticateWeb(args.Username, args.Password)
	if err != nil {
		return err
	}

	// Return the token.
	reply.AuthToken = token

	return nil
}

// SetAuthPeerArgs - Arguments collection for SetAuth RPC call
type SetAuthPeerArgs struct {
	// For Auth
	AuthRPCArgs

	// New credentials that receiving peer should update to.
	Creds credential
}

// SetAuthPeer - Update to new credentials sent from a peer Minio
// server. Since credentials are already validated on the sending
// peer, here we just persist to file and update in-memory config. All
// subsequently running isAuthTokenValid() calls will fail, and clients
// will be forced to re-establish connections. Connections will be
// re-established only when the sending client has also updated its
// credentials.
func (br *browserPeerAPIHandlers) SetAuthPeer(args SetAuthPeerArgs, reply *AuthRPCReply) error {
	if err := args.IsAuthenticated(); err != nil {
		return err
	}

	if err := validateAuthKeys(args.Creds.AccessKey, args.Creds.SecretKey); err != nil {
		return err
	}

	// Update credentials in memory
	serverConfig.SetCredential(args.Creds)

	// Save credentials to config file
	if err := serverConfig.Save(); err != nil {
		errorIf(err, "Error updating config file with new credentials sent from browser RPC.")
		return err
	}

	return nil
}

// Sends SetAuthPeer RPCs to all peers in the Minio cluster
func updateCredsOnPeers(creds credential) map[string]error {
	// Get list of peer addresses (from globalS3Peers)
	peers := []string{}
	for _, p := range globalS3Peers {
		peers = append(peers, p.addr)
	}

	// Array of errors for each peer
	errs := make([]error, len(peers))
	var wg sync.WaitGroup

	serverCred := serverConfig.GetCredential()
	// Launch go routines to send request to each peer in parallel.
	for ix := range peers {
		wg.Add(1)
		go func(ix int) {
			defer wg.Done()

			// Exclude self to avoid race with
			// invalidating the RPC token.
			if peers[ix] == globalMinioAddr {
				errs[ix] = nil
				return
			}

			// Initialize client
			client := newAuthRPCClient(authConfig{
				accessKey:       serverCred.AccessKey,
				secretKey:       serverCred.SecretKey,
				serverAddr:      peers[ix],
				secureConn:      globalIsSSL,
				serviceEndpoint: path.Join(minioReservedBucketPath, browserPeerPath),
				serviceName:     "BrowserPeer",
			})

			// Construct RPC call arguments.
			args := SetAuthPeerArgs{Creds: creds}

			// Make RPC call - we only care about error
			// response and not the reply.
			err := client.Call("BrowserPeer.SetAuthPeer", &args, &AuthRPCReply{})

			// We try a bit hard (3 attempts with 1 second delay)
			// to set creds on peers in case of failure.
			if err != nil {
				for i := 0; i < 2; i++ {
					time.Sleep(1 * time.Second) // 1 second delay.
					err = client.Call("BrowserPeer.SetAuthPeer", &args, &AuthRPCReply{})
					if err == nil {
						break
					}
				}
			}

			// Send result down the channel
			errs[ix] = err
		}(ix)
	}

	// Wait for requests to complete.
	wg.Wait()

	// Put errors into map.
	errsMap := make(map[string]error)
	for i, err := range errs {
		if err != nil {
			errsMap[peers[i]] = err
		}
	}

	return errsMap
}
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`/*`
tests: Add tests for browser peer rpc. Fixes #3062 (#3189) 2016-11-08 03:43:35 +08:00			`* Minio Cloud Storage, (C) 2016 Minio, Inc.`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"path"`
			`"sync"`
			`"time"`
			`)`

tests: Add tests for browser peer rpc. Fixes #3062 (#3189) 2016-11-08 03:43:35 +08:00			`// Login handler implements JWT login token generator, which upon login request`
			`// along with username and password is generated.`
Adopt dsync interface changes and major cleanup on RPC server/client. * Rename GenericArgs to AuthRPCArgs * Rename GenericReply to AuthRPCReply * Remove authConfig.loginMethod and add authConfig.ServiceName * Rename loginServer to AuthRPCServer * Rename RPCLoginArgs to LoginRPCArgs * Rename RPCLoginReply to LoginRPCReply * Version and RequestTime are added to LoginRPCArgs and verified by server side, not client side. * Fix data race in lockMaintainence loop. 2016-12-23 23:12:19 +08:00			`func (br browserPeerAPIHandlers) Login(args LoginRPCArgs, reply *LoginRPCReply) error {`
			`// Validate LoginRPCArgs`
			`if err := args.IsValid(); err != nil {`
			`return err`
			`}`

			`// Authenticate using JWT.`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`token, err := authenticateWeb(args.Username, args.Password)`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`if err != nil {`
			`return err`
			`}`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00
Adopt dsync interface changes and major cleanup on RPC server/client. * Rename GenericArgs to AuthRPCArgs * Rename GenericReply to AuthRPCReply * Remove authConfig.loginMethod and add authConfig.ServiceName * Rename loginServer to AuthRPCServer * Rename RPCLoginArgs to LoginRPCArgs * Rename RPCLoginReply to LoginRPCReply * Version and RequestTime are added to LoginRPCArgs and verified by server side, not client side. * Fix data race in lockMaintainence loop. 2016-12-23 23:12:19 +08:00			`// Return the token.`
			`reply.AuthToken = token`

Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`return nil`
			`}`

			`// SetAuthPeerArgs - Arguments collection for SetAuth RPC call`
			`type SetAuthPeerArgs struct {`
			`// For Auth`
Adopt dsync interface changes and major cleanup on RPC server/client. * Rename GenericArgs to AuthRPCArgs * Rename GenericReply to AuthRPCReply * Remove authConfig.loginMethod and add authConfig.ServiceName * Rename loginServer to AuthRPCServer * Rename RPCLoginArgs to LoginRPCArgs * Rename RPCLoginReply to LoginRPCReply * Version and RequestTime are added to LoginRPCArgs and verified by server side, not client side. * Fix data race in lockMaintainence loop. 2016-12-23 23:12:19 +08:00			`AuthRPCArgs`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00
			`// New credentials that receiving peer should update to.`
			`Creds credential`
			`}`

			`// SetAuthPeer - Update to new credentials sent from a peer Minio`
			`// server. Since credentials are already validated on the sending`
			`// peer, here we just persist to file and update in-memory config. All`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`// subsequently running isAuthTokenValid() calls will fail, and clients`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`// will be forced to re-establish connections. Connections will be`
			`// re-established only when the sending client has also updated its`
			`// credentials.`
Adopt dsync interface changes and major cleanup on RPC server/client. * Rename GenericArgs to AuthRPCArgs * Rename GenericReply to AuthRPCReply * Remove authConfig.loginMethod and add authConfig.ServiceName * Rename loginServer to AuthRPCServer * Rename RPCLoginArgs to LoginRPCArgs * Rename RPCLoginReply to LoginRPCReply * Version and RequestTime are added to LoginRPCArgs and verified by server side, not client side. * Fix data race in lockMaintainence loop. 2016-12-23 23:12:19 +08:00			`func (br browserPeerAPIHandlers) SetAuthPeer(args SetAuthPeerArgs, reply AuthRPCReply) error {`
			`if err := args.IsAuthenticated(); err != nil {`
			`return err`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`}`

Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`if err := validateAuthKeys(args.Creds.AccessKey, args.Creds.SecretKey); err != nil {`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`return err`
			`}`

Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`// Update credentials in memory`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`serverConfig.SetCredential(args.Creds)`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00
			`// Save credentials to config file`
			`if err := serverConfig.Save(); err != nil {`
			`errorIf(err, "Error updating config file with new credentials sent from browser RPC.")`
			`return err`
			`}`

			`return nil`
			`}`

			`// Sends SetAuthPeer RPCs to all peers in the Minio cluster`
			`func updateCredsOnPeers(creds credential) map[string]error {`
Add bucket metadata state client/handler (Fixes #3022) (#3152) - Adds an interface to update in-memory bucket metadata state called BucketMetaState - this interface has functions to: - update bucket notification configuration, - bucket listener configuration, - bucket policy configuration, and - send bucket event - This interface is implemented by `localBMS` a type for manipulating local node in-memory bucket metadata, and by `remoteBMS` a type for manipulating remote node in-memory bucket metadata. - The remote node interface, makes an RPC call, but the local node interface does not - it updates in-memory bucket state directly. - Rename mkPeersFromEndpoints to makeS3Peers and refactored it. - Use arrayslice instead of map in s3Peers struct - `s3Peers.SendUpdate` now receives an arrayslice of peer indexes to send the request to, with a special nil value slice indicating that all peers should be sent the update. - `s3Peers.SendUpdate` now returns an arrayslice of errors, representing errors from peers when sending an update. The array positions correspond to peer array s3Peers.peers Improve globalS3Peers: - Make isDistXL a global `globalIsDistXL` and remove from s3Peers - Make globalS3Peers an array of (address, bucket-meta-state) pairs. - Fix code and tests. 2016-11-08 04:09:24 +08:00			`// Get list of peer addresses (from globalS3Peers)`
			`peers := []string{}`
			`for _, p := range globalS3Peers {`
			`peers = append(peers, p.addr)`
			`}`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00
			`// Array of errors for each peer`
			`errs := make([]error, len(peers))`
			`var wg sync.WaitGroup`

Adopt dsync interface changes and major cleanup on RPC server/client. * Rename GenericArgs to AuthRPCArgs * Rename GenericReply to AuthRPCReply * Remove authConfig.loginMethod and add authConfig.ServiceName * Rename loginServer to AuthRPCServer * Rename RPCLoginArgs to LoginRPCArgs * Rename RPCLoginReply to LoginRPCReply * Version and RequestTime are added to LoginRPCArgs and verified by server side, not client side. * Fix data race in lockMaintainence loop. 2016-12-23 23:12:19 +08:00			`serverCred := serverConfig.GetCredential()`
tests: Add tests for browser peer rpc. Fixes #3062 (#3189) 2016-11-08 03:43:35 +08:00			`// Launch go routines to send request to each peer in parallel.`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`for ix := range peers {`
			`wg.Add(1)`
			`go func(ix int) {`
			`defer wg.Done()`

			`// Exclude self to avoid race with`
			`// invalidating the RPC token.`
			`if peers[ix] == globalMinioAddr {`
			`errs[ix] = nil`
			`return`
			`}`

			`// Initialize client`
Adopt dsync interface changes and major cleanup on RPC server/client. * Rename GenericArgs to AuthRPCArgs * Rename GenericReply to AuthRPCReply * Remove authConfig.loginMethod and add authConfig.ServiceName * Rename loginServer to AuthRPCServer * Rename RPCLoginArgs to LoginRPCArgs * Rename RPCLoginReply to LoginRPCReply * Version and RequestTime are added to LoginRPCArgs and verified by server side, not client side. * Fix data race in lockMaintainence loop. 2016-12-23 23:12:19 +08:00			`client := newAuthRPCClient(authConfig{`
			`accessKey: serverCred.AccessKey,`
			`secretKey: serverCred.SecretKey,`
			`serverAddr: peers[ix],`
ssl: Set a global boolean to enable SSL across Minio (#3558) We have been using `isSSL()` everywhere we can set a global value once and re-use it again. 2017-01-12 05:59:51 +08:00			`secureConn: globalIsSSL,`
fs: Do not return reservedBucket names in ListBuckets() (#3754) Make sure to skip reserved bucket names in `ListBuckets()` current code didn't skip this properly and also generalize this behavior for both XL and FS. 2017-02-17 06:52:14 +08:00			`serviceEndpoint: path.Join(minioReservedBucketPath, browserPeerPath),`
peer rpc: Fix typo in cluster credentials update (#3579) Update credentials in cluster wasn't working due to a typo 2017-01-15 06:06:23 +08:00			`serviceName: "BrowserPeer",`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`})`

			`// Construct RPC call arguments.`
			`args := SetAuthPeerArgs{Creds: creds}`

			`// Make RPC call - we only care about error`
			`// response and not the reply.`
peer rpc: Fix typo in cluster credentials update (#3579) Update credentials in cluster wasn't working due to a typo 2017-01-15 06:06:23 +08:00			`err := client.Call("BrowserPeer.SetAuthPeer", &args, &AuthRPCReply{})`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00
tests: Add tests for browser peer rpc. Fixes #3062 (#3189) 2016-11-08 03:43:35 +08:00			`// We try a bit hard (3 attempts with 1 second delay)`
			`// to set creds on peers in case of failure.`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`if err != nil {`
			`for i := 0; i < 2; i++ {`
tests: Add tests for browser peer rpc. Fixes #3062 (#3189) 2016-11-08 03:43:35 +08:00			`time.Sleep(1 * time.Second) // 1 second delay.`
peer rpc: Fix typo in cluster credentials update (#3579) Update credentials in cluster wasn't working due to a typo 2017-01-15 06:06:23 +08:00			`err = client.Call("BrowserPeer.SetAuthPeer", &args, &AuthRPCReply{})`
Propagate creds change to cluster (Fixes #2855) (#2929) 2016-10-18 11:18:08 +08:00			`if err == nil {`
			`break`
			`}`
			`}`
			`}`

			`// Send result down the channel`
			`errs[ix] = err`
			`}(ix)`
			`}`

			`// Wait for requests to complete.`
			`wg.Wait()`

			`// Put errors into map.`
			`errsMap := make(map[string]error)`
			`for i, err := range errs {`
			`if err != nil {`
			`errsMap[peers[i]] = err`
			`}`
			`}`

			`return errsMap`
			`}`