admin: Add service Set Credentials API (#3580)

2017-01-17 23:25:59 +01:00 · 2017-01-17 23:25:59 +01:00 · f803bb4b3d
parent 20a65981bd
commit f803bb4b3d
13 changed files with 317 additions and 27 deletions
--- a/appveyor.yml
+++ b/appveyor.yml
@ -35,8 +35,8 @@ test_script:
  # Unit tests
  - ps: Add-AppveyorTest "Unit Tests" -Outcome Running
  - mkdir build\coverage
-  - go test -race github.com/minio/minio/cmd...
-  - go test -race github.com/minio/minio/pkg...
+  - go test -timeout 15m -v -race github.com/minio/minio/cmd...
+  - go test -v -race github.com/minio/minio/pkg...
  - go test -coverprofile=build\coverage\coverage.txt -covermode=atomic github.com/minio/minio/cmd
  - ps: Update-AppveyorTest "Unit Tests" -Outcome Passed

--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@ -18,6 +18,8 @@ package cmd

 import (
 	"encoding/json"
+	"encoding/xml"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@ -84,6 +86,76 @@ func (adminAPI adminAPIHandlers) ServiceRestartHandler(w http.ResponseWriter, r
 	sendServiceCmd(globalAdminPeers, serviceRestart)
 }

+// setCredsReq request
+type setCredsReq struct {
+	Username string `xml:"username"`
+	Password string `xml:"password"`
+}
+
+// ServiceCredsHandler - POST /?service
+// HTTP header x-minio-operation: creds
+// ----------
+// Update credentials in a minio server. In a distributed setup, update all the servers
+// in the cluster.
+func (adminAPI adminAPIHandlers) ServiceCredentialsHandler(w http.ResponseWriter, r *http.Request) {
+	// Authenticate request
+	adminAPIErr := checkRequestAuthType(r, "", "", "")
+	if adminAPIErr != ErrNone {
+		writeErrorResponse(w, adminAPIErr, r.URL)
+		return
+	}
+
+	// Avoid setting new credentials when they are already passed
+	// by the environnement
+	if globalEnvAccessKey != "" || globalEnvSecretKey != "" {
+		writeErrorResponse(w, ErrMethodNotAllowed, r.URL)
+		return
+	}
+
+	// Load request body
+	inputData, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		writeErrorResponse(w, ErrInternalError, r.URL)
+		return
+	}
+
+	// Unmarshal request body
+	var req setCredsReq
+	err = xml.Unmarshal(inputData, &req)
+	if err != nil {
+		errorIf(err, "Cannot unmarshal credentials request")
+		writeErrorResponse(w, ErrMalformedXML, r.URL)
+		return
+	}
+
+	// Check passed credentials
+	cred, err := getCredential(req.Username, req.Password)
+	switch err {
+	case errInvalidAccessKeyLength:
+		writeErrorResponse(w, ErrAdminInvalidAccessKey, r.URL)
+		return
+	case errInvalidSecretKeyLength:
+		writeErrorResponse(w, ErrAdminInvalidSecretKey, r.URL)
+		return
+	}
+
+	// Notify all other Minio peers to update credentials
+	updateErrs := updateCredsOnPeers(cred)
+	for peer, err := range updateErrs {
+		errorIf(err, "Unable to update credentials on peer %s.", peer)
+	}
+
+	// Update local credentials
+	serverConfig.SetCredential(cred)
+	if err = serverConfig.Save(); err != nil {
+		writeErrorResponse(w, ErrInternalError, r.URL)
+		return
+	}
+
+	// At this stage, the operation is successful, return 200 OK
+	w.WriteHeader(http.StatusOK)
+}
+
 // validateLockQueryParams - Validates query params for list/clear locks management APIs.
 func validateLockQueryParams(vars url.Values) (string, string, time.Duration, APIErrorCode) {
 	bucket := vars.Get(string(mgmtBucket))
--- a/cmd/admin-handlers_test.go
+++ b/cmd/admin-handlers_test.go
@ -19,6 +19,8 @@ package cmd
 import (
 	"bytes"
 	"encoding/json"
+	"encoding/xml"
+	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -33,8 +35,8 @@ type cmdType int

 const (
 	statusCmd cmdType = iota
-	stopCmd
 	restartCmd
+	setCreds
 )

 // String - String representation for cmdType
@ -42,10 +44,10 @@ func (c cmdType) String() string {
 	switch c {
 	case statusCmd:
 		return "status"
-	case stopCmd:
-		return "stop"
 	case restartCmd:
 		return "restart"
+	case setCreds:
+		return "set-credentials"
 	}
 	return ""
 }
@ -58,6 +60,8 @@ func (c cmdType) apiMethod() string {
 		return "GET"
 	case restartCmd:
 		return "POST"
+	case setCreds:
+		return "POST"
 	}
 	return "GET"
 }
@ -86,15 +90,19 @@ func testServiceSignalReceiver(cmd cmdType, t *testing.T) {

 // getServiceCmdRequest - Constructs a management REST API request for service
 // subcommands for a given cmdType value.
-func getServiceCmdRequest(cmd cmdType, cred credential) (*http.Request, error) {
+func getServiceCmdRequest(cmd cmdType, cred credential, body []byte) (*http.Request, error) {
 	req, err := newTestRequest(cmd.apiMethod(), "/?service", 0, nil)
 	if err != nil {
 		return nil, err
 	}

+	// Set body
+	req.Body = ioutil.NopCloser(bytes.NewReader(body))
+
 	// minioAdminOpHeader is to identify the request as a
 	// management REST API request.
 	req.Header.Set(minioAdminOpHeader, cmd.String())
+	req.Header.Set("X-Amz-Content-Sha256", getSHA256Hash(body))

 	// management REST API uses signature V4 for authentication.
 	err = signRequestV4(req, cred.AccessKey, cred.SecretKey)
@ -106,7 +114,7 @@ func getServiceCmdRequest(cmd cmdType, cred credential) (*http.Request, error) {

 // testServicesCmdHandler - parametrizes service subcommand tests on
 // cmdType value.
-func testServicesCmdHandler(cmd cmdType, t *testing.T) {
+func testServicesCmdHandler(cmd cmdType, args map[string]interface{}, t *testing.T) {
 	// reset globals.
 	// this is to make sure that the tests are not affected by modified value.
 	resetTestGlobals()
@ -147,19 +155,25 @@ func testServicesCmdHandler(cmd cmdType, t *testing.T) {

 	// Setting up a go routine to simulate ServerMux's
 	// handleServiceSignals for stop and restart commands.
-	switch cmd {
-	case stopCmd, restartCmd:
+	if cmd == restartCmd {
 		go testServiceSignalReceiver(cmd, t)
 	}
 	credentials := serverConfig.GetCredential()
 	adminRouter := router.NewRouter()
 	registerAdminRouter(adminRouter)

-	rec := httptest.NewRecorder()
-	req, err := getServiceCmdRequest(cmd, credentials)
+	var body []byte
+
+	if cmd == setCreds {
+		body, _ = xml.Marshal(setCredsReq{Username: args["username"].(string), Password: args["password"].(string)})
+	}
+
+	req, err := getServiceCmdRequest(cmd, credentials, body)
 	if err != nil {
 		t.Fatalf("Failed to build service status request %v", err)
 	}
+
+	rec := httptest.NewRecorder()
 	adminRouter.ServeHTTP(rec, req)

 	if cmd == statusCmd {
@ -173,20 +187,37 @@ func testServicesCmdHandler(cmd cmdType, t *testing.T) {
 		}
 	}

+	if cmd == setCreds {
+		// Check if new credentials are set
+		cred := serverConfig.GetCredential()
+		if cred.AccessKey != args["username"].(string) {
+			t.Errorf("Wrong access key, expected = %s, found = %s", args["username"].(string), cred.AccessKey)
+		}
+		if cred.SecretKey != args["password"].(string) {
+			t.Errorf("Wrong secret key, expected = %s, found = %s", args["password"].(string), cred.SecretKey)
+		}
+
+	}
+
 	if rec.Code != http.StatusOK {
-		t.Errorf("Expected to receive %d status code but received %d",
-			http.StatusOK, rec.Code)
+		resp, _ := ioutil.ReadAll(rec.Body)
+		t.Errorf("Expected to receive %d status code but received %d. Body (%s)",
+			http.StatusOK, rec.Code, string(resp))
 	}
 }

 // Test for service status management REST API.
 func TestServiceStatusHandler(t *testing.T) {
-	testServicesCmdHandler(statusCmd, t)
+	testServicesCmdHandler(statusCmd, nil, t)
 }

 // Test for service restart management REST API.
 func TestServiceRestartHandler(t *testing.T) {
-	testServicesCmdHandler(restartCmd, t)
+	testServicesCmdHandler(restartCmd, nil, t)
+}
+
+func TestServiceSetCreds(t *testing.T) {
+	testServicesCmdHandler(setCreds, map[string]interface{}{"username": "minio", "password": "minio123"}, t)
 }

 // mkLockQueryVal - helper function to build lock query param.
--- a/cmd/admin-router.go
+++ b/cmd/admin-router.go
@ -36,6 +36,8 @@ func registerAdminRouter(mux *router.Router) {

 	// Service restart
 	adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "restart").HandlerFunc(adminAPI.ServiceRestartHandler)
+	// Service update credentials
+	adminRouter.Methods("POST").Queries("service", "").Headers(minioAdminOpHeader, "set-credentials").HandlerFunc(adminAPI.ServiceCredentialsHandler)

 	/// Lock operations

--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@ -140,6 +140,9 @@ const (
 	// Add new extended error codes here.
 	// Please open a https://github.com/minio/minio/issues before adding
 	// new error codes here.
+
+	ErrAdminInvalidAccessKey
+	ErrAdminInvalidSecretKey
 )

 // error code to APIError structure, these fields carry respective
@ -574,6 +577,17 @@ var errorCodeResponse = map[APIErrorCode]APIError{
 		Description:    "Server not initialized, please try again.",
 		HTTPStatusCode: http.StatusServiceUnavailable,
 	},
+	ErrAdminInvalidAccessKey: {
+		Code:           "XMinioAdminInvalidAccessKey",
+		Description:    "The access key is invalid.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrAdminInvalidSecretKey: {
+		Code:           "XMinioAdminInvalidSecretKey",
+		Description:    "The secret key is invalid.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+
 	// Add your error structure here.
 }

--- a/cmd/globals.go
+++ b/cmd/globals.go
@ -101,6 +101,12 @@ var (
 	// Minio server user agent string.
 	globalServerUserAgent = "Minio/" + ReleaseTag + " (" + runtime.GOOS + "; " + runtime.GOARCH + ")"

+	// Access key passed from the environment
+	globalEnvAccessKey = os.Getenv("MINIO_ACCESS_KEY")
+
+	// Secret key passed from the environment
+	globalEnvSecretKey = os.Getenv("MINIO_SECRET_KEY")
+
 	// Add new variable global values here.
 )

--- a/cmd/main.go
+++ b/cmd/main.go
@ -190,13 +190,11 @@ func minioInit(ctx *cli.Context) {
 	enableLoggers()

 	// Fetch access keys from environment variables and update the config.
-	accessKey := os.Getenv("MINIO_ACCESS_KEY")
-	secretKey := os.Getenv("MINIO_SECRET_KEY")
-	if accessKey != "" && secretKey != "" {
+	if globalEnvAccessKey != "" && globalEnvSecretKey != "" {
 		// Set new credentials.
 		serverConfig.SetCredential(credential{
-			AccessKey: accessKey,
-			SecretKey: secretKey,
+			AccessKey: globalEnvAccessKey,
+			SecretKey: globalEnvSecretKey,
 		})
 	}
 	if !isAccessKeyValid(serverConfig.GetCredential().AccessKey) {
--- a/docs/admin-api/management-api.md
+++ b/docs/admin-api/management-api.md
@ -6,9 +6,9 @@

 ## List of management APIs
 - Service
-  - Stop
  - Restart
  - Status
+  - SetCredentials

 - Locks
  - List
@ -17,11 +17,6 @@
 - Healing

 ### Service Management APIs
-* Stop
-  - POST /?service
-  - x-minio-operation: stop
-  - Response: On success 200
-
 * Restart
  - POST /?service
  - x-minio-operation: restart
@ -32,6 +27,43 @@
  - x-minio-operation: status
  - Response: On success 200, return json formatted StorageInfo object.

+* SetCredentials
+  - GET /?service
+  - x-minio-operation: set-credentials
+  - Response: Success 200
+  - Possible error responses
+    - ErrMethodNotAllowed
+    <Error>
+        <Code>MethodNotAllowed</Code>
+        <Message>The specified method is not allowed against this resource.</Message>
+        <Key></Key>
+        <BucketName></BucketName>
+        <Resource>/</Resource>
+        <RequestId>3L137</RequestId>
+        <HostId>3L137</HostId>
+    </Error>
+    - ErrAdminBadCred
+    <Error>
+        <Code>XMinioBadCred</Code>
+        <Message>XMinioBadCred</Message>
+        <Key></Key>
+        <BucketName></BucketName>
+        <Resource>/</Resource>
+        <RequestId>3L137</RequestId>
+        <HostId>3L137</HostId>
+    </Error>
+    - ErrInternalError
+    <Error>
+        <Code>InternalError</Code>
+        <Message>We encountered an internal error, please try again.</Message>
+        <Key></Key>
+        <BucketName></BucketName>
+        <Resource>/</Resource>
+        <RequestId>3L137</RequestId>
+        <HostId>3L137</HostId>
+    </Error>
+
+
 ### Lock Management APIs
 * ListLocks
  - GET /?lock&bucket=mybucket&prefix=myprefix&older-than=rel_time
--- a/pkg/madmin/README.md
+++ b/pkg/madmin/README.md
@ -106,6 +106,7 @@ go run service-status.go

 * [`ServiceStatus`](./API.md#ServiceStatus)
 * [`ServiceRestart`](./API.md#ServiceRestart)
+* [`ServiceSetCredentials`](./API.md#ServiceSetCredentials)

 ## Full Examples

@ -113,6 +114,7 @@ go run service-status.go

 * [service-status.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-status.go)
 * [service-restart.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-restart.go)
+* [service-set-credentials.go](https://github.com/minio/minio/blob/master/pkg/madmin/examples/service-set-credentials.go)

 ## Contribute

--- a/pkg/madmin/api-error-response.go
+++ b/pkg/madmin/api-error-response.go
@ -16,7 +16,10 @@

 package madmin

-import "encoding/xml"
+import (
+	"encoding/xml"
+	"net/http"
+)

 /* **** SAMPLE ERROR RESPONSE ****
 <?xml version="1.0" encoding="UTF-8"?>
@ -50,6 +53,29 @@ func (e ErrorResponse) Error() string {
 	return e.Message
 }

+const (
+	reportIssue = "Please report this issue at https://github.com/minio/minio-go/issues."
+)
+
+// httpRespToErrorResponse returns a new encoded ErrorResponse
+// structure as error.
+func httpRespToErrorResponse(resp *http.Response) error {
+	if resp == nil {
+		msg := "Response is empty. " + reportIssue
+		return ErrInvalidArgument(msg)
+	}
+	var errResp ErrorResponse
+	// Decode the xml error
+	err := xmlDecoder(resp.Body, &errResp)
+	if err != nil {
+		return ErrorResponse{
+			Code:    resp.Status,
+			Message: "Failed to parse server response.",
+		}
+	}
+	return errResp
+}
+
 // ErrInvalidArgument - Invalid argument response.
 func ErrInvalidArgument(message string) error {
 	return ErrorResponse{
--- a/pkg/madmin/examples/service-set-credentials.go
+++ b/pkg/madmin/examples/service-set-credentials.go
@ -0,0 +1,44 @@
+// +build ignore
+
+/*
+ * Minio Cloud Storage, (C) 2016 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package main
+
+import (
+	"log"
+
+	"github.com/minio/minio/pkg/madmin"
+)
+
+func main() {
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY and my-bucketname are
+	// dummy values, please replace them with original values.
+
+	// API requests are secure (HTTPS) if secure=true and insecure (HTTPS) otherwise.
+	// New returns an Minio Admin client object.
+	madmClnt, err := madmin.New("your-minio.example.com:9000", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	err = madmClnt.ServiceSetCredentials("YOUR-NEW-ACCESSKEY", "YOUR-NEW-SECRETKEY")
+	if err != nil {
+		log.Fatalln(err)
+	}
+	log.Println("New credentials successfully set.")
+}
--- a/pkg/madmin/service.go
+++ b/pkg/madmin/service.go
@ -18,7 +18,9 @@
 package madmin

 import (
+	"bytes"
 	"encoding/json"
+	"encoding/xml"
 	"errors"
 	"io/ioutil"
 	"net/http"
@ -117,3 +119,49 @@ func (adm *AdminClient) ServiceRestart() error {
 	}
 	return nil
 }
+
+// setCredsReq - xml to send to the server to set new credentials
+type setCredsReq struct {
+	Username string `xml:"username"`
+	Password string `xml:"password"`
+}
+
+// ServiceSetCredentials - Call Service Set Credentials API to set new access and secret keys in the specified Minio server
+func (adm *AdminClient) ServiceSetCredentials(access, secret string) error {
+
+	// Disallow sending with the server if the connection is not secure
+	if !adm.secure {
+		return errors.New("setting new credentials requires HTTPS connection to the server")
+	}
+
+	// Setup new request
+	reqData := requestData{}
+	reqData.queryValues = make(url.Values)
+	reqData.queryValues.Set("service", "")
+	reqData.customHeaders = make(http.Header)
+	reqData.customHeaders.Set(minioAdminOpHeader, "set-credentials")
+
+	// Setup request's body
+	body, err := xml.Marshal(setCredsReq{Username: access, Password: secret})
+	if err != nil {
+		return err
+	}
+	reqData.contentBody = bytes.NewReader(body)
+	reqData.contentLength = int64(len(body))
+	reqData.contentMD5Bytes = sumMD5(body)
+	reqData.contentSHA256Bytes = sum256(body)
+
+	// Execute GET on bucket to list objects.
+	resp, err := adm.executeMethod("POST", reqData)
+
+	defer closeResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	// Return error to the caller if http response code is different from 200
+	if resp.StatusCode != http.StatusOK {
+		return httpRespToErrorResponse(resp)
+	}
+	return nil
+}
--- a/pkg/madmin/utils.go
+++ b/pkg/madmin/utils.go
@ -17,7 +17,9 @@
 package madmin

 import (
+	"crypto/md5"
 	"crypto/sha256"
+	"encoding/xml"
 	"io"
 	"io/ioutil"
 	"net"
@ -35,6 +37,19 @@ func sum256(data []byte) []byte {
 	return hash.Sum(nil)
 }

+// sumMD5 calculate sumMD5 sum for an input byte array.
+func sumMD5(data []byte) []byte {
+	hash := md5.New()
+	hash.Write(data)
+	return hash.Sum(nil)
+}
+
+// xmlDecoder provide decoded value in xml.
+func xmlDecoder(body io.Reader, v interface{}) error {
+	d := xml.NewDecoder(body)
+	return d.Decode(v)
+}
+
 // getEndpointURL - construct a new endpoint.
 func getEndpointURL(endpoint string, secure bool) (*url.URL, error) {
 	if strings.Contains(endpoint, ":") {