Documentation ¶
Index ¶
- Variables
- func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt, claims jwt.Claims) (token *jwt.Token, err error)
- func GetActualRemoteHost(r *http.Request) (host string, err error)
- func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption
- func LoadClientTLSHTTP(clientCertFile string) *tls.Config
- func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption)
- type Authenticator
- type EncodedJwt
- type Guard
- type SeaweedFileIdClaims
- type SeaweedFilerClaims
- type SigningKey
Constants ¶
This section is empty.
Variables ¶
var (
)
Functions ¶
func DecodeJwt ¶
func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt, claims jwt.Claims) (token *jwt.Token, err error)
func LoadClientTLS ¶
func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption
func LoadClientTLSHTTP ¶
func LoadServerTLS ¶
func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption)
Types ¶
type Authenticator ¶
func (Authenticator) Authenticate ¶
func (a Authenticator) Authenticate(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error)
type EncodedJwt ¶
type EncodedJwt string
func GenJwtForFilerServer ¶
func GenJwtForFilerServer(signingKey SigningKey, expiresAfterSec int) EncodedJwt
GenJwtForFilerServer creates a JSON Web Token for using the authenticated Filer API. It is used, for example, inside the S3 API.
func GenJwtForVolumeServer ¶
func GenJwtForVolumeServer(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt
func GetJwt ¶
func GetJwt(r *http.Request) EncodedJwt
type Guard ¶
type Guard struct {
	SigningKey          SigningKey
	ExpiresAfterSec     int
	ReadSigningKey      SigningKey
	ReadExpiresAfterSec int
	// contains filtered or unexported fields
}
Guard ensures data access security. There are 2 ways to check access:
- White list. It checks the request IP address.
- JSON Web Token (JWT) generated from secretKey. The JWT can come from:
  - the URL parameter jwt=...
  - the request header "Authorization"
  - a cookie with the name "jwt"
The white list is checked first because it is easy. Then the JWT is checked.
The Guard will also check these claims if provided:
1. "exp" Expiration Time
2. "nbf" Not Before
Generating JWT:
- use HS256 to sign
- optionally set "exp", "nbf" fields, in Unix time, the number of seconds elapsed since January 1, 1970 UTC.
Referenced: https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
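The JWT checks described above (HS256 signature, then "exp" and "nbf" only when present), as an added example using the standard library only; it is not SeaweedFS code. The names `mac`, `sign` and `verify` are hypothetical, and the key and timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// sign is a constructed helper: it issues an HS256 token over the claims.
func sign(key []byte, claims map[string]int64) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(claims)
	msg := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(body)
	return msg + "." + enc(mac(key, msg))
}

// verify pins alg to HS256, checks the MAC in constant time, then exp/nbf if set.
func verify(key []byte, token string, now int64) error {
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	p := strings.Split(token, ".")
	var hdr struct{ Alg string }
	var c struct{ Exp, Nbf *int64 } // pointers distinguish "absent" from zero
	switch {
	case len(p) != 3:
		return fmt.Errorf("malformed token")
	case json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "HS256":
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	case !hmac.Equal(dec(p[2]), mac(key, p[0]+"."+p[1])):
		return fmt.Errorf("bad signature")
	case json.Unmarshal(dec(p[1]), &c) != nil:
		return fmt.Errorf("bad claims")
	case c.Exp != nil && now >= *c.Exp:
		return fmt.Errorf("expired")
	case c.Nbf != nil && now < *c.Nbf:
		return fmt.Errorf("not yet valid")
	}
	return nil
}

func main() { fmt.Println(verify([]byte("k"), sign([]byte("k"), map[string]int64{"exp": 2000}), 1000)) }
```

Claims are parsed only after the signature has been accepted, and a header naming any algorithm other than HS256 is rejected before the MAC is computed.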
func (*Guard) WhiteList ¶
func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc
type SeaweedFileIdClaims ¶
type SeaweedFileIdClaims struct {
	Fid string `json:"fid"`
	jwt.StandardClaims
}
SeaweedFileIdClaims is created by Master server(s) and consumed by Volume server(s), restricting the access this JWT allows to only a single file.
type SeaweedFilerClaims ¶
type SeaweedFilerClaims struct {
	jwt.StandardClaims
}
SeaweedFilerClaims is created e.g. by S3 proxy server and consumed by Filer server. Right now, it only contains the standard claims; but this might be extended later for more fine-grained permissions.
type SigningKey ¶
type SigningKey []byte