Make targets for issuing credentials #86
6 changed files with 124 additions and 0 deletions
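--- a/Makefile
+++ b/Makefile
@@ -60,6 +60,7 @@ get: $(foreach SVC, $(GET_SVCS), get.$(SVC))
 .PHONY: up
 up: up/basic
 @$(foreach SVC, $(START_SVCS), $(shell docker-compose -f services/$(SVC)/docker-compose.yml up -d))
+./vendor/frostfs-adm morph proxy-add-account --config frostfs-adm.yml --account=`docker container exec morph_chain neo-go wallet dump-keys -w /wallets/s3-wallet.json | head -1 | awk '{print $1}'` || die "Couldn't set s3-gw wallet as proxy wallet"
 @echo "Full FrostFS Developer Environment is ready"
 
 # Build up FrostFS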
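Review bot: In the added `frostfs-adm morph proxy-add-account` recipe line, make expands `$1` inside the awk program before the shell sees it, so awk receives `{print }` and prints the whole first line of the `dump-keys` output instead of its first field; write `awk '{print $$1}'`. `die` is not defined anywhere in the visible lines, so a failure would most likely end in a "command not found" error rather than the intended message; `|| { echo "Couldn't set s3-gw wallet as proxy wallet" >&2; exit 1; }` keeps the message without relying on a helper. Because the account comes from a pipeline, a failing `docker container exec` is masked by `head` and `awk`, which leaves `--account=` empty unless the recipe shell runs with pipefail. The `up` recipe continues outside the hunk.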
59
README.md
59
README.md
|
@ -137,6 +137,65 @@ Display addresses and host names for each running service, if available.
|
||||||
|
|
||||||
Clean up `vendor` directory.
|
Clean up `vendor` directory.
|
||||||
|
|
||||||
|
### s3cred
|
||||||
|
|
||||||
|
Registers user wallet and issues s3 credentials.
|
||||||
|
|
||||||
|
Usage and default parameter values:
|
||||||
|
```sh
|
||||||
|
make s3cred [password=""] [contract_password=s3] [wallet=/user_wallet.json] [gate_public_key=0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf]
|
||||||
|
```
|
||||||
|
|
||||||
|
As soon as the storage node is in the network map (see above) you can generate S3
|
||||||
|
credentials:
|
||||||
|
|
||||||
|
``` sh
|
||||||
|
$ make s3cred
|
||||||
|
{
|
||||||
|
"access_key_id": "EXArWh8x1zeHG3851s1RtoCo7dowxF6rhLGA15nbMffT0AKRSjJ5fmcqf3Ht2VCAkfmPQUVARghRB77xHCA1BoN2p",
|
||||||
|
"secret_access_key": "d70c1dba83f0f90bb231f06f1ce0e0dfbcfb122f4b4345a3c18d3869c359b79f",
|
||||||
|
"owner_private_key": "140947599afd9ca89af4b358c3176eb046e554d942a0dc99a8e06f3e43c8f4ad",
|
||||||
|
"wallet_public_key": "0324e76288fcb900100d01802a14ef977cca45ad073561230446df14b344c858b6",
|
||||||
|
"container_id": "EXArWh8x1zeHG3851s1RtoCo7dowxF6rhLGA15nbMffT"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
Running without any parameters will result in defaults which are based on the private key from
|
||||||
|
`/user-wallet.json` file and `/wallet.json` contract wallet.
|
||||||
|
|
||||||
|
Now let's configure an S3 client (AWS CLI will be used as example):
|
||||||
|
|
||||||
|
``` sh
|
||||||
|
$ aws configure
|
||||||
|
AWS Access Key ID []: EXArWh8x1zeHG3851s1RtoCo7dowxF6rhLGA15nbMffT0AKRSjJ5fmcqf3Ht2VCAkfmPQUVARghRB77xHCA1BoN2p
|
||||||
|
AWS Secret Access Key []: d70c1dba83f0f90bb231f06f1ce0e0dfbcfb122f4b4345a3c18d3869c359b79f
|
||||||
|
Default region name []: us-east-1
|
||||||
|
Default output format []: json
|
||||||
|
```
|
||||||
|
|
||||||
|
If you need to create credentials for different users, put user wallets to `wallets` dir and specify them via `wallet` parameter.
|
||||||
|
Pass wallet password in `password` parameter if it's not default. The same is for `contract_wallet` and `gate_public_key` params.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ make s3cred wallet=custom_wallet.json password=test
|
||||||
|
{
|
||||||
|
"access_key_id": "jHhL5B33o16R4jQsb8wm9A3RRdS6KrTB5N4bja9Jys904W7xXFNKqem2ACvTRWRYJsZMCUikYFSokN7pPJziWyDi",
|
||||||
|
"secret_access_key": "21bb64fafa32c82417fd8b97ac56cc8a085998a3852632d52fe7042453daa440",
|
||||||
|
"owner_private_key": "10f6f9d7a47bb0bf68363ad8a99fe69f1493f8b6e1665b3e4e83feb2d5c7ee39",
|
||||||
|
"wallet_public_key": "03e38759973a6bb722baabc2dd84036a39f0b2f53d32fec45a4dacde8a50fe4b70",
|
||||||
|
"container_id": "jHhL5B33o16R4jQsb8wm9A3RRdS6KrTB5N4bja9Jys9"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
To get credentials from custom wallet, place it in `wallets` dir before start.
|
||||||
|
|
||||||
|
### cred
|
||||||
|
|
||||||
|
Usage and default parameter values:
|
||||||
|
```sh
|
||||||
|
make cred [password=""] [contract_password=s3] [wallet=/user_wallet.json]
|
||||||
|
```
|
||||||
|
The same as `s3cred`, but it doesn't issues s3 credentials.
|
||||||
|
|
||||||
## Contributing
|
## Contributing
|
||||||
|
|
||||||
Feel free to contribute to this project after reading the [contributing
|
Feel free to contribute to this project after reading the [contributing
|
||||||
|
|
|
@ -19,6 +19,7 @@ services:
|
||||||
- ./config.yml:/wallets/config.yml
|
- ./config.yml:/wallets/config.yml
|
||||||
- ./../../vendor/hosts:/etc/hosts
|
- ./../../vendor/hosts:/etc/hosts
|
||||||
- ./../../wallets/wallet.json:/wallets/wallet.json
|
- ./../../wallets/wallet.json:/wallets/wallet.json
|
||||||
|
- ./../s3_gate/wallet.json:/wallets/s3-wallet.json
|
||||||
- chains:/chains
|
- chains:/chains
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
|
|
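Review bot: The added `./../s3_gate/wallet.json:/wallets/s3-wallet.json` mount gives the chain container read-write access to the gateway's wallet file, although the only visible consumer, the `neo-go wallet dump-keys` call added to the Makefile, just reads it. `- ./../s3_gate/wallet.json:/wallets/s3-wallet.json:ro` would keep the wallet from being modified from inside the container. The same applies to the wallet and `issue-creds.sh` mounts added to the s3 gateway service's volumes later in this commit, as far as the visible script shows they are only read. The volumes list continues outside the hunk.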
|
@ -12,11 +12,17 @@ services:
|
||||||
internet:
|
internet:
|
||||||
ipv4_address: ${IPV4_PREFIX}.82
|
ipv4_address: ${IPV4_PREFIX}.82
|
||||||
volumes:
|
volumes:
|
||||||
|
# Gate wallet
|
||||||
- ./wallet.json:/wallet.json
|
- ./wallet.json:/wallet.json
|
||||||
|
# Custom user wallets
|
||||||
|
- ./wallets:/wallets
|
||||||
|
# Default user wallet
|
||||||
|
- ./../../wallets/wallet.json:/wallets/wallet.json
|
||||||
- ./tls.key:/tls.key
|
- ./tls.key:/tls.key
|
||||||
- ./tls.crt:/tls.crt
|
- ./tls.crt:/tls.crt
|
||||||
- ./../../vendor/hosts:/etc/hosts
|
- ./../../vendor/hosts:/etc/hosts
|
||||||
- ./cfg:/etc/frostfs/s3
|
- ./cfg:/etc/frostfs/s3
|
||||||
|
- ./issue-creds.sh:/usr/bin/issue-creds.sh
|
||||||
stop_signal: SIGTERM
|
stop_signal: SIGTERM
|
||||||
stop_grace_period: 15s
|
stop_grace_period: 15s
|
||||||
env_file: [ ".env", ".s3.env", ".int_test.env" ]
|
env_file: [ ".env", ".s3.env", ".int_test.env" ]
|
||||||
|
@ -34,6 +40,8 @@ services:
|
||||||
- S3_GW_PEERS_2_WEIGHT=0.2
|
- S3_GW_PEERS_2_WEIGHT=0.2
|
||||||
- S3_GW_PEERS_3_ADDRESS=s04.${LOCAL_DOMAIN}:8080
|
- S3_GW_PEERS_3_ADDRESS=s04.${LOCAL_DOMAIN}:8080
|
||||||
- S3_GW_PEERS_3_WEIGHT=0.2
|
- S3_GW_PEERS_3_WEIGHT=0.2
|
||||||
|
- AUTHMATE_WALLET_PASSPHRASE=
|
||||||
|
- AUTHMATE_WALLET_CONTRACT_PASSPHRASE=s3
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
s3_gate_int:
|
s3_gate_int:
|
||||||
|
|
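Review bot: In the volumes list, `./../../wallets/wallet.json:/wallets/wallet.json` is bound inside the directory that `./wallets:/wallets` already mounts, so Docker has to create a `wallet.json` mount point inside the host-side `./wallets` directory, and the daemon creates that directory itself (typically root-owned) when it is missing. No placeholder for it appears among the six changed files, so the README's "put user wallets to `wallets` dir" may need elevated rights, and it does not say which `wallets` directory is meant. A comment such as `# Custom user wallets: host dir is ./wallets next to this compose file, create it before the first "up"` would make this explicit. In the second hunk, `AUTHMATE_WALLET_PASSPHRASE=` and `AUTHMATE_WALLET_CONTRACT_PASSPHRASE=s3` put the passphrases into the environment of the long-running gateway process, although prepare.mk already passes both with `docker exec -e` on every call. Dropping them from the service environment, or marking them `# devenv-only defaults, overridden by prepare.mk`, would keep them out of the service's own environment.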
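--- a/services/s3_gate/issue-creds.sh
+++ b/services/s3_gate/issue-creds.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+initUser() {
+/bin/frostfs-s3-authmate register-user \
+--wallet $WALLET_PATH \
+--rpc-endpoint http://morph-chain.frostfs.devenv:30333 \
+--username $USERNAME \
+--contract-wallet /wallet.json 1> /dev/null && touch $WALLET_CACHE/$USERNAME
+}
+
+issueCreds() {
+/bin/frostfs-s3-authmate issue-secret \
+--wallet $WALLET_PATH \
+--peer s01.frostfs.devenv:8080 \
+--gate-public-key $S3_GATE_PUBLIC_KEY \
+--container-placement-policy "REP 3"
+}
+
+set -e
+
+WALLET_PATH=/wallets/$2
+if [[ -z "$2" ]]; then
+WALLET_PATH=/wallets/wallet.json
+fi
+
+S3_GATE_PUBLIC_KEY=$3
+if [[ -z "$3" ]]; then
+S3_GATE_PUBLIC_KEY=0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf
+fi
+
+WALLET_CACHE=/data/wallets
+mkdir -p $WALLET_CACHE
+
+USERNAME=$(echo $WALLET_PATH | md5sum | cut -d' ' -f1)
+if [ ! -e $WALLET_CACHE/$USERNAME ]; then
+initUser
+fi
+
+if [ $1 == "s3" ]; then
+issueCreds
+fi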
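Review bot: The positional arguments are expanded unquoted throughout the script: `[ $1 == "s3" ]` is a test syntax error when the mode argument is missing, and a `wallet` value containing spaces is split into extra authmate arguments at `--wallet $WALLET_PATH`. `WALLET_PATH=/wallets/$2` also accepts `..` components, so the resolved path is not confined to the mounted wallet directory. The registration marker is keyed on an md5 of the path only, so a different wallet placed at the same path is treated as already registered; that may be acceptable for the dev environment, but it deserves a one-line comment above `USERNAME=`. The excerpt below quotes the expansions and rejects `..` in the wallet name.

```shell
# … unchanged: initUser/issueCreds bodies, apart from quoting "$WALLET_PATH", "$USERNAME", "$S3_GATE_PUBLIC_KEY" and "$WALLET_CACHE/$USERNAME" …

set -e

WALLET_NAME=${2:-wallet.json}
case "$WALLET_NAME" in
    ..|../*|*/..|*/../*)
        echo "wallet must name a file under /wallets" >&2
        exit 1
        ;;
esac
WALLET_PATH="/wallets/$WALLET_NAME"

# … unchanged: gate public key default, wallet cache directory …

USERNAME=$(echo "$WALLET_PATH" | md5sum | cut -d' ' -f1)
if [ ! -e "$WALLET_CACHE/$USERNAME" ]; then
    initUser
fi

if [ "$1" == "s3" ]; then
    issueCreds
fi
```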
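--- a/services/s3_gate/prepare.mk
+++ b/services/s3_gate/prepare.mk
@@ -0,0 +1,14 @@
+.PHONY: s3cred register
+
+password?=
+contract_password?=s3
+gate_public_key?=
+wallet?=
+
+# Register wallet & generate S3 credentials
+s3cred:
+@docker exec -e AUTHMATE_WALLET_PASSPHRASE="$(password)" -e AUTHMATE_WALLET_CONTRACT_PASSPHRASE="$(contract_password)" s3_gate /usr/bin/issue-creds.sh s3 "$(wallet)" "$(gate_public_key)"
+
+# Only registers user wallet
+register:
+@docker exec -e AUTHMATE_WALLET_PASSPHRASE="$(password)" -e AUTHMATE_WALLET_CONTRACT_PASSPHRASE="$(contract_password)" s3_gate /usr/bin/issue-creds.sh native "$(wallet)"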
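Review bot: Both recipes paste `$(password)`, `$(contract_password)`, `$(wallet)` and `$(gate_public_key)` into the shell command text, so a passphrase containing `"`, a backtick or `$` is interpreted by the shell instead of being passed through. Adding `export password contract_password` and referring to the shell variables in the recipe, `-e AUTHMATE_WALLET_PASSPHRASE="$$password" -e AUTHMATE_WALLET_CONTRACT_PASSPHRASE="$$contract_password"`, stops the shell from re-parsing the values. The passphrases would still appear in the `docker exec` argument list. The README added in this commit documents `make cred` and a default of `wallet=/user_wallet.json`, while the target defined here is `register` and `wallet` defaults to empty; one of the two should be aligned.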