[#509] Update docs
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent cb3753f286
commit 6a90f4e624
2 changed files with 36 additions and 6 deletions
@ -159,8 +159,10 @@ storage node.
Object s3 credentials are formed based on:
Object s3 credentials are formed based on:
* `AccessKeyId` - is concatenated container id and object id (`<cid>0<oid>`) of `AccessBox` (
* `AccessKeyId` - is concatenated container id and object id (`<cid>0<oid>`) of `AccessBox` (
e.g. `2XGRML5EW3LMHdf64W2DkBy1Nkuu4y4wGhUj44QjbXBi05ZNvs8WVwy1XTmSEkcVkydPKzCgtmR7U3zyLYTj3Snxf`)
e.g. `2XGRML5EW3LMHdf64W2DkBy1Nkuu4y4wGhUj44QjbXBi05ZNvs8WVwy1XTmSEkcVkydPKzCgtmR7U3zyLYTj3Snxf`).
* `SecretAccessKey` - hex-encoded random generated 32 bytes (that is encrypted and stored in object payload)
Or it can be arbitrary user-provided unique string with min length 4 and max length 128.
* `SecretAccessKey` - hex-encoded random generated 32 bytes (that is encrypted and stored in object payload).
Or it can be arbitrary user-provided unique string with min length 4 and max length 128.
> **Note**: sensitive info in `AccessBox` is [encrypted](#encryption), so only someone who posses specific private key
> **Note**: sensitive info in `AccessBox` is [encrypted](#encryption), so only someone who posses specific private key
> can decrypt such info.
> can decrypt such info.
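Review bot: the new sentence under `AccessKeyId` ("Or it can be arbitrary user-provided unique string with min length 4 and max length 128") does not say who enforces uniqueness or what happens when an id is issued twice; since the lookup described later in this file selects the latest object whose `S3-Access-Box-CRDT-Name` equals the id, a second `AccessBox` created under an existing id would be picked over the original, so state that authmate refuses an id that already exists (or how the collision is handled). Suggest wording it as "or an arbitrary, unique, user-provided string of 4 to 128 characters", and, in the unchanged note just below, "posses" should be "possesses".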
@ -192,7 +194,7 @@ It contains:
* List of gate data:
* List of gate data:
* Gate public key (so that gate (when it will decrypt data later) know which item from the list it should process)
* Gate public key (so that gate (when it will decrypt data later) know which item from the list it should process)
* Encrypted tokens:
* Encrypted tokens:
* `SecretAccessKey` - hex-encoded random generated 32 bytes
* `SecretAccessKey` - hex-encoded random generated 32 bytes (or arbitrary user-provided string)
* Marshaled bearer token - more detail
* Marshaled bearer token - more detail
in [spec](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/commit/4c68d92468503b10282c8a92af83a56f170c8a3a/acl/types.proto#L189)
in [spec](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/commit/4c68d92468503b10282c8a92af83a56f170c8a3a/acl/types.proto#L189)
* Marshaled session token - more detail
* Marshaled session token - more detail
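Review bot: "`SecretAccessKey` - hex-encoded random generated 32 bytes (or arbitrary user-provided string)" leaves the user-provided case undefined: the first hunk gives a 4..128 length limit for `AccessKeyId`, but nothing here says whether a user-provided secret has a length or character-set limit or whether it is still expected to be hex. Since a user-chosen value replaces 32 random bytes as the signing secret, state the accepted limits once and reference them here, e.g. "(or an arbitrary user-provided string; see the limits above)".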
@ -229,10 +231,12 @@ relevant data) the following sequence is used:
</a>
</a>
* Search all object whose attribute `S3-Access-Box-CRDT-Name` is equal to `AccessKeyId` (extract container id
* Search all object whose attribute `S3-Access-Box-CRDT-Name` is equal to `AccessKeyId` (extract container id
from `AccessKeyId` that has format: `<cid>0<oid>`).
from `AccessKeyId` that has format: `<cid>0<oid>` if `AccessBox` was created with default parameters, or it can also
be arbitrary user-defined string).
* Get metadata for these object using `HEAD` requests (not `Get` to reduce network traffic)
* Get metadata for these object using `HEAD` requests (not `Get` to reduce network traffic)
* Sort all these objects by creation epoch and object id
* Sort all these objects by creation epoch and object id
* Pick last object id (If no object is found then extract object id from `AccessKeyId` that has format: `<cid>0<oid>`.
* Pick last object id (If no object is found then extract object id from `AccessKeyId` that has format: `<cid>0<oid>`
(if `AccessBox` was created with default parameters, or it can also be arbitrary user-defined string).
We need to do this because versions of `AccessBox` can miss the `S3-Access-Box-CRDT-Name` attribute.)
We need to do this because versions of `AccessBox` can miss the `S3-Access-Box-CRDT-Name` attribute.)
* Get appropriate object from FrostFS storage
* Get appropriate object from FrostFS storage
* Decrypt `AccessBox` (see [encryption](#encryption))
* Decrypt `AccessBox` (see [encryption](#encryption))
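Review bot: the amended first step is inconsistent with an arbitrary `AccessKeyId`: "extract container id from `AccessKeyId` that has format: `<cid>0<oid>`" cannot apply when the id is a user-defined string, yet the search for objects with `S3-Access-Box-CRDT-Name` still needs a container to search in, so the text should say where the container id comes from in that case. The same applies to the fallback in the "Pick last object id" step: when no object is found there is no `<oid>` to extract from a user-defined id, so the lookup can only fail there; state that explicitly. Style: the closing ")" of that bullet now lands two lines after the one that opens it; the exception reads better as its own sentence than as nested parentheses.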
@ -253,7 +257,7 @@ secp256r1 or prime256v1) is used (unless otherwise stated).
* Create ephemeral key (`SeedKey`), it's need to generate shared secret
* Create ephemeral key (`SeedKey`), it's need to generate shared secret
* Generate random 32-byte (that after hex-encoded be `SecretAccessKey`) or use existing secret access key
* Generate random 32-byte (that after hex-encoded be `SecretAccessKey`) or use existing secret access key
(if `AccessBox` is being updated rather than creating brand new)
(if `AccessBox` is being updated rather than creating brand new) or use arbitrary user-provided string
* Generate shared secret as [ECDH](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman)
* Generate shared secret as [ECDH](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman)
* Derive 32-byte key using shared secret from previous step with key derivation function based on
* Derive 32-byte key using shared secret from previous step with key derivation function based on
HMAC with SHA256 [HKDF](https://en.wikipedia.org/wiki/HKDF)
HMAC with SHA256 [HKDF](https://en.wikipedia.org/wiki/HKDF)
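Review bot: "or use arbitrary user-provided string" is appended to the continuation line of the previous bullet, so the step now reads as a run-on; list it as a third alternative inside the bullet ("..., or use the user-provided secret access key"). More importantly, the bullet says the 32 random bytes become `SecretAccessKey` after hex encoding, but for a user-provided value it is unclear whether the string is stored as-is or hex-encoded, and whether any later step assumes a 32-byte value; the following steps derive the encryption key from the `SeedKey` ECDH secret via HKDF, not from the secret access key, so a short sentence saying the user string is stored verbatim (if that is the case) would remove the ambiguity.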
@ -146,6 +146,32 @@ the secret. Format of `access_key_id`: `%cid0%oid`, where 0(zero) is a delimiter
24h). Default value is `720h` (30 days). It will be ceil rounded to the nearest amount of epoch
24h). Default value is `720h` (30 days). It will be ceil rounded to the nearest amount of epoch
* `--aws-cli-credentials` - path to the aws cli credentials file, where authmate will write `access_key_id` and
* `--aws-cli-credentials` - path to the aws cli credentials file, where authmate will write `access_key_id` and
`secret_access_key` to
`secret_access_key` to
* `--rpc-endpoint` - NEO node RPC address (must be provided if `--container-id` is NNS name)
* `--access-key-id` - access key id of s3 credential that must be created (must be unique)
* `--secret-access-key` - secret access key of s3 credential that must be used
You also can specify `AccessKeyID`/`SecretAccessKey` pair that should be created:
```shell
$ frostfs-s3-authmate issue-secret --wallet wallet.json \
--peer 192.168.130.71:8080 \
--gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
--gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
--access-key-id my-access-key \
--secret-access-key my-secret-key \
--container-id BpExV76416Vo7GrkJsGwXGoLM35xsBwup8voedDZR3c6
Enter password for wallet.json >
{
"initial_access_key_id": "my-access-key-3",
"access_key_id": "my-access-key",
"secret_access_key": "my-secret-key",
"owner_private_key": "d9972cc4f21b07a90f4b347c72c33c1d1611c2b9a2cfd0cc28cee8cb221e8e55",
"wallet_public_key": "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a",
"container_id": "BpExV76416Vo7GrkJsGwXGoLM35xsBwup8voedDZR3c6"
}
```
### Bearer tokens
### Bearer tokens
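Review bot: the example output does not match the command: `--access-key-id my-access-key` is passed, but the output shows `"initial_access_key_id": "my-access-key-3"`, and `initial_access_key_id` is not explained anywhere in this hunk; either describe that field or make the values consistent. The `--access-key-id` description says "(must be unique)" but omits the 4..128 length limit documented in the other file; add it here so the CLI docs and the design doc agree. For `--secret-access-key`, a value given on the command line ends up in shell history and in process listings; the doc should say so and point to any non-argument way of supplying it that the tool provides. Minor: "access key id of s3 credential that must be created" reads better as "access key id of the s3 credential to create".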