diff --git a/docs/authentication.md b/docs/authentication.md index 60f2e4f1..caac9512 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -159,8 +159,10 @@ storage node. Object s3 credentials are formed based on: * `AccessKeyId` - is concatenated container id and object id (`0`) of `AccessBox` ( - e.g. `2XGRML5EW3LMHdf64W2DkBy1Nkuu4y4wGhUj44QjbXBi05ZNvs8WVwy1XTmSEkcVkydPKzCgtmR7U3zyLYTj3Snxf`) -* `SecretAccessKey` - hex-encoded random generated 32 bytes (that is encrypted and stored in object payload) + e.g. `2XGRML5EW3LMHdf64W2DkBy1Nkuu4y4wGhUj44QjbXBi05ZNvs8WVwy1XTmSEkcVkydPKzCgtmR7U3zyLYTj3Snxf`). + Or it can be arbitrary user-provided unique string with min length 4 and max length 128. +* `SecretAccessKey` - hex-encoded random generated 32 bytes (that is encrypted and stored in object payload). + Or it can be arbitrary user-provided unique string with min length 4 and max length 128. > **Note**: sensitive info in `AccessBox` is [encrypted](#encryption), so only someone who posses specific private key > can decrypt such info. @@ -192,7 +194,7 @@ It contains: * List of gate data: * Gate public key (so that gate (when it will decrypt data later) know which item from the list it should process) * Encrypted tokens: - * `SecretAccessKey` - hex-encoded random generated 32 bytes + * `SecretAccessKey` - hex-encoded random generated 32 bytes (or arbitrary user-provided string) * Marshaled bearer token - more detail in [spec](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/commit/4c68d92468503b10282c8a92af83a56f170c8a3a/acl/types.proto#L189) * Marshaled session token - more detail @@ -229,10 +231,12 @@ relevant data) the following sequence is used: * Search all object whose attribute `S3-Access-Box-CRDT-Name` is equal to `AccessKeyId` (extract container id - from `AccessKeyId` that has format: `0`). + from `AccessKeyId` that has format: `0` if `AccessBox` was created with default parameters, or it can also + be arbitrary user-defined string). * Get metadata for these object using `HEAD` requests (not `Get` to reduce network traffic) * Sort all these objects by creation epoch and object id -* Pick last object id (If no object is found then extract object id from `AccessKeyId` that has format: `0`. +* Pick last object id (If no object is found then extract object id from `AccessKeyId` that has format: `0` + (if `AccessBox` was created with default parameters, or it can also be arbitrary user-defined string). We need to do this because versions of `AccessBox` can miss the `S3-Access-Box-CRDT-Name` attribute.) * Get appropriate object from FrostFS storage * Decrypt `AccessBox` (see [encryption](#encryption)) @@ -253,7 +257,7 @@ secp256r1 or prime256v1) is used (unless otherwise stated). * Create ephemeral key (`SeedKey`), it's need to generate shared secret * Generate random 32-byte (that after hex-encoded be `SecretAccessKey`) or use existing secret access key - (if `AccessBox` is being updated rather than creating brand new) + (if `AccessBox` is being updated rather than creating brand new) or use arbitrary user-provided string * Generate shared secret as [ECDH](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman) * Derive 32-byte key using shared secret from previous step with key derivation function based on HMAC with SHA256 [HKDF](https://en.wikipedia.org/wiki/HKDF) diff --git a/docs/authmate.md b/docs/authmate.md index c0b1be5e..5c947ee7 100644 --- a/docs/authmate.md +++ b/docs/authmate.md @@ -146,6 +146,32 @@ the secret. Format of `access_key_id`: `%cid0%oid`, where 0(zero) is a delimiter 24h). Default value is `720h` (30 days). It will be ceil rounded to the nearest amount of epoch * `--aws-cli-credentials` - path to the aws cli credentials file, where authmate will write `access_key_id` and `secret_access_key` to +* `--rpc-endpoint` - NEO node RPC address (must be provided if `--container-id` is NNS name) +* `--access-key-id` - access key id of s3 credential that must be created (must be unique) +* `--secret-access-key` - secret access key of s3 credential that must be used + +You also can specify `AccessKeyID`/`SecretAccessKey` pair that should be created: + +```shell +$ frostfs-s3-authmate issue-secret --wallet wallet.json \ +--peer 192.168.130.71:8080 \ + --gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \ + --gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \ + --access-key-id my-access-key \ + --secret-access-key my-secret-key \ + --container-id BpExV76416Vo7GrkJsGwXGoLM35xsBwup8voedDZR3c6 + + Enter password for wallet.json > + +{ + "initial_access_key_id": "my-access-key-3", + "access_key_id": "my-access-key", + "secret_access_key": "my-secret-key", + "owner_private_key": "d9972cc4f21b07a90f4b347c72c33c1d1611c2b9a2cfd0cc28cee8cb221e8e55", + "wallet_public_key": "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a", + "container_id": "BpExV76416Vo7GrkJsGwXGoLM35xsBwup8voedDZR3c6" +} +``` ### Bearer tokens