Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/mongodb security #5602

Merged
merged 4 commits into from
May 18, 2024
Merged

Feature/mongodb security #5602

merged 4 commits into from
May 18, 2024

Conversation

baursn
Copy link
Contributor

@baursn baursn commented May 18, 2024

What problem are we solving?

added insecure_skip_verify option to mongodb filer store

How is the PR tested?

tested on my local instance

@baursn baursn mentioned this pull request May 18, 2024
Merged
2 tasks
@kmlebedev
Copy link
Contributor

kmlebedev commented May 18, 2024
edited

@baursn I would recommend doing automatic reloading of certificates for https without restarting the process.
#

seaweedfs/weed/command/s3.go

Lines 293 to 322 in 3fae876

if *s3opt.tlsPrivateKey != "" {
pemfileOptions := pemfile.Options{
CertFile: *s3opt.tlsCertificate,
KeyFile: *s3opt.tlsPrivateKey,
RefreshDuration: security.CredRefreshingInterval,
}
if s3opt.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
}
caCertPool := x509.NewCertPool()
if *s3Options.tlsCACertificate != "" {
// load CA certificate file and add it to list of client CAs
caCertFile, err := ioutil.ReadFile(*s3opt.tlsCACertificate)
if err != nil {
glog.Fatalf("error reading CA certificate: %v", err)
}
caCertPool.AppendCertsFromPEM(caCertFile)
}
clientAuth := tls.NoClientCert
if *s3Options.tlsVerifyClientCert {
clientAuth = tls.RequireAndVerifyClientCert
}
httpS.TLSConfig = &tls.Config{
GetCertificate: s3opt.GetCertificateWithUpdate,
ClientAuth: clientAuth,
ClientCAs: caCertPool,
}

Maybe the driver itself can replace the certificate during reconnections?

@chrislusf chrislusf merged commit a3a00d9 into seaweedfs:master May 18, 2024
6 checks passed
@baursn
Copy link
Contributor Author

baursn commented May 18, 2024

@baursn I would recommend doing automatic reloading of certificates for https without restarting the process. #

seaweedfs/weed/command/s3.go

Lines 293 to 322 in 3fae876

if *s3opt.tlsPrivateKey != "" {
pemfileOptions := pemfile.Options{
CertFile: *s3opt.tlsCertificate,
KeyFile: *s3opt.tlsPrivateKey,
RefreshDuration: security.CredRefreshingInterval,
}
if s3opt.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
}
caCertPool := x509.NewCertPool()
if *s3Options.tlsCACertificate != "" {
// load CA certificate file and add it to list of client CAs
caCertFile, err := ioutil.ReadFile(*s3opt.tlsCACertificate)
if err != nil {
glog.Fatalf("error reading CA certificate: %v", err)
}
caCertPool.AppendCertsFromPEM(caCertFile)
}
clientAuth := tls.NoClientCert
if *s3Options.tlsVerifyClientCert {
clientAuth = tls.RequireAndVerifyClientCert
}
httpS.TLSConfig = &tls.Config{
GetCertificate: s3opt.GetCertificateWithUpdate,
ClientAuth: clientAuth,
ClientCAs: caCertPool,
}

Maybe the driver itself can replace the certificate during reconnections?

Is there any examples in other connectors, then i can take a look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@baursn @kmlebedev @chrislusf