self-hosted/minio
self-hosted/minio
1
0
Fork 0
mirror of https://github.com/minio/minio synced 2024-10-14 11:52:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Show a better error msg when internal data encryption key is incorrect (#16549)

Browse source
This commit is contained in:
Anis Elleuch 2023-02-07 14:22:54 +01:00 committed by GitHub
parent 0319ae756a
commit 095b518802
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 14 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
cmd/config-migrate.go
View file

@ -46,7 +46,7 @@ import (
"github.com/minio/pkg/quick" "github.com/minio/pkg/quick"
) )
// DO NOT EDIT following message template, please open a GitHub issue to discuss instead. // Do not edit following message template, please open a GitHub issue to discuss instead.
var configMigrateMSGTemplate = "Configuration file %s migrated from version '%s' to '%s' successfully." var configMigrateMSGTemplate = "Configuration file %s migrated from version '%s' to '%s' successfully."
// Save config file to corresponding backend // Save config file to corresponding backend
@ -2515,20 +2515,13 @@ func checkConfigVersion(objAPI ObjectLayer, configFile string, version string) (
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{ data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, configFile), minioMetaBucket: path.Join(minioMetaBucket, configFile),
}) })
if err != nil { }
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil { if GlobalKMS == nil && err != nil {
if err == madmin.ErrMaliciousData {
return false, nil, config.ErrInvalidCredentialsBackendEncrypted(nil)
}
return false, nil, err
}
}
} else {
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil { if err != nil {
if err == madmin.ErrMaliciousData { if err == madmin.ErrMaliciousData || err == madmin.ErrUnexpectedHeader {
return false, nil, config.ErrInvalidCredentialsBackendEncrypted(nil) return false, nil, config.ErrInvalidConfigDecryptionKey(nil)
} }
return false, nil, err return false, nil, err
} }

2
cmd/server-main.go
View file

@ -465,7 +465,7 @@ func initConfigSubsystem(ctx context.Context, newObject ObjectLayer) error {
} }
// Any other config errors we simply print a message and proceed forward. // Any other config errors we simply print a message and proceed forward.
logger.LogIf(ctx, fmt.Errorf("Unable to initialize config, some features may be missing %w", err)) logger.LogIf(ctx, fmt.Errorf("Unable to initialize config, some features may be missing: %w", err))
} }
return nil return nil

2
go.mod
View file

@ -48,7 +48,7 @@ require (
github.com/minio/dperf v0.4.2 github.com/minio/dperf v0.4.2
github.com/minio/highwayhash v1.0.2 github.com/minio/highwayhash v1.0.2
github.com/minio/kes v0.22.3 github.com/minio/kes v0.22.3
github.com/minio/madmin-go/v2 v2.0.8 github.com/minio/madmin-go/v2 v2.0.9
github.com/minio/minio-go/v7 v7.0.47 github.com/minio/minio-go/v7 v7.0.47
github.com/minio/mux v1.9.0 github.com/minio/mux v1.9.0
github.com/minio/pkg v1.6.1 github.com/minio/pkg v1.6.1

4
go.sum
View file

@ -775,8 +775,8 @@ github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLT
github.com/minio/kes v0.22.3 h1:aSPW9uCMVaLax5POxvoQJxCU4MNo/KzMXA7WfmC/lRw= github.com/minio/kes v0.22.3 h1:aSPW9uCMVaLax5POxvoQJxCU4MNo/KzMXA7WfmC/lRw=
github.com/minio/kes v0.22.3/go.mod h1:wnhmdwWX2rpurNPKn3yDFImg2wuc7j3e+IU5rVkR9UY= github.com/minio/kes v0.22.3/go.mod h1:wnhmdwWX2rpurNPKn3yDFImg2wuc7j3e+IU5rVkR9UY=
github.com/minio/madmin-go v1.6.6/go.mod h1:ATvkBOLiP3av4D++2v1UEHC/QzsGtgXD5kYvvRYzdKs= github.com/minio/madmin-go v1.6.6/go.mod h1:ATvkBOLiP3av4D++2v1UEHC/QzsGtgXD5kYvvRYzdKs=
github.com/minio/madmin-go/v2 v2.0.8 h1:gyqkULZS+RX5G2a4pxC8vmewbTzTBKItqqCIHR1GUcs= github.com/minio/madmin-go/v2 v2.0.9 h1:wv1e4ZTH1L1SaHs/jaI3uW2AHYQw77T2hgarfPo1j3U=
github.com/minio/madmin-go/v2 v2.0.8/go.mod h1:5aFi/VLWBHC2DEFfGIlUmAeJhaF4ZAjuYpEWZFU14Zw= github.com/minio/madmin-go/v2 v2.0.9/go.mod h1:5aFi/VLWBHC2DEFfGIlUmAeJhaF4ZAjuYpEWZFU14Zw=
github.com/minio/mc v0.0.0-20230203133213-3aebb3362b18 h1:Di71Ums7dD5vA3VK/loOqb/QttQjvCV/1/DF77w1XqA= github.com/minio/mc v0.0.0-20230203133213-3aebb3362b18 h1:Di71Ums7dD5vA3VK/loOqb/QttQjvCV/1/DF77w1XqA=
github.com/minio/mc v0.0.0-20230203133213-3aebb3362b18/go.mod h1:j3BgTu1LshBzna9Wf8il7WAyw9IQabMu+EcrDUaNZ2k= github.com/minio/mc v0.0.0-20230203133213-3aebb3362b18/go.mod h1:j3BgTu1LshBzna9Wf8il7WAyw9IQabMu+EcrDUaNZ2k=
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34= github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=

8
internal/config/errors.go
View file

@ -121,10 +121,10 @@ var (
"MINIO_CACHE_AFTER cannot be used with MINIO_CACHE_COMMIT setting", "MINIO_CACHE_AFTER cannot be used with MINIO_CACHE_COMMIT setting",
) )
ErrInvalidCredentialsBackendEncrypted = newErrFn( ErrInvalidConfigDecryptionKey = newErrFn(
"Invalid credentials", "Incorrect encryption key to decrypt internal data",
"Please set correct credentials in the environment for decryption", "Please set the correct default KMS key value or the correct root credentials for older MinIO versions.",
`Detected encrypted config backend, correct access and secret keys should be specified via environment variables MINIO_ROOT_USER and MINIO_ROOT_PASSWORD to be able to decrypt the MinIO config, user IAM and policies`, `Revert MINIO_KMS_KES_KEY_NAME or MINIO_ROOT_USER/MINIO_ROOT_PASSWORD (for older MinIO versions) to be able to decrypt the internal data again.`,
) )
ErrInvalidCredentials = newErrFn( ErrInvalidCredentials = newErrFn(