Do not save credentials in config.json (#16275)

2024-07-20 18:04:21 +00:00 · 2022-12-19 21:27:06 +01:00 · 2022-12-19 21:27:06 +01:00 · e57e946206
parent b4f71362e9
commit e57e946206
7 changed files with 8 additions and 92 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@ -773,6 +773,8 @@ func handleCommonEnvVars() {
 			logger.Info(color.RedBold(msg))
 		}
 		globalActiveCred = cred
+	} else {
+		globalActiveCred = auth.DefaultCredentials
 	}
 }

--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@ -25,7 +25,6 @@ import (
 	"sync"

 	"github.com/minio/madmin-go/v2"
-	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/config"
 	"github.com/minio/minio/internal/config/api"
 	"github.com/minio/minio/internal/config/cache"
@ -65,7 +64,6 @@ func initHelp() {
 		config.SiteSubSys:           config.DefaultSiteKVS,
 		config.RegionSubSys:         config.DefaultRegionKVS,
 		config.APISubSys:            api.DefaultKVS,
-		config.CredentialsSubSys:    config.DefaultCredentialKVS,
 		config.LoggerWebhookSubSys:  logger.DefaultLoggerWebhookKVS,
 		config.AuditWebhookSubSys:   logger.DefaultAuditWebhookKVS,
 		config.AuditKafkaSubSys:     logger.DefaultAuditKafkaKVS,
@ -427,15 +425,6 @@ func validateConfig(s config.Config, subSys string) error {
 func lookupConfigs(s config.Config, objAPI ObjectLayer) {
 	ctx := GlobalContext

-	var err error
-	if !globalActiveCred.IsValid() {
-		// Env doesn't seem to be set, we fallback to lookup creds from the config.
-		globalActiveCred, err = config.LookupCreds(s[config.CredentialsSubSys][config.Default])
-		if err != nil {
-			logger.LogIf(ctx, fmt.Errorf("Invalid credentials configuration: %w", err))
-		}
-	}
-
 	dnsURL, dnsUser, dnsPass, err := env.LookupEnv(config.EnvDNSWebhook)
 	if err != nil {
 		logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
@ -765,13 +754,6 @@ func newSrvConfig(objAPI ObjectLayer) error {
 	// Initialize server config.
 	srvCfg := newServerConfig()

-	if globalActiveCred.IsValid() && !globalActiveCred.Equal(auth.DefaultCredentials) {
-		kvs := srvCfg[config.CredentialsSubSys][config.Default]
-		kvs.Set(config.AccessKey, globalActiveCred.AccessKey)
-		kvs.Set(config.SecretKey, globalActiveCred.SecretKey)
-		srvCfg[config.CredentialsSubSys][config.Default] = kvs
-	}
-
 	// hold the mutex lock before a new config is assigned.
 	globalServerConfigMu.Lock()
 	globalServerConfig = srvCfg
--- a/cmd/config-migrate.go
+++ b/cmd/config-migrate.go
@ -2755,9 +2755,7 @@ func migrateMinioSysConfigToKV(objAPI ObjectLayer) error {

 	newCfg := newServerConfig()

-	config.SetCredentials(newCfg, cfg.Credential)
 	config.SetRegion(newCfg, cfg.Region)
-
 	storageclass.SetStorageClass(newCfg, cfg.StorageClass)

 	for k, loggerArgs := range cfg.Logger.HTTP {
--- a/cmd/config-migrate_test.go
+++ b/cmd/config-migrate_test.go
@ -22,8 +22,6 @@ import (
 	"fmt"
 	"os"
 	"testing"
-
-	"github.com/minio/minio/internal/config"
 )

 // Test if config v1 is purged
@ -210,17 +208,6 @@ func TestServerConfigMigrateV2toV33(t *testing.T) {
 	if err := loadConfig(objLayer, nil); err != nil {
 		t.Fatalf("Unable to initialize from updated config file %s", err)
 	}
-
-	// Check if accessKey and secretKey are not altered during migration
-	caccessKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.AccessKey)
-	if caccessKey != accessKey {
-		t.Fatalf("Access key lost during migration, expected: %v, found:%v", accessKey, caccessKey)
-	}
-
-	csecretKey := globalServerConfig[config.CredentialsSubSys][config.Default].Get(config.SecretKey)
-	if csecretKey != secretKey {
-		t.Fatalf("Secret key lost during migration, expected: %v, found: %v", secretKey, csecretKey)
-	}
 }

 // Test if all migrate code returns error with corrupted config files
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@ -535,10 +535,6 @@ func serverMain(ctx *cli.Context) {
 		}
 	}()

-	if !globalActiveCred.IsValid() && globalIsDistErasure {
-		globalActiveCred = auth.DefaultCredentials
-	}
-
 	// Set system resources to maximum.
 	setMaxResources()

@ -605,6 +601,12 @@ func serverMain(ctx *cli.Context) {
 		logger.Info(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
 	}

+	if globalActiveCred.Equal(auth.DefaultCredentials) {
+		msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
+			globalActiveCred)
+		logger.Info(color.RedBold(msg))
+	}
+
 	if err = initServer(GlobalContext, newObject); err != nil {
 		var cerr config.Err
 		// For any config error, we don't need to drop into safe-mode
@ -621,19 +623,6 @@ func serverMain(ctx *cli.Context) {
 		logger.LogIf(GlobalContext, err)
 	}

-	if globalActiveCred.Equal(auth.DefaultCredentials) {
-		msg := fmt.Sprintf("WARNING: Detected default credentials '%s', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables",
-			globalActiveCred)
-		logger.Info(color.RedBold(msg))
-	}
-
-	savedCreds, _ := config.LookupCreds(globalServerConfig[config.CredentialsSubSys][config.Default])
-	if globalActiveCred.Equal(auth.DefaultCredentials) && !globalActiveCred.Equal(savedCreds) {
-		msg := fmt.Sprintf("WARNING: Detected credentials changed to '%s', please set them back to previously set values",
-			globalActiveCred)
-		logger.Info(color.RedBold(msg))
-	}
-
 	// Initialize users credentials and policies in background right after config has initialized.
 	go func() {
 		globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient, globalRefreshIAMInterval)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -96,7 +96,6 @@ const (

 // Top level config constants.
 const (
-	CredentialsSubSys    = madmin.CredentialsSubSys
 	PolicyOPASubSys      = madmin.PolicyOPASubSys
 	PolicyPluginSubSys   = madmin.PolicyPluginSubSys
 	IdentityOpenIDSubSys = madmin.IdentityOpenIDSubSys
@ -178,7 +177,6 @@ var SubSystemsDynamic = set.CreateStringSet(

 // SubSystemsSingleTargets - subsystems which only support single target.
 var SubSystemsSingleTargets = set.CreateStringSet(
-	CredentialsSubSys,
 	SiteSubSys,
 	RegionSubSys,
 	EtcdSubSys,
@ -463,9 +461,6 @@ func (c Config) RedactSensitiveInfo() Config {
 		}
 	}

-	// Remove the server credentials altogether
-	nc.DelKVS(CredentialsSubSys)
-
 	return nc
 }

@ -501,20 +496,6 @@ var (
 	}
 )

-// LookupCreds - lookup credentials from config.
-func LookupCreds(kv KVS) (auth.Credentials, error) {
-	if err := CheckValidKeys(CredentialsSubSys, kv, DefaultCredentialKVS); err != nil {
-		return auth.Credentials{}, err
-	}
-	accessKey := kv.Get(AccessKey)
-	secretKey := kv.Get(SecretKey)
-	if accessKey == "" || secretKey == "" {
-		accessKey = auth.DefaultAccessKey
-		secretKey = auth.DefaultSecretKey
-	}
-	return auth.CreateCredentials(accessKey, secretKey)
-}
-
 // Site - holds site info - name and region.
 type Site struct {
 	Name   string
--- a/internal/config/legacy.go
+++ b/internal/config/legacy.go
@ -17,31 +17,8 @@

 package config

-import "github.com/minio/minio/internal/auth"
-
 // One time migration code section

-// SetCredentials - One time migration code needed, for migrating from older config to new for server credentials.
-func SetCredentials(c Config, cred auth.Credentials) {
-	creds, err := auth.CreateCredentials(cred.AccessKey, cred.SecretKey)
-	if err != nil {
-		return
-	}
-	if !creds.IsValid() {
-		return
-	}
-	c[CredentialsSubSys][Default] = KVS{
-		KV{
-			Key:   AccessKey,
-			Value: cred.AccessKey,
-		},
-		KV{
-			Key:   SecretKey,
-			Value: cred.SecretKey,
-		},
-	}
-}
-
 // SetRegion - One time migration code needed, for migrating from older config to new for server Region.
 func SetRegion(c Config, name string) {
 	if name == "" {