From 366f0705a083f7ef8d6f5232c880a8a43b22c92e Mon Sep 17 00:00:00 2001
From: Richard Caunt
Date: Mon, 6 Nov 2017 21:45:58 +0000
Subject: [PATCH] ECS credentials bug fixes
---
 src/curl.cpp | 39 ++++++++++++++++++++++++++-------------
 src/s3fs.cpp | 2 +-
 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/src/curl.cpp b/src/curl.cpp
index 5581ea8..5b268cb 100644
--- a/src/curl.cpp
+++ b/src/curl.cpp
@@ -320,14 +320,16 @@ void CurlHandlerPool::ReturnHandler(CURL* h)
 #define MAX_MULTI_COPY_SOURCE_SIZE 524288000 // 500MB
 #define IAM_EXPIRE_MERGIN (20 * 60) // update timing
-#define IAM_BASE_URL "http://169.254.169.254"
-#define IAM_CRED_URL "/latest/meta-data/iam/security-credentials/"
+#define IAM_CRED_URL_ECS "http://169.254.170.2"
+#define IAM_CRED_URL "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
 #define ECS_IAM_ENV_VAR "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 #define IAMCRED_ACCESSKEYID "AccessKeyId"
 #define IAMCRED_SECRETACCESSKEY "SecretAccessKey"
 #define IAMCRED_ACCESSTOKEN "Token"
 #define IAMCRED_EXPIRATION "Expiration"
+#define IAMCRED_ROLEARN "RoleArn"
 #define IAMCRED_KEYCOUNT 4
+#define IAMCRED_KEYCOUNT_ECS 5
 // [NOTICE]
 // This symbol is for libcurl under 7.23.0
@@ -1401,7 +1403,9 @@ bool S3fsCurl::ParseIAMCredentialResponse(const char* response, iamcredmap_t& ke
 string::size_type pos;
 string key;
 string val;
- if(string::npos != (pos = oneline.find(IAMCRED_ACCESSKEYID))){
+ if(string::npos != (pos = oneline.find(IAMCRED_ROLEARN))){
+ key = IAMCRED_ROLEARN;
+ }else if(string::npos != (pos = oneline.find(IAMCRED_ACCESSKEYID))){
 key = IAMCRED_ACCESSKEYID;
 }else if(string::npos != (pos = oneline.find(IAMCRED_SECRETACCESSKEY))){
 key = IAMCRED_SECRETACCESSKEY;
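Review bot: The name IAM_CRED_URL_ECS is misleading next to the reworked IAM_CRED_URL: the ECS constant is only a scheme and host (`http://169.254.170.2`) that GetIAMCredentials completes at runtime from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, whereas IAM_CRED_URL is now a complete metadata path. A name that says so, e.g. `#define IAM_ECS_BASE_URL "http://169.254.170.2"` with the single use in GetIAMCredentials updated, would make that difference visible at the use site. The new count also deserves a note on why it differs, e.g. `#define IAMCRED_KEYCOUNT_ECS 5 // the four keys above plus RoleArn`.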
@@ -1410,6 +1414,7 @@ bool S3fsCurl::ParseIAMCredentialResponse(const char* response, iamcredmap_t& ke
 }else if(string::npos != (pos = oneline.find(IAMCRED_EXPIRATION))){
 key = IAMCRED_EXPIRATION;
 }else{
+ S3FS_PRN_INFO3("Unknown key");
 continue;
 }
 if(string::npos == (pos = oneline.find(':', pos + key.length()))){
@@ -1423,6 +1428,7 @@ bool S3fsCurl::ParseIAMCredentialResponse(const char* response, iamcredmap_t& ke
 continue;
 }
 val = oneline.substr(0, pos);
+ S3FS_PRN_INFO3("keyval: %s - %s", key, val);
 keyval[key] = val;
 }
 return true;
@@ -1437,10 +1443,14 @@ bool S3fsCurl::SetIAMCredentials(const char* response)
 if(!ParseIAMCredentialResponse(response, keyval)){
 return false;
 }
- if(IAMCRED_KEYCOUNT != keyval.size()){
+ S3FS_PRN_INFO3("Parsed");
+
+ if(S3fsCurl::is_ecs ? IAMCRED_KEYCOUNT_ECS : IAMCRED_KEYCOUNT != keyval.size()){
 return false;
 }
+ S3FS_PRN_INFO3("keyval size OK");
+
 S3fsCurl::AWSAccessKeyId = keyval[string(IAMCRED_ACCESSKEYID)];
 S3fsCurl::AWSSecretAccessKey = keyval[string(IAMCRED_SECRETACCESSKEY)];
 S3fsCurl::AWSAccessToken = keyval[string(IAMCRED_ACCESSTOKEN)];
@@ -1451,7 +1461,7 @@ bool S3fsCurl::SetIAMCredentials(const char* response)
 bool S3fsCurl::CheckIAMCredentialUpdate(void)
 {
- if(0 == S3fsCurl::IAM_role.size()){
+ if(0 == S3fsCurl::IAM_role.size() && !S3fsCurl::is_ecs){
 return true;
 }
 if(time(NULL) + IAM_EXPIRE_MERGIN <= S3fsCurl::AWSAccessTokenExpire){
@@ -2344,12 +2354,15 @@ int S3fsCurl::DeleteRequest(const char* tpath)
 //
 int S3fsCurl::GetIAMCredentials(void)
 {
- S3FS_PRN_INFO3("[IAM role=%s]", S3fsCurl::IAM_role.c_str());
+ if (!S3fsCurl::is_ecs) {
+ S3FS_PRN_INFO3("[IAM role=%s]", S3fsCurl::IAM_role.c_str());
- if(0 == S3fsCurl::IAM_role.size()){
- S3FS_PRN_ERR("IAM role name is empty.");
- return -EIO;
+ if(0 == S3fsCurl::IAM_role.size()) {
+ S3FS_PRN_ERR("IAM role name is empty.");
+ return -EIO;
+ }
 }
+
 // at first set type for handle
 type = REQTYPE_IAMCRED;
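Review bot: The new `S3FS_PRN_INFO3("keyval: %s - %s", key, val);` hands two std::string objects to a printf-style `%s`, which is undefined behaviour (the same macro is fed `S3fsCurl::IAM_role.c_str()` elsewhere in this patch), and for the SecretAccessKey and Token entries `val` is the live credential, so the line would write secrets into the debug log whenever that level is enabled. Log the key name only: `S3FS_PRN_INFO3("keyval: %s", key.c_str());`. ParseIAMCredentialResponse's closing brace lies just past the end of this hunk.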
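Review bot: The new size check `if(S3fsCurl::is_ecs ? IAMCRED_KEYCOUNT_ECS : IAMCRED_KEYCOUNT != keyval.size())` parses as `is_ecs ? 5 : (4 != keyval.size())` because `!=` binds tighter than `?:`, so in ECS mode the condition is always true and SetIAMCredentials always returns false. Spell the expected count out first: `const size_t expected = S3fsCurl::is_ecs ? IAMCRED_KEYCOUNT_ECS : IAMCRED_KEYCOUNT;` followed by `if(expected != keyval.size()){`, which also removes the signed/unsigned comparison. The `"Parsed"` and `"keyval size OK"` lines read as leftover breadcrumb debugging and could be dropped or folded into one message that reports the count. SetIAMCredentials begins and ends outside this hunk.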
@@ -2359,12 +2372,12 @@ int S3fsCurl::GetIAMCredentials(void)
 // url
 if (is_ecs) {
- url = string(IAM_BASE_URL) + std::getenv(ECS_IAM_ENV_VAR);
+ url = string(IAM_CRED_URL_ECS) + std::getenv(ECS_IAM_ENV_VAR);
 } else {
- url = string(IAM_BASE_URL) + string(IAM_CRED_URL) + S3fsCurl::IAM_role;
+ url = string(IAM_CRED_URL) + S3fsCurl::IAM_role;
 }
-
+
 requestHeaders = NULL;
 responseHeaders.clear();
 bodydata = new BodyData();
@@ -2401,7 +2414,7 @@ bool S3fsCurl::LoadIAMRoleFromMetaData(void)
 }
 // url
- url = string(IAM_BASE_URL) + string(IAM_CRED_URL);
+ url = string(IAM_CRED_URL);
 requestHeaders = NULL;
 responseHeaders.clear();
 bodydata = new BodyData();
diff --git a/src/s3fs.cpp b/src/s3fs.cpp
index 7da6216..9320a23 100644
--- a/src/s3fs.cpp
+++ b/src/s3fs.cpp
@@ -4918,7 +4918,7 @@ int main(int argc, char* argv[])
 S3FS_PRN_EXIT("specifying both passwd_file and the access keys options is invalid.");
 exit(EXIT_FAILURE);
 }
- if(!S3fsCurl::IsPublicBucket() && !load_iamrole){
+ if(!S3fsCurl::IsPublicBucket() && !load_iamrole && !is_ecs){
 if(EXIT_SUCCESS != get_access_keys()){
 exit(EXIT_FAILURE);
 }
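Review bot: `std::getenv(ECS_IAM_ENV_VAR)` on the new `url = string(IAM_CRED_URL_ECS) + ...` line returns a null pointer when the variable is unset, and appending a null `const char*` to a std::string is undefined behaviour; the commit swaps the base URL but keeps the unchecked call. Bind the result first and fail the way the role-name check in this function already does: `const char* relative_uri = std::getenv(ECS_IAM_ENV_VAR);` / `if(!relative_uri){ S3FS_PRN_ERR("%s is not set.", ECS_IAM_ENV_VAR); return -EIO; }` / `url = string(IAM_CRED_URL_ECS) + relative_uri;`. GetIAMCredentials starts before this hunk and continues after it.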
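Review bot: With `&& !is_ecs` added, an ECS-mode mount skips get_access_keys(), and as far as this hunk shows nothing else in main() confirms that AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is actually set, so a missing variable would presumably surface only on the first credential fetch rather than at mount time. A startup check beside this condition, `if(is_ecs && !getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")){ S3FS_PRN_EXIT("ecs is specified but AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set."); exit(EXIT_FAILURE); }`, would give the same early failure the neighbouring option checks give. Whether this `is_ecs` is the same state as `S3fsCurl::is_ecs` used in curl.cpp is not visible from the diff; if they are separate variables, a comment saying which one is authoritative would help. main() begins and ends outside this hunk.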