ECS credentials bug fixes

This commit is contained in:
Richard Caunt 2017-11-06 21:45:58 +00:00
parent ccea87ca68
commit 366f0705a0
2 changed files with 27 additions and 14 deletions

View File

@ -320,14 +320,16 @@ void CurlHandlerPool::ReturnHandler(CURL* h)
#define MAX_MULTI_COPY_SOURCE_SIZE 524288000 // 500MB #define MAX_MULTI_COPY_SOURCE_SIZE 524288000 // 500MB
#define IAM_EXPIRE_MERGIN (20 * 60) // update timing #define IAM_EXPIRE_MERGIN (20 * 60) // update timing
#define IAM_BASE_URL "http://169.254.169.254" #define IAM_CRED_URL_ECS "http://169.254.170.2"
#define IAM_CRED_URL "/latest/meta-data/iam/security-credentials/" #define IAM_CRED_URL "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
#define ECS_IAM_ENV_VAR "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #define ECS_IAM_ENV_VAR "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
#define IAMCRED_ACCESSKEYID "AccessKeyId" #define IAMCRED_ACCESSKEYID "AccessKeyId"
#define IAMCRED_SECRETACCESSKEY "SecretAccessKey" #define IAMCRED_SECRETACCESSKEY "SecretAccessKey"
#define IAMCRED_ACCESSTOKEN "Token" #define IAMCRED_ACCESSTOKEN "Token"
#define IAMCRED_EXPIRATION "Expiration" #define IAMCRED_EXPIRATION "Expiration"
#define IAMCRED_ROLEARN "RoleArn"
#define IAMCRED_KEYCOUNT 4 #define IAMCRED_KEYCOUNT 4
#define IAMCRED_KEYCOUNT_ECS 5
// [NOTICE] // [NOTICE]
// This symbol is for libcurl under 7.23.0 // This symbol is for libcurl under 7.23.0
@ -1401,7 +1403,9 @@ bool S3fsCurl::ParseIAMCredentialResponse(const char* response, iamcredmap_t& ke
string::size_type pos; string::size_type pos;
string key; string key;
string val; string val;
if(string::npos != (pos = oneline.find(IAMCRED_ACCESSKEYID))){ if(string::npos != (pos = oneline.find(IAMCRED_ROLEARN))){
key = IAMCRED_ROLEARN;
}else if(string::npos != (pos = oneline.find(IAMCRED_ACCESSKEYID))){
key = IAMCRED_ACCESSKEYID; key = IAMCRED_ACCESSKEYID;
}else if(string::npos != (pos = oneline.find(IAMCRED_SECRETACCESSKEY))){ }else if(string::npos != (pos = oneline.find(IAMCRED_SECRETACCESSKEY))){
key = IAMCRED_SECRETACCESSKEY; key = IAMCRED_SECRETACCESSKEY;
@ -1410,6 +1414,7 @@ bool S3fsCurl::ParseIAMCredentialResponse(const char* response, iamcredmap_t& ke
}else if(string::npos != (pos = oneline.find(IAMCRED_EXPIRATION))){ }else if(string::npos != (pos = oneline.find(IAMCRED_EXPIRATION))){
key = IAMCRED_EXPIRATION; key = IAMCRED_EXPIRATION;
}else{ }else{
S3FS_PRN_INFO3("Unknown key");
continue; continue;
} }
if(string::npos == (pos = oneline.find(':', pos + key.length()))){ if(string::npos == (pos = oneline.find(':', pos + key.length()))){
@ -1423,6 +1428,7 @@ bool S3fsCurl::ParseIAMCredentialResponse(const char* response, iamcredmap_t& ke
continue; continue;
} }
val = oneline.substr(0, pos); val = oneline.substr(0, pos);
S3FS_PRN_INFO3("keyval: %s - %s", key, val);
keyval[key] = val; keyval[key] = val;
} }
return true; return true;
@ -1437,10 +1443,14 @@ bool S3fsCurl::SetIAMCredentials(const char* response)
if(!ParseIAMCredentialResponse(response, keyval)){ if(!ParseIAMCredentialResponse(response, keyval)){
return false; return false;
} }
if(IAMCRED_KEYCOUNT != keyval.size()){ S3FS_PRN_INFO3("Parsed");
if(S3fsCurl::is_ecs ? IAMCRED_KEYCOUNT_ECS : IAMCRED_KEYCOUNT != keyval.size()){
return false; return false;
} }
S3FS_PRN_INFO3("keyval size OK");
S3fsCurl::AWSAccessKeyId = keyval[string(IAMCRED_ACCESSKEYID)]; S3fsCurl::AWSAccessKeyId = keyval[string(IAMCRED_ACCESSKEYID)];
S3fsCurl::AWSSecretAccessKey = keyval[string(IAMCRED_SECRETACCESSKEY)]; S3fsCurl::AWSSecretAccessKey = keyval[string(IAMCRED_SECRETACCESSKEY)];
S3fsCurl::AWSAccessToken = keyval[string(IAMCRED_ACCESSTOKEN)]; S3fsCurl::AWSAccessToken = keyval[string(IAMCRED_ACCESSTOKEN)];
@ -1451,7 +1461,7 @@ bool S3fsCurl::SetIAMCredentials(const char* response)
bool S3fsCurl::CheckIAMCredentialUpdate(void) bool S3fsCurl::CheckIAMCredentialUpdate(void)
{ {
if(0 == S3fsCurl::IAM_role.size()){ if(0 == S3fsCurl::IAM_role.size() && !S3fsCurl::is_ecs){
return true; return true;
} }
if(time(NULL) + IAM_EXPIRE_MERGIN <= S3fsCurl::AWSAccessTokenExpire){ if(time(NULL) + IAM_EXPIRE_MERGIN <= S3fsCurl::AWSAccessTokenExpire){
@ -2344,12 +2354,15 @@ int S3fsCurl::DeleteRequest(const char* tpath)
// //
int S3fsCurl::GetIAMCredentials(void) int S3fsCurl::GetIAMCredentials(void)
{ {
S3FS_PRN_INFO3("[IAM role=%s]", S3fsCurl::IAM_role.c_str()); if (!S3fsCurl::is_ecs) {
S3FS_PRN_INFO3("[IAM role=%s]", S3fsCurl::IAM_role.c_str());
if(0 == S3fsCurl::IAM_role.size()){ if(0 == S3fsCurl::IAM_role.size()) {
S3FS_PRN_ERR("IAM role name is empty."); S3FS_PRN_ERR("IAM role name is empty.");
return -EIO; return -EIO;
}
} }
// at first set type for handle // at first set type for handle
type = REQTYPE_IAMCRED; type = REQTYPE_IAMCRED;
@ -2359,12 +2372,12 @@ int S3fsCurl::GetIAMCredentials(void)
// url // url
if (is_ecs) { if (is_ecs) {
url = string(IAM_BASE_URL) + std::getenv(ECS_IAM_ENV_VAR); url = string(IAM_CRED_URL_ECS) + std::getenv(ECS_IAM_ENV_VAR);
} }
else { else {
url = string(IAM_BASE_URL) + string(IAM_CRED_URL) + S3fsCurl::IAM_role; url = string(IAM_CRED_URL) + S3fsCurl::IAM_role;
} }
requestHeaders = NULL; requestHeaders = NULL;
responseHeaders.clear(); responseHeaders.clear();
bodydata = new BodyData(); bodydata = new BodyData();
@ -2401,7 +2414,7 @@ bool S3fsCurl::LoadIAMRoleFromMetaData(void)
} }
// url // url
url = string(IAM_BASE_URL) + string(IAM_CRED_URL); url = string(IAM_CRED_URL);
requestHeaders = NULL; requestHeaders = NULL;
responseHeaders.clear(); responseHeaders.clear();
bodydata = new BodyData(); bodydata = new BodyData();

View File

@ -4918,7 +4918,7 @@ int main(int argc, char* argv[])
S3FS_PRN_EXIT("specifying both passwd_file and the access keys options is invalid."); S3FS_PRN_EXIT("specifying both passwd_file and the access keys options is invalid.");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
if(!S3fsCurl::IsPublicBucket() && !load_iamrole){ if(!S3fsCurl::IsPublicBucket() && !load_iamrole && !is_ecs){
if(EXIT_SUCCESS != get_access_keys()){ if(EXIT_SUCCESS != get_access_keys()){
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }