From 181cd42bbf521e05b8ae87a46e509a66e9bd9030 Mon Sep 17 00:00:00 2001
From: Andrej Mickov
Date: Tue, 3 Mar 2026 23:27:16 +0100
Subject: [PATCH] Changed environment variable names for auth settings.
---
 .env.example | 18 +++++++++---------
 README.md | 6 +++---
 auth/README.md | 28 ++++++++++++++--------------
 utils/config.go | 16 ++++++++--------
 4 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/.env.example b/.env.example
index a4dcab2..d150fde 100644
--- a/.env.example
+++ b/.env.example
@@ -7,14 +7,14 @@ ADDRESS=0.0.0.0
 GC_INTERVAL=10
 GC_ENABLED=true
 MULTIPART_RETENTION_HOURS=24
-AUTH_ENABLED=false
-AUTH_REGION=us-east-1
-AUTH_SKEW_SECONDS=300
-AUTH_MAX_PRESIGN_SECONDS=86400
-# When AUTH_ENABLED=true you MUST set AUTH_MASTER_KEY to a strong random value, e.g.:
+FS_AUTH_ENABLED=false
+FS_AUTH_REGION=us-east-1
+FS_AUTH_CLOCK_SKEW_SECONDS=300
+FS_AUTH_MAX_PRESIGN_SECONDS=86400
+# When FS_AUTH_ENABLED=true you MUST set FS_MASTER_KEY to a strong random value, e.g.:
 # openssl rand -base64 32
-AUTH_MASTER_KEY=REPLACE_WITH_SECURE_RANDOM_KEY
-AUTH_BOOTSTRAP_ACCESS_KEY=
-AUTH_BOOTSTRAP_SECRET_KEY=
-AUTH_BOOTSTRAP_POLICY=
+FS_MASTER_KEY=REPLACE_WITH_SECURE_RANDOM_KEY
+FS_ROOT_USER=
+FS_ROOT_PASSWORD=
+FS_ROOT_POLICY_JSON=
 ADMIN_API_ENABLED=true
diff --git a/README.md b/README.md
index 1a8c5cc..6c6e49d 100644
--- a/README.md
+++ b/README.md
@@ -44,9 +44,9 @@ Admin API (JSON):
 ## Auth Setup
-Required when `AUTH_ENABLED=true`:
-- `AUTH_MASTER_KEY` must be base64 for 32 decoded bytes (AES-256 key), e.g. `openssl rand -base64 32`
-- `AUTH_BOOTSTRAP_ACCESS_KEY` and `AUTH_BOOTSTRAP_SECRET_KEY` define initial credentials
+Required when `FS_AUTH_ENABLED=true`:
+- `FS_MASTER_KEY` must be base64 for 32 decoded bytes (AES-256 key), e.g. `openssl rand -base64 32`
+- `FS_ROOT_USER` and `FS_ROOT_PASSWORD` define initial credentials
 - `ADMIN_API_ENABLED=true` enables `/_admin/v1/*` routes (bootstrap key only)
 Reference: `auth/README.md`
diff --git a/auth/README.md b/auth/README.md
index 74a79f0..f175e0c 100644
--- a/auth/README.md
+++ b/auth/README.md
@@ -40,18 +40,18 @@ This folder implements S3-compatible request authentication using AWS Signature
 ## Config Model
 Auth is configured through env (read in `utils/config.go`, converted in `auth/config.go`):
-- `AUTH_ENABLED`
-- `AUTH_REGION`
-- `AUTH_SKEW_SECONDS`
-- `AUTH_MAX_PRESIGN_SECONDS`
-- `AUTH_MASTER_KEY`
-- `AUTH_BOOTSTRAP_ACCESS_KEY`
-- `AUTH_BOOTSTRAP_SECRET_KEY`
-- `AUTH_BOOTSTRAP_POLICY` (optional JSON)
+- `FS_AUTH_ENABLED`
+- `FS_AUTH_REGION`
+- `FS_AUTH_CLOCK_SKEW_SECONDS`
+- `FS_AUTH_MAX_PRESIGN_SECONDS`
+- `FS_MASTER_KEY`
+- `FS_ROOT_USER`
+- `FS_ROOT_PASSWORD`
+- `FS_ROOT_POLICY_JSON` (optional JSON)
 Important:
-- If `AUTH_ENABLED=true`, `AUTH_MASTER_KEY` is required.
-- `AUTH_MASTER_KEY` must be base64 that decodes to exactly 32 bytes (AES-256 key).
+- If `FS_AUTH_ENABLED=true`, `FS_MASTER_KEY` is required.
+- `FS_MASTER_KEY` must be base64 that decodes to exactly 32 bytes (AES-256 key).
 ## Persistence Model (bbolt)
 Implemented in metadata layer:
@@ -75,7 +75,7 @@ If bootstrap env key/secret are set:
 - secret is encrypted with AES-GCM and stored
 - policy is created:
 - default: full access (`s3:*`, `bucket=*`, `prefix=*`)
- - or overridden by `AUTH_BOOTSTRAP_POLICY`
+ - or overridden by `FS_ROOT_POLICY_JSON`
 ## Request Authentication Flow
 For each non-health request:
@@ -87,8 +87,8 @@ For each non-health request:
 - region must match config
 3. Validate time:
 - `x-amz-date` format
- - skew within `AUTH_SKEW_SECONDS`
- - presigned expiry within `AUTH_MAX_PRESIGN_SECONDS`
+ - skew within `FS_AUTH_CLOCK_SKEW_SECONDS`
+ - presigned expiry within `FS_AUTH_MAX_PRESIGN_SECONDS`
 4. Load identity by access key id.
 5. Ensure identity status is active.
 6. Decrypt stored secret using master key.
@@ -133,7 +133,7 @@ Each audit entry includes method, path, remote IP, and request ID (if present).
 - Secret keys are recoverable by server design (required for SigV4 verification).
 - They are encrypted at rest, not hashed.
 - Master key rotation is not implemented yet.
-- Keep `AUTH_MASTER_KEY` protected (secret manager/systemd env file/etc.).
+- Keep `FS_MASTER_KEY` protected (secret manager/systemd env file/etc.).
 ## Current Scope / Limitations
 - No STS/session-token auth yet.
diff --git a/utils/config.go b/utils/config.go
index 88c38ee..1886bbd 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -48,14 +48,14 @@ func NewConfig() *Config {
 MultipartCleanupRetention: time.Duration(
 envIntRange("MULTIPART_RETENTION_HOURS", 24, 1, 24*30),
 ) * time.Hour,
-AuthEnabled: envBool("AUTH_ENABLED", false),
-AuthRegion: firstNonEmpty(strings.TrimSpace(os.Getenv("AUTH_REGION")), "us-east-1"),
-AuthSkew: time.Duration(envIntRange("AUTH_SKEW_SECONDS", 300, 30, 3600)) * time.Second,
-AuthMaxPresign: time.Duration(envIntRange("AUTH_MAX_PRESIGN_SECONDS", 86400, 60, 86400)) * time.Second,
-AuthMasterKey: strings.TrimSpace(os.Getenv("AUTH_MASTER_KEY")),
-AuthBootstrapAccessKey: strings.TrimSpace(os.Getenv("AUTH_BOOTSTRAP_ACCESS_KEY")),
-AuthBootstrapSecretKey: strings.TrimSpace(os.Getenv("AUTH_BOOTSTRAP_SECRET_KEY")),
-AuthBootstrapPolicy: strings.TrimSpace(os.Getenv("AUTH_BOOTSTRAP_POLICY")),
+AuthEnabled: envBool("FS_AUTH_ENABLED", false),
+AuthRegion: firstNonEmpty(strings.TrimSpace(os.Getenv("FS_AUTH_REGION")), "us-east-1"),
+AuthSkew: time.Duration(envIntRange("FS_AUTH_CLOCK_SKEW_SECONDS", 300, 30, 3600)) * time.Second,
+AuthMaxPresign: time.Duration(envIntRange("FS_AUTH_MAX_PRESIGN_SECONDS", 86400, 60, 86400)) * time.Second,
+AuthMasterKey: strings.TrimSpace(os.Getenv("FS_MASTER_KEY")),
+AuthBootstrapAccessKey: strings.TrimSpace(os.Getenv("FS_ROOT_USER")),
+AuthBootstrapSecretKey: strings.TrimSpace(os.Getenv("FS_ROOT_PASSWORD")),
+AuthBootstrapPolicy: strings.TrimSpace(os.Getenv("FS_ROOT_POLICY_JSON")),
 AdminAPIEnabled: envBool("ADMIN_API_ENABLED", true),
 }
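Review bot: `envBool("FS_AUTH_ENABLED", false)` defaults to off and the old `AUTH_ENABLED` name is no longer read, so a deployment that still exports `AUTH_ENABLED=true` would come up after this upgrade with `AuthEnabled` false and no error. The same silent drop applies to `FS_MASTER_KEY` and the `FS_ROOT_*` values. Either fall back to the legacy name, e.g. `AuthEnabled: envBool("FS_AUTH_ENABLED", envBool("AUTH_ENABLED", false)),`, or refuse to start when a legacy `AUTH_*` variable is set while its `FS_*` replacement is not. `AdminAPIEnabled` still defaults to true in the context line below, so it is worth confirming how the admin routes behave when auth ends up disabled this way. `NewConfig` starts and ends outside this hunk, so any validation that already exists there is not visible here.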