Bug #28156

Escape quotes for S3 secret key

Added by Adam Straub about 1 year ago. Updated 10 months ago.

Status: Done
Priority: Important
Assignee: Vladimir Vinogradenko
Category: OS
Target version:
Seen in:
Severity: Medium
Reason for Closing:
Reason for Blocked: Need verification
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Related projects 1 project

Description

Issue: Creating an S3 (minio) secret key via the GUI that contains a double quote character bugs the S3 service and will cause the machine to hang on next boot.

Steps to recreate:
Set up the minio service to have a secret key containing a single double quote (") character, click save.

Expected behavior: Minio still works, and you can stop and start the service as normal. Rebooting machine allows a successful reboot.

Actual behavior: The S3 service is stuck "on" and refuses to restart or stop. Upon rebooting the machine, TrueNAS hangs during boot due to /var/tmp/rc.conf.freenas being malformed.

When the /var/tmp/rc.conf.freenas file is created on boot it wraps the minio configuration items in quotes without escaping them. This causes the rc.conf file to fail if there is a double quote in the secret key since it is terminating the string early.

Associated revisions

Revision 13dd8c12 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(rc.conf): Escape quotes in minio_env in rc.conf.local

Ticket: #28156

Revision a2bd2d96 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(rc.conf): Escape quotes in minio_env in rc.conf.local

Ticket: #28156

Revision 784066a8 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(rc.conf): Escape quotes in minio_env in rc.conf.local

Ticket: #28156

Revision 34504d5f (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(rc.conf): Escape quotes in minio_env in rc.conf.local

Ticket: #28156

Revision 4e765da7 (diff)
Added by Vladimir Vinogradenko 10 months ago

fix(s3): Restrict characters that can be used as access_key or secret_key

Ticket: #28156

Revision bb9ea0df (diff)
Added by Vladimir Vinogradenko 10 months ago

fix(s3): Restrict characters that can be used as access_key or secret_key

Ticket: #28156

History

#1 Updated by Dru Lavigne about 1 year ago

  • Category changed from GUI (new) to OS
  • Assignee changed from Release Council to Vladimir Vinogradenko
  • Target version set to 11.2-RC2
  • Seen in changed from TrueNAS-11.1-RC2 to Unspecified
  • Reason for Blocked set to Need verification

Adam: please verify your build version (System -> Information).

#2 Updated by Adam Straub about 1 year ago

I don't see the build version in the options, but it is TrueNAS-11.0-U6 (d67d0452b)

#3 Updated by Dru Lavigne about 1 year ago

  • Seen in changed from Unspecified to 11.0-U5

#4 Updated by Dru Lavigne about 1 year ago

  • 1 added project (TrueNAS)

#5 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Not Started to In Progress

#6 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from In Progress to Done

#7 Updated by Dru Lavigne about 1 year ago

  • Subject changed from S3 Secret Key Escaping/warnings to Escape quotes for S3 secret key
  • Target version changed from 11.2-RC2 to 11.2-BETA1
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#8 Updated by Dru Lavigne 12 months ago

  • Status changed from Done to Ready for Testing

#9 Updated by Nick Wolff 10 months ago

  • Status changed from Ready for Testing to Failed Testing

abcd1234 works but "abcd1234 doesn't work as a secret key for minio/s3

Service doesn't start when "abcd1234 is set

From /tmp/rc.conf.freenas:

```
minio_env="\
MINIO_ACCESS_KEY=12345 \
MINIO_SECRET_KEY="'"'"abcd1234 \
"
```

You should be able to look at this on fn02.

#10 Updated by Vladimir Vinogradenko 10 months ago

  • Status changed from Failed Testing to In Progress

Problem is minio_env is passed to minio as

```
command_args="-c -p ${pidfile} /usr/bin/env ${minio_env} ${procname} -C \"${minio_config}\" server --address=\"${minio_address}\" --quiet ${minio_disks} < /dev/null > ${minio_logfile} 2>&1"
```

I have no idea how to do proper escaping in this case and I doubt this is necessary because AWS keys are alphanumeric, so I've restricted our keys to be alphanumeric too.

#11 Updated by Dru Lavigne 10 months ago

#12 Updated by Vladimir Vinogradenko 10 months ago

  • Status changed from In Progress to Ready for Testing

#13 Updated by Nick Wolff 10 months ago

  • Status changed from Ready for Testing to Failed Testing

The regex is actually \w which includes underscores. So if we add underscores we should be good.

https://docs.aws.amazon.com/IAM/latest/APIReference/API_AccessKey.html

AccessKeyId
The ID for this access key.

Type: String

Length Constraints: Minimum length of 16. Maximum length of 128.

Pattern: [\w]+

Required: Yes

#14 Updated by William Grzybowski 10 months ago

  • Status changed from Failed Testing to Ready for Testing

#15 Updated by Timothy Moore II 10 months ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

Testing (INTERNAL12)

Edited S3 service: could not save changes when either Access Key or Secret Key contained a double quote ("). These errors display:
```
[EINVAL] s3_update.access_key: Should be ^\w+$

[EINVAL] s3_update.secret_key: Should be ^\w+$
```

#16 Updated by Dru Lavigne 10 months ago

  • Status changed from Passed Testing to Done
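
The double-parse problem from comments #9 and #10 and the allowlist that closed the ticket, as an added example that is not TrueNAS code. It assumes `minio_env` is parsed twice (once when rc.conf is sourced, once when a command line embedding `${minio_env}` is eval'd); `one_pass`, `sq`, `dq`, `launch` and `valid_key` are hypothetical helpers, the keys are constructed, and `valid_key` reads `\w` as ASCII-only.

```shell
#!/bin/sh
# Added example with constructed keys; a simplified stand-in for the
# rc.conf + rc.d flow, not TrueNAS code.
LC_ALL=C

# Escaping seen in comment #9: each " becomes "'"'" (survives one parse).
one_pass() { printf '%s' "$1" | sed "s/\"/\"'\"'\"/g"; }

# Quote for the later eval pass: wrap in '...' and turn each ' into '\''.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Escape for the "..." context of the rc.conf pass: protect \ " $ and `.
dq() { printf '%s' "$1" | sed 's/[\\"$`]/\\&/g'; }

# Two parses, as assumed here: rc.conf is sourced, then a command line
# embedding ${minio_env} is eval'd. Prints the secret the child receives;
# returns non-zero when either parse fails.
launch() {  # $1 = text written after MINIO_SECRET_KEY= in rc.conf
    ( eval "minio_env=\"MINIO_SECRET_KEY=$1\"" || exit 1
      eval "env ${minio_env} printenv MINIO_SECRET_KEY" ) 2>/dev/null
}

# The restriction that closed the ticket, read as ASCII-only ^\w+$.
valid_key() { case $1 in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }

for k in 'abcd1234' '"abcd1234' 'a"b"c'; do
    one=$(launch "$(one_pass "$k")") || one='<parse error>'
    two=$(launch "$(dq "$(sq "$k")")") || two='<parse error>'
    valid_key "$k" && ok=accepted || ok=rejected
    printf '%-10s one-pass: %-14s two-pass: %-10s allowlist: %s\n' \
        "$k" "$one" "$two" "$ok"
done
```

With one-pass escaping, a key with a single quote fails at the second parse, and a key with a balanced pair such as `a"b"c` parses but reaches the process with its quotes stripped.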
