Setting up a SeaweedFS file service on Linux and configuring access control

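1. Check and install the Go environment

1.1 Check whether the host already has Go

go version

1.2 If not, install Go with yum

yum install golang -y

1.3 Verify the installation

go version

# Output similar to the following means the installation is complete
# -> go version go1.15.5 linux/amd64

1.4 Configure environment variables

# Edit the environment variables
vi /etc/profile

# GOROOT: Go installation directory
export GOROOT=/usr/lib/golang

# GOPATH: Go workspace directory, can be customized
export GOPATH=/home/go/path/

# Add the GOROOT and GOPATH bin directories to PATH
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

# Reload the profile so the environment takes effect
source /etc/profile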

2. Download and install SeaweedFS

2.1 Enter the installation directory, creating it first if it does not exist (all operations below are performed under /usr/local/seaweedfs)

cd /usr/local/seaweedfs

2.2 Download the linux_amd64.tar.gz archive from GitHub and extract it (https://github.com/chrislusf/seaweedfs/releases)

tar -zxf linux_amd64.tar.gz
# Extracting the archive yields the weed executable

2.3 Run ./weed -h to view the help

./weed -h

2.4 Create the directories needed at runtime

mkdir master logs vol1 vol2 vol3

2.5 Start the master service (set the ip to match your own environment)

nohup /usr/local/seaweedfs/weed master -mdir=/usr/local/seaweedfs/master -port=9333 -defaultReplication="001" -ip="1xx.xx.0.1" &>>/usr/local/seaweedfs/logs/master.log &

# View the other master startup options
./weed master -h

2.6 Start the volume services (set the ip to match your own environment)

nohup /usr/local/seaweedfs/weed volume -dir=/usr/local/seaweedfs/vol1 -mserver="1xx.xx.0.1:9333" -port=9334 -ip="1xx.xx.0.1" &>> /usr/local/seaweedfs/logs/vol1.log &
nohup /usr/local/seaweedfs/weed volume -dir=/usr/local/seaweedfs/vol2 -mserver="1xx.xx.0.1:9333" -port=9335 -ip="1xx.xx.0.1" &>> /usr/local/seaweedfs/logs/vol2.log &
nohup /usr/local/seaweedfs/weed volume -dir=/usr/local/seaweedfs/vol3 -mserver="1xx.xx.0.1:9333" -port=9336 -ip="1xx.xx.0.1" &>> /usr/local/seaweedfs/logs/vol3.log &

# View the other volume startup options
./weed volume -h

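3. If file access control is required, configure the Security module

3.1 Create the security.toml file with ./weed scaffold -config=security

# Create security.toml
touch security.toml

# Generate the configuration, then edit security.toml and paste in and save the generated configuration
./weed scaffold -config=security

3.2 Generate the keys and certificates that security.toml needs with the certstrap tool

# Download certstrap
git clone https://github.com/square/certstrap
# Enter the directory
cd certstrap/
# Build
go build

# Generate the keys and certificates (the freshly built binary is in the current directory; output goes to ./out)
./certstrap init --common-name "SeaweedFS CA"
./certstrap request-cert --common-name volume01
./certstrap request-cert --common-name master01
./certstrap request-cert --common-name filer01
./certstrap request-cert --common-name client01
./certstrap sign --CA "SeaweedFS CA" volume01
./certstrap sign --CA "SeaweedFS CA" master01
./certstrap sign --CA "SeaweedFS CA" filer01
./certstrap sign --CA "SeaweedFS CA" client01

3.3 Put the paths of the generated key and certificate files into security.toml
Reference: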

[jwt.signing]
key = "111"
expires_after_seconds = 300           # seconds

# jwt for read is only supported with master+volume setup. Filer does not support this mode.
[jwt.signing.read]
key = "222"
expires_after_seconds = 360           # seconds

# all grpc tls authentications are mutual
# the values for the following ca, cert, and key are paths to the PERM files.
# the host name is not checked, so the PERM files can be shared.
[grpc]
ca = "/usr/local/seaweedfs/certstrap/out/SeaweedFS_CA.crt"
# Set wildcard domain for enable TLS authentication by common names
allowed_wildcard_domain = "" # .mycompany.com

[grpc.volume]
cert ="/usr/local/seaweedfs/certstrap/out/volume01.crt"
key  ="/usr/local/seaweedfs/certstrap/out/volume01.key"
allowed_commonNames = ""        # comma-separated SSL certificate common names

[grpc.master]
cert ="/usr/local/seaweedfs/certstrap/out/master01.crt"
key  ="/usr/local/seaweedfs/certstrap/out/master01.key"
allowed_commonNames = ""        # comma-separated SSL certificate common names

[grpc.filer]
cert ="/usr/local/seaweedfs/certstrap/out/filer01.crt"
key  ="/usr/local/seaweedfs/certstrap/out/filer01.key"
allowed_commonNames = ""        # comma-separated SSL certificate common names

[grpc.msg_broker]
cert = ""
key  = ""
allowed_commonNames = ""        # comma-separated SSL certificate common names

# use this for any place needs a grpc client
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
[grpc.client]
cert ="/usr/local/seaweedfs/certstrap/out/client01.crt"
key  ="/usr/local/seaweedfs/certstrap/out/client01.key"

# volume server https options
# Note: work in progress!
#     this does not work with other clients, e.g., "weed filer|mount" etc, yet.
[https.client]
enabled = true
[https.volume]
cert = ""
key  = ""
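
The reference configuration above uses short placeholder strings ("111", "222") as the JWT signing keys. One way to swap them for random secrets and restrict file permissions before restarting, as an added example that is not part of the original article (the function names gen_secret, harden_security_toml and demo are hypothetical, and the demo file is constructed):

```bash
#!/usr/bin/env bash
# Added example, not from the original article.

# Print a random 32-byte secret, base64-encoded, without padding or newlines.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '=\n'
}

# harden_security_toml FILE KEYDIR
# Rewrites only the key under [jwt.signing] and [jwt.signing.read];
# the key = "<path>" lines under [grpc.*] and [https.*] are left untouched.
harden_security_toml() {
    local file=$1 keydir=$2 write_key read_key tmp
    write_key=$(gen_secret)
    read_key=$(gen_secret)
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v w="$write_key" -v r="$read_key" '
        # Track the current table header, ignoring trailing blanks and comments.
        /^\[/ { section = $0; sub(/[ \t]*(#.*)?$/, "", section) }
        /^key[ \t]*=/ && section == "[jwt.signing]"      { print "key = \"" w "\""; next }
        /^key[ \t]*=/ && section == "[jwt.signing.read]" { print "key = \"" r "\""; next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # The file now holds signing secrets: owner read/write only.
    chmod 600 "$tmp" && mv "$tmp" "$file" || return 1
    # Private keys produced by certstrap should not be group/world readable.
    find "$keydir" -maxdepth 1 -type f -name '*.key' -exec chmod 600 {} +
}

# Demo on a constructed file that mirrors the reference values above.
demo() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' '[jwt.signing]' 'key = "111"' '' \
        '[jwt.signing.read]' 'key = "222"' '' '[grpc.volume]' \
        'key  ="/usr/local/seaweedfs/certstrap/out/volume01.key"' > "$d/security.toml"
    harden_security_toml "$d/security.toml" "$d" && echo "$d/security.toml"
}
```

The master signs tokens and the volume servers verify them, so every master and volume process has to load the same two jwt keys.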

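3.4 Restart the SeaweedFS services

# Kill the processes one by one
ps -ef | grep weed
kill -9 <PID>

# Restart by running "2.5 Start the master service" and "2.6 Start the volume services" again
File access control is now configured and in effect. From here on, HTTP requests sent to the file server carry Authorization in the request header.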

4. Usage examples with access control enabled

4.1 Get a location where the image can be uploaded


Authorization in the response


4.2 Upload the image


Without Authorization, the upload is not permitted


4.3 Query an uploaded image

Get permission to query the image


Query the image


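5. The usage examples above are based on the HTTP protocol. To use SeaweedFS in a project, download an officially recommended SDK and integrate it into the project

SeaweedFS official repository
https://github.com/chrislusf/seaweedfs

SDK downloads for each language
https://github.com/chrislusf/seaweedfs/wiki/Client-Libraries

SeaweedFS API documentation
https://github.com/chrislusf/seaweedfs/wiki/Master-Server-API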
