feat: add comprehensive credential management system for S3 Gateway#248

Merged
szbr9486 merged 1 commit into CurvineIO:main from jlon:ak_store
Sep 11, 2025

Conversation

@jlon
Contributor

@jlon jlon commented Sep 8, 2025

Overview

This PR introduces a complete credential management system for the Curvine S3 Gateway, enabling secure storage and management of AWS Access Key/Secret Key pairs. The system supports both single-instance and multi-instance deployments with automatic synchronization capabilities.

Key Features

Dual Storage Modes

  • Local Storage: File-based storage for single-instance deployments (default: ~/.curvine/credentials.jsonl)
  • Distributed Storage: Curvine-based storage for multi-instance deployments with automatic synchronization (default: /system/auth/credentials.jsonl)

Security & Performance

  • Memory-protected SecretKey type with automatic zeroization
  • Background cache refresh for distributed mode
  • JSONL format for human-readable and append-friendly storage

Management Operations

  • Add credentials: Manual or auto-generated Access Key/Secret Key pairs
  • List credentials: View all stored credentials with optional secret display
  • Cache statistics: Monitor cache performance and storage status
  • Hot reload: Automatic detection of credential changes in distributed mode

Technical Implementation

Architecture

  • Static Dispatch: AccessKeyStoreEnum provides zero-cost abstraction over storage implementations
  • Unified Cache: CacheState structure shared between local and distributed stores
  • Async Traits: AccesskeyStore and CredentialStore traits for consistent API
  • Background Tasks: CacheRefreshTask for automatic credential synchronization

Key Components

  • LocalAccessKeyStore: Single-instance local file system storage
  • CurvineAccessKeyStore: Multi-instance distributed storage with background refresh
  • AccessKeyStoreEnum: Static dispatch wrapper for unified API
  • CredentialEntry: Secure credential data structure with validation

Usage

CLI Integration

The credential management is fully integrated into the gateway shell script:

# Generate new credentials
./curvine-s3-gateway.sh credential generate --description "Production API"

# Add existing credentials
./curvine-s3-gateway.sh credential add --access-key AKIAEXAMPLE --secret-key secretkey123 --description "Dev Environment"

# List all credentials
./curvine-s3-gateway.sh credential list

# Show cache statistics
./curvine-s3-gateway.sh credential stats

Configuration

Enable distributed authentication in cluster configuration:

[s3_gateway]
enable_distributed_auth = true
credentials_path = "/system/auth/credentials.jsonl"  # optional
cache_refresh_interval_secs = 300  # optional

For local mode, simply set enable_distributed_auth = false or omit the section.
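As an added illustration of the storage model the PR describes (a JSONL credentials file, a zeroizing secret-key type, and lookup by access key), here is a small std-only Rust sketch. It is not code from the Curvine PR: the type names (`SecretKey`, `CredentialEntry`, `CredentialStore`), the hand-written `json_str_field` extractor, the validation policy, and the sample JSONL lines are all assumptions made for this example, and a real implementation would use serde for parsing and the `zeroize` crate rather than the manual volatile wipe shown here.

```rust
use std::collections::HashMap;
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Secret-key bytes that are wiped on drop and never shown by Debug (hypothetical type).
pub struct SecretKey(Vec<u8>);

impl SecretKey {
    /// Takes ownership of the String's buffer so no second copy of the secret is left behind.
    pub fn from_string(s: String) -> Self { SecretKey(s.into_bytes()) }

    /// Constant-time comparison so a wrong guess does not leak how long the matching prefix was.
    pub fn verify(&self, candidate: &[u8]) -> bool {
        if self.0.len() != candidate.len() { return false; }
        let mut diff = 0u8;
        for (a, b) in self.0.iter().zip(candidate) { diff |= a ^ b; }
        diff == 0
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        // Volatile writes plus a compiler fence stop the optimizer from eliding the wipe.
        for b in self.0.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) }; }
        compiler_fence(Ordering::SeqCst);
    }
}

impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("SecretKey([REDACTED])") }
}

#[derive(Debug)]
pub struct CredentialEntry {
    pub access_key: String,
    pub secret: SecretKey,
    pub description: String,
}

/// Minimal extractor for one string field of a flat JSON object (assumed, simplified:
/// only the \" \\ and \n escapes are handled, which is enough for a credentials line).
fn json_str_field(line: &str, key: &str) -> Option<String> {
    let pat = format!("\"{}\":", key);
    let start = line.find(&pat)? + pat.len();
    let mut chars = line[start..].trim_start().strip_prefix('"')?.chars();
    let mut out = String::new();
    loop {
        match chars.next()? {
            '"' => return Some(out),
            '\\' => match chars.next()? {
                '"' => out.push('"'),
                '\\' => out.push('\\'),
                'n' => out.push('\n'),
                _ => return None,
            },
            c => out.push(c),
        }
    }
}

/// Assumed policy: access key is non-empty ASCII alphanumeric, secret is at least 8 bytes.
fn validate(access_key: &str, secret: &str) -> Result<(), String> {
    if access_key.is_empty() || !access_key.bytes().all(|b| b.is_ascii_alphanumeric()) {
        return Err(format!("invalid access key {:?}", access_key));
    }
    if secret.len() < 8 { return Err("secret key shorter than 8 bytes".into()); }
    Ok(())
}

pub struct CredentialStore { by_access_key: HashMap<String, CredentialEntry> }

impl CredentialStore {
    /// Parses one JSON object per line; blank lines are tolerated so appends stay cheap,
    /// malformed lines and duplicate access keys reject the whole file.
    pub fn load_jsonl(text: &str) -> Result<Self, String> {
        let mut by_access_key = HashMap::new();
        for (n, raw) in text.lines().enumerate() {
            let line = raw.trim();
            if line.is_empty() { continue; }
            let ak = json_str_field(line, "access_key").ok_or(format!("line {}: missing access_key", n + 1))?;
            let sk = json_str_field(line, "secret_key").ok_or(format!("line {}: missing secret_key", n + 1))?;
            let description = json_str_field(line, "description").unwrap_or_default();
            validate(&ak, &sk).map_err(|e| format!("line {}: {}", n + 1, e))?;
            if by_access_key.contains_key(&ak) {
                return Err(format!("line {}: duplicate access key {}", n + 1, ak));
            }
            let entry = CredentialEntry { access_key: ak.clone(), secret: SecretKey::from_string(sk), description };
            by_access_key.insert(ak, entry);
        }
        Ok(CredentialStore { by_access_key })
    }
    pub fn len(&self) -> usize { self.by_access_key.len() }
    pub fn lookup(&self, access_key: &str) -> Option<&CredentialEntry> { self.by_access_key.get(access_key) }
}

/// Constructed sample in the PR's JSONL layout; not a real credentials file.
pub const SAMPLE_JSONL: &str = r#"{"access_key":"AKIAEXAMPLE","secret_key":"secretkey123","description":"Dev Environment"}

{"access_key":"AKIAPROD01","secret_key":"s3cr3t\"quoted","description":"Production API"}
"#;

fn main() {
    let store = CredentialStore::load_jsonl(SAMPLE_JSONL).expect("valid credentials file");
    let entry = store.lookup("AKIAEXAMPLE").expect("known access key");
    println!("{} entries loaded; {:?}", store.len(), entry);
    println!("verify ok: {}", entry.secret.verify(b"secretkey123"));
}
```

The two points worth carrying into a real store are that the secret never exists as a plain `String` after parsing (the buffer is moved into the wiping type, not copied), and that a request is authenticated with a constant-time compare against the looked-up entry rather than by comparing strings with `==`.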

Contributor

Streamlined annotations

@szbr9486 szbr9486 merged commit 0264492 into CurvineIO:main Sep 11, 2025
3 checks passed
@jlon jlon deleted the ak_store branch September 17, 2025 09:00
@lzjqsdd lzjqsdd added the enhancement New feature or request label Sep 22, 2025
Coderlxl pushed a commit to Coderlxl/curvine that referenced this pull request Dec 25, 2025