MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/cmd/object-handlers.go

3464 lines
114 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Update minioapi documentation
2015-02-23 19:46:48 -05:00
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
2016-08-18 19:23:42 -04:00
package cmd
Implement bucket policy handler and with galore of cleanup
2015-02-15 20:03:27 -05:00
import (
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-05 18:04:40 -04:00
"context"
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
"encoding/hex"
s3: Force a prefix removal using a special header (#12504) An S3 client can send `x-minio-force-delete: true` to remove a prefix.
2021-06-15 21:43:14 -04:00
"errors"
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
"fmt"
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
"io"
Implement bucket policy handler and with galore of cleanup
2015-02-15 20:03:27 -05:00
"net/http"
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
"net/http/httptest"
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 06:37:54 -05:00
"net/url"
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
"os"
Change CreateObject() to take size argument from content-length
2015-05-04 02:16:10 -04:00
"strconv"
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
"strings"
fix: limit HTTP transport tuables to affordable values (#9383) Close connections pro-actively in transient calls
2020-04-17 14:20:56 -04:00
"sync"
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-05 23:58:09 -05:00
"time"
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
"github.com/google/uuid"
use package name correctly (#5827)
2018-04-21 22:23:54 -04:00
"github.com/gorilla/mux"
Add GetObject gzip option (#14226) Enabled with `mc admin config set alias/ api gzip_objects=on` Standard filtering applies (1K response minimum, not compressed content type, not range request, gzip accepted by client).
2022-02-14 12:19:01 -05:00
"github.com/klauspost/compress/gzhttp"
Move dependency from minio-go v6 to v7 (#10042)
2020-07-14 12:38:05 -04:00
miniogo "github.com/minio/minio-go/v7"
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
"github.com/minio/minio-go/v7/pkg/credentials"
Move dependency from minio-go v6 to v7 (#10042)
2020-07-14 12:38:05 -04:00
"github.com/minio/minio-go/v7/pkg/encrypt"
"github.com/minio/minio-go/v7/pkg/tags"
allow S3 gateway to support object locked buckets (#13257) - Supports object locked buckets that require PutObject() to set content-md5 always. - Use SSE-S3 when S3 gateway is being used instead of SSE-KMS for auto-encryption.
2021-09-21 12:02:15 -04:00
sse "github.com/minio/minio/internal/bucket/encryption"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/bucket/lifecycle"
objectlock "github.com/minio/minio/internal/bucket/object/lock"
"github.com/minio/minio/internal/bucket/replication"
"github.com/minio/minio/internal/config/dns"
"github.com/minio/minio/internal/config/storageclass"
"github.com/minio/minio/internal/crypto"
"github.com/minio/minio/internal/etag"
"github.com/minio/minio/internal/event"
"github.com/minio/minio/internal/fips"
"github.com/minio/minio/internal/handlers"
"github.com/minio/minio/internal/hash"
xhttp "github.com/minio/minio/internal/http"
re-use io.Copy buffers with 32k pools (#13553) Borrowed idea from Go's usage of this optimization for ReadFrom() on client side, we should re-use the 32k buffers io.Copy() allocates for generic copy from a reader to writer. the performance increase for reads for really tiny objects is at this range after this change. > * Fastest: +7.89% (+1.3 MiB/s) throughput, +7.89% (+1308.1) obj/s
2021-11-02 11:11:50 -04:00
xioutil "github.com/minio/minio/internal/ioutil"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/kms"
"github.com/minio/minio/internal/logger"
"github.com/minio/minio/internal/s3select"
move to iam, bucket policy from minio/pkg (#12400)
2021-05-30 00:16:42 -04:00
"github.com/minio/pkg/bucket/policy"
iampolicy "github.com/minio/pkg/iam/policy"
move internal/net to pkg/net package (#12505)
2021-06-14 17:54:37 -04:00
xnet "github.com/minio/pkg/net"
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
"github.com/minio/sio"
Handle partNumberMarker with listObjectParts now and other fixes
2015-05-09 22:39:00 -04:00
)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 14:04:04 -04:00
// supportedHeadGetReqParams - supported request parameters for GET and HEAD presigned request.
var supportedHeadGetReqParams = map[string]string{
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
"response-expires": xhttp.Expires,
"response-content-type": xhttp.ContentType,
"response-cache-control": xhttp.CacheControl,
"response-content-encoding": xhttp.ContentEncoding,
"response-content-language": xhttp.ContentLanguage,
"response-content-disposition": xhttp.ContentDisposition,
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 06:37:54 -05:00
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
const (
compressionAlgorithmV1 = "golang/snappy/LZ77"
Switch to Snappy -> S2 compression (#8189)
2019-09-26 02:08:24 -04:00
compressionAlgorithmV2 = "klauspost/compress/s2"
Add encryption buffer (#8626) Quite hard to measure difference: ``` λ warp cmp put-before.csv.zst put-after2.csv.zst Operation: PUT Operations: 340 -> 353 * Average: +4.11% (+22.7 MB/s) throughput, +4.11% (+0.2) obj/s * 50% Median: +1.58% (+7.3 MB/s) throughput, +1.58% (+0.1) obj/s ``` Difference is likely bigger on Intel platforms due to higher syscall costs.
2019-12-12 13:01:15 -05:00
// When an upload exceeds encryptBufferThreshold ...
encryptBufferThreshold = 1 << 20
// add an input buffer of this size.
encryptBufferSize = 1 << 20
Add 4K minimum compressed size (#15273) There is no point in compressing very small files. Typically the effective size on disk will be the same due to disk blocks. So don't waste resources on extremely small files. We don't check on multipart. 1) because we don't know and 2) this is very likely a big object anyway.
2022-07-12 10:42:04 -04:00
// minCompressibleSize is the minimum size at which we enable compression.
minCompressibleSize = 4096
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 14:04:04 -04:00
// setHeadGetRespHeaders - set any requested parameters as response headers.
func setHeadGetRespHeaders(w http.ResponseWriter, reqParams url.Values) {
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 06:37:54 -05:00
for k, v := range reqParams {
fix: validate partNumber in queryParam as part of preConditions (#9386)
2020-04-21 01:01:59 -04:00
if header, ok := supportedHeadGetReqParams[strings.ToLower(k)]; ok {
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 06:37:54 -05:00
w.Header()[header] = v
}
}
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
// SelectObjectContentHandler - GET Object?select
// ----------
// This implementation of the GET operation retrieves object content based
// on an SQL expression. In the request, along with the sql expression, you must
// also specify a data serialization format (JSON, CSV) of the object.
func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "SelectObject")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 15:25:59 -04:00
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
// Fetch object stat info.
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
return
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-09 18:04:53 -04:00
return
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) && !objectAPI.IsEncryptionSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 00:39:59 -05:00
return
}
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
// get gateway encryption options
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
opts, err := getOpts(ctx, r, bucket, object)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-08 19:53:04 -05:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// Check for auth type to return S3 compatible error.
// type to return the correct error (NoSuchKey vs AccessDenied)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
// As per "Permission" section in
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
if globalPolicySys.IsAllowed(policy.Args{
Action: policy.ListBucketAction,
BucketName: bucket,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 11:59:59 -04:00
ConditionValues: getConditionValues(r, "", "", nil),
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
IsOwner: false,
}) {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
if toAPIError(ctx, err).Code == "NoSuchKey" {
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
s3Error = ErrNoSuchKey
}
}
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// Get request range.
fix: Add support for preserving mtime for replication (#9995) This PR is needed for bucket replication support
2020-07-08 20:36:56 -04:00
rangeHeader := r.Header.Get(xhttp.Range)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
if rangeHeader != "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrUnsupportedRangeHeader), r.URL)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
return
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
if r.ContentLength <= 0 {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEmptyRequestBody), r.URL)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
return
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
} else {
// Take read lock on object, here so subsequent lower-level
// calls do not need to.
lock := objectAPI.NewNSLock(bucket, object)
lkctx, err := lock.GetRLock(ctx, globalOperationTimeout)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return
select: Add ScanRange to CSV&JSON (#14546) Implements https://docs.aws.amazon.com/AmazonS3/latest/API/API_SelectObjectContent.html#AmazonS3-SelectObjectContent-request-ScanRange Fixes #14539
2022-03-14 12:48:36 -04:00
}
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
ctx = lkctx.Context()
defer lock.RUnlock(lkctx.Cancel)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
}
Add new SQL parser to support S3 Select syntax (#7102) - New parser written from scratch, allows easier and complete parsing of the full S3 Select SQL syntax. Parser definition is directly provided by the AST defined for the SQL grammar. - Bring support to parse and interpret SQL involving JSON path expressions; evaluation of JSON path expressions will be subsequently added. - Bring automatic type inference and conversion for untyped values (e.g. CSV data).
2019-01-28 20:59:48 -05:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
feat: implement prefix-level versioning exclusion (#14828) Spark/Hadoop workloads which use Hadoop MR Committer v1/v2 algorithm upload objects to a temporary prefix in a bucket. These objects are 'renamed' to a different prefix on Job commit. Object storage admins are forced to configure separate ILM policies to expire these objects and their versions to reclaim space. Our solution: This can be avoided by simply marking objects under these prefixes to be excluded from versioning, as shown below. Consequently, these objects are excluded from replication, and don't require ILM policies to prune unnecessary versions. - MinIO Extension to Bucket Version Configuration ```xml <VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Status>Enabled</Status> <ExcludeFolders>true</ExcludeFolders> <ExcludedPrefixes> <Prefix>app1-jobs/*/_temporary/</Prefix> </ExcludedPrefixes> <ExcludedPrefixes> <Prefix>app2-jobs/*/__magic/</Prefix> </ExcludedPrefixes> <!-- .. up to 10 prefixes in all --> </VersioningConfiguration> ``` Note: `ExcludeFolders` excludes all folders in a bucket from versioning. This is required to prevent the parent folders from accumulating delete markers, especially those which are shared across spark workloads spanning projects/teams. - To enable version exclusion on a list of prefixes ``` mc version enable --excluded-prefixes "app1-jobs/*/_temporary/,app2-jobs/*/_magic," --exclude-prefix-marker myminio/test ```
2022-05-06 22:05:28 -04:00
if globalBucketVersioningSys.PrefixEnabled(bucket, object) {
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
// Versioning enabled quite possibly object is deleted might be delete-marker
// if present set the headers, no idea why AWS S3 sets these headers.
if objInfo.VersionID != "" && objInfo.DeleteMarker {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
w.Header()[xhttp.AmzDeleteMarker] = []string{strconv.FormatBool(objInfo.DeleteMarker)}
}
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add new SQL parser to support S3 Select syntax (#7102) - New parser written from scratch, allows easier and complete parsing of the full S3 Select SQL syntax. Parser definition is directly provided by the AST defined for the SQL grammar. - Bring support to parse and interpret SQL involving JSON path expressions; evaluation of JSON path expressions will be subsequently added. - Bring automatic type inference and conversion for untyped values (e.g. CSV data).
2019-01-28 20:59:48 -05:00
return
}
fix: selectObject to return error when object does not exist (#9423)
2020-04-24 16:51:48 -04:00
fix: avoid double body reads in SelectObject call (#9638) Bonus fix handle encryption headers in response properly for both notification and response to the client.
2020-05-19 05:01:08 -04:00
// filter object lock metadata if permission does not permit
getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
legalHoldPerms := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object)
// filter object lock metadata if permission does not permit
objInfo.UserDefined = objectlock.FilterObjectLockMetadata(objInfo.UserDefined, getRetPerms != ErrNone, legalHoldPerms != ErrNone)
if objectAPI.IsEncryptionSupported() {
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
if _, err = DecryptObjectInfo(&objInfo, r); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix: avoid double body reads in SelectObject call (#9638) Bonus fix handle encryption headers in response properly for both notification and response to the client.
2020-05-19 05:01:08 -04:00
return
}
}
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
actualSize, err := objInfo.GetActualSize()
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return
}
objectRSC := s3select.NewObjectReadSeekCloser(
func(offset int64) (io.ReadCloser, error) {
rs := &HTTPRangeSpec{
IsSuffixLength: false,
Start: offset,
End: -1,
}
return getObjectNInfo(ctx, bucket, object, rs, r.Header, noLock, opts)
},
actualSize,
)
fix: selectObject to return error when object does not exist (#9423)
2020-04-24 16:51:48 -04:00
s3Select, err := s3select.NewS3Select(r.Body)
if err != nil {
if serr, ok := err.(s3select.SelectError); ok {
encodedErrorResponse := encodeResponse(APIErrorResponse{
Code: serr.ErrorCode(),
Message: serr.ErrorMessage(),
BucketName: bucket,
Key: object,
Resource: r.URL.Path,
RequestID: w.Header().Get(xhttp.AmzRequestID),
HostID: globalDeploymentID,
})
writeResponse(w, serr.HTTPStatusCode(), encodedErrorResponse, mimeXML)
} else {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix: selectObject to return error when object does not exist (#9423)
2020-04-24 16:51:48 -04:00
}
return
}
select: Fix leak on compressed files (#11302) Properly close gzip reader when done reading fixes #11300
2021-01-19 20:51:46 -05:00
defer s3Select.Close()
fix: selectObject to return error when object does not exist (#9423)
2020-04-24 16:51:48 -04:00
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
if err = s3Select.Open(objectRSC); err != nil {
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-08 19:53:04 -05:00
if serr, ok := err.(s3select.SelectError); ok {
Select should return early errors as XML (#7230) Currently, we were sending errors in Select binary format, which is incompatible with AWS S3 behavior, errors in binary are sent after HTTP status code is already 200 OK - i.e it happens during the evaluation of the record reader.
2019-02-13 02:48:11 -05:00
encodedErrorResponse := encodeResponse(APIErrorResponse{
Code: serr.ErrorCode(),
Message: serr.ErrorMessage(),
BucketName: bucket,
Key: object,
Resource: r.URL.Path,
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
RequestID: w.Header().Get(xhttp.AmzRequestID),
Remove DeploymentID from response headers (#7815) Response headers need not contain deployment ID.
2019-07-01 15:22:01 -04:00
HostID: globalDeploymentID,
Select should return early errors as XML (#7230) Currently, we were sending errors in Select binary format, which is incompatible with AWS S3 behavior, errors in binary are sent after HTTP status code is already 200 OK - i.e it happens during the evaluation of the record reader.
2019-02-13 02:48:11 -05:00
})
writeResponse(w, serr.HTTPStatusCode(), encodedErrorResponse, mimeXML)
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-08 19:53:04 -05:00
} else {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Performance improvements to SELECT API on certain query operations (#6752) This improves the performance of certain queries dramatically, such as 'count(*)' etc. Without this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m42.464s user 0m0.071s sys 0m0.010s ``` With this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m17.603s user 0m0.093s sys 0m0.008s ``` Almost a 250% improvement in performance. This PR avoids a lot of type conversions and instead relies on raw sequences of data and interprets them lazily. ``` benchcmp old new benchmark old ns/op new ns/op delta BenchmarkSQLAggregate_100K-4 551213 259782 -52.87% BenchmarkSQLAggregate_1M-4 6981901985 2432413729 -65.16% BenchmarkSQLAggregate_2M-4 13511978488 4536903552 -66.42% BenchmarkSQLAggregate_10M-4 68427084908 23266283336 -66.00% benchmark old allocs new allocs delta BenchmarkSQLAggregate_100K-4 2366 485 -79.50% BenchmarkSQLAggregate_1M-4 47455492 21462860 -54.77% BenchmarkSQLAggregate_2M-4 95163637 43110771 -54.70% BenchmarkSQLAggregate_10M-4 476959550 216906510 -54.52% benchmark old bytes new bytes delta BenchmarkSQLAggregate_100K-4 1233079 1086024 -11.93% BenchmarkSQLAggregate_1M-4 2607984120 557038536 -78.64% BenchmarkSQLAggregate_2M-4 5254103616 1128149168 -78.53% BenchmarkSQLAggregate_10M-4 26443524872 5722715992 -78.36% ```
2018-11-14 18:55:10 -05:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 15:12:22 -04:00
return
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 15:12:22 -04:00
fix: avoid double body reads in SelectObject call (#9638) Bonus fix handle encryption headers in response properly for both notification and response to the client.
2020-05-19 05:01:08 -04:00
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
switch kind, _ := crypto.IsEncrypted(objInfo.UserDefined); kind {
case crypto.S3:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
sse-kms: set KMS key ID response header (#12316) This commit adds the `X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id` response header to the GET, HEAD, PUT and Download API. Based on AWS documentation [1] AWS S3 returns the KMS key ID as part of the response headers. [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-18 17:21:20 -04:00
case crypto.S3KMS:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
fix: kms-id header should have arn:aws:kms: prefix (#13833) arn:aws:kms: is a must for KMS keyID.
2021-12-06 03:39:32 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
sse-kms: set KMS key ID response header (#12316) This commit adds the `X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id` response header to the GET, HEAD, PUT and Download API. Based on AWS documentation [1] AWS S3 returns the KMS key ID as part of the response headers. [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-18 17:21:20 -04:00
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
}
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
case crypto.SSEC:
// Validate the SSE-C Key set in the header.
if _, err = crypto.SSEC.UnsealObjectKey(r.Header, objInfo.UserDefined, bucket, object); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
return
fix: avoid double body reads in SelectObject call (#9638) Bonus fix handle encryption headers in response properly for both notification and response to the client.
2020-05-19 05:01:08 -04:00
}
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerAlgorithm, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerAlgorithm))
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerKeyMD5, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerKeyMD5))
fix: avoid double body reads in SelectObject call (#9638) Bonus fix handle encryption headers in response properly for both notification and response to the client.
2020-05-19 05:01:08 -04:00
}
}
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-08 19:53:04 -05:00
s3Select.Evaluate(w)
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-02 21:40:08 -04:00
// Notify object accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGet,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 14:45:42 -04:00
Host: handlers.GetSourceIP(r),
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-02 21:40:08 -04:00
})
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 06:30:19 -04:00
}
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
func (api objectAPIHandlers) getObjectHandler(ctx context.Context, objectAPI ObjectLayer, bucket, object string, w http.ResponseWriter, r *http.Request) {
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
return
}
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) && !objectAPI.IsEncryptionSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 00:39:59 -05:00
return
}
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 16:10:12 -04:00
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
// get gateway encryption options
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
opts, err := getOpts(ctx, r, bucket, object)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// Check for auth type to return S3 compatible error.
// type to return the correct error (NoSuchKey vs AccessDenied)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// As per "Permission" section in
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
if globalPolicySys.IsAllowed(policy.Args{
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
Action: policy.ListBucketAction,
BucketName: bucket,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 11:59:59 -04:00
ConditionValues: getConditionValues(r, "", "", nil),
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
IsOwner: false,
}) {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
if toAPIError(ctx, err).Code == "NoSuchKey" {
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
s3Error = ErrNoSuchKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
}
Migrate from iodine to probe
2015-08-03 19:17:21 -04:00
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
return
}
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 16:08:30 -04:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 16:08:30 -04:00
}
// Get request range.
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
var rs *HTTPRangeSpec
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
var rangeErr error
fix: Add support for preserving mtime for replication (#9995) This PR is needed for bucket replication support
2020-07-08 20:36:56 -04:00
rangeHeader := r.Header.Get(xhttp.Range)
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 16:08:30 -04:00
if rangeHeader != "" {
fix: validate exclusivity with partNumber regardless of valid Range (#13418) To mimic an exact AWS S3 behavior this fix is needed.
2021-10-12 12:24:19 -04:00
// Both 'Range' and 'partNumber' cannot be specified at the same time
if opts.PartNumber > 0 {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRangePartNumber), r.URL)
return
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
rs, rangeErr = parseRequestRangeSpec(rangeHeader)
fix: consider partNumber in GET/HEAD requests (#10618)
2020-10-01 18:41:12 -04:00
// Handle only errInvalidRange. Ignore other
// parse error and treat it as regular Get
// request like Amazon S3.
if rangeErr == errInvalidRange {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRange), r.URL)
fix: consider partNumber in GET/HEAD requests (#10618)
2020-10-01 18:41:12 -04:00
return
}
if rangeErr != nil {
logger.LogIf(ctx, rangeErr, logger.Application)
}
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
// Validate pre-conditions if any.
opts.CheckPrecondFn = func(oi ObjectInfo) bool {
if objectAPI.IsEncryptionSupported() {
if _, err := DecryptObjectInfo(&oi, r); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
return true
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 16:08:30 -04:00
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
}
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 15:09:24 -05:00
return checkPreconditions(ctx, w, r, oi, opts)
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 16:08:30 -04:00
}
Add ObjectOptions to GetObjectNInfo (#6533)
2018-09-27 06:06:45 -04:00
gr, err := getObjectNInfo(ctx, bucket, object, rs, r.Header, readLock, opts)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
if err != nil {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
var (
reader *GetObjectReader
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
proxy proxyResult
Avoid shadowing error during replication proxy check (#14655) Fixes #14652
2022-03-29 13:53:09 -04:00
perr error
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
)
avoid replication proxy on version excluded paths (#14878) no need to attempt proxying objects that were never replicated, but do have local `null` versions on them.
2022-05-08 19:50:31 -04:00
proxytgts := getProxyTargets(ctx, bucket, object, opts)
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if !proxytgts.Empty() {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
// proxy to replication target if active-active replication is in place.
Avoid shadowing error during replication proxy check (#14655) Fixes #14652
2022-03-29 13:53:09 -04:00
reader, proxy, perr = proxyGetToReplicationTarget(ctx, bucket, object, rs, r.Header, opts, proxytgts)
Revert proxying requests with precondition errors (#15180) In a replicated setup, when an object is updated in one cluster but still waiting to be replicated to the other cluster, GET requests with if-match, and range headers will likely fail. It is better to proxy requests instead. Also, this commit avoids printing verbose logs about precondition & range errors.
2022-06-27 17:03:44 -04:00
if perr != nil {
proxyGetErr := ErrorRespToObjectError(perr, bucket, object)
if !isErrObjectNotFound(proxyGetErr) && !isErrVersionNotFound(proxyGetErr) &&
!isErrPreconditionFailed(proxyGetErr) && !isErrInvalidRange(proxyGetErr) {
logger.LogIf(ctx, fmt.Errorf("Replication proxy failed for %s/%s(%s) - %w", bucket, object, opts.VersionID, perr))
}
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
}
Avoid shadowing error during replication proxy check (#14655) Fixes #14652
2022-03-29 13:53:09 -04:00
if reader != nil && proxy.Proxy && perr == nil {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
gr = reader
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
}
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
if reader == nil || !proxy.Proxy {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
if isErrPreconditionFailed(err) {
return
}
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
if proxy.Err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, proxy.Err), r.URL)
return
}
feat: implement prefix-level versioning exclusion (#14828) Spark/Hadoop workloads which use Hadoop MR Committer v1/v2 algorithm upload objects to a temporary prefix in a bucket. These objects are 'renamed' to a different prefix on Job commit. Object storage admins are forced to configure separate ILM policies to expire these objects and their versions to reclaim space. Our solution: This can be avoided by simply marking objects under these prefixes to be excluded from versioning, as shown below. Consequently, these objects are excluded from replication, and don't require ILM policies to prune unnecessary versions. - MinIO Extension to Bucket Version Configuration ```xml <VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Status>Enabled</Status> <ExcludeFolders>true</ExcludeFolders> <ExcludedPrefixes> <Prefix>app1-jobs/*/_temporary/</Prefix> </ExcludedPrefixes> <ExcludedPrefixes> <Prefix>app2-jobs/*/__magic/</Prefix> </ExcludedPrefixes> <!-- .. up to 10 prefixes in all --> </VersioningConfiguration> ``` Note: `ExcludeFolders` excludes all folders in a bucket from versioning. This is required to prevent the parent folders from accumulating delete markers, especially those which are shared across spark workloads spanning projects/teams. - To enable version exclusion on a list of prefixes ``` mc version enable --excluded-prefixes "app1-jobs/*/_temporary/,app2-jobs/*/_magic," --exclude-prefix-marker myminio/test ```
2022-05-06 22:05:28 -04:00
if globalBucketVersioningSys.PrefixEnabled(bucket, object) && gr != nil {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
if !gr.ObjInfo.VersionPurgeStatus.Empty() {
// Shows the replication status of a permanent delete of a version
w.Header()[xhttp.MinIODeleteReplicationStatus] = []string{string(gr.ObjInfo.VersionPurgeStatus)}
}
if !gr.ObjInfo.ReplicationStatus.Empty() && gr.ObjInfo.DeleteMarker {
w.Header()[xhttp.MinIODeleteMarkerReplicationStatus] = []string{string(gr.ObjInfo.ReplicationStatus)}
}
// Versioning enabled quite possibly object is deleted might be delete-marker
// if present set the headers, no idea why AWS S3 sets these headers.
if gr.ObjInfo.VersionID != "" && gr.ObjInfo.DeleteMarker {
w.Header()[xhttp.AmzVersionID] = []string{gr.ObjInfo.VersionID}
w.Header()[xhttp.AmzDeleteMarker] = []string{strconv.FormatBool(gr.ObjInfo.DeleteMarker)}
}
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
return
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
}
object: checkETag compares quoted ETags properly (#1997) Previously, checkETag didn't handle ETags with leading and trailing double quotes. e.g "abcdef1234" == "\"abcdef1234\"" would return false. Now, checkETag function canonicalizes the ETags passed as arguments by removing one leading/trailing double quote.
2016-06-26 21:10:08 -04:00
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
defer gr.Close()
erasure: avoid io.Copy in hotpaths to reduce allocation (#11213)
2021-01-03 19:27:34 -05:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
objInfo := gr.ObjInfo
object: checkETag compares quoted ETags properly (#1997) Previously, checkETag didn't handle ETags with leading and trailing double quotes. e.g "abcdef1234" == "\"abcdef1234\"" would return false. Now, checkETag function canonicalizes the ETags passed as arguments by removing one leading/trailing double quote.
2016-06-26 21:10:08 -04:00
ilm: Remove object in HEAD/GET if having an applicable ILM rule (#11296) Remove an object on the fly if there is a lifecycle rule with delete expiry action for the corresponding object.
2021-02-01 12:52:11 -05:00
// Automatically remove the object/version is an expiry lifecycle rule can be applied
if lc, err := globalLifecycleSys.Get(bucket); err == nil {
fetch bucket retention config once for ILM evalAction (#14727) This is mainly an optimization, does not change any existing functionality.
2022-04-11 16:25:32 -04:00
rcfg, _ := globalBucketObjectLockSys.Get(bucket)
action := evalActionFromLifecycle(ctx, *lc, rcfg, objInfo, false)
reduce extra getObjectInfo() calls during ILM transition (#13091) * reduce extra getObjectInfo() calls during ILM transition This PR also changes expiration logic to be non-blocking, scanner is now free from additional costs incurred due to slower object layer calls and hitting the drives. * move verifying expiration inside locks
2021-08-27 20:06:47 -04:00
var success bool
switch action {
case lifecycle.DeleteVersionAction, lifecycle.DeleteAction:
success = applyExpiryRule(objInfo, false, action == lifecycle.DeleteVersionAction)
case lifecycle.DeleteRestoredAction, lifecycle.DeleteRestoredVersionAction:
// Restored object delete would be still allowed to proceed as success
// since transition behavior is slightly different.
applyExpiryRule(objInfo, true, action == lifecycle.DeleteRestoredVersionAction)
}
if success {
ilm: Remove object in HEAD/GET if having an applicable ILM rule (#11296) Remove an object on the fly if there is a lifecycle rule with delete expiry action for the corresponding object.
2021-02-01 12:52:11 -05:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrNoSuchKey))
return
}
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
// filter object lock metadata if permission does not permit
getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
legalHoldPerms := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object)
// filter object lock metadata if permission does not permit
objInfo.UserDefined = objectlock.FilterObjectLockMetadata(objInfo.UserDefined, getRetPerms != ErrNone, legalHoldPerms != ErrNone)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
switch kind, _ := crypto.IsEncrypted(objInfo.UserDefined); kind {
case crypto.S3:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
case crypto.S3KMS:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
fix: kms-id header should have arn:aws:kms: prefix (#13833) arn:aws:kms: is a must for KMS keyID.
2021-12-06 03:39:32 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
}
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
case crypto.SSEC:
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerAlgorithm, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerAlgorithm))
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerKeyMD5, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerKeyMD5))
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-10 20:12:22 -04:00
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
}
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 01:51:12 -04:00
fix: consider partNumber in GET/HEAD requests (#10618)
2020-10-01 18:41:12 -04:00
if err = setObjectHeaders(w, objInfo, rs, opts); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
return
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 16:10:12 -04:00
}
Send Partscount only when partnumber is specified (#9793) Fixes #9789
2020-06-10 12:22:15 -04:00
// Set Parts Count Header
if opts.PartNumber > 0 && len(objInfo.Parts) > 0 {
setPartsCountHeaders(w, objInfo)
}
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
setHeadGetRespHeaders(w, r.Form)
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-08 18:39:47 -04:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
statusCodeWritten := false
re-use io.Copy buffers with 32k pools (#13553) Borrowed idea from Go's usage of this optimization for ReadFrom() on client side, we should re-use the 32k buffers io.Copy() allocates for generic copy from a reader to writer. the performance increase for reads for really tiny objects is at this range after this change. > * Fastest: +7.89% (+1.3 MiB/s) throughput, +7.89% (+1308.1) obj/s
2021-11-02 11:11:50 -04:00
httpWriter := xioutil.WriteOnClose(w)
fix: consider partNumber in GET/HEAD requests (#10618)
2020-10-01 18:41:12 -04:00
if rs != nil || opts.PartNumber > 0 {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-08 18:39:47 -04:00
statusCodeWritten = true
w.WriteHeader(http.StatusPartialContent)
}
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// Write object content to response body
re-use io.Copy buffers with 32k pools (#13553) Borrowed idea from Go's usage of this optimization for ReadFrom() on client side, we should re-use the 32k buffers io.Copy() allocates for generic copy from a reader to writer. the performance increase for reads for really tiny objects is at this range after this change. > * Fastest: +7.89% (+1.3 MiB/s) throughput, +7.89% (+1308.1) obj/s
2021-11-02 11:11:50 -04:00
if _, err = xioutil.Copy(httpWriter, gr); err != nil {
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
if !httpWriter.HasWritten() && !statusCodeWritten {
// write error response only if no data or headers has been written to client yet
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix: avoid writing more content on network with O_DIRECT reads (#11659) There was an io.LimitReader was missing for the 'length' parameter for ranged requests, that would cause client to get truncated responses and errors. fixes #11651
2021-02-28 18:33:03 -05:00
return
}
if !xnet.IsNetworkOrHostDown(err, true) { // do not need to log disconnected clients
logger.LogIf(ctx, fmt.Errorf("Unable to write all the data to client %w", err))
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-10 20:12:22 -04:00
}
XL: bring in new storage API. (#1780) Fixes #1771
2016-05-28 18:13:15 -04:00
return
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-30 19:15:28 -04:00
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
if err = httpWriter.Close(); err != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-08 18:39:47 -04:00
if !httpWriter.HasWritten() && !statusCodeWritten { // write error response only if no data or headers has been written to client yet
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
return
}
fix: avoid writing more content on network with O_DIRECT reads (#11659) There was an io.LimitReader was missing for the 'length' parameter for ranged requests, that would cause client to get truncated responses and errors. fixes #11651
2021-02-28 18:33:03 -05:00
if !xnet.IsNetworkOrHostDown(err, true) { // do not need to log disconnected clients
logger.LogIf(ctx, fmt.Errorf("Unable to write all the data to client %w", err))
}
return
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-10 20:12:22 -04:00
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 13:32:17 -04:00
// Notify object accessed via a GET request.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 16:03:41 -04:00
sendEvent(eventArgs{
Add content-length as part of event notification structure (#6341) Fixes #6321
2018-08-23 17:40:54 -04:00
EventName: event.ObjectAccessedGet,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 14:45:42 -04:00
Host: handlers.GetSourceIP(r),
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 13:32:17 -04:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-15 20:03:27 -05:00
}
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
// GetObjectHandler - GET Object
// ----------
// This implementation of the GET operation retrieves object. To use GET,
// you must have READ access to the object.
func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 15:01:47 -04:00
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 15:25:59 -04:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
return
}
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
vars := mux.Vars(r)
bucket := vars["bucket"]
object, err := unescapePath(vars["object"])
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
return
}
Add GetObject gzip option (#14226) Enabled with `mc admin config set alias/ api gzip_objects=on` Standard filtering applies (1K response minimum, not compressed content type, not range request, gzip accepted by client).
2022-02-14 12:19:01 -05:00
if !globalAPIConfig.shouldGzipObjects() {
w.Header().Set(gzhttp.HeaderNoCompression, "true")
}
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
if r.Header.Get(xMinIOExtract) == "true" && strings.Contains(object, archivePattern) {
api.getObjectInArchiveFileHandler(ctx, objectAPI, bucket, object, w, r)
} else {
api.getObjectHandler(ctx, objectAPI, bucket, object, w, r)
}
}
func (api objectAPIHandlers) headObjectHandler(ctx context.Context, objectAPI ObjectLayer, bucket, object string, w http.ResponseWriter, r *http.Request) {
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrBadRequest))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
return
}
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) && !objectAPI.IsEncryptionSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 00:39:59 -05:00
return
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 16:48:58 -04:00
getObjectInfo := objectAPI.GetObjectInfo
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 17:14:06 -04:00
if api.CacheAPI() != nil {
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 16:48:58 -04:00
getObjectInfo = api.CacheAPI().GetObjectInfo
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 17:14:06 -04:00
}
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
opts, err := getOpts(ctx, r, bucket, object)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
// As per "Permission" section in
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
if globalPolicySys.IsAllowed(policy.Args{
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
Action: policy.ListBucketAction,
BucketName: bucket,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 11:59:59 -04:00
ConditionValues: getConditionValues(r, "", "", nil),
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
IsOwner: false,
}) {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
if toAPIError(ctx, err).Code == "NoSuchKey" {
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
s3Error = ErrNoSuchKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
}
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 06:20:07 -04:00
}
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(s3Error))
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
return
}
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
// Get request range.
var rs *HTTPRangeSpec
rangeHeader := r.Header.Get(xhttp.Range)
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 16:48:58 -04:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 02:43:27 -04:00
if err != nil {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
var (
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
proxy proxyResult
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
oi ObjectInfo
)
// proxy HEAD to replication target if active-active replication configured on bucket
avoid replication proxy on version excluded paths (#14878) no need to attempt proxying objects that were never replicated, but do have local `null` versions on them.
2022-05-08 19:50:31 -04:00
proxytgts := getProxyTargets(ctx, bucket, object, opts)
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if !proxytgts.Empty() {
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
if rangeHeader != "" {
rs, _ = parseRequestRangeSpec(rangeHeader)
}
oi, proxy = proxyHeadToReplicationTarget(ctx, bucket, object, rs, opts, proxytgts)
if proxy.Proxy {
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
objInfo = oi
Show Delete replication status header (#10946) X-Minio-Replication-Delete-Status header shows the status of the replication of a permanent delete of a version. All GETs are disallowed and return 405 on this object version. In the case of replicating delete markers. X-Minio-Replication-DeleteMarker-Status shows the status of replication, and would similarly return 405. Additionally, this PR adds reporting of delete marker event completion and updates documentation
2020-11-22 02:48:50 -05:00
}
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
}
fix: consistent replies for incorrect range requests on replicated buckets (#14345) Propagate error from replication proxy target correctly to the client if range GET is unsatisfiable.
2022-03-08 16:58:55 -05:00
if !proxy.Proxy {
feat: implement prefix-level versioning exclusion (#14828) Spark/Hadoop workloads which use Hadoop MR Committer v1/v2 algorithm upload objects to a temporary prefix in a bucket. These objects are 'renamed' to a different prefix on Job commit. Object storage admins are forced to configure separate ILM policies to expire these objects and their versions to reclaim space. Our solution: This can be avoided by simply marking objects under these prefixes to be excluded from versioning, as shown below. Consequently, these objects are excluded from replication, and don't require ILM policies to prune unnecessary versions. - MinIO Extension to Bucket Version Configuration ```xml <VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Status>Enabled</Status> <ExcludeFolders>true</ExcludeFolders> <ExcludedPrefixes> <Prefix>app1-jobs/*/_temporary/</Prefix> </ExcludedPrefixes> <ExcludedPrefixes> <Prefix>app2-jobs/*/__magic/</Prefix> </ExcludedPrefixes> <!-- .. up to 10 prefixes in all --> </VersioningConfiguration> ``` Note: `ExcludeFolders` excludes all folders in a bucket from versioning. This is required to prevent the parent folders from accumulating delete markers, especially those which are shared across spark workloads spanning projects/teams. - To enable version exclusion on a list of prefixes ``` mc version enable --excluded-prefixes "app1-jobs/*/_temporary/,app2-jobs/*/_magic," --exclude-prefix-marker myminio/test ```
2022-05-06 22:05:28 -04:00
if globalBucketVersioningSys.PrefixEnabled(bucket, object) {
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
switch {
case !objInfo.VersionPurgeStatus.Empty():
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
w.Header()[xhttp.MinIODeleteReplicationStatus] = []string{string(objInfo.VersionPurgeStatus)}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
case !objInfo.ReplicationStatus.Empty() && objInfo.DeleteMarker:
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
w.Header()[xhttp.MinIODeleteMarkerReplicationStatus] = []string{string(objInfo.ReplicationStatus)}
}
// Versioning enabled quite possibly object is deleted might be delete-marker
// if present set the headers, no idea why AWS S3 sets these headers.
if objInfo.VersionID != "" && objInfo.DeleteMarker {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
w.Header()[xhttp.AmzDeleteMarker] = []string{strconv.FormatBool(objInfo.DeleteMarker)}
}
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
}
More fixes for delete marker replication (#11504) continuation of PR#11491 for multiple server pools and bi-directional replication. Moving proxying for GET/HEAD to handler level rather than server pool layer as this was also causing incorrect proxying of HEAD. Also fixing metadata update on CopyObject - minio-go was not passing source version ID in X-Amz-Copy-Source header
2021-02-10 20:25:04 -05:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
return
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
}
Migrate from iodine to probe
2015-08-03 19:17:21 -04:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
ilm: Remove object in HEAD/GET if having an applicable ILM rule (#11296) Remove an object on the fly if there is a lifecycle rule with delete expiry action for the corresponding object.
2021-02-01 12:52:11 -05:00
// Automatically remove the object/version is an expiry lifecycle rule can be applied
if lc, err := globalLifecycleSys.Get(bucket); err == nil {
fetch bucket retention config once for ILM evalAction (#14727) This is mainly an optimization, does not change any existing functionality.
2022-04-11 16:25:32 -04:00
rcfg, _ := globalBucketObjectLockSys.Get(bucket)
action := evalActionFromLifecycle(ctx, *lc, rcfg, objInfo, false)
reduce extra getObjectInfo() calls during ILM transition (#13091) * reduce extra getObjectInfo() calls during ILM transition This PR also changes expiration logic to be non-blocking, scanner is now free from additional costs incurred due to slower object layer calls and hitting the drives. * move verifying expiration inside locks
2021-08-27 20:06:47 -04:00
var success bool
switch action {
case lifecycle.DeleteVersionAction, lifecycle.DeleteAction:
success = applyExpiryRule(objInfo, false, action == lifecycle.DeleteVersionAction)
case lifecycle.DeleteRestoredAction, lifecycle.DeleteRestoredVersionAction:
// Restored object delete would be still allowed to proceed as success
// since transition behavior is slightly different.
applyExpiryRule(objInfo, true, action == lifecycle.DeleteRestoredVersionAction)
}
if success {
ilm: Remove object in HEAD/GET if having an applicable ILM rule (#11296) Remove an object on the fly if there is a lifecycle rule with delete expiry action for the corresponding object.
2021-02-01 12:52:11 -05:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrNoSuchKey))
return
}
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
// filter object lock metadata if permission does not permit
getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
legalHoldPerms := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object)
// filter object lock metadata if permission does not permit
objInfo.UserDefined = objectlock.FilterObjectLockMetadata(objInfo.UserDefined, getRetPerms != ErrNone, legalHoldPerms != ErrNone)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
if objectAPI.IsEncryptionSupported() {
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
if _, err = DecryptObjectInfo(&objInfo, r); err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
return
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 13:24:10 -04:00
}
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
// Validate pre-conditions if any.
if checkPreconditions(ctx, w, r, objInfo, opts) {
return
}
if rangeHeader != "" {
fix: validate exclusivity with partNumber regardless of valid Range (#13418) To mimic an exact AWS S3 behavior this fix is needed.
2021-10-12 12:24:19 -04:00
// Both 'Range' and 'partNumber' cannot be specified at the same time
if opts.PartNumber > 0 {
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInvalidRangePartNumber))
return
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
if rs, err = parseRequestRangeSpec(rangeHeader); err != nil {
// Handle only errInvalidRange. Ignore other
// parse error and treat it as regular Get
// request like Amazon S3.
if err == errInvalidRange {
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInvalidRange))
return
}
logger.LogIf(ctx, err)
}
}
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 13:24:10 -04:00
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
switch kind, _ := crypto.IsEncrypted(objInfo.UserDefined); kind {
case crypto.S3:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
case crypto.S3KMS:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
fix: kms-id header should have arn:aws:kms: prefix (#13833) arn:aws:kms: is a must for KMS keyID.
2021-12-06 03:39:32 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
}
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
case crypto.SSEC:
// Validate the SSE-C Key set in the header.
if _, err = crypto.SSEC.UnsealObjectKey(r.Header, objInfo.UserDefined, bucket, object); err != nil {
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
return
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 15:52:14 -04:00
}
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerAlgorithm, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerAlgorithm))
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerKeyMD5, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerKeyMD5))
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
}
}
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-28 21:10:37 -05:00
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-10 20:12:22 -04:00
// Set standard object headers.
fix: consider partNumber in GET/HEAD requests (#10618)
2020-10-01 18:41:12 -04:00
if err = setObjectHeaders(w, objInfo, rs, opts); err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 04:25:52 -05:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
return
}
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-28 21:10:37 -05:00
Send Partscount only when partnumber is specified (#9793) Fixes #9789
2020-06-10 12:22:15 -04:00
// Set Parts Count Header
if opts.PartNumber > 0 && len(objInfo.Parts) > 0 {
setPartsCountHeaders(w, objInfo)
}
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 14:04:04 -04:00
// Set any additional requested response headers.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
setHeadGetRespHeaders(w, r.Form)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 14:04:04 -04:00
XL: erasure Index should have its corresponding distribution order. (#2300)
2016-07-27 14:57:08 -04:00
// Successful response.
fix: consider partNumber in GET/HEAD requests (#10618)
2020-10-01 18:41:12 -04:00
if rs != nil || opts.PartNumber > 0 {
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 13:24:10 -04:00
w.WriteHeader(http.StatusPartialContent)
} else {
w.WriteHeader(http.StatusOK)
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 13:32:17 -04:00
// Notify object accessed via a HEAD request.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 16:03:41 -04:00
sendEvent(eventArgs{
Add content-length as part of event notification structure (#6341) Fixes #6321
2018-08-23 17:40:54 -04:00
EventName: event.ObjectAccessedHead,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 14:45:42 -04:00
Host: handlers.GetSourceIP(r),
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 13:32:17 -04:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-15 20:03:27 -05:00
}
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
// HeadObjectHandler - HEAD Object
// -----------
// The HEAD operation retrieves metadata from an object without returning the object itself.
func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "HeadObject")
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
objectAPI := api.ObjectAPI()
if objectAPI == nil {
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrServerNotInitialized))
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object, err := unescapePath(vars["object"])
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
return
}
if r.Header.Get(xMinIOExtract) == "true" && strings.Contains(object, archivePattern) {
api.headObjectInArchiveFileHandler(ctx, objectAPI, bucket, object, w, r)
} else {
api.headObjectHandler(ctx, objectAPI, bucket, object, w, r)
}
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// Extract metadata relevant for an CopyObject operation based on conditional
// header values specified in X-Amz-Metadata-Directive.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-10 23:27:10 -04:00
func getCpObjMetadataFromHeader(ctx context.Context, r *http.Request, userMeta map[string]string) (map[string]string, error) {
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
// Make a copy of the supplied metadata to avoid
// to change the original one.
defaultMeta := make(map[string]string, len(userMeta))
for k, v := range userMeta {
defaultMeta[k] = v
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
// remove SSE Headers from source info
crypto.RemoveSSEHeaders(defaultMeta)
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
// Storage class is special, it can be replaced regardless of the
// metadata directive, if set should be preserved and replaced
// to the destination metadata.
sc := r.Header.Get(xhttp.AmzStorageClass)
if sc == "" {
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
sc = r.Form.Get(xhttp.AmzStorageClass)
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// if x-amz-metadata-directive says REPLACE then
// we extract metadata from the input headers.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if isDirectiveReplace(r.Header.Get(xhttp.AmzMetadataDirective)) {
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
emetadata, err := extractMetadata(ctx, r)
if err != nil {
return nil, err
}
if sc != "" {
emetadata[xhttp.AmzStorageClass] = sc
}
return emetadata, nil
}
if sc != "" {
defaultMeta[xhttp.AmzStorageClass] = sc
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 03:37:00 -05:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// if x-amz-metadata-directive says COPY then we
// return the default metadata.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if isDirectiveCopy(r.Header.Get(xhttp.AmzMetadataDirective)) {
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-05 19:56:10 -04:00
return defaultMeta, nil
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 03:37:00 -05:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// Copy is default behavior if not x-amz-metadata-directive is set.
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-05 19:56:10 -04:00
return defaultMeta, nil
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
}
fix: limit HTTP transport tuables to affordable values (#9383) Close connections pro-actively in transient calls
2020-04-17 14:20:56 -04:00
// getRemoteInstanceTransport contains a singleton roundtripper.
add support for configurable remote transport deadline (#10447) configurable remote transport timeouts for some special cases where this value needs to be bumped to a higher value when transferring large data between federated instances.
2020-09-12 02:03:08 -04:00
var (
getRemoteInstanceTransport *http.Transport
getRemoteInstanceTransportOnce sync.Once
)
fix: limit HTTP transport tuables to affordable values (#9383) Close connections pro-actively in transient calls
2020-04-17 14:20:56 -04:00
Choose right users in federation mode for CopyObject (#6895)
2018-11-29 20:35:11 -05:00
// Returns a minio-go Client configured to access remote host described by destDNSRecord
// Applicable only in a federated deployment
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
var getRemoteInstanceClient = func(r *http.Request, host string) (*miniogo.Core, error) {
Add new `site` config sub-system intended to replace `region` (#13672) - New sub-system has "region" and "name" fields. - `region` subsystem is marked as deprecated, however still works, unless the new region parameter under `site` is set - in this case, the region subsystem is ignored. `region` subsystem is hidden from top-level help (i.e. from `mc admin config set myminio`), but appears when specifically requested (i.e. with `mc admin config set myminio region`). - MINIO_REGION, MINIO_REGION_NAME are supported as legacy environment variables for server region. - Adds MINIO_SITE_REGION as the current environment variable to configure the server region and MINIO_SITE_NAME for the site name.
2021-11-25 16:06:25 -05:00
cred := getReqAccessCred(r, globalSite.Region)
Remove timeout from putobject and listobjects (#9986) Use a separate client for these calls that can take a long time. Add request context to these so they are canceled when the client disconnects instead except for ListObject which doesn't have any equivalent.
2020-07-07 15:19:57 -04:00
// In a federated deployment, all the instances share config files
// and hence expected to have same credentials.
allow resetting and reapply config on broken clusters (#12554) Bonus: remove kms_kes as sub-system, since its ENV only. - also fixes a crash with etcd cluster without KMS configured and also if KMS decryption is missing.
2021-06-24 19:24:12 -04:00
return miniogo.NewCore(host, &miniogo.Options{
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
Creds: credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, ""),
update x/net/http2 to address few bugs (#11144) additionally also configure http2 healthcheck values to quickly detect unstable connections and let them timeout. also use single transport for proxying requests
2020-12-22 00:42:38 -05:00
Secure: globalIsTLS,
add support for configurable remote transport deadline (#10447) configurable remote transport timeouts for some special cases where this value needs to be bumped to a higher value when transferring large data between federated instances.
2020-09-12 02:03:08 -04:00
Transport: getRemoteInstanceTransport,
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
})
Remove timeout from putobject and listobjects (#9986) Use a separate client for these calls that can take a long time. Add request context to these so they are canceled when the client disconnects instead except for ListObject which doesn't have any equivalent.
2020-07-07 15:19:57 -04:00
}
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
// Check if the destination bucket is on a remote site, this code only gets executed
// when federation is enabled, ie when globalDNSConfig is non 'nil'.
//
// This function is similar to isRemoteCallRequired but specifically for COPY object API
Add Kubernetes operator webook server as DNS target (#10404) This PR adds a DNS target that ensures to update an entry into Kubernetes operator when a bucket is created or deleted. See minio/operator#264 for details. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-09 15:20:49 -04:00
// if destination and source are same we do not need to check for destination bucket
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
// to exist locally.
func isRemoteCopyRequired(ctx context.Context, srcBucket, dstBucket string, objAPI ObjectLayer) bool {
if srcBucket == dstBucket {
return false
}
return isRemoteCallRequired(ctx, dstBucket, objAPI)
}
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
// Check if the bucket is on a remote site, this code only gets executed when federation is enabled.
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
func isRemoteCallRequired(ctx context.Context, bucket string, objAPI ObjectLayer) bool {
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
if globalDNSConfig == nil {
return false
}
Disable federated buckets when etcd is namespaced (#8709) This is to ensure that when we have multiple tenants deployed all sharing the same etcd for global bucket should avoid listing each others buckets, this leads to information leak which should be avoided unless etcd is not namespaced for IAM assets in which case it can be assumed that its a federated setup. Federated setup and namespaced IAM assets on etcd is not supported since namespacing is only useful when you wish to separate the tenants as isolated instances of MinIO. This PR allows a new type of behavior, primarily driven by the usecase of m3(mkube) multi-tenant deployments with global bucket support.
2019-12-29 11:56:45 -05:00
if globalBucketFederation {
site replication: fix healing of bucket deletes. (#15377) This PR changes the handling of bucket deletes for site replicated setups to hold on to deleted bucket state until it syncs to all the clusters participating in site replication.
2022-07-25 20:51:32 -04:00
_, err := objAPI.GetBucketInfo(ctx, bucket, BucketOptions{})
Disable federated buckets when etcd is namespaced (#8709) This is to ensure that when we have multiple tenants deployed all sharing the same etcd for global bucket should avoid listing each others buckets, this leads to information leak which should be avoided unless etcd is not namespaced for IAM assets in which case it can be assumed that its a federated setup. Federated setup and namespaced IAM assets on etcd is not supported since namespacing is only useful when you wish to separate the tenants as isolated instances of MinIO. This PR allows a new type of behavior, primarily driven by the usecase of m3(mkube) multi-tenant deployments with global bucket support.
2019-12-29 11:56:45 -05:00
return err == toObjectErr(errVolumeNotFound, bucket)
}
return false
Choose right users in federation mode for CopyObject (#6895)
2018-11-29 20:35:11 -05:00
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
// CopyObjectHandler - Copy Object
// ----------
// This implementation of the PUT operation adds an object to a bucket
// while reading the object from another source.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 15:45:15 -04:00
func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-20 21:46:32 -04:00
ctx := newContext(r, w, "CopyObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 15:01:47 -04:00
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 15:25:59 -04:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
return
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) {
s3-gateway: Allow encryption S3 passthrough for SSE-S3 (#13204) This reverts commit 35cbe43b6df48927a1574829b13f9ed5d3af99d3.
2021-09-14 15:55:32 -04:00
if globalIsGateway {
if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
return
}
} else {
if !objectAPI.IsEncryptionSupported() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
return
}
}
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 00:39:59 -05:00
}
fix: allow S3 gateway passthrough for SSE-S3 header (#12020) only in case of S3 gateway we have a case where we need to allow for SSE-S3 headers as passthrough, If SSE-C headers are passed then they are rejected if KMS is not configured.
2021-04-08 19:40:38 -04:00
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
vars := mux.Vars(r)
dstBucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
dstObject, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, dstBucket, dstObject); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
return
}
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 16:10:10 -05:00
// Read escaped copy source path to check for parameters.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
cpSrcPath := r.Header.Get(xhttp.AmzCopySource)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
var vid string
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 14:43:44 -05:00
if u, err := url.Parse(cpSrcPath); err == nil {
fix: Add support for preserving mtime for replication (#9995) This PR is needed for bucket replication support
2020-07-08 20:36:56 -04:00
vid = strings.TrimSpace(u.Query().Get(xhttp.VersionID))
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 16:10:10 -05:00
// Note that url.Parse does the unescaping
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 14:43:44 -05:00
cpSrcPath = u.Path
}
fix: Avoid double usage calculation on every restart (#8856) On every restart of the server, usage was being calculated which is not useful instead wait for sufficient time to start the crawling routine. This PR also avoids lots of double allocations through strings, optimizes usage of string builders and also avoids crawling through symbolic links. Fixes #8844
2020-01-21 17:07:49 -05:00
srcBucket, srcObject := path2BucketObject(cpSrcPath)
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
if vid != "" && vid != nullVersionID {
_, err := uuid.Parse(vid)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, VersionNotFound{
Bucket: srcBucket,
Object: srcObject,
VersionID: vid,
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
}), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
}
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-26 19:12:44 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, srcBucket, srcObject); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-26 19:12:44 -04:00
return
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// Check if metadata directive is valid.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if !isDirectiveValid(r.Header.Get(xhttp.AmzMetadataDirective)) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMetadataDirective), r.URL)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
return
}
remove SSE-S3 key rotation in CopyObject (#8278) This commit removes the SSE-S3 key rotation functionality from CopyObject since there will be a dedicated Admin-API for this purpose. Also update the security documentation to link to mc and the admin documentation.
2019-09-23 16:35:04 -04:00
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// check if tag directive is valid
if !isDirectiveValid(r.Header.Get(xhttp.AmzTagDirective)) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidTagDirective), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
// Validate storage class metadata if present
dstSc := r.Header.Get(xhttp.AmzStorageClass)
if dstSc != "" && !storageclass.IsValid(dstSc) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidStorageClass), r.URL)
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
return
}
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 04:42:34 -05:00
// Check if bucket encryption is enabled
sse: add support for SSE-KMS bucket configurations (#12295) This commit adds support for SSE-KMS bucket configurations. Before, the MinIO server did not support SSE-KMS, and therefore, it was not possible to specify an SSE-KMS bucket config. Now, this is possible. For example: ``` mc encrypt set sse-kms some-key <alias>/my-bucket ``` Further, this commit fixes an issue caused by not supporting SSE-KMS bucket configuration and switching to SSE-KMS as default SSE method. Before, the server just checked whether an SSE bucket config was present (not which type of SSE config) and applied the default SSE method (which was switched from SSE-S3 to SSE-KMS). This caused objects to get encrypted with SSE-KMS even though a SSE-S3 bucket config was present. This issue is fixed as a side-effect of this commit. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-14 03:59:05 -04:00
sseConfig, _ := globalBucketSSEConfigSys.Get(dstBucket)
allow S3 gateway to support object locked buckets (#13257) - Supports object locked buckets that require PutObject() to set content-md5 always. - Use SSE-S3 when S3 gateway is being used instead of SSE-KMS for auto-encryption.
2021-09-21 12:02:15 -04:00
sseConfig.Apply(r.Header, sse.ApplyOptions{
AutoEncrypt: globalAutoEncryption,
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
})
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 12:42:43 -04:00
var srcOpts, dstOpts ObjectOptions
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
srcOpts, err = copySrcOpts(ctx, r, srcBucket, srcObject)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
logger.LogIf(ctx, err)
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
srcOpts.VersionID = vid
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
// convert copy src encryption options for GET calls
fix: resyncing 'null' version on pre-existing content (#15043) PR #15041 fixed replicating 'null' version however due to a regression from #14994 caused the target versions for these 'null' versioned objects to have different 'versions', this may cause confusion with bi-directional replication and cause double replication. This PR fixes this properly by making sure we replicate the correct versions on the objects.
2022-06-06 18:14:56 -04:00
getOpts := ObjectOptions{
VersionID: srcOpts.VersionID,
Versioned: srcOpts.Versioned,
VersionSuspended: srcOpts.VersionSuspended,
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
getSSE := encrypt.SSE(srcOpts.ServerSideEncryption)
if getSSE != srcOpts.ServerSideEncryption {
getOpts.ServerSideEncryption = getSSE
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
dstOpts, err = copyDstOpts(ctx, r, dstBucket, dstObject, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
logger.LogIf(ctx, err)
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Worm: Permit key-rotation of S3 encrypted objects (#7429) Fixes : #7399
2019-04-10 14:31:50 -04:00
cpSrcDstSame := isStringEqual(pathJoin(srcBucket, srcObject), pathJoin(dstBucket, dstObject))
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
getObjectNInfo := objectAPI.GetObjectNInfo
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
checkCopyPrecondFn := func(o ObjectInfo) bool {
if objectAPI.IsEncryptionSupported() {
if _, err := DecryptObjectInfo(&o, r); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
return true
}
}
return checkCopyObjectPreconditions(ctx, w, r, o)
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 15:38:41 -05:00
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
getOpts.CheckPrecondFn = checkCopyPrecondFn
delayed locks until we have started reading the body (#10474) This is to ensure that Go contexts work properly, after some interesting experiments I found that Go net/http doesn't cancel the context when Body is non-zero and hasn't been read till EOF. The following gist explains this, this can lead to pile up of go-routines on the server which will never be canceled and will die at a really later point in time, which can simply overwhelm the server. https://gist.github.com/harshavardhana/c51dcfd055780eaeb71db54f9c589150 To avoid this refactor the locking such that we take locks after we have started reading from the body and only take locks when needed. Also, remove contextReader as it's not useful, doesn't work as expected context is not canceled until the body reaches EOF so there is no point in wrapping it with context and putting a `select {` on it which can unnecessarily increase the CPU overhead. We will still use the context to cancel the lockers etc. Additional simplification in the locker code to avoid timers as re-using them is a complicated ordeal avoid them in the hot path, since locking is very common this may avoid lots of allocations.
2020-09-14 18:57:13 -04:00
// FIXME: a possible race exists between a parallel
// GetObject v/s CopyObject with metadata updates, ideally
// we should be holding write lock here but it is not
// possible due to other constraints such as knowing
// the type of source content etc.
lock := noLock
if !cpSrcDstSame {
lock = readLock
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 11:50:06 -04:00
var rs *HTTPRangeSpec
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
gr, err := getObjectNInfo(ctx, srcBucket, srcObject, rs, r.Header, lock, getOpts)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
if err != nil {
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 15:38:41 -05:00
if isErrPreconditionFailed(err) {
return
}
feat: implement prefix-level versioning exclusion (#14828) Spark/Hadoop workloads which use Hadoop MR Committer v1/v2 algorithm upload objects to a temporary prefix in a bucket. These objects are 'renamed' to a different prefix on Job commit. Object storage admins are forced to configure separate ILM policies to expire these objects and their versions to reclaim space. Our solution: This can be avoided by simply marking objects under these prefixes to be excluded from versioning, as shown below. Consequently, these objects are excluded from replication, and don't require ILM policies to prune unnecessary versions. - MinIO Extension to Bucket Version Configuration ```xml <VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Status>Enabled</Status> <ExcludeFolders>true</ExcludeFolders> <ExcludedPrefixes> <Prefix>app1-jobs/*/_temporary/</Prefix> </ExcludedPrefixes> <ExcludedPrefixes> <Prefix>app2-jobs/*/__magic/</Prefix> </ExcludedPrefixes> <!-- .. up to 10 prefixes in all --> </VersioningConfiguration> ``` Note: `ExcludeFolders` excludes all folders in a bucket from versioning. This is required to prevent the parent folders from accumulating delete markers, especially those which are shared across spark workloads spanning projects/teams. - To enable version exclusion on a list of prefixes ``` mc version enable --excluded-prefixes "app1-jobs/*/_temporary/,app2-jobs/*/_magic," --exclude-prefix-marker myminio/test ```
2022-05-06 22:05:28 -04:00
if globalBucketVersioningSys.PrefixEnabled(srcBucket, srcObject) && gr != nil {
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
// Versioning enabled quite possibly object is deleted might be delete-marker
// if present set the headers, no idea why AWS S3 sets these headers.
if gr.ObjInfo.VersionID != "" && gr.ObjInfo.DeleteMarker {
w.Header()[xhttp.AmzVersionID] = []string{gr.ObjInfo.VersionID}
w.Header()[xhttp.AmzDeleteMarker] = []string{strconv.FormatBool(gr.ObjInfo.DeleteMarker)}
}
}
s3: Return correct error XML tag in case of copy object (#12427) In Copy Object S3 API, the server does not return correct bucket & object names when the source bucket/object does not exist, this commit fixes it.
2021-06-03 20:25:31 -04:00
// Update context bucket & object names for correct S3 XML error response
reqInfo := logger.GetReqInfo(ctx)
reqInfo.BucketName = srcBucket
reqInfo.ObjectName = srcObject
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
return
}
defer gr.Close()
srcInfo := gr.ObjInfo
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// maximum Upload size for object in a single CopyObject operation.
Change CopyObject{Part} to single srcInfo argument (#5553) Refactor such that metadata and etag are combined to a single argument `srcInfo`. This is a precursor change for #5544 making it easier for us to provide encryption/decryption functions.
2018-02-21 03:48:47 -05:00
if isMaxObjectSize(srcInfo.Size) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
return
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
// We have to copy metadata only if source and destination are same.
// this changes for encryption which can be observed below.
if cpSrcDstSame {
srcInfo.metadataOnly = true
}
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
var chStorageClass bool
fix: replication deleteObject() regression and CopyObject() behavior (#14780) This PR fixes two issues - The first fix is a regression from #14555, the fix itself in #14555 is correct but the interpretation of that information by the object layer code for "replication" was not correct. This PR tries to fix this situation by making sure the "Delete" replication works as expected when "VersionPurgeStatus" is already set. Without this fix, there is a DELETE marker created incorrectly on the source where the "DELETE" was triggered. - The second fix is perhaps an older problem started since we inlined-data on the disk for small objects, CopyObject() incorrectly inline's a non-inlined data. This is due to the fact that we have code where we read the `part.1` under certain conditions where the size of the `part.1` is less than the specific "threshold". This eventually causes problems when we are "deleting" the data that is only inlined, which means dataDir is ignored leaving such dataDir on the disk, that looks like an inconsistent content on the namespace. fixes #14767
2022-04-20 13:22:05 -04:00
if dstSc != "" && dstSc != srcInfo.StorageClass {
fix: perform CopyObject under more conditions (#9879) - x-amz-storage-class specified CopyObject should proceed regardless, its not a precondition - sourceVersionID is specified CopyObject should proceed regardless, its not a precondition
2020-06-19 16:53:45 -04:00
chStorageClass = true
srcInfo.metadataOnly = false
fix: replication deleteObject() regression and CopyObject() behavior (#14780) This PR fixes two issues - The first fix is a regression from #14555, the fix itself in #14555 is correct but the interpretation of that information by the object layer code for "replication" was not correct. This PR tries to fix this situation by making sure the "Delete" replication works as expected when "VersionPurgeStatus" is already set. Without this fix, there is a DELETE marker created incorrectly on the source where the "DELETE" was triggered. - The second fix is perhaps an older problem started since we inlined-data on the disk for small objects, CopyObject() incorrectly inline's a non-inlined data. This is due to the fact that we have code where we read the `part.1` under certain conditions where the size of the `part.1` is less than the specific "threshold". This eventually causes problems when we are "deleting" the data that is only inlined, which means dataDir is ignored leaving such dataDir on the disk, that looks like an inconsistent content on the namespace. fixes #14767
2022-04-20 13:22:05 -04:00
} // no changes in storage-class expected so its a metadataonly operation.
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
var reader io.Reader = gr
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
// Set the actual size to the compressed/decrypted size if encrypted.
actualSize, err := srcInfo.GetActualSize()
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
return
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
}
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
length := actualSize
Apply quota usage cache invalidation per second (#10127) Allow faster lookups for quota check enforcement
2020-07-24 15:24:21 -04:00
Add docs for bucket quota feature (#9503) This PR also adds a check to not enforce bucket quota for server-side metadata copy of an object onto itself.
2020-05-16 22:27:33 -04:00
if !cpSrcDstSame {
remove FIFO bucket quota, use ILM expiration instead (#14206)
2022-01-31 14:07:04 -05:00
if err := enforceBucketQuotaHard(ctx, dstBucket, actualSize); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add docs for bucket quota feature (#9503) This PR also adds a check to not enforce bucket quota for server-side metadata copy of an object onto itself.
2020-05-16 22:27:33 -04:00
return
}
Add API's for managing bucket quota (#9379) This PR allows setting a "hard" or "fifo" quota restriction at the bucket level. Buckets that have reached the FIFO quota configured, will automatically be cleaned up in FIFO manner until bucket usage drops to configured quota. If a bucket is configured with a "hard" quota ceiling, all further writes are disallowed.
2020-04-30 18:55:54 -04:00
}
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
CopyObject: Do not remove crypto info when compressed (#11702) Removing crypto info makes it impossible to copy encrypted+compressed objects. Disable destination compression when encrypted.
2021-03-08 15:57:54 -05:00
// Check if either the source is encrypted or the destination will be encrypted.
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
objectEncryption := crypto.Requested(r.Header)
CopyObject: Do not remove crypto info when compressed (#11702) Removing crypto info makes it impossible to copy encrypted+compressed objects. Disable destination compression when encrypted.
2021-03-08 15:57:54 -05:00
objectEncryption = objectEncryption || crypto.IsSourceEncrypted(srcInfo.UserDefined)
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 15:05:41 -05:00
var compressMetadata map[string]string
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
// No need to compress for remote etcd calls
// Pass the decompressed stream to such calls.
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
isDstCompressed := objectAPI.IsCompressionSupported() &&
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 15:09:24 -05:00
isCompressible(r.Header, dstObject) &&
Add 4K minimum compressed size (#15273) There is no point in compressing very small files. Typically the effective size on disk will be the same due to disk blocks. So don't waste resources on extremely small files. We don't check on multipart. 1) because we don't know and 2) this is very likely a big object anyway.
2022-07-12 10:42:04 -04:00
length > minCompressibleSize &&
CopyObject: Do not remove crypto info when compressed (#11702) Removing crypto info makes it impossible to copy encrypted+compressed objects. Disable destination compression when encrypted.
2021-03-08 15:57:54 -05:00
!isRemoteCopyRequired(ctx, srcBucket, dstBucket, objectAPI) && !cpSrcDstSame && !objectEncryption
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
if isDstCompressed {
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 15:05:41 -05:00
compressMetadata = make(map[string]string, 2)
// Preserving the compression metadata.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 02:08:24 -04:00
compressMetadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV2
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 15:05:41 -05:00
compressMetadata[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(actualSize, 10)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
etag: compute ETag as MD5 for compressed single-part objects (#12375) This commit fixes a bug causing the MinIO server to compute the ETag of a single-part object as MD5 of the compressed content - not as MD5 of the actual content. This usually does not affect clients since the MinIO appended a `-1` to indicate that the ETag belongs to a multipart object. However, this behavior was problematic since: - A S3 client being very strict should reject such an ETag since the client uploaded the object via single-part API but got a multipart ETag that is not the content MD5. - The MinIO server leaks (via the ETag) that it compressed the object. This commit addresses both cases. Now, the MinIO server returns an ETag equal to the content MD5 for single-part objects that got compressed. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-27 11:18:41 -04:00
reader = etag.NewReader(reader, nil)
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
wantEncryption := objectAPI.IsEncryptionSupported() && crypto.Requested(r.Header)
s2c, cb := newS2CompressReader(reader, actualSize, wantEncryption)
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
dstOpts.IndexCB = cb
Switch to Snappy -> S2 compression (#8189)
2019-09-26 02:08:24 -04:00
defer s2c.Close()
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
reader = etag.Wrap(s2c, reader)
Replace snappy.Writer/io.Pipe with snappyCompressReader. (#7316) Prevents deferred close functions from being called while still attempting to copy reader to snappyWriter. Reduces code duplication when compressing objects.
2019-03-05 11:35:37 -05:00
length = -1
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
} else {
CopyObject: Do not remove crypto info when compressed (#11702) Removing crypto info makes it impossible to copy encrypted+compressed objects. Disable destination compression when encrypted.
2021-03-08 15:57:54 -05:00
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"compression")
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"actual-size")
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
reader = gr
}
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
srcInfo.Reader, err = hash.NewReader(reader, length, "", "", actualSize)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
return
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 16:23:32 -05:00
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
pReader := NewPutObjReader(srcInfo.Reader)
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 16:23:32 -05:00
CopyObject: Do not remove crypto info when compressed (#11702) Removing crypto info makes it impossible to copy encrypted+compressed objects. Disable destination compression when encrypted.
2021-03-08 15:57:54 -05:00
// Handle encryption
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
encMetadata := make(map[string]string)
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
if objectAPI.IsEncryptionSupported() {
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 13:41:13 -04:00
// Encryption parameters not applicable for this object.
fux: copy object for encrypted objects (#11490)
2021-02-08 22:58:17 -05:00
if _, ok := crypto.IsEncrypted(srcInfo.UserDefined); !ok && crypto.SSECopy.IsRequested(r.Header) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL)
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 13:41:13 -04:00
return
}
// Encryption parameters not present for this object.
if crypto.SSEC.IsEncrypted(srcInfo.UserDefined) && !crypto.SSECopy.IsRequested(r.Header) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidSSECustomerAlgorithm), r.URL)
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 13:41:13 -04:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
var oldKey, newKey []byte
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
var newKeyID string
kms: replace KES client implementation with minio/kes (#12207) This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-10 21:15:11 -04:00
var kmsCtx kms.Context
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
var objEncKey crypto.ObjectKey
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
sseCopyKMS := crypto.S3KMS.IsEncrypted(srcInfo.UserDefined)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 15:52:14 -04:00
sseCopyS3 := crypto.S3.IsEncrypted(srcInfo.UserDefined)
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 13:41:13 -04:00
sseCopyC := crypto.SSEC.IsEncrypted(srcInfo.UserDefined) && crypto.SSECopy.IsRequested(r.Header)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 15:52:14 -04:00
sseC := crypto.SSEC.IsRequested(r.Header)
sseS3 := crypto.S3.IsRequested(r.Header)
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
sseKMS := crypto.S3KMS.IsRequested(r.Header)
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
isSourceEncrypted := sseCopyC || sseCopyS3 || sseCopyKMS
isTargetEncrypted := sseC || sseS3 || sseKMS
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
if sseC {
newKey, err = ParseSSECustomerRequest(r)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
return
}
}
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
if crypto.S3KMS.IsRequested(r.Header) {
newKeyID, kmsCtx, err = crypto.S3KMS.ParseHTTP(r.Header)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
return
}
}
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 13:26:10 -05:00
// If src == dst and either
// - the object is encrypted using SSE-C and two different SSE-C keys are present
// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-16 20:42:44 -04:00
// - the object storage class is not changing
// then execute a key rotation.
if cpSrcDstSame && (sseCopyC && sseC) && !chStorageClass {
remove SSE-S3 key rotation in CopyObject (#8278) This commit removes the SSE-S3 key rotation functionality from CopyObject since there will be a dedicated Admin-API for this purpose. Also update the security documentation to link to mc and the admin documentation.
2019-09-23 16:35:04 -04:00
oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
remove SSE-S3 key rotation in CopyObject (#8278) This commit removes the SSE-S3 key rotation functionality from CopyObject since there will be a dedicated Admin-API for this purpose. Also update the security documentation to link to mc and the admin documentation.
2019-09-23 16:35:04 -04:00
return
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
}
Fix ETag handling with auto-encryption with CopyObject conditions (#7000) minio-java tests were failing under multiple places when auto encryption was turned on, handle all the cases properly This PR fixes - CopyObject should decrypt ETag before it does if-match - CopyObject should not try to preserve metadata of source when rotating keys, unless explicitly asked by the user. - We should not try to decrypt Compressed object etag, the potential case was if user sets encryption headers along with compression enabled.
2018-12-19 17:12:53 -05:00
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
for k, v := range srcInfo.UserDefined {
fix: CopyObject behavior on expanded zones (#9729) CopyObject was not correctly figuring out the correct destination object location and would end up creating duplicate objects on two different zones, reproduced by doing encryption based key rotation.
2020-05-28 17:36:38 -04:00
if strings.HasPrefix(strings.ToLower(k), ReservedMetadataPrefixLower) {
Fix ETag handling with auto-encryption with CopyObject conditions (#7000) minio-java tests were failing under multiple places when auto encryption was turned on, handle all the cases properly This PR fixes - CopyObject should decrypt ETag before it does if-match - CopyObject should not try to preserve metadata of source when rotating keys, unless explicitly asked by the user. - We should not try to decrypt Compressed object etag, the potential case was if user sets encryption headers along with compression enabled.
2018-12-19 17:12:53 -05:00
encMetadata[k] = v
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
}
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 13:26:10 -05:00
kms: add `context.Context` to KMS API calls (#15327) This commit adds a `context.Context` to the the KMS `{Stat, CreateKey, GenerateKey}` API calls. The context will be used to terminate external calls as soon as the client requests gets canceled. A follow-up PR will add a `context.Context` to the remaining `DecryptKey` API call. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2022-07-18 21:54:27 -04:00
if err = rotateKey(ctx, oldKey, newKeyID, newKey, srcBucket, srcObject, encMetadata, kmsCtx); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
return
}
Fix deadlock in in-place CopyObject decryption/encryption (#5637) In-place decryption/encryption already holds write locks on them, attempting to acquire a read lock would fail.
2018-03-12 16:52:38 -04:00
// Since we are rotating the keys, make sure to update the metadata.
srcInfo.metadataOnly = true
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
srcInfo.keyRotation = true
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
} else {
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
if isSourceEncrypted || isTargetEncrypted {
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
// We are not only copying just metadata instead
// we are creating a new object at this point, even
// if source and destination are same objects.
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
if !srcInfo.keyRotation {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
srcInfo.metadataOnly = false
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
}
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
// Calculate the size of the target object
var targetSize int64
switch {
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
case isDstCompressed:
targetSize = -1
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
case !isSourceEncrypted && !isTargetEncrypted:
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
targetSize, _ = srcInfo.GetActualSize()
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
case isSourceEncrypted && isTargetEncrypted:
Fix copy from encrypted multipart to single encrypted part (#7056) When source is encrypted multipart object and the parts are not evenly divisible by DARE package block size, target encrypted size will not necessarily be the same as encrypted source object.
2019-01-09 18:17:21 -05:00
objInfo := ObjectInfo{Size: actualSize}
targetSize = objInfo.EncryptedSize()
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
case !isSourceEncrypted && isTargetEncrypted:
targetSize = srcInfo.EncryptedSize()
case isSourceEncrypted && !isTargetEncrypted:
targetSize, _ = srcInfo.DecryptedSize()
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 16:23:32 -05:00
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
if isTargetEncrypted {
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
var encReader io.Reader
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
kind, _ := crypto.IsRequested(r.Header)
kms: add `context.Context` to KMS API calls (#15327) This commit adds a `context.Context` to the the KMS `{Stat, CreateKey, GenerateKey}` API calls. The context will be used to terminate external calls as soon as the client requests gets canceled. A follow-up PR will add a `context.Context` to the remaining `DecryptKey` API call. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2022-07-18 21:54:27 -04:00
encReader, objEncKey, err = newEncryptReader(ctx, srcInfo.Reader, kind, newKeyID, newKey, dstBucket, dstObject, encMetadata, kmsCtx)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
return
}
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
reader = etag.Wrap(encReader, srcInfo.Reader)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 15:52:14 -04:00
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
if isSourceEncrypted {
// Remove all source encrypted related metadata to
// avoid copying them in target object.
crypto: add RemoveInternalEntries function (#6616) This commit adds a function for removing crypto-specific internal entries from the object metadata. See #6604
2018-10-19 13:50:52 -04:00
crypto.RemoveInternalEntries(srcInfo.UserDefined)
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 14:07:36 -04:00
}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-08 21:35:40 -04:00
// do not try to verify encrypted content
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
srcInfo.Reader, err = hash.NewReader(reader, targetSize, "", "", actualSize)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
return
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 16:23:32 -05:00
fix: regression in CopyObject not preserving ETag in --compat (#9322) issue found after `git bisect` to commit db4195361876fbe2410236bce55f173da3ef3b2b
2020-04-11 23:20:30 -04:00
if isTargetEncrypted {
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
pReader, err = pReader.WithEncryption(srcInfo.Reader, &objEncKey)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
return
}
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
if dstOpts.IndexCB != nil {
dstOpts.IndexCB = compressionIndexEncrypter(objEncKey, dstOpts.IndexCB)
}
fix: regression in CopyObject not preserving ETag in --compat (#9322) issue found after `git bisect` to commit db4195361876fbe2410236bce55f173da3ef3b2b
2020-04-11 23:20:30 -04:00
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
srcInfo.PutObjReader = pReader
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-10 23:27:10 -04:00
srcInfo.UserDefined, err = getCpObjMetadataFromHeader(ctx, r, srcInfo.UserDefined)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-05 19:56:10 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Allow CopyObject() in S3 gateway to support metadata (#5000) Fixes #4924
2017-10-03 13:38:25 -04:00
return
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-05 19:56:10 -04:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
objTags := srcInfo.UserTags
// If x-amz-tagging-directive header is REPLACE, get passed tags.
if isDirectiveReplace(r.Header.Get(xhttp.AmzTagDirective)) {
objTags = r.Header.Get(xhttp.AmzObjectTagging)
if _, err := tags.ParseObjectTags(objTags); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
return
}
add copyobject tagging replace directive for gateway (#9711)
2020-05-26 20:32:53 -04:00
if globalIsGateway {
srcInfo.UserDefined[xhttp.AmzTagDirective] = replaceDirective
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
}
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
if objTags != "" {
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
lastTaggingTimestamp := srcInfo.UserDefined[ReservedMetadataPrefixLower+TaggingTimestamp]
if dstOpts.ReplicationRequest {
srcTimestamp := dstOpts.ReplicationSourceTaggingTimestamp
if !srcTimestamp.IsZero() {
ondiskTimestamp, err := time.Parse(lastTaggingTimestamp, time.RFC3339Nano)
// update tagging metadata only if replica timestamp is newer than what's on disk
if err != nil || (err == nil && ondiskTimestamp.Before(srcTimestamp)) {
srcInfo.UserDefined[ReservedMetadataPrefixLower+TaggingTimestamp] = srcTimestamp.Format(time.RFC3339Nano)
srcInfo.UserDefined[xhttp.AmzObjectTagging] = objTags
}
}
} else {
srcInfo.UserDefined[xhttp.AmzObjectTagging] = objTags
srcInfo.UserDefined[ReservedMetadataPrefixLower+TaggingTimestamp] = UTCNow().Format(time.RFC3339Nano)
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
}
fix: web handlers to enforce replication (#10249) This PR also preserves source ETag for replication
2020-08-12 20:32:24 -04:00
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
srcInfo.UserDefined = filterReplicationStatusMetadata(srcInfo.UserDefined)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
srcInfo.UserDefined = objectlock.FilterObjectLockMetadata(srcInfo.UserDefined, true, true)
Context based AccessKey passing (#10615) A new field called AccessKey is added to the ReqInfo struct and populated. Because ReqInfo is added to the context, this allows the AccessKey to be accessed from 3rd-party code, such as a custom ObjectLayer. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Kaloyan Raev <kaloyan@storj.io>
2020-11-04 12:13:34 -05:00
retPerms := isPutActionAllowed(ctx, getRequestAuthType(r), dstBucket, dstObject, r, iampolicy.PutObjectRetentionAction)
holdPerms := isPutActionAllowed(ctx, getRequestAuthType(r), dstBucket, dstObject, r, iampolicy.PutObjectLegalHoldAction)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
// apply default bucket configuration/governance headers for dest side.
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
retentionMode, retentionDate, legalHold, s3Err := checkPutObjectLockAllowed(ctx, r, dstBucket, dstObject, getObjectInfo, retPerms, holdPerms)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
if s3Err == ErrNone && retentionMode.Valid() {
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
lastretentionTimestamp := srcInfo.UserDefined[ReservedMetadataPrefixLower+ObjectLockRetentionTimestamp]
if dstOpts.ReplicationRequest {
srcTimestamp := dstOpts.ReplicationSourceRetentionTimestamp
if !srcTimestamp.IsZero() {
ondiskTimestamp, err := time.Parse(lastretentionTimestamp, time.RFC3339Nano)
// update retention metadata only if replica timestamp is newer than what's on disk
if err != nil || (err == nil && ondiskTimestamp.Before(srcTimestamp)) {
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(iso8601TimeFormat)
srcInfo.UserDefined[ReservedMetadataPrefixLower+ObjectLockRetentionTimestamp] = srcTimestamp.Format(time.RFC3339Nano)
}
}
} else {
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(iso8601TimeFormat)
srcInfo.UserDefined[ReservedMetadataPrefixLower+ObjectLockRetentionTimestamp] = UTCNow().Format(time.RFC3339Nano)
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
if s3Err == ErrNone && legalHold.Status.Valid() {
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
lastLegalHoldTimestamp := srcInfo.UserDefined[ReservedMetadataPrefixLower+ObjectLockLegalHoldTimestamp]
if dstOpts.ReplicationRequest {
srcTimestamp := dstOpts.ReplicationSourceLegalholdTimestamp
if !srcTimestamp.IsZero() {
ondiskTimestamp, err := time.Parse(lastLegalHoldTimestamp, time.RFC3339Nano)
// update legalhold metadata only if replica timestamp is newer than what's on disk
if err != nil || (err == nil && ondiskTimestamp.Before(srcTimestamp)) {
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
srcInfo.UserDefined[ReservedMetadataPrefixLower+ObjectLockRetentionTimestamp] = srcTimestamp.Format(time.RFC3339Nano)
}
}
} else {
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
return
}
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
if rs := r.Header.Get(xhttp.AmzBucketReplicationStatus); rs != "" {
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
srcInfo.UserDefined[ReservedMetadataPrefixLower+ReplicaStatus] = replication.Replica.String()
srcInfo.UserDefined[ReservedMetadataPrefixLower+ReplicaTimestamp] = UTCNow().Format(time.RFC3339Nano)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
srcInfo.UserDefined[xhttp.AmzBucketReplicationStatus] = rs
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc := mustReplicate(ctx, dstBucket, dstObject, getMustReplicateOptions(srcInfo, replication.UnsetReplicationType, dstOpts)); dsc.ReplicateAny() {
srcInfo.UserDefined[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
srcInfo.UserDefined[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
Add support for server side bucket replication (#9882)
2020-07-21 20:49:56 -04:00
}
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 15:05:41 -05:00
// Store the preserved compression metadata.
for k, v := range compressMetadata {
srcInfo.UserDefined[k] = v
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
// We need to preserve the encryption headers set in EncryptRequest,
// so we do not want to override them, copy them instead.
for k, v := range encMetadata {
srcInfo.UserDefined[k] = v
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(srcInfo.UserDefined)
CopyObject: Do not remove crypto info when compressed (#11702) Removing crypto info makes it impossible to copy encrypted+compressed objects. Disable destination compression when encrypted.
2021-03-08 15:57:54 -05:00
fix: legacy object should be overwritten for metadataOnly updates (#12012)
2021-04-08 17:29:27 -04:00
// If we see legacy source, metadataOnly we have to overwrite the content.
if srcInfo.Legacy {
srcInfo.metadataOnly = false
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// Check if x-amz-metadata-directive or x-amz-tagging-directive was not set to REPLACE and source,
// destination are same objects. Apply this restriction also when
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
// metadataOnly is true indicating that we are not overwriting the object.
SSE-C CopyObject key-rotation doesn't need metadata REPLACE value (#5611) Fix a compatibility issue with AWS S3 where to do key rotation we need to replace an existing object's metadata. In such a scenario "REPLACE" metadata directive is not necessary.
2018-03-06 19:04:48 -05:00
// if encryption is enabled we do not need explicit "REPLACE" metadata to
// be enabled as well - this is to allow for key-rotation.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if !isDirectiveReplace(r.Header.Get(xhttp.AmzMetadataDirective)) && !isDirectiveReplace(r.Header.Get(xhttp.AmzTagDirective)) &&
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 15:09:24 -05:00
srcInfo.metadataOnly && srcOpts.VersionID == "" && !objectEncryption {
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
// If x-amz-metadata-directive is not set to REPLACE then we need
// to error out if source and destination are same.
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopyDest), r.URL)
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-26 19:29:26 -05:00
return
}
lock: Moving locking to handler layer. (#3381) This is implemented so that the issues like in the following flow don't affect the behavior of operation. ``` GetObjectInfo() .... --> Time window for mutation (no lock held) .... --> Time window for mutation (no lock held) GetObject() ``` This happens when two simultaneous uploads are made to the same object the object has returned wrong info to the client. Another classic example is "CopyObject" API itself which reads from a source object and copies to destination object. Fixes #3370 Fixes #2912
2016-12-10 19:15:12 -05:00
perform object sweep after equeue the latest CopyObject() (#15183) keep it similar to PutObject/CompleteMultipart
2022-06-27 15:11:33 -04:00
remoteCallRequired := isRemoteCopyRequired(ctx, srcBucket, dstBucket, objectAPI)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
perform object sweep after equeue the latest CopyObject() (#15183) keep it similar to PutObject/CompleteMultipart
2022-06-27 15:11:33 -04:00
var objInfo ObjectInfo
var os *objSweeper
if remoteCallRequired {
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
var dstRecords []dns.SrvRecord
dstRecords, err = globalDNSConfig.Get(dstBucket)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-15 21:20:22 -04:00
return
}
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
// Send PutObject request to appropriate instance (in federated deployment)
add support for configurable remote transport deadline (#10447) configurable remote transport timeouts for some special cases where this value needs to be bumped to a higher value when transferring large data between federated instances.
2020-09-12 02:03:08 -04:00
core, rerr := getRemoteInstanceClient(r, getHostFromSrv(dstRecords))
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
if rerr != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, rerr), r.URL)
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
return
}
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
tag, err := tags.ParseObjectTags(objTags)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
return
}
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 15:09:24 -05:00
// Remove the metadata for remote calls.
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"compression")
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"actual-size")
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
opts := miniogo.PutObjectOptions{
UserMetadata: srcInfo.UserDefined,
ServerSideEncryption: dstOpts.ServerSideEncryption,
UserTags: tag.ToMap(),
}
Move dependency from minio-go v6 to v7 (#10042)
2020-07-14 12:38:05 -04:00
remoteObjInfo, rerr := core.PutObject(ctx, dstBucket, dstObject, srcInfo.Reader,
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
srcInfo.Size, "", "", opts)
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
if rerr != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, rerr), r.URL)
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
return
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
}
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
objInfo.ETag = remoteObjInfo.ETag
objInfo.ModTime = remoteObjInfo.LastModified
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
} else {
perform object sweep after equeue the latest CopyObject() (#15183) keep it similar to PutObject/CompleteMultipart
2022-06-27 15:11:33 -04:00
os = newObjSweeper(dstBucket, dstObject).WithVersioning(dstOpts.Versioned, dstOpts.VersionSuspended)
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
// Get appropriate object info to identify the remote object to delete
if !srcInfo.metadataOnly {
goiOpts := os.GetOpts()
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
if !globalTierConfigMgr.Empty() {
if goi, gerr := getObjectInfo(ctx, dstBucket, dstObject, goiOpts); gerr == nil {
os.SetTransitionState(goi.TransitionedObject)
}
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
}
}
evict cached entry for server side copy (#8947) Fixes #8942
2020-02-07 17:36:46 -05:00
copyObjectFn := objectAPI.CopyObject
if api.CacheAPI() != nil {
copyObjectFn = api.CacheAPI().CopyObject
}
delayed locks until we have started reading the body (#10474) This is to ensure that Go contexts work properly, after some interesting experiments I found that Go net/http doesn't cancel the context when Body is non-zero and hasn't been read till EOF. The following gist explains this, this can lead to pile up of go-routines on the server which will never be canceled and will die at a really later point in time, which can simply overwhelm the server. https://gist.github.com/harshavardhana/c51dcfd055780eaeb71db54f9c589150 To avoid this refactor the locking such that we take locks after we have started reading from the body and only take locks when needed. Also, remove contextReader as it's not useful, doesn't work as expected context is not canceled until the body reaches EOF so there is no point in wrapping it with context and putting a `select {` on it which can unnecessarily increase the CPU overhead. We will still use the context to cancel the lockers etc. Additional simplification in the locker code to avoid timers as re-using them is a complicated ordeal avoid them in the hot path, since locking is very common this may avoid lots of allocations.
2020-09-14 18:57:13 -04:00
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
// Copy source object to destination, if source and destination
// object is same then only metadata is updated.
evict cached entry for server side copy (#8947) Fixes #8942
2020-02-07 17:36:46 -05:00
objInfo, err = copyObjectFn(ctx, srcBucket, srcObject, dstBucket, dstObject, srcInfo, srcOpts, dstOpts)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
return
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
}
fix: deleteMultiObjects performance regression (#12951) fixes performance regression found in deleteObjects(), putObject(), copyObject and completeMultipart calls.
2021-08-12 21:57:37 -04:00
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
objInfo.ETag = getDecryptedETag(r.Header, objInfo, false)
response := generateCopyObjectResponse(objInfo.ETag, objInfo.ModTime)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 15:16:22 -05:00
encodedSuccessResponse := encodeResponse(response)
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc := mustReplicate(ctx, dstBucket, dstObject, getMustReplicateOptions(objInfo, replication.UnsetReplicationType, dstOpts)); dsc.ReplicateAny() {
scheduleReplication(ctx, objInfo.Clone(), objectAPI, dsc, replication.ObjectReplicationType)
Add support for server side bucket replication (#9882)
2020-07-21 20:49:56 -04:00
}
serialize replication and feed it through task model (#10500) this allows for eventually controlling the concurrency of replication and overally control of throughput
2020-09-16 19:04:55 -04:00
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
setPutObjHeaders(w, objInfo, false)
fix: perform CopyObject under more conditions (#9879) - x-amz-storage-class specified CopyObject should proceed regardless, its not a precondition - sourceVersionID is specified CopyObject should proceed regardless, its not a precondition
2020-06-19 16:53:45 -04:00
// We must not use the http.Header().Set method here because some (broken)
// clients expect the x-amz-copy-source-version-id header key to be literally
// "x-amz-copy-source-version-id"- not in canonicalized form, preserve it.
if srcOpts.VersionID != "" {
w.Header()[strings.ToLower(xhttp.AmzCopySourceVersionID)] = []string{srcOpts.VersionID}
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 03:37:00 -05:00
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 01:51:12 -04:00
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 01:46:19 -04:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 16:03:41 -04:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-02 21:40:08 -04:00
EventName: event.ObjectCreatedCopy,
BucketName: dstBucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 14:45:42 -04:00
Host: handlers.GetSourceIP(r),
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 01:46:19 -04:00
})
perform object sweep after equeue the latest CopyObject() (#15183) keep it similar to PutObject/CompleteMultipart
2022-06-27 15:11:33 -04:00
if !remoteCallRequired && !globalTierConfigMgr.Empty() {
Add immediate inline tiering support (#13298)
2021-10-01 14:58:17 -04:00
// Schedule object for immediate transition if eligible.
enqueueTransitionImmediate(objInfo)
perform object sweep after equeue the latest CopyObject() (#15183) keep it similar to PutObject/CompleteMultipart
2022-06-27 15:11:33 -04:00
// Remove the transitioned object whose object version is being overwritten.
logger.LogIf(ctx, os.Sweep())
Add immediate inline tiering support (#13298)
2021-10-01 14:58:17 -04:00
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-06-30 23:15:48 -04:00
// PutObjectHandler - PUT Object
Update minioapi documentation
2015-02-23 19:46:48 -05:00
// ----------
// This implementation of the PUT operation adds an object to a bucket.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 15:45:15 -04:00
func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-20 21:46:32 -04:00
ctx := newContext(r, w, "PutObject")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 15:25:59 -04:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
return
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) {
s3-gateway: Allow encryption S3 passthrough for SSE-S3 (#13204) This reverts commit 35cbe43b6df48927a1574829b13f9ed5d3af99d3.
2021-09-14 15:55:32 -04:00
if globalIsGateway {
if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
return
}
} else {
if !objectAPI.IsEncryptionSupported() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
return
}
}
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 00:39:59 -05:00
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
signature: Rewrite signature handling and move it into a library.
2016-02-15 20:42:39 -05:00
vars := mux.Vars(r)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 06:04:52 -05:00
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Further fixes for ACL support, currently code is disabled in all the handlers Disabled because due to lack of testing support. Once we get that in we can uncomment them back.
2015-04-22 22:29:39 -04:00
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
// X-Amz-Copy-Source shouldn't be set for this call.
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
if _, ok := r.Header[xhttp.AmzCopySource]; ok {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL)
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
return
}
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-26 23:36:16 -05:00
// Validate storage class metadata if present
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 01:50:24 -04:00
if sc := r.Header.Get(xhttp.AmzStorageClass); sc != "" {
if !storageclass.IsValid(sc) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidStorageClass), r.URL)
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-26 23:36:16 -05:00
return
}
}
etag: add FromContentMD5 to parse content-md5 as ETag (#11688) This commit adds the `FromContentMD5` function to parse a client-provided content-md5 as ETag. Further, it also adds multipart ETag computation for future needs.
2021-03-03 15:58:28 -05:00
clientETag, err := etag.FromContentMD5(r.Header)
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-12 19:08:15 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidDigest), r.URL)
Implement x-amz-acl handling
2015-04-22 19:28:13 -04:00
return
}
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 01:07:52 -05:00
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-16 12:28:29 -05:00
// if Content-Length is unknown/missing, deny the request
signature: Rewrite signature handling and move it into a library.
2016-02-15 20:42:39 -05:00
size := r.ContentLength
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-08 23:56:29 -04:00
rAuthType := getRequestAuthType(r)
if rAuthType == authTypeStreamingSigned {
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
if sizeStr, ok := r.Header[xhttp.AmzDecodedContentLength]; ok {
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 14:22:34 -04:00
if sizeStr[0] == "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 14:22:34 -04:00
return
}
size, err = strconv.ParseInt(sizeStr[0], 10, 64)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 14:22:34 -04:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-08 23:56:29 -04:00
}
}
Make PutObject a nop for an object which ends with "/" and size is '0' (#3603) This helps majority of S3 compatible applications while not returning an error upon directory create request. Fixes #2965
2017-01-20 19:33:01 -05:00
if size == -1 {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 05:19:51 -04:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 17:32:13 -04:00
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-16 12:28:29 -05:00
// maximum Upload size for objects in a single operation
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 05:19:51 -04:00
if isMaxObjectSize(size) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 05:19:51 -04:00
return
}
Make donut fully integrated back into API handlers
2015-07-02 23:31:22 -04:00
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-10 23:27:10 -04:00
metadata, err := extractMetadata(ctx, r)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-05 19:56:10 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-05 19:56:10 -04:00
return
}
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-10 23:27:10 -04:00
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
if objTags := r.Header.Get(xhttp.AmzObjectTagging); objTags != "" {
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
if !objectAPI.IsTaggingSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
return
}
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
if _, err := tags.ParseObjectTags(objTags); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
metadata[xhttp.AmzObjectTagging] = objTags
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 01:30:34 -04:00
var (
etag: add FromContentMD5 to parse content-md5 as ETag (#11688) This commit adds the `FromContentMD5` function to parse a client-provided content-md5 as ETag. Further, it also adds multipart ETag computation for future needs.
2021-03-03 15:58:28 -05:00
md5hex = clientETag.String()
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
sha256hex = ""
reader io.Reader = r.Body
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
s3Err APIErrorCode
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 17:14:06 -04:00
putObject = objectAPI.PutObject
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 01:30:34 -04:00
)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Check if put is allowed
Context based AccessKey passing (#10615) A new field called AccessKey is added to the ReqInfo struct and populated. Because ReqInfo is added to the context, this allows the AccessKey to be accessed from 3rd-party code, such as a custom ObjectLayer. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Kaloyan Raev <kaloyan@storj.io>
2020-11-04 12:13:34 -05:00
if s3Err = isPutActionAllowed(ctx, rAuthType, bucket, object, r, iampolicy.PutObjectAction); s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-08 23:56:29 -04:00
switch rAuthType {
case authTypeStreamingSigned:
// Initialize stream signature verifier.
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
reader, s3Err = newSignV4ChunkedReader(r)
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-08 23:56:29 -04:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 17:32:13 -04:00
case authTypeSignedV2, authTypePresignedV2:
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
s3Err = isReqAuthenticatedV2(r)
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 17:32:13 -04:00
return
}
Allow x-amz-content-sha256 to be optional for PutObject() (#5340) x-amz-content-sha256 can be optional for any AWS signature v4 requests, make sure to skip sha256 calculation when payload checksum is not set. Here is the overall expected behavior ** Signed request ** - X-Amz-Content-Sha256 is set to 'empty' or some 'value' or its not 'UNSIGNED-PAYLOAD'- use it to validate the incoming payload. - X-Amz-Content-Sha256 is set to 'UNSIGNED-PAYLOAD' - skip checksum verification - X-Amz-Content-Sha256 is not set we use emptySHA256 ** Presigned request ** - X-Amz-Content-Sha256 is set to 'empty' or some 'value' or its not 'UNSIGNED-PAYLOAD'- use it to validate the incoming payload - X-Amz-Content-Sha256 is set to 'UNSIGNED-PAYLOAD' - skip checksum verification - X-Amz-Content-Sha256 is not set we use 'UNSIGNED-PAYLOAD' Fixes #5339
2018-01-09 02:19:50 -05:00
signature: Handle presigned payload if set. Validate payload with incoming content. Fixes #1288
2016-04-07 06:04:18 -04:00
case authTypePresigned, authTypeSigned:
Add new `site` config sub-system intended to replace `region` (#13672) - New sub-system has "region" and "name" fields. - `region` subsystem is marked as deprecated, however still works, unless the new region parameter under `site` is set - in this case, the region subsystem is ignored. `region` subsystem is hidden from top-level help (i.e. from `mc admin config set myminio`), but appears when specifically requested (i.e. with `mc admin config set myminio region`). - MINIO_REGION, MINIO_REGION_NAME are supported as legacy environment variables for server region. - Adds MINIO_SITE_REGION as the current environment variable to configure the server region and MINIO_SITE_NAME for the site name.
2021-11-25 16:06:25 -05:00
if s3Err = reqSignatureV4Verify(r, globalSite.Region, serviceS3); s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-02 18:51:49 -04:00
return
}
if !skipContentSha256Cksum(r) {
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
sha256hex = getContentSha256Cksum(r, serviceS3)
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-02 18:51:49 -04:00
}
web/rpc: Merge ports with API server. Fixes #1081 and #1130
2016-02-16 21:50:36 -05:00
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
remove FIFO bucket quota, use ILM expiration instead (#14206)
2022-01-31 14:07:04 -05:00
if err := enforceBucketQuotaHard(ctx, bucket, size); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add API's for managing bucket quota (#9379) This PR allows setting a "hard" or "fifo" quota restriction at the bucket level. Buckets that have reached the FIFO quota configured, will automatically be cleaned up in FIFO manner until bucket usage drops to configured quota. If a bucket is configured with a "hard" quota ceiling, all further writes are disallowed.
2020-04-30 18:55:54 -04:00
return
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if r.Header.Get(xhttp.AmzBucketReplicationStatus) == replication.Replica.String() {
if s3Err = isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.ReplicateObjectAction); s3Err != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
return
}
metadata[ReservedMetadataPrefixLower+ReplicaStatus] = replication.Replica.String()
metadata[ReservedMetadataPrefixLower+ReplicaTimestamp] = UTCNow().Format(time.RFC3339Nano)
defer globalReplicationStats.UpdateReplicaStat(bucket, size)
}
migrate all bucket metadata into a single file (#9586) this is a major overhaul by migrating off all bucket metadata related configs into a single object '.metadata.bin' this allows us for faster bootups across 1000's of buckets and as well as keeps the code simple enough for future work and additions. Additionally also fixes #9396, #9394
2020-05-19 16:53:54 -04:00
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 04:42:34 -05:00
// Check if bucket encryption is enabled
sse: add support for SSE-KMS bucket configurations (#12295) This commit adds support for SSE-KMS bucket configurations. Before, the MinIO server did not support SSE-KMS, and therefore, it was not possible to specify an SSE-KMS bucket config. Now, this is possible. For example: ``` mc encrypt set sse-kms some-key <alias>/my-bucket ``` Further, this commit fixes an issue caused by not supporting SSE-KMS bucket configuration and switching to SSE-KMS as default SSE method. Before, the server just checked whether an SSE bucket config was present (not which type of SSE config) and applied the default SSE method (which was switched from SSE-S3 to SSE-KMS). This caused objects to get encrypted with SSE-KMS even though a SSE-S3 bucket config was present. This issue is fixed as a side-effect of this commit. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-14 03:59:05 -04:00
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
allow S3 gateway to support object locked buckets (#13257) - Supports object locked buckets that require PutObject() to set content-md5 always. - Use SSE-S3 when S3 gateway is being used instead of SSE-KMS for auto-encryption.
2021-09-21 12:02:15 -04:00
sseConfig.Apply(r.Header, sse.ApplyOptions{
AutoEncrypt: globalAutoEncryption,
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
})
Compression: Handle auto encryption when size is unknown (#7600) When size is unknown and auto encryption is enabled, and compression is set to true, putobject API is failing. Moving adding the SSE-S3 header as part of the request to before checking if compression can be done, otherwise the size is set to -1 and that seems to cause problems.
2019-05-02 11:28:18 -04:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
actualSize := size
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
var idxCb func() []byte
Add 4K minimum compressed size (#15273) There is no point in compressing very small files. Typically the effective size on disk will be the same due to disk blocks. So don't waste resources on extremely small files. We don't check on multipart. 1) because we don't know and 2) this is very likely a big object anyway.
2022-07-12 10:42:04 -04:00
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) && size > minCompressibleSize {
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
// Storing the compression metadata.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 02:08:24 -04:00
metadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV2
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
metadata[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(size, 10)
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
actualReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
return
}
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 03:44:59 -04:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
// Set compression metrics.
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
var s2c io.ReadCloser
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
wantEncryption := objectAPI.IsEncryptionSupported() && crypto.Requested(r.Header)
s2c, idxCb = newS2CompressReader(actualReader, actualSize, wantEncryption)
Switch to Snappy -> S2 compression (#8189)
2019-09-26 02:08:24 -04:00
defer s2c.Close()
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
reader = etag.Wrap(s2c, actualReader)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
size = -1 // Since compressed size is un-predictable.
md5hex = "" // Do not try to verify the content.
sha256hex = ""
}
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
hashReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize)
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 01:30:34 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 01:30:34 -04:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
rawReader := hashReader
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
pReader := NewPutObjReader(rawReader)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
// get gateway encryption options
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
var opts ObjectOptions
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
opts, err = putOpts(ctx, r, bucket, object, metadata)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
opts.IndexCB = idxCb
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
Fix regression in caching on single PUT (#8526) Regression caused by #8120
2019-11-15 05:16:27 -05:00
if api.CacheAPI() != nil {
putObject = api.CacheAPI().PutObject
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
Context based AccessKey passing (#10615) A new field called AccessKey is added to the ReqInfo struct and populated. Because ReqInfo is added to the context, this allows the AccessKey to be accessed from 3rd-party code, such as a custom ObjectLayer. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Kaloyan Raev <kaloyan@storj.io>
2020-11-04 12:13:34 -05:00
retPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
holdPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectLegalHoldAction)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
retentionMode, retentionDate, legalHold, s3Err := checkPutObjectLockAllowed(ctx, r, bucket, object, getObjectInfo, retPerms, holdPerms)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
if s3Err == ErrNone && retentionMode.Valid() {
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
metadata[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
fix: reply back user-metadata in lower case form (#9697) some clients such as veeam expect the x-amz-meta to be sent in lower cased form, while this does indeed defeats the HTTP protocol contract it is harder to change these applications, while these applications get fixed appropriately in future. x-amz-meta is usually sent in lowercased form by AWS S3 and some applications like veeam incorrectly end up relying on the case sensitivity of the HTTP headers. Bonus fixes - Fix the iso8601 time format to keep it same as AWS S3 response - Increase maxObjectList to 50,000 and use maxDeleteList as 10,000 whenever multi-object deletes are needed.
2020-05-25 19:51:32 -04:00
metadata[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(iso8601TimeFormat)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
if s3Err == ErrNone && legalHold.Status.Valid() {
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
metadata[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
return
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-27 19:44:45 -04:00
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(ObjectInfo{
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
UserDefined: metadata,
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
}, replication.ObjectReplicationType, opts)); dsc.ReplicateAny() {
metadata[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
metadata[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
Add support for server side bucket replication (#9882)
2020-07-21 20:49:56 -04:00
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
var objectEncryptionKey crypto.ObjectKey
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-09 18:19:30 -05:00
if objectAPI.IsEncryptionSupported() {
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) && !HasSuffix(object, SlashSeparator) { // handle SSE requests
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 17:56:12 -04:00
if crypto.SSECopy.IsRequested(r.Header) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL)
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 17:56:12 -04:00
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
reader, objectEncryptionKey, err = EncryptRequest(hashReader, r, bucket, object, metadata)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-09 18:19:30 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-09 18:19:30 -05:00
return
}
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
wantSize := int64(-1)
if size >= 0 {
info := ObjectInfo{Size: size}
wantSize = info.EncryptedSize()
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-08 21:35:40 -04:00
// do not try to verify encrypted content
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
hashReader, err = hash.NewReader(etag.Wrap(reader, hashReader), wantSize, "", "", actualSize)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-09 18:19:30 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-09 18:19:30 -05:00
return
}
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
pReader, err = pReader.WithEncryption(hashReader, &objectEncryptionKey)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
return
}
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
if opts.IndexCB != nil {
opts.IndexCB = compressionIndexEncrypter(objectEncryptionKey, opts.IndexCB)
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
os := newObjSweeper(bucket, object).WithVersioning(opts.Versioned, opts.VersionSuspended)
if !globalTierConfigMgr.Empty() {
// Get appropriate object info to identify the remote object to delete
goiOpts := os.GetOpts()
if goi, gerr := getObjectInfo(ctx, bucket, object, goiOpts); gerr == nil {
os.SetTransitionState(goi.TransitionedObject)
}
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 17:14:06 -04:00
// Create the object..
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
objInfo, err := putObject(ctx, bucket, object, pReader, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 06:20:07 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Migrate from iodine to probe
2015-08-03 19:17:21 -04:00
return
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-23 18:07:21 -05:00
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
if r.Header.Get(xMinIOExtract) == "true" && strings.HasSuffix(object, archiveExt) {
opts := ObjectOptions{VersionID: objInfo.VersionID, MTime: objInfo.ModTime}
if _, err := updateObjectMetadataWithZipInfo(ctx, objectAPI, bucket, object, opts); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
feat: support of ZIP list/get/head as S3 extension (#12267) When enabled, it is possible to list/get files inside a zip file without uncompressing it. Signed-off-by: Anis Elleuch <anis@min.io>
2021-06-10 11:17:03 -04:00
return
}
}
etag: compute ETag as MD5 for compressed single-part objects (#12375) This commit fixes a bug causing the MinIO server to compute the ETag of a single-part object as MD5 of the compressed content - not as MD5 of the actual content. This usually does not affect clients since the MinIO appended a `-1` to indicate that the ETag belongs to a multipart object. However, this behavior was problematic since: - A S3 client being very strict should reject such an ETag since the client uploaded the object via single-part API but got a multipart ETag that is not the content MD5. - The MinIO server leaks (via the ETag) that it compressed the object. This commit addresses both cases. Now, the MinIO server returns an ETag equal to the content MD5 for single-part objects that got compressed. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-27 11:18:41 -04:00
if kind, encrypted := crypto.IsEncrypted(objInfo.UserDefined); encrypted {
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
switch kind {
case crypto.S3:
refactor cmd/crypto code for SSE handling and parsing (#11045) This commit refactors the code in `cmd/crypto` and separates SSE-S3, SSE-C and SSE-KMS. This commit should not cause any behavior change except for: - `IsRequested(http.Header)` which now returns the requested type {SSE-C, SSE-S3, SSE-KMS} and does not consider SSE-C copy headers. However, SSE-C copy headers alone are anyway not valid.
2020-12-22 12:19:32 -05:00
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
objInfo.ETag, _ = DecryptETag(objectEncryptionKey, ObjectInfo{ETag: objInfo.ETag})
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
case crypto.S3KMS:
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
fix: kms-id header should have arn:aws:kms: prefix (#13833) arn:aws:kms: is a must for KMS keyID.
2021-12-06 03:39:32 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
add SSE-KMS support and use SSE-KMS for auto encryption (#12237) This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-06 18:24:01 -04:00
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
}
if len(objInfo.ETag) >= 32 && strings.Count(objInfo.ETag, "-") != 1 {
objInfo.ETag = objInfo.ETag[len(objInfo.ETag)-32:]
}
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
case crypto.SSEC:
refactor cmd/crypto code for SSE handling and parsing (#11045) This commit refactors the code in `cmd/crypto` and separates SSE-S3, SSE-C and SSE-KMS. This commit should not cause any behavior change except for: - `IsRequested(http.Header)` which now returns the requested type {SSE-C, SSE-S3, SSE-KMS} and does not consider SSE-C copy headers. However, SSE-C copy headers alone are anyway not valid.
2020-12-22 12:19:32 -05:00
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerAlgorithm, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerAlgorithm))
w.Header().Set(xhttp.AmzServerSideEncryptionCustomerKeyMD5, r.Header.Get(xhttp.AmzServerSideEncryptionCustomerKeyMD5))
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
if len(objInfo.ETag) >= 32 && strings.Count(objInfo.ETag, "-") != 1 {
objInfo.ETag = objInfo.ETag[len(objInfo.ETag)-32:]
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 13:24:10 -04:00
}
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-09 18:19:30 -05:00
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(ObjectInfo{
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
UserDefined: metadata,
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
}, replication.ObjectReplicationType, opts)); dsc.ReplicateAny() {
scheduleReplication(ctx, objInfo.Clone(), objectAPI, dsc, replication.ObjectReplicationType)
Add support for server side bucket replication (#9882)
2020-07-21 20:49:56 -04:00
}
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
setPutObjHeaders(w, objInfo, false)
Add x-amz-expiration header in some S3 responses (#9667) x-amz-expiration is described in the S3 specification as a header which indicates if the object in question will expire any time in the future.
2020-05-21 17:12:52 -04:00
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 03:37:00 -05:00
writeSuccessResponseHeadersOnly(w)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 01:51:12 -04:00
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 01:46:19 -04:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 16:03:41 -04:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-02 21:40:08 -04:00
EventName: event.ObjectCreatedPut,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 14:45:42 -04:00
Host: handlers.GetSourceIP(r),
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 01:46:19 -04:00
})
fix: deleteMultiObjects performance regression (#12951) fixes performance regression found in deleteObjects(), putObject(), copyObject and completeMultipart calls.
2021-08-12 21:57:37 -04:00
// Remove the transitioned object whose object version is being overwritten.
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
if !globalTierConfigMgr.Empty() {
Add immediate inline tiering support (#13298)
2021-10-01 14:58:17 -04:00
// Schedule object for immediate transition if eligible.
enqueueTransitionImmediate(objInfo)
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
logger.LogIf(ctx, os.Sweep())
}
Implement bucket policy handler and with galore of cleanup
2015-02-15 20:03:27 -05:00
}
Adding multipart support
2015-05-07 22:55:30 -04:00
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
// PutObjectExtractHandler - PUT Object extract is an extended API
// based off from AWS Snowball feature to auto extract compressed
// stream will be extracted in the same directory it is stored in
// and the folder structures will be built out accordingly.
func (api objectAPIHandlers) PutObjectExtractHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectExtract")
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) {
s3-gateway: Allow encryption S3 passthrough for SSE-S3 (#13204) This reverts commit 35cbe43b6df48927a1574829b13f9ed5d3af99d3.
2021-09-14 15:55:32 -04:00
if globalIsGateway {
if crypto.SSEC.IsRequested(r.Header) && !objectAPI.IsEncryptionSupported() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
return
}
} else {
if !objectAPI.IsEncryptionSupported() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
return
}
}
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object, err := unescapePath(vars["object"])
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
// X-Amz-Copy-Source shouldn't be set for this call.
if _, ok := r.Header[xhttp.AmzCopySource]; ok {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
// Validate storage class metadata if present
sc := r.Header.Get(xhttp.AmzStorageClass)
if sc != "" {
if !storageclass.IsValid(sc) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidStorageClass), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
}
clientETag, err := etag.FromContentMD5(r.Header)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidDigest), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-16 12:28:29 -05:00
// if Content-Length is unknown/missing, deny the request
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
size := r.ContentLength
rAuthType := getRequestAuthType(r)
if rAuthType == authTypeStreamingSigned {
if sizeStr, ok := r.Header[xhttp.AmzDecodedContentLength]; ok {
if sizeStr[0] == "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
size, err = strconv.ParseInt(sizeStr[0], 10, 64)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
}
}
if size == -1 {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-16 12:28:29 -05:00
// maximum Upload size for objects in a single operation
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
if isMaxObjectSize(size) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
var (
md5hex = clientETag.String()
sha256hex = ""
reader io.Reader = r.Body
s3Err APIErrorCode
putObject = objectAPI.PutObject
)
// Check if put is allowed
if s3Err = isPutActionAllowed(ctx, rAuthType, bucket, object, r, iampolicy.PutObjectAction); s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
switch rAuthType {
case authTypeStreamingSigned:
// Initialize stream signature verifier.
reader, s3Err = newSignV4ChunkedReader(r)
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
case authTypeSignedV2, authTypePresignedV2:
s3Err = isReqAuthenticatedV2(r)
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
case authTypePresigned, authTypeSigned:
Add new `site` config sub-system intended to replace `region` (#13672) - New sub-system has "region" and "name" fields. - `region` subsystem is marked as deprecated, however still works, unless the new region parameter under `site` is set - in this case, the region subsystem is ignored. `region` subsystem is hidden from top-level help (i.e. from `mc admin config set myminio`), but appears when specifically requested (i.e. with `mc admin config set myminio region`). - MINIO_REGION, MINIO_REGION_NAME are supported as legacy environment variables for server region. - Adds MINIO_SITE_REGION as the current environment variable to configure the server region and MINIO_SITE_NAME for the site name.
2021-11-25 16:06:25 -05:00
if s3Err = reqSignatureV4Verify(r, globalSite.Region, serviceS3); s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
if !skipContentSha256Cksum(r) {
sha256hex = getContentSha256Cksum(r, serviceS3)
}
}
hreader, err := hash.NewReader(reader, size, md5hex, sha256hex, size)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
remove FIFO bucket quota, use ILM expiration instead (#14206)
2022-01-31 14:07:04 -05:00
if err := enforceBucketQuotaHard(ctx, bucket, size); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
return
}
// Check if bucket encryption is enabled
sse: add support for SSE-KMS bucket configurations (#12295) This commit adds support for SSE-KMS bucket configurations. Before, the MinIO server did not support SSE-KMS, and therefore, it was not possible to specify an SSE-KMS bucket config. Now, this is possible. For example: ``` mc encrypt set sse-kms some-key <alias>/my-bucket ``` Further, this commit fixes an issue caused by not supporting SSE-KMS bucket configuration and switching to SSE-KMS as default SSE method. Before, the server just checked whether an SSE bucket config was present (not which type of SSE config) and applied the default SSE method (which was switched from SSE-S3 to SSE-KMS). This caused objects to get encrypted with SSE-KMS even though a SSE-S3 bucket config was present. This issue is fixed as a side-effect of this commit. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-14 03:59:05 -04:00
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
allow S3 gateway to support object locked buckets (#13257) - Supports object locked buckets that require PutObject() to set content-md5 always. - Use SSE-S3 when S3 gateway is being used instead of SSE-KMS for auto-encryption.
2021-09-21 12:02:15 -04:00
sseConfig.Apply(r.Header, sse.ApplyOptions{
AutoEncrypt: globalAutoEncryption,
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
})
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
retPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
holdPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectLegalHoldAction)
if api.CacheAPI() != nil {
putObject = api.CacheAPI().PutObject
}
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
putObjectTar := func(reader io.Reader, info os.FileInfo, object string) error {
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
size := info.Size()
metadata := map[string]string{
xhttp.AmzStorageClass: sc,
}
actualSize := size
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
var idxCb func() []byte
Add 4K minimum compressed size (#15273) There is no point in compressing very small files. Typically the effective size on disk will be the same due to disk blocks. So don't waste resources on extremely small files. We don't check on multipart. 1) because we don't know and 2) this is very likely a big object anyway.
2022-07-12 10:42:04 -04:00
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) && size > minCompressibleSize {
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
// Storing the compression metadata.
metadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV2
metadata[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(size, 10)
actualReader, err := hash.NewReader(reader, size, "", "", actualSize)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
// Set compression metrics.
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
wantEncryption := objectAPI.IsEncryptionSupported() && crypto.Requested(r.Header)
s2c, cb := newS2CompressReader(actualReader, actualSize, wantEncryption)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
defer s2c.Close()
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
idxCb = cb
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
reader = etag.Wrap(s2c, actualReader)
size = -1 // Since compressed size is un-predictable.
}
hashReader, err := hash.NewReader(reader, size, "", "", actualSize)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
rawReader := hashReader
pReader := NewPutObjReader(rawReader)
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if r.Header.Get(xhttp.AmzBucketReplicationStatus) == replication.Replica.String() {
if s3Err = isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.ReplicateObjectAction); s3Err != ErrNone {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
}
metadata[ReservedMetadataPrefixLower+ReplicaStatus] = replication.Replica.String()
metadata[ReservedMetadataPrefixLower+ReplicaTimestamp] = UTCNow().Format(time.RFC3339Nano)
}
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
// get encryption options
opts, err := putOpts(ctx, r, bucket, object, metadata)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
opts.MTime = info.ModTime()
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
opts.IndexCB = idxCb
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
retentionMode, retentionDate, legalHold, s3err := checkPutObjectLockAllowed(ctx, r, bucket, object, getObjectInfo, retPerms, holdPerms)
if s3err == ErrNone && retentionMode.Valid() {
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
metadata[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
metadata[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(iso8601TimeFormat)
}
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
if s3err == ErrNone && legalHold.Status.Valid() {
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
metadata[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
}
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
if s3err != ErrNone {
s3Err = s3err
return ObjectLocked{}
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(ObjectInfo{
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
UserDefined: metadata,
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
}, replication.ObjectReplicationType, opts)); dsc.ReplicateAny() {
metadata[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
metadata[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
var objectEncryptionKey crypto.ObjectKey
if objectAPI.IsEncryptionSupported() {
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) && !HasSuffix(object, SlashSeparator) { // handle SSE requests
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
if crypto.SSECopy.IsRequested(r.Header) {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return errInvalidEncryptionParameters
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
reader, objectEncryptionKey, err = EncryptRequest(hashReader, r, bucket, object, metadata)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
wantSize := int64(-1)
if size >= 0 {
info := ObjectInfo{Size: size}
wantSize = info.EncryptedSize()
}
// do not try to verify encrypted content
hashReader, err = hash.NewReader(etag.Wrap(reader, hashReader), wantSize, "", "", actualSize)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
pReader, err = pReader.WithEncryption(hashReader, &objectEncryptionKey)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
}
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
if opts.IndexCB != nil {
opts.IndexCB = compressionIndexEncrypter(objectEncryptionKey, opts.IndexCB)
}
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
// Create the object..
objInfo, err := putObject(ctx, bucket, object, pReader, opts)
if err != nil {
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return err
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(ObjectInfo{
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
UserDefined: metadata,
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
}, replication.ObjectReplicationType, opts)); dsc.ReplicateAny() {
scheduleReplication(ctx, objInfo.Clone(), objectAPI, dsc, replication.ObjectReplicationType)
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
return nil
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
}
snowball: return errors on failures (#13836) Return errors when untar fails at once. Current error handling was quite a mess. Errors are written to the stream, but processing continues. Instead, return errors when they occur and transform internal errors to bad request errors, since it is likely a problem with the input. Fixes #13832
2021-12-06 12:45:23 -05:00
if err = untar(hreader, putObjectTar); err != nil {
apiErr := errorCodes.ToAPIErr(s3Err)
// If not set, convert or use BadRequest
if s3Err == ErrNone {
apiErr = toAPIError(ctx, err)
if apiErr.Code == "InternalError" {
// Convert generic internal errors to bad requests.
apiErr = APIError{
Code: "BadRequest",
Description: err.Error(),
HTTPStatusCode: http.StatusBadRequest,
}
}
}
writeErrorResponse(ctx, w, apiErr, r.URL)
return
}
[feat] Add targz transparent extract support (#11849) This feature brings in support for auto extraction of objects onto MinIO's namespace from an incoming tar gzipped stream, the only expected metadata sent by the client is to set `snowball-auto-extract`. All the contents from the tar stream are saved as folders and objects on the namespace. fixes #8715
2021-03-26 20:15:09 -04:00
w.Header()[xhttp.ETag] = []string{`"` + hex.EncodeToString(hreader.MD5Current()) + `"`}
writeSuccessResponseHeadersOnly(w)
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
// CopyObjectPartHandler - uploads a part by copying data from an existing object as data source.
func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-20 21:46:32 -04:00
ctx := newContext(r, w, "CopyObjectPart")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 15:01:47 -04:00
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 15:25:59 -04:00
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
return
}
fix: S3 gateway doesn't support full passthrough for encryption (#10484) The entire encryption layer is dependent on the fact that KMS should be configured for S3 encryption to work properly and we only support passing the headers as is to the backend for encryption only if KMS is configured. Make sure that this predictability is maintained, currently the code was allowing encryption to go through and fail at later to indicate that KMS was not configured. We should simply reply "NotImplemented" if KMS is not configured, this allows clients to simply proceed with their tests.
2020-09-15 16:57:15 -04:00
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
if crypto.Requested(r.Header) && !objectAPI.IsEncryptionSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 00:39:59 -05:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 00:07:19 -04:00
vars := mux.Vars(r)
dstBucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
dstObject, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, dstBucket, dstObject); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 16:10:10 -05:00
// Read escaped copy source path to check for parameters.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
cpSrcPath := r.Header.Get(xhttp.AmzCopySource)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
var vid string
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 01:04:37 -05:00
if u, err := url.Parse(cpSrcPath); err == nil {
fix: Add support for preserving mtime for replication (#9995) This PR is needed for bucket replication support
2020-07-08 20:36:56 -04:00
vid = strings.TrimSpace(u.Query().Get(xhttp.VersionID))
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 16:10:10 -05:00
// Note that url.Parse does the unescaping
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 01:04:37 -05:00
cpSrcPath = u.Path
}
fix: Avoid double usage calculation on every restart (#8856) On every restart of the server, usage was being calculated which is not useful instead wait for sufficient time to start the crawling routine. This PR also avoids lots of double allocations through strings, optimizes usage of string builders and also avoids crawling through symbolic links. Fixes #8844
2020-01-21 17:07:49 -05:00
srcBucket, srcObject := path2BucketObject(cpSrcPath)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
if vid != "" && vid != nullVersionID {
_, err := uuid.Parse(vid)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, VersionNotFound{
Bucket: srcBucket,
Object: srcObject,
VersionID: vid,
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
}), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
}
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-26 19:12:44 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, srcBucket, srcObject); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-26 19:12:44 -04:00
return
}
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
uploadID := r.Form.Get(xhttp.UploadID)
partIDString := r.Form.Get(xhttp.PartNumber)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
partID, err := strconv.Atoi(partIDString)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPart), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
// check partID with maximum part ID for multipart objects
if isMaxPartID(partID) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMaxParts), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 12:42:43 -04:00
var srcOpts, dstOpts ObjectOptions
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
srcOpts, err = copySrcOpts(ctx, r, srcBucket, srcObject)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
srcOpts.VersionID = vid
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
// convert copy src and dst encryption options for GET/PUT calls
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
getOpts := ObjectOptions{VersionID: srcOpts.VersionID}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if srcOpts.ServerSideEncryption != nil {
getOpts.ServerSideEncryption = encrypt.SSE(srcOpts.ServerSideEncryption)
}
[feat] Preserve version supplied by client (#9854) Just like GET/DELETE APIs it is possible to preserve client supplied versionId's, of course the versionIds have to be uuid, if an existing versionId is found it is overwritten if no object locking policies are found. - PUT /bucketname/objectname?versionId=<id> - POST /bucketname/objectname?uploads=&versionId=<id> - PUT /bucketname/objectname?verisonId=<id> (with x-amz-copy-source)
2020-06-17 14:13:41 -04:00
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 00:31:06 -05:00
dstOpts, err = copyDstOpts(ctx, r, dstBucket, dstObject, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
// Get request range.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
var rs *HTTPRangeSpec
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
var parseRangeErr error
if rangeHeader := r.Header.Get(xhttp.AmzCopySourceRange); rangeHeader != "" {
rs, parseRangeErr = parseCopyPartRangeSpec(rangeHeader)
return error with empty x-amz-copy-source-range headers (#14249) fixes #14246
2022-02-03 19:58:27 -05:00
} else {
// This check is to see if client specified a header but the value
// is empty for 'x-amz-copy-source-range'
_, ok := r.Header[xhttp.AmzCopySourceRange]
if ok {
parseRangeErr = errInvalidRange
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
}
checkCopyPartPrecondFn := func(o ObjectInfo) bool {
if objectAPI.IsEncryptionSupported() {
if _, err := DecryptObjectInfo(&o, r); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
return true
}
}
if checkCopyObjectPartPreconditions(ctx, w, r, o) {
return true
}
if parseRangeErr != nil {
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
logger.LogIf(ctx, parseRangeErr)
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeCopyPartErr(ctx, w, parseRangeErr, r.URL)
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
// Range header mismatch is pre-condition like failure
// so return true to indicate Range precondition failed.
return true
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
return false
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
}
fix: return Range errors after If-Matches (#10045) closes #7292
2020-07-17 16:01:22 -04:00
getOpts.CheckPrecondFn = checkCopyPartPrecondFn
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
gr, err := getObjectNInfo(ctx, srcBucket, srcObject, rs, r.Header, readLock, getOpts)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
if err != nil {
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 15:38:41 -05:00
if isErrPreconditionFailed(err) {
return
}
feat: implement prefix-level versioning exclusion (#14828) Spark/Hadoop workloads which use Hadoop MR Committer v1/v2 algorithm upload objects to a temporary prefix in a bucket. These objects are 'renamed' to a different prefix on Job commit. Object storage admins are forced to configure separate ILM policies to expire these objects and their versions to reclaim space. Our solution: This can be avoided by simply marking objects under these prefixes to be excluded from versioning, as shown below. Consequently, these objects are excluded from replication, and don't require ILM policies to prune unnecessary versions. - MinIO Extension to Bucket Version Configuration ```xml <VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Status>Enabled</Status> <ExcludeFolders>true</ExcludeFolders> <ExcludedPrefixes> <Prefix>app1-jobs/*/_temporary/</Prefix> </ExcludedPrefixes> <ExcludedPrefixes> <Prefix>app2-jobs/*/__magic/</Prefix> </ExcludedPrefixes> <!-- .. up to 10 prefixes in all --> </VersioningConfiguration> ``` Note: `ExcludeFolders` excludes all folders in a bucket from versioning. This is required to prevent the parent folders from accumulating delete markers, especially those which are shared across spark workloads spanning projects/teams. - To enable version exclusion on a list of prefixes ``` mc version enable --excluded-prefixes "app1-jobs/*/_temporary/,app2-jobs/*/_magic," --exclude-prefix-marker myminio/test ```
2022-05-06 22:05:28 -04:00
if globalBucketVersioningSys.PrefixEnabled(srcBucket, srcObject) && gr != nil {
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
// Versioning enabled quite possibly object is deleted might be delete-marker
// if present set the headers, no idea why AWS S3 sets these headers.
if gr.ObjInfo.VersionID != "" && gr.ObjInfo.DeleteMarker {
w.Header()[xhttp.AmzVersionID] = []string{gr.ObjInfo.VersionID}
w.Header()[xhttp.AmzDeleteMarker] = []string{strconv.FormatBool(gr.ObjInfo.DeleteMarker)}
}
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
return
}
defer gr.Close()
srcInfo := gr.ObjInfo
Always get actual size in CopyObjectPart (#12466) Always use `GetActualSize` to get the part size, not just when encrypted. Fixes mint test io.minio.MinioClient.uploadPartCopy, error "Range specified is not valid for source object".
2021-06-08 12:51:55 -04:00
actualPartSize, err := srcInfo.GetActualSize()
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Always get actual size in CopyObjectPart (#12466) Always use `GetActualSize` to get the part size, not just when encrypted. Fixes mint test io.minio.MinioClient.uploadPartCopy, error "Range specified is not valid for source object".
2021-06-08 12:51:55 -04:00
return
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 17:23:23 -04:00
}
Apply quota usage cache invalidation per second (#10127) Allow faster lookups for quota check enforcement
2020-07-24 15:24:21 -04:00
remove FIFO bucket quota, use ILM expiration instead (#14206)
2022-01-31 14:07:04 -05:00
if err := enforceBucketQuotaHard(ctx, dstBucket, actualPartSize); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add API's for managing bucket quota (#9379) This PR allows setting a "hard" or "fifo" quota restriction at the bucket level. Buckets that have reached the FIFO quota configured, will automatically be cleaned up in FIFO manner until bucket usage drops to configured quota. If a bucket is configured with a "hard" quota ceiling, all further writes are disallowed.
2020-04-30 18:55:54 -04:00
return
}
Apply quota usage cache invalidation per second (#10127) Allow faster lookups for quota check enforcement
2020-07-24 15:24:21 -04:00
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
// Special care for CopyObjectPart
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 17:23:23 -04:00
if partRangeErr := checkCopyPartRangeWithSize(rs, actualPartSize); partRangeErr != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeCopyPartErr(ctx, w, partRangeErr, r.URL)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-20 22:22:09 -04:00
return
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 15:39:46 -04:00
// Get the object offset & length
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 11:50:06 -04:00
startOffset, length, err := rs.GetOffsetLength(actualPartSize)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 11:50:06 -04:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-16 12:28:29 -05:00
// maximum copy size for multipart objects in a single operation
api: Increase the maximum object size limit from 5GiB to 16GiB. (#3834) The globalMaxObjectSize limit is instilled in S3 spec perhaps due to certain limitations on S3 infrastructure. For minio we don't have such limitations and we can stream a larger file instead. So we are going to bump this limit to 16GiB. Fixes #3825
2017-03-03 13:14:17 -05:00
if isMaxAllowedPartSize(length) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
if isRemoteCopyRequired(ctx, srcBucket, dstBucket, objectAPI) {
var dstRecords []dns.SrvRecord
dstRecords, err = globalDNSConfig.Get(dstBucket)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
return
}
// Send PutObject request to appropriate instance (in federated deployment)
add support for configurable remote transport deadline (#10447) configurable remote transport timeouts for some special cases where this value needs to be bumped to a higher value when transferring large data between federated instances.
2020-09-12 02:03:08 -04:00
core, rerr := getRemoteInstanceClient(r, getHostFromSrv(dstRecords))
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
if rerr != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, rerr), r.URL)
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
return
}
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
partInfo, err := core.PutObjectPart(ctx, dstBucket, dstObject, uploadID, partID, gr, length, "", "", dstOpts.ServerSideEncryption)
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 13:19:22 -04:00
return
}
response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified)
encodedSuccessResponse := encodeResponse(response)
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
return
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 11:50:06 -04:00
actualPartSize = length
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
var reader io.Reader = etag.NewReader(gr, nil)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
mi, err := objectAPI.GetMultipartInfo(ctx, dstBucket, dstObject, uploadID, dstOpts)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
return
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 11:50:06 -04:00
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
// Read compression metadata preserved in the init multipart for the decision.
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
_, isCompressed := mi.UserDefined[ReservedMetadataPrefix+"compression"]
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
// Compress only if the compression is enabled during initial multipart.
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
var idxCb func() []byte
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 14:46:20 -04:00
if isCompressed {
Add padding to compressed+encrypted files (#15282) Add up to 256 bytes of padding for compressed+encrypted files. This will obscure the obvious cases of extremely compressible content and leave a similar output size for a very wide variety of inputs. This does *not* mean the compression ratio doesn't leak information about the content, but the outcome space is much smaller, so often *less* information is leaked.
2022-07-13 10:52:15 -04:00
wantEncryption := objectAPI.IsEncryptionSupported() && crypto.Requested(r.Header)
s2c, cb := newS2CompressReader(reader, actualPartSize, wantEncryption)
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
idxCb = cb
Switch to Snappy -> S2 compression (#8189)
2019-09-26 02:08:24 -04:00
defer s2c.Close()
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
reader = etag.Wrap(s2c, reader)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
length = -1
}
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
srcInfo.Reader, err = hash.NewReader(reader, length, "", "", actualPartSize)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-02 20:24:02 -05:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-27 23:36:17 -04:00
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
dstOpts, err = copyDstOpts(ctx, r, dstBucket, dstObject, mi.UserDefined)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
return
}
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
dstOpts.IndexCB = idxCb
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
rawReader := srcInfo.Reader
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
pReader := NewPutObjReader(rawReader)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
crypto: add support for decrypting SSE-KMS metadata (#11415) This commit refactors the SSE implementation and add S3-compatible SSE-KMS context handling. SSE-KMS differs from SSE-S3 in two main aspects: 1. The client can request a particular key and specify a KMS context as part of the request. 2. The ETag of an SSE-KMS encrypted object is not the MD5 sum of the object content. This commit only focuses on the 1st aspect. A client can send an optional SSE context when using SSE-KMS. This context is remembered by the S3 server such that the client does not have to specify the context again (during multipart PUT / GET / HEAD ...). The crypto. context also includes the bucket/object name to prevent renaming objects at the backend. Now, AWS S3 behaves as following: - If the user does not provide a SSE-KMS context it does not store one - resp. does not include the SSE-KMS context header in the response (e.g. HEAD). - If the user specifies a SSE-KMS context without the bucket/object name then AWS stores the exact context the client provided but adds the bucket/object name internally. The response contains the KMS context without the bucket/object name. - If the user specifies a SSE-KMS context with the bucket/object name then AWS again stores the exact context provided by the client. The response contains the KMS context with the bucket/object name. This commit implements this behavior w.r.t. SSE-KMS. However, as of now, no such object can be created since the server rejects SSE-KMS encryption requests. This commit is one stepping stone for SSE-KMS support. Co-authored-by: Harshavardhana <harsha@minio.io>
2021-02-03 18:19:08 -05:00
_, isEncrypted := crypto.IsEncrypted(mi.UserDefined)
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
var objectEncryptionKey crypto.ObjectKey
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
if objectAPI.IsEncryptionSupported() && isEncrypted {
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(mi.UserDefined) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrSSEMultipartEncrypted), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
if crypto.S3.IsEncrypted(mi.UserDefined) && crypto.SSEC.IsRequested(r.Header) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrSSEMultipartEncrypted), r.URL)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 17:16:43 -05:00
return
}
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
var key []byte
if crypto.SSEC.IsRequested(r.Header) {
key, err = ParseSSECustomerRequest(r)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
return
}
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
}
Introduce simpler GetMultipartInfo call for performance (#9722) Advantages avoids 100's of stats which are needed for each upload operation in FS/NAS gateway mode when uploading a large multipart object, dramatically increases performance for multipart uploads by avoiding recursive calls. For other gateway's simplifies the approach since azure, gcs, hdfs gateway's don't capture any specific metadata during upload which needs handler validation for encryption/compression. Erasure coding was already optimized, additionally just avoids small allocations of large data structure. Fixes #7206
2020-05-28 15:36:20 -04:00
key, err = decryptObjectInfo(key, dstBucket, dstObject, mi.UserDefined)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
return
}
copy(objectEncryptionKey[:], key)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID))
fips: simplify TLS configuration (#15127) This commit simplifies the TLS configuration. It inlines the FIPS / non-FIPS code. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2022-06-21 10:54:48 -04:00
encReader, err := sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.DARECiphers()})
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
return
}
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
reader = etag.Wrap(encReader, reader)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
Allow Compression + encryption (#11103)
2021-01-05 23:08:35 -05:00
wantSize := int64(-1)
if length >= 0 {
info := ObjectInfo{Size: length}
wantSize = info.EncryptedSize()
}
pkg/etag: add new package for S3 ETag handling (#11577) This commit adds a new package `etag` for dealing with S3 ETags. Even though ETag is often viewed as MD5 checksum of an object, handling S3 ETags correctly is a surprisingly complex task. While it is true that the ETag corresponds to the MD5 for the most basic S3 API operations, there are many exceptions in case of multipart uploads or encryption. In worse, some S3 clients expect very specific behavior when it comes to ETags. For example, some clients expect that the ETag is a double-quoted string and fail otherwise. Non-AWS compliant ETag handling has been a source of many bugs in the past. Therefore, this commit adds a dedicated `etag` package that provides functionality for parsing, generating and converting S3 ETags. Further, this commit removes the ETag computation from the `hash` package. Instead, the `hash` package (i.e. `hash.Reader`) should focus only on computing and verifying the content-sha256. One core feature of this commit is to provide a mechanism to communicate a computed ETag from a low-level `io.Reader` to a high-level `io.Reader`. This problem occurs when an S3 server receives a request and has to compute the ETag of the content. However, the server may also wrap the initial body with several other `io.Reader`, e.g. when encrypting or compressing the content: ``` reader := Encrypt(Compress(ETag(content))) ``` In such a case, the ETag should be accessible by the high-level `io.Reader`. The `etag` provides a mechanism to wrap `io.Reader` implementations such that the `ETag` can be accessed by a type-check. This technique is applied to the PUT, COPY and Upload handlers.
2021-02-23 15:31:53 -05:00
srcInfo.Reader, err = hash.NewReader(reader, wantSize, "", "", actualPartSize)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
return
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
}
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
pReader, err = pReader.WithEncryption(srcInfo.Reader, &objectEncryptionKey)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Simplify PutObjReader for plain-text reader usage (#11470) This change moves away from a unified constructor for plaintext and encrypted usage. NewPutObjReader is simplified for the plain-text reader use. For encrypted reader use, WithEncryption should be called on an initialized PutObjReader. Plaintext: func NewPutObjReader(rawReader *hash.Reader) *PutObjReader The hash.Reader is used to provide payload size and md5sum to the downstream consumers. This is different from the previous version in that there is no need to pass nil values for unused parameters. Encrypted: func WithEncryption(encReader *hash.Reader, key *crypto.ObjectKey) (*PutObjReader, error) This method sets up encrypted reader along with the key to seal the md5sum produced by the plain-text reader (already setup when NewPutObjReader was called). Usage: ``` pReader := NewPutObjReader(rawReader) // ... other object handler code goes here // Prepare the encrypted hashed reader pReader, err = pReader.WithEncryption(encReader, objEncKey) ```
2021-02-10 11:52:50 -05:00
return
}
Add compressed file index (#15247)
2022-07-11 20:30:56 -04:00
if dstOpts.IndexCB != nil {
dstOpts.IndexCB = compressionIndexEncrypter(objectEncryptionKey, dstOpts.IndexCB)
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 14:37:57 -05:00
}
avoid double listObjectParts calls improves performance (#9606) this PR is to avoid double calls across multiple calls in APIs - CopyObjectPart - PutObjectPart
2020-05-15 11:06:45 -04:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
srcInfo.PutObjReader = pReader
Add support for caching multipart in writethrough mode (#13507)
2021-11-01 11:11:58 -04:00
copyObjectPart := objectAPI.CopyObjectPart
if api.CacheAPI() != nil {
copyObjectPart = api.CacheAPI().CopyObjectPart
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
// Copy source object to destination, if source and destination
// object is same then only metadata is updated.
Add support for caching multipart in writethrough mode (#13507)
2021-11-01 11:11:58 -04:00
partInfo, err := copyObjectPart(ctx, srcBucket, srcObject, dstBucket, dstObject, uploadID, partID,
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 11:50:06 -04:00
startOffset, length, srcInfo, srcOpts, dstOpts)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
if isEncrypted {
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-09 20:01:45 -04:00
partInfo.ETag = tryDecryptETag(objectEncryptionKey[:], partInfo.ETag, crypto.SSEC.IsRequested(r.Header))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-14 20:36:41 -05:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 12:38:34 -05:00
response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified)
encodedSuccessResponse := encodeResponse(response)
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
}
add gocritic/ruleguard checks back again, cleanup code. (#13665) - remove some duplicated code - reported a bug, separately fixed in #13664 - using strings.ReplaceAll() when needed - using filepath.ToSlash() use when needed - remove all non-Go style comments from the codebase Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2021-11-16 12:28:29 -05:00
// Delete objectAPIHandlers
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 14:06:06 -04:00
api: Implement multiple objects Delete api - fixes #956 This API takes input XML input in following form. ``` <?xml version="1.0" encoding="UTF-8"?> <Delete> <Quiet>true</Quiet> <Object> <Key>Key</Key> </Object> <Object> <Key>Key</Key> </Object> ... </Delete> ``` and responds the list of successful deletes, list of errors for all the deleted objects. ``` <?xml version="1.0" encoding="UTF-8"?> <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Deleted> <Key>sample1.txt</Key> </Deleted> <Error> <Key>sample2.txt</Key> <Code>AccessDenied</Code> <Message>Access Denied</Message> </Error> </DeleteResult> ```
2016-03-05 19:43:48 -05:00
// DeleteObjectHandler - delete an object
storage/server/client: Enable storage server, enable client storage.
2016-04-12 15:45:15 -04:00
func (api objectAPIHandlers) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-20 21:46:32 -04:00
ctx := newContext(r, w, "DeleteObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 15:01:47 -04:00
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 15:25:59 -04:00
signature: Rewrite signature handling and move it into a library.
2016-02-15 20:42:39 -05:00
vars := mux.Vars(r)
Migrate this project to minio micro services code
2015-10-16 14:26:01 -04:00
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Migrate this project to minio micro services code
2015-10-16 14:26:01 -04:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-10 21:47:49 -04:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-24 18:53:30 -04:00
if s3Error := checkRequestAuthType(ctx, r, policy.DeleteObjectAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
return
fs: Cleanup Golang errors to be called 'e' and probe to be called as 'err' - Replace the ACL checks back, remove them when bucket policy is implemented. - Move FTW (File Tree Walk) into ioutils package.
2016-02-04 15:52:25 -05:00
}
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-21 16:51:05 -05:00
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 01:35:43 -04:00
if globalDNSConfig != nil {
_, err := globalDNSConfig.Get(bucket)
Add Kubernetes operator webook server as DNS target (#10404) This PR adds a DNS target that ensures to update an entry into Kubernetes operator when a bucket is created or deleted. See minio/operator#264 for details. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-09 15:20:49 -04:00
if err != nil && err != dns.ErrNotImplemented {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 01:35:43 -04:00
return
}
}
fix: save deleteMarker properly, precision upto UnixNano() (#9843)
2020-06-16 10:54:27 -04:00
opts, err := delOpts(ctx, r, bucket, object)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
Refactor replication, ILM handling in DELETE API (#10945)
2020-11-25 14:24:50 -05:00
var (
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
goi ObjectInfo
gerr error
Refactor replication, ILM handling in DELETE API (#10945)
2020-11-25 14:24:50 -05:00
)
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
os := newObjSweeper(bucket, object).WithVersion(opts.VersionID).WithVersioning(opts.Versioned, opts.VersionSuspended)
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
// Mutations of objects on versioning suspended buckets
// affect its null version. Through opts below we select
// the null version's remote object to delete if
// transitioned.
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
goiOpts := os.GetOpts()
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
goi, gerr = getObjectInfo(ctx, bucket, object, goiOpts)
if gerr == nil {
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
os.SetTransitionState(goi.TransitionedObject)
Refactor replication, ILM handling in DELETE API (#10945)
2020-11-25 14:24:50 -05:00
}
fix: delete/delete marker replication versions consistent (#11932) replication didn't work as expected when deletion of delete markers was requested in DeleteMultipleObjects API, this is due to incorrect lookup elements being used to look for delete markers.
2021-03-30 20:15:36 -04:00
fix: audit log to support object names in multipleObjectNames() handler (#14017)
2022-01-03 04:28:52 -05:00
dsc := checkReplicateDelete(ctx, bucket, ObjectToDelete{
ObjectV: ObjectV{
ObjectName: object,
VersionID: opts.VersionID,
},
}, goi, opts, gerr)
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc.ReplicateAny() {
opts.SetDeleteReplicationState(dsc, opts.VersionID)
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
}
fix: delete/delete marker replication versions consistent (#11932) replication didn't work as expected when deletion of delete markers was requested in DeleteMultipleObjects API, this is due to incorrect lookup elements being used to look for delete markers.
2021-03-30 20:15:36 -04:00
Refactor replication, ILM handling in DELETE API (#10945)
2020-11-25 14:24:50 -05:00
vID := opts.VersionID
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
if r.Header.Get(xhttp.AmzBucketReplicationStatus) == replication.Replica.String() {
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
// check if replica has permission to be deleted.
if apiErrCode := checkRequestAuthType(ctx, r, policy.ReplicateDeleteAction, bucket, object); apiErrCode != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErrCode), r.URL)
return
}
opts.SetReplicaStatus(replication.Replica)
if opts.VersionPurgeStatus().Empty() {
Refactor replication, ILM handling in DELETE API (#10945)
2020-11-25 14:24:50 -05:00
// opts.VersionID holds delete marker version ID to replicate and not yet present on disk
vID = ""
}
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
}
Refactor replication, ILM handling in DELETE API (#10945)
2020-11-25 14:24:50 -05:00
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
apiErr := ErrNone
migrate all bucket metadata into a single file (#9586) this is a major overhaul by migrating off all bucket metadata related configs into a single object '.metadata.bin' this allows us for faster bootups across 1000's of buckets and as well as keeps the code simple enough for future work and additions. Additionally also fixes #9396, #9394
2020-05-19 16:53:54 -04:00
if rcfg, _ := globalBucketObjectLockSys.Get(bucket); rcfg.LockEnabled {
s3: Force a prefix removal using a special header (#12504) An S3 client can send `x-minio-force-delete: true` to remove a prefix.
2021-06-15 21:43:14 -04:00
if opts.DeletePrefix {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, errors.New("force-delete is forbidden in a locked-enabled bucket")), r.URL)
s3: Force a prefix removal using a special header (#12504) An S3 client can send `x-minio-force-delete: true` to remove a prefix.
2021-06-15 21:43:14 -04:00
return
}
Revert "Tighten enforcement of object retention (#14993)" This reverts commit 5e3010d4557f9e013786024ee9c2a92af2083743. This commit causes regression on object locked buckets causine delete-markers to be not created.
2022-06-30 15:57:54 -04:00
if vID != "" {
apiErr = enforceRetentionBypassForDelete(ctx, r, bucket, ObjectToDelete{
ObjectV: ObjectV{
ObjectName: object,
VersionID: vID,
},
}, goi, gerr)
if apiErr != ErrNone && apiErr != ErrNoSuchKey {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErr), r.URL)
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
}
}
generate missing object delete bucket notifications (#10449) fixes #10381
2020-09-09 21:23:08 -04:00
if apiErr == ErrNoSuchKey {
writeSuccessNoContent(w)
return
}
avoid notification for non-existent delete objects (#11514) Skip notifications on objects that might have had an error during deletion, this also avoids unnecessary replication attempt on such objects. Refactor some places to make sure that we have notified the client before we - notify - schedule for replication - lifecycle etc.
2021-02-11 01:00:42 -05:00
deleteObject := objectAPI.DeleteObject
if api.CacheAPI() != nil {
deleteObject = api.CacheAPI().DeleteObject
}
generate missing object delete bucket notifications (#10449) fixes #10381
2020-09-09 21:23:08 -04:00
// http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html
avoid notification for non-existent delete objects (#11514) Skip notifications on objects that might have had an error during deletion, this also avoids unnecessary replication attempt on such objects. Refactor some places to make sure that we have notified the client before we - notify - schedule for replication - lifecycle etc.
2021-02-11 01:00:42 -05:00
objInfo, err := deleteObject(ctx, bucket, object, opts)
generate missing object delete bucket notifications (#10449) fixes #10381
2020-09-09 21:23:08 -04:00
if err != nil {
switch err.(type) {
case BucketNotFound:
// When bucket doesn't exist specially handle it.
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
generate missing object delete bucket notifications (#10449) fixes #10381
2020-09-09 21:23:08 -04:00
return
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
}
}
Revert "Add delete marker replication support (#10396)" This reverts commit 50c10a5087d52052c92625aa021d82fdb6e75d17. PR is moved to origin/dev branch
2020-11-12 14:43:04 -05:00
avoid notification for non-existent delete objects (#11514) Skip notifications on objects that might have had an error during deletion, this also avoids unnecessary replication attempt on such objects. Refactor some places to make sure that we have notified the client before we - notify - schedule for replication - lifecycle etc.
2021-02-11 01:00:42 -05:00
if objInfo.Name == "" {
writeSuccessNoContent(w)
return
}
setPutObjHeaders(w, objInfo, true)
writeSuccessNoContent(w)
eventName := event.ObjectRemovedDelete
if objInfo.DeleteMarker {
eventName = event.ObjectRemovedDeleteMarkerCreated
}
// Notify object deleted event.
sendEvent(eventArgs{
EventName: eventName,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc.ReplicateAny() {
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
dmVersionID := ""
versionID := ""
if objInfo.DeleteMarker {
dmVersionID = objInfo.VersionID
} else {
versionID = objInfo.VersionID
}
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
dobj := DeletedObjectReplicationInfo{
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
DeletedObject: DeletedObject{
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
ObjectName: object,
VersionID: versionID,
DeleteMarkerVersionID: dmVersionID,
DeleteMarkerMTime: DeleteMarkerMTime{objInfo.ModTime},
DeleteMarker: objInfo.DeleteMarker,
ReplicationState: objInfo.getReplicationState(dsc.String(), opts.VersionID, false),
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
},
fix: simplify passing auditLog eventType (#15278) Rename Trigger -> Event to be a more appropriate name for the audit event. Bonus: fixes a bug in AddMRFWorker() it did not cancel the waitgroup, leading to waitgroup leaks.
2022-07-12 13:43:32 -04:00
Bucket: bucket,
EventType: ReplicateIncomingDelete,
Allow synchronous replication if enabled. (#11165) Synchronous replication can be enabled by setting the --sync flag while adding a remote replication target. This PR also adds proxying on GET/HEAD to another node in a active-active replication setup in the event of a 404 on the current node.
2021-01-12 01:36:51 -05:00
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
scheduleReplicationDelete(ctx, dobj, objectAPI)
Revert "Revert "Add delete marker replication support (#10396)"" This reverts commit 267d7bf0a9f114065314a0b2863f7fcc9e923012.
2020-11-19 21:43:58 -05:00
}
fix: avoid sending errors on missing objects on locked buckets (#10994) make sure multi-object delete returned errors that are AWS S3 compatible
2020-11-29 00:15:45 -05:00
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
// Remove the transitioned object whose object version is being overwritten.
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
if !globalTierConfigMgr.Empty() {
os.Sweep()
}
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 14:06:06 -04:00
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
// PutObjectLegalHoldHandler - set legal hold configuration to object,
func (api objectAPIHandlers) PutObjectLegalHoldHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectLegalHold")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
// Check permissions to perform this legal hold operation
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 10:04:12 -05:00
if s3Err := checkRequestAuthType(ctx, r, policy.PutObjectLegalHoldAction, bucket, object); s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
return
}
site replication: fix healing of bucket deletes. (#15377) This PR changes the handling of bucket deletes for site replicated setups to hold on to deleted bucket state until it syncs to all the clusters participating in site replication.
2022-07-25 20:51:32 -04:00
if _, err := objectAPI.GetBucketInfo(ctx, bucket, BucketOptions{}); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
return
}
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 10:04:12 -05:00
if !hasContentMD5(r.Header) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentMD5), r.URL)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
return
}
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 01:07:52 -05:00
migrate all bucket metadata into a single file (#9586) this is a major overhaul by migrating off all bucket metadata related configs into a single object '.metadata.bin' this allows us for faster bootups across 1000's of buckets and as well as keeps the code simple enough for future work and additions. Additionally also fixes #9396, #9394
2020-05-19 16:53:54 -04:00
if rcfg, _ := globalBucketObjectLockSys.Get(bucket); !rcfg.LockEnabled {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
return
}
return appropriate errors upon parseErrors (#13831)
2021-12-05 14:36:26 -05:00
legalHold, err := objectlock.ParseObjectLegalHold(io.LimitReader(r.Body, r.ContentLength))
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
if err != nil {
return appropriate errors upon parseErrors (#13831)
2021-12-05 14:36:26 -05:00
apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
apiErr.Description = err.Error()
writeErrorResponse(ctx, w, apiErr, r.URL)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
remove double reads updating object metadata (#13542) Removes RLock/RUnlock for updating metadata, since we already take a write lock to update metadata, this change removes reading of xl.meta as well as an additional lock, the performance gain should increase 3x theoretically for - PutObjectRetention - PutObjectLegalHold This optimization is mainly for Veeam like workloads that require a certain level of iops from these API calls, we were losing iops.
2021-10-30 11:22:04 -04:00
popts := ObjectOptions{
MTime: opts.MTime,
VersionID: opts.VersionID,
EvalMetadataFn: func(oi ObjectInfo) error {
oi.UserDefined[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = strings.ToUpper(string(legalHold.Status))
oi.UserDefined[ReservedMetadataPrefixLower+ObjectLockLegalHoldTimestamp] = UTCNow().Format(time.RFC3339Nano)
dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(oi, replication.MetadataReplicationType, opts))
if dsc.ReplicateAny() {
oi.UserDefined[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
oi.UserDefined[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
}
return nil
},
}
objInfo, err := objectAPI.PutObjectMetadata(ctx, bucket, object, popts)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(objInfo, replication.MetadataReplicationType, opts))
if dsc.ReplicateAny() {
scheduleReplication(ctx, objInfo.Clone(), objectAPI, dsc, replication.MetadataReplicationType)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
}
remove double reads updating object metadata (#13542) Removes RLock/RUnlock for updating metadata, since we already take a write lock to update metadata, this change removes reading of xl.meta as well as an additional lock, the performance gain should increase 3x theoretically for - PutObjectRetention - PutObjectLegalHold This optimization is mainly for Veeam like workloads that require a certain level of iops from these API calls, we were losing iops.
2021-10-30 11:22:04 -04:00
Fix error messages returned by (Put)GetObjectLegalHold (#9013) fiixing some minor discrepancies between aws s3 responses vs minio server
2020-02-18 21:45:48 -05:00
writeSuccessResponseHeadersOnly(w)
fix: replication metadata comparsion and other fixes (#11410) - using miniogo.ObjectInfo.UserMetadata is not correct - using UserTags from Map->String() can change order - ContentType comparison needs to be removed. - Compare both lowercase and uppercase key names. - do not silently error out constructing PutObjectOptions if tag parsing fails - avoid notification for empty object info, failed operations should rely on valid objInfo for notification in all situations - optimize copyObject implementation, also introduce a new replication event - clone ObjectInfo() before scheduling for replication - add additional headers for comparison - remove strings.EqualFold comparison avoid unexpected bugs - fix pool based proxying with multiple pools - compare only specific metadata Co-authored-by: Poorna Krishnamoorthy <poornas@users.noreply.github.com>
2021-02-03 23:41:33 -05:00
// Notify object event.
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
sendEvent(eventArgs{
EventName: event.ObjectCreatedPutLegalHold,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
}
// GetObjectLegalHoldHandler - get legal hold configuration to object,
func (api objectAPIHandlers) GetObjectLegalHoldHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectLegalHold")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
migrate all bucket metadata into a single file (#9586) this is a major overhaul by migrating off all bucket metadata related configs into a single object '.metadata.bin' this allows us for faster bootups across 1000's of buckets and as well as keeps the code simple enough for future work and additions. Additionally also fixes #9396, #9394
2020-05-19 16:53:54 -04:00
if rcfg, _ := globalBucketObjectLockSys.Get(bucket); !rcfg.LockEnabled {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
legalHold := objectlock.GetObjectLegalHoldMeta(objInfo.UserDefined)
Fix error messages returned by (Put)GetObjectLegalHold (#9013) fiixing some minor discrepancies between aws s3 responses vs minio server
2020-02-18 21:45:48 -05:00
if legalHold.IsEmpty() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchObjectLockConfiguration), r.URL)
Fix error messages returned by (Put)GetObjectLegalHold (#9013) fiixing some minor discrepancies between aws s3 responses vs minio server
2020-02-18 21:45:48 -05:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
writeSuccessResponseXML(w, encodeResponse(legalHold))
// Notify object legal hold accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGetLegalHold,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
// PutObjectRetentionHandler - set object hold configuration to object,
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
func (api objectAPIHandlers) PutObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectRetention")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-12 21:07:08 -04:00
cred, owner, s3Err := validateSignature(getRequestAuthType(r), r)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
if s3Err != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
return
}
site replication: fix healing of bucket deletes. (#15377) This PR changes the handling of bucket deletes for site replicated setups to hold on to deleted bucket state until it syncs to all the clusters participating in site replication.
2022-07-25 20:51:32 -04:00
if _, err := objectAPI.GetBucketInfo(ctx, bucket, BucketOptions{}); err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Fix retention enforcement in Compliance mode (#8556) In compliance mode, the retention date can be extended with governance bypass permissions
2019-11-25 13:58:39 -05:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 10:04:12 -05:00
if !hasContentMD5(r.Header) {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentMD5), r.URL)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
return
}
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 01:07:52 -05:00
migrate all bucket metadata into a single file (#9586) this is a major overhaul by migrating off all bucket metadata related configs into a single object '.metadata.bin' this allows us for faster bootups across 1000's of buckets and as well as keeps the code simple enough for future work and additions. Additionally also fixes #9396, #9394
2020-05-19 16:53:54 -04:00
if rcfg, _ := globalBucketObjectLockSys.Get(bucket); !rcfg.LockEnabled {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
objRetention, err := objectlock.ParseObjectRetention(r.Body)
Fix retention enforcement in Compliance mode (#8556) In compliance mode, the retention date can be extended with governance bypass permissions
2019-11-25 13:58:39 -05:00
if err != nil {
apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
apiErr.Description = err.Error()
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, apiErr, r.URL)
Fix retention enforcement in Compliance mode (#8556) In compliance mode, the retention date can be extended with governance bypass permissions
2019-11-25 13:58:39 -05:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 16:44:16 -04:00
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
remove double reads updating object metadata (#13542) Removes RLock/RUnlock for updating metadata, since we already take a write lock to update metadata, this change removes reading of xl.meta as well as an additional lock, the performance gain should increase 3x theoretically for - PutObjectRetention - PutObjectLegalHold This optimization is mainly for Veeam like workloads that require a certain level of iops from these API calls, we were losing iops.
2021-10-30 11:22:04 -04:00
popts := ObjectOptions{
MTime: opts.MTime,
VersionID: opts.VersionID,
EvalMetadataFn: func(oi ObjectInfo) error {
if err := enforceRetentionBypassForPut(ctx, r, oi, objRetention, cred, owner); err != nil {
return err
}
if objRetention.Mode.Valid() {
oi.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = string(objRetention.Mode)
oi.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = objRetention.RetainUntilDate.UTC().Format(time.RFC3339)
} else {
oi.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = ""
oi.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = ""
}
oi.UserDefined[ReservedMetadataPrefixLower+ObjectLockRetentionTimestamp] = UTCNow().Format(time.RFC3339Nano)
dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(oi, replication.MetadataReplicationType, opts))
if dsc.ReplicateAny() {
oi.UserDefined[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
oi.UserDefined[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
}
return nil
},
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
}
remove double reads updating object metadata (#13542) Removes RLock/RUnlock for updating metadata, since we already take a write lock to update metadata, this change removes reading of xl.meta as well as an additional lock, the performance gain should increase 3x theoretically for - PutObjectRetention - PutObjectLegalHold This optimization is mainly for Veeam like workloads that require a certain level of iops from these API calls, we were losing iops.
2021-10-30 11:22:04 -04:00
objInfo, err := objectAPI.PutObjectMetadata(ctx, bucket, object, popts)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
api: Introduce metadata update APIs to update only metadata (#11962) Current implementation heavily relies on readAllFileInfo but with the advent of xl.meta inlined with data, we cannot easily avoid reading data when we are only interested is updating metadata, this leads to invariably write amplification during metadata updates, repeatedly reading data when we are only interested in updating metadata. This PR ensures that we implement a metadata only update API at storage layer, that handles updates to metadata alone for any given version - given the version is valid and present. This helps reduce the chattiness for following calls.. - PutObjectTags - DeleteObjectTags - PutObjectLegalHold - PutObjectRetention - ReplicateObject (updates metadata on replication status)
2021-04-04 16:32:31 -04:00
return
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(objInfo, replication.MetadataReplicationType, opts))
if dsc.ReplicateAny() {
scheduleReplication(ctx, objInfo.Clone(), objectAPI, dsc, replication.MetadataReplicationType)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
writeSuccessNoContent(w)
// Notify object event.
sendEvent(eventArgs{
EventName: event.ObjectCreatedPutRetention,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
// GetObjectRetentionHandler - get object retention configuration of object,
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
func (api objectAPIHandlers) GetObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectRetention")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
PutObjectRetention : return matching error XML as AWS S3 (#11973)
2021-04-14 03:01:53 -04:00
if rcfg, _ := globalBucketObjectLockSys.Get(bucket); !rcfg.LockEnabled {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL)
PutObjectRetention : return matching error XML as AWS S3 (#11973)
2021-04-14 03:01:53 -04:00
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
return
}
Add support for object locking with legal hold. (#8634)
2020-01-16 18:41:56 -05:00
retention := objectlock.GetObjectRetentionMeta(objInfo.UserDefined)
Handle empty retention in get/put object retention (#9948) Fixes #9943
2020-06-30 19:44:24 -04:00
if !retention.Mode.Valid() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchObjectLockConfiguration), r.URL)
Handle empty retention in get/put object retention (#9948) Fixes #9943
2020-06-30 19:44:24 -04:00
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 16:18:09 -05:00
writeSuccessResponseXML(w, encodeResponse(retention))
// Notify object retention accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGetRetention,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 17:50:18 -05:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// GetObjectTaggingHandler - GET object tagging
func (api objectAPIHandlers) GetObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectTagging")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
objAPI := api.ObjectAPI()
if objAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
if !objAPI.IsTaggingSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
return
}
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// Allow getObjectTagging if policy action is set.
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectTaggingAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// Get object tags
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
tags, err := objAPI.GetObjectTags(ctx, bucket, object, opts)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
if opts.VersionID != "" {
w.Header()[xhttp.AmzVersionID] = []string{opts.VersionID}
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
writeSuccessResponseXML(w, encodeResponse(tags))
}
// PutObjectTaggingHandler - PUT object tagging
func (api objectAPIHandlers) PutObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectTagging")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
objAPI := api.ObjectAPI()
if objAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
if !objAPI.IsTaggingSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// Allow putObjectTagging if policy action is set
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectTaggingAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
add bucket tagging support (#9389) This patch also simplifies object tagging support
2020-05-05 17:18:13 -04:00
tags, err := tags.ParseObjectXML(io.LimitReader(r.Body, r.ContentLength))
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
Add support for syncing replica modifications (#11104) when bidirectional replication is set up. If ReplicaModifications is enabled in the replication configuration, sync metadata updates to source if replication rules are met. By default, if this configuration is unset, MinIO automatically sync's metadata updates on replica back to the source.
2021-05-13 22:20:45 -04:00
objInfo, err := objAPI.GetObjectInfo(ctx, bucket, object, opts)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for syncing replica modifications (#11104) when bidirectional replication is set up. If ReplicaModifications is enabled in the replication configuration, sync metadata updates to source if replication rules are met. By default, if this configuration is unset, MinIO automatically sync's metadata updates on replica back to the source.
2021-05-13 22:20:45 -04:00
return
}
Add support for existing object replication. (#12109) Also adding an API to allow resyncing replication when existing object replication is enabled and the remote target is entirely lost. With the `mc replicate reset` command, the objects that are eligible for replication as per the replication config will be resynced to target if existing object replication is enabled on the rule.
2021-06-01 22:59:11 -04:00
tagsStr := tags.String()
oi := objInfo.Clone()
oi.UserTags = tagsStr
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(oi, replication.MetadataReplicationType, opts))
if dsc.ReplicateAny() {
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
opts.UserDefined = make(map[string]string)
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
opts.UserDefined[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
opts.UserDefined[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
opts.UserDefined[ReservedMetadataPrefixLower+TaggingTimestamp] = UTCNow().Format(time.RFC3339Nano)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// Put object tags
Add support for syncing replica modifications (#11104) when bidirectional replication is set up. If ReplicaModifications is enabled in the replication configuration, sync metadata updates to source if replication rules are met. By default, if this configuration is unset, MinIO automatically sync's metadata updates on replica back to the source.
2021-05-13 22:20:45 -04:00
objInfo, err = objAPI.PutObjectTags(ctx, bucket, object, tagsStr, opts)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc.ReplicateAny() {
scheduleReplication(ctx, objInfo.Clone(), objAPI, dsc, replication.MetadataReplicationType)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
}
tagging: Add event notif for PUT object tagging (#11366) An optimization to avoid double calling for during PutObject tagging
2021-02-01 16:52:51 -05:00
if objInfo.VersionID != "" {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
writeSuccessResponseHeadersOnly(w)
tagging: Add event notif for PUT object tagging (#11366) An optimization to avoid double calling for during PutObject tagging
2021-02-01 16:52:51 -05:00
sendEvent(eventArgs{
EventName: event.ObjectCreatedPutTagging,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
}
// DeleteObjectTaggingHandler - DELETE object tagging
func (api objectAPIHandlers) DeleteObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "DeleteObjectTagging")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
objAPI := api.ObjectAPI()
if objAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
if !objAPI.IsTaggingSupported() {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
add gateway object tagging support (#9124)
2020-05-23 14:09:35 -04:00
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-11 22:38:02 -05:00
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
// Allow deleteObjectTagging if policy action is set
if s3Error := checkRequestAuthType(ctx, r, policy.DeleteObjectTaggingAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-12 23:04:01 -04:00
return
}
fix: replication metadata comparsion and other fixes (#11410) - using miniogo.ObjectInfo.UserMetadata is not correct - using UserTags from Map->String() can change order - ContentType comparison needs to be removed. - Compare both lowercase and uppercase key names. - do not silently error out constructing PutObjectOptions if tag parsing fails - avoid notification for empty object info, failed operations should rely on valid objInfo for notification in all situations - optimize copyObject implementation, also introduce a new replication event - clone ObjectInfo() before scheduling for replication - add additional headers for comparison - remove strings.EqualFold comparison avoid unexpected bugs - fix pool based proxying with multiple pools - compare only specific metadata Co-authored-by: Poorna Krishnamoorthy <poornas@users.noreply.github.com>
2021-02-03 23:41:33 -05:00
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
oi, err := objAPI.GetObjectInfo(ctx, bucket, object, opts)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
return
}
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
dsc := mustReplicate(ctx, bucket, object, getMustReplicateOptions(oi, replication.MetadataReplicationType, opts))
if dsc.ReplicateAny() {
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
opts.UserDefined = make(map[string]string)
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
opts.UserDefined[ReservedMetadataPrefixLower+ReplicationTimestamp] = UTCNow().Format(time.RFC3339Nano)
opts.UserDefined[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
}
tagging: Add event notif for PUT object tagging (#11366) An optimization to avoid double calling for during PutObject tagging
2021-02-01 16:52:51 -05:00
fix: replication metadata comparsion and other fixes (#11410) - using miniogo.ObjectInfo.UserMetadata is not correct - using UserTags from Map->String() can change order - ContentType comparison needs to be removed. - Compare both lowercase and uppercase key names. - do not silently error out constructing PutObjectOptions if tag parsing fails - avoid notification for empty object info, failed operations should rely on valid objInfo for notification in all situations - optimize copyObject implementation, also introduce a new replication event - clone ObjectInfo() before scheduling for replication - add additional headers for comparison - remove strings.EqualFold comparison avoid unexpected bugs - fix pool based proxying with multiple pools - compare only specific metadata Co-authored-by: Poorna Krishnamoorthy <poornas@users.noreply.github.com>
2021-02-03 23:41:33 -05:00
oi, err = objAPI.DeleteObjectTags(ctx, bucket, object, opts)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
return
}
fix: return versionId in tagging APIs (#10068)
2020-07-17 01:38:58 -04:00
Add support for multi site replication (#12880)
2021-09-18 16:31:35 -04:00
if dsc.ReplicateAny() {
scheduleReplication(ctx, oi.Clone(), objAPI, dsc, replication.MetadataReplicationType)
Add support for replication of object tags, retention metadata (#10880)
2020-11-19 14:50:22 -05:00
}
tagging: Add event notif for PUT object tagging (#11366) An optimization to avoid double calling for during PutObject tagging
2021-02-01 16:52:51 -05:00
if oi.VersionID != "" {
w.Header()[xhttp.AmzVersionID] = []string{oi.VersionID}
}
fix: deleteObjectTagging should 204 on success (#9150)
2020-03-17 02:21:24 -04:00
writeSuccessNoContent(w)
tagging: Add event notif for PUT object tagging (#11366) An optimization to avoid double calling for during PutObject tagging
2021-02-01 16:52:51 -05:00
sendEvent(eventArgs{
EventName: event.ObjectCreatedDeleteTagging,
BucketName: bucket,
Object: oi,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 11:45:59 -05:00
}
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
// RestoreObjectHandler - POST restore object handler.
// ----------
func (api objectAPIHandlers) PostRestoreObjectHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PostRestoreObject")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix: normalize object layer inputs (#11534) Cases where we have applications making request for `//` in object names make sure that all are normalized to `/` and all such requests that are prefixed '/' are removed. To ensure a consistent view from all operations.
2021-03-09 15:58:22 -05:00
object, err := unescapePath(vars["object"])
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
// Fetch object stat info.
objectAPI := api.ObjectAPI()
if objectAPI == nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
// Check for auth type to return S3 compatible error.
if s3Error := checkRequestAuthType(ctx, r, policy.RestoreObjectAction, bucket, object); s3Error != ErrNone {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
if r.ContentLength <= 0 {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEmptyRequestBody), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
opts, err := postRestoreOpts(ctx, r, bucket, object)
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
return
}
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
if err != nil {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
fix: various performance improvements to tiering (#12965) - deletes should always Sweep() for tiering at the end and does not need an extra getObjectInfo() call - puts, copy and multipart writes should conditionally do getObjectInfo() when tiering targets are configured - introduce 'TransitionedObject' struct for ease of usage and understanding. - multiple-pools optimization deletes don't need to hold read locks verifying objects across namespace and pools.
2021-08-17 10:50:00 -04:00
if objInfo.TransitionedObject.Status != lifecycle.TransitionComplete {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidObjectState), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
rreq, err := parseRestoreRequest(io.LimitReader(r.Body, r.ContentLength))
if err != nil {
apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
apiErr.Description = err.Error()
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, apiErr, r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
// validate the request
if err := rreq.validate(ctx, objectAPI); err != nil {
apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
apiErr.Description = err.Error()
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, apiErr, r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
statusCode := http.StatusOK
alreadyRestored := false
if err == nil {
if objInfo.RestoreOngoing && rreq.Type != SelectRestoreRequest {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrObjectRestoreAlreadyInProgress), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
if !objInfo.RestoreOngoing && !objInfo.RestoreExpires.IsZero() {
statusCode = http.StatusAccepted
alreadyRestored = true
}
}
// set or upgrade restore expiry
restoreExpiry := lifecycle.ExpectedExpiryTime(time.Now(), rreq.Days)
metadata := cloneMSS(objInfo.UserDefined)
// update self with restore metadata
if rreq.Type != SelectRestoreRequest {
objInfo.metadataOnly = true // Perform only metadata updates.
metadata[xhttp.AmzRestoreExpiryDays] = strconv.Itoa(rreq.Days)
metadata[xhttp.AmzRestoreRequestDate] = time.Now().UTC().Format(http.TimeFormat)
if alreadyRestored {
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
metadata[xhttp.AmzRestore] = completedRestoreObj(restoreExpiry).String()
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
} else {
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
metadata[xhttp.AmzRestore] = ongoingRestoreObj().String()
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
}
objInfo.UserDefined = metadata
if _, err := objectAPI.CopyObject(GlobalContext, bucket, object, bucket, object, objInfo, ObjectOptions{
VersionID: objInfo.VersionID,
}, ObjectOptions{
VersionID: objInfo.VersionID,
}); err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to update replication metadata for %s: %s", objInfo.VersionID, err))
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidObjectState), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
// for previously restored object, just update the restore expiry
if alreadyRestored {
return
}
}
restoreObject := mustGetUUID()
if rreq.OutputLocation.S3.BucketName != "" {
w.Header()[xhttp.AmzRestoreOutputPath] = []string{pathJoin(rreq.OutputLocation.S3.BucketName, rreq.OutputLocation.S3.Prefix, restoreObject)}
}
w.WriteHeader(statusCode)
// Notify object restore started via a POST request.
sendEvent(eventArgs{
EventName: event.ObjectRestorePostInitiated,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
// now process the restore in background
go func() {
rctx := GlobalContext
if !rreq.SelectParameters.IsEmpty() {
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
actualSize, err := objInfo.GetActualSize()
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return
}
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
objectRSC := s3select.NewObjectReadSeekCloser(
func(offset int64) (io.ReadCloser, error) {
rs := &HTTPRangeSpec{
IsSuffixLength: false,
Start: offset,
End: -1,
}
return getTransitionedObjectReader(rctx, bucket, object, rs, r.Header,
objInfo, ObjectOptions{VersionID: objInfo.VersionID})
},
actualSize,
)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
S3 select switch to new parquet library and reduce locking (#14731) - This change switches to a new parquet library - SelectObjectContent now takes a single lock at the beginning and holds it during the operation. Previously the operation took a lock every time the parquet library performed a Seek on the underlying object stream. - Add basic support for LogicalType annotations for timestamps.
2022-04-14 09:54:47 -04:00
if err = rreq.SelectParameters.Open(objectRSC); err != nil {
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
if serr, ok := err.(s3select.SelectError); ok {
encodedErrorResponse := encodeResponse(APIErrorResponse{
Code: serr.ErrorCode(),
Message: serr.ErrorMessage(),
BucketName: bucket,
Key: object,
Resource: r.URL.Path,
RequestID: w.Header().Get(xhttp.AmzRequestID),
HostID: globalDeploymentID,
})
writeResponse(w, serr.HTTPStatusCode(), encodedErrorResponse, mimeXML)
} else {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
}
return
}
nr := httptest.NewRecorder()
rw := logger.NewResponseWriter(nr)
rw.LogErrBody = true
rw.LogAllBody = true
rreq.SelectParameters.Evaluate(rw)
rreq.SelectParameters.Close()
return
}
Support for remote tier management (#12090) With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 13:30:42 -04:00
opts := ObjectOptions{
Transition: TransitionOptions{
RestoreRequest: rreq,
RestoreExpiry: restoreExpiry,
},
VersionID: objInfo.VersionID,
}
if err := objectAPI.RestoreTransitionedObject(rctx, bucket, object, opts); err != nil {
logger.LogIf(ctx, err)
Add support for ILM transition (#10565) This PR adds transition support for ILM to transition data to another MinIO target represented by a storage class ARN. Subsequent GET or HEAD for that object will be streamed from the transition tier. If PostRestoreObject API is invoked, the transitioned object can be restored for duration specified to the source cluster.
2020-11-12 15:12:09 -05:00
return
}
// Notify object restore completed via a POST request.
sendEvent(eventArgs{
EventName: event.ObjectRestorePostCompleted,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
}()
}