mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
allow S3 gateway to support object locked buckets (#13257)
- Supports object locked buckets that require PutObject() to set content-md5 always. - Use SSE-S3 when S3 gateway is being used instead of SSE-KMS for auto-encryption.
This commit is contained in:
parent
0b55a0423e
commit
50a68a1791
@ -21,7 +21,7 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"io"
|
"io"
|
||||||
|
|
||||||
bucketsse "github.com/minio/minio/internal/bucket/encryption"
|
sse "github.com/minio/minio/internal/bucket/encryption"
|
||||||
)
|
)
|
||||||
|
|
||||||
// BucketSSEConfigSys - in-memory cache of bucket encryption config
|
// BucketSSEConfigSys - in-memory cache of bucket encryption config
|
||||||
@ -33,7 +33,7 @@ func NewBucketSSEConfigSys() *BucketSSEConfigSys {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Get - gets bucket encryption config for the given bucket.
|
// Get - gets bucket encryption config for the given bucket.
|
||||||
func (sys *BucketSSEConfigSys) Get(bucket string) (*bucketsse.BucketSSEConfig, error) {
|
func (sys *BucketSSEConfigSys) Get(bucket string) (*sse.BucketSSEConfig, error) {
|
||||||
if globalIsGateway {
|
if globalIsGateway {
|
||||||
objAPI := newObjectLayerFn()
|
objAPI := newObjectLayerFn()
|
||||||
if objAPI == nil {
|
if objAPI == nil {
|
||||||
@ -47,8 +47,8 @@ func (sys *BucketSSEConfigSys) Get(bucket string) (*bucketsse.BucketSSEConfig, e
|
|||||||
}
|
}
|
||||||
|
|
||||||
// validateBucketSSEConfig parses bucket encryption configuration and validates if it is supported by MinIO.
|
// validateBucketSSEConfig parses bucket encryption configuration and validates if it is supported by MinIO.
|
||||||
func validateBucketSSEConfig(r io.Reader) (*bucketsse.BucketSSEConfig, error) {
|
func validateBucketSSEConfig(r io.Reader) (*sse.BucketSSEConfig, error) {
|
||||||
encConfig, err := bucketsse.ParseBucketSSEConfig(r)
|
encConfig, err := sse.ParseBucketSSEConfig(r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -39,6 +39,7 @@ import (
|
|||||||
|
|
||||||
"github.com/minio/minio-go/v7/pkg/set"
|
"github.com/minio/minio-go/v7/pkg/set"
|
||||||
"github.com/minio/minio-go/v7/pkg/tags"
|
"github.com/minio/minio-go/v7/pkg/tags"
|
||||||
|
sse "github.com/minio/minio/internal/bucket/encryption"
|
||||||
objectlock "github.com/minio/minio/internal/bucket/object/lock"
|
objectlock "github.com/minio/minio/internal/bucket/object/lock"
|
||||||
"github.com/minio/minio/internal/bucket/replication"
|
"github.com/minio/minio/internal/bucket/replication"
|
||||||
"github.com/minio/minio/internal/config/dns"
|
"github.com/minio/minio/internal/config/dns"
|
||||||
@ -976,7 +977,10 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
|
|||||||
|
|
||||||
// Check if bucket encryption is enabled
|
// Check if bucket encryption is enabled
|
||||||
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
||||||
sseConfig.Apply(r.Header, globalAutoEncryption)
|
sseConfig.Apply(r.Header, sse.ApplyOptions{
|
||||||
|
AutoEncrypt: globalAutoEncryption,
|
||||||
|
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
|
||||||
|
})
|
||||||
|
|
||||||
// get gateway encryption options
|
// get gateway encryption options
|
||||||
var opts ObjectOptions
|
var opts ObjectOptions
|
||||||
|
@ -380,7 +380,7 @@ const (
|
|||||||
|
|
||||||
// Encryption specifies encryption setting on restored bucket
|
// Encryption specifies encryption setting on restored bucket
|
||||||
type Encryption struct {
|
type Encryption struct {
|
||||||
EncryptionType sse.SSEAlgorithm `xml:"EncryptionType"`
|
EncryptionType sse.Algorithm `xml:"EncryptionType"`
|
||||||
KMSContext string `xml:"KMSContext,omitempty"`
|
KMSContext string `xml:"KMSContext,omitempty"`
|
||||||
KMSKeyID string `xml:"KMSKeyId,omitempty"`
|
KMSKeyID string `xml:"KMSKeyId,omitempty"`
|
||||||
}
|
}
|
||||||
|
@ -481,6 +481,10 @@ func (l *s3Objects) PutObject(ctx context.Context, bucket string, object string,
|
|||||||
UserMetadata: opts.UserDefined,
|
UserMetadata: opts.UserDefined,
|
||||||
ServerSideEncryption: opts.ServerSideEncryption,
|
ServerSideEncryption: opts.ServerSideEncryption,
|
||||||
UserTags: tagMap,
|
UserTags: tagMap,
|
||||||
|
// Content-Md5 is needed for buckets with object locking,
|
||||||
|
// instead of spending an extra API call to detect this
|
||||||
|
// we can set md5sum to be calculated always.
|
||||||
|
SendContentMd5: true,
|
||||||
}
|
}
|
||||||
ui, err := l.Client.PutObject(ctx, bucket, object, data, data.Size(), data.MD5Base64String(), data.SHA256HexString(), putOpts)
|
ui, err := l.Client.PutObject(ctx, bucket, object, data, data.Size(), data.MD5Base64String(), data.SHA256HexString(), putOpts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -41,6 +41,7 @@ import (
|
|||||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||||
"github.com/minio/minio-go/v7/pkg/encrypt"
|
"github.com/minio/minio-go/v7/pkg/encrypt"
|
||||||
"github.com/minio/minio-go/v7/pkg/tags"
|
"github.com/minio/minio-go/v7/pkg/tags"
|
||||||
|
sse "github.com/minio/minio/internal/bucket/encryption"
|
||||||
"github.com/minio/minio/internal/bucket/lifecycle"
|
"github.com/minio/minio/internal/bucket/lifecycle"
|
||||||
objectlock "github.com/minio/minio/internal/bucket/object/lock"
|
objectlock "github.com/minio/minio/internal/bucket/object/lock"
|
||||||
"github.com/minio/minio/internal/bucket/replication"
|
"github.com/minio/minio/internal/bucket/replication"
|
||||||
@ -997,7 +998,10 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
|
|||||||
|
|
||||||
// Check if bucket encryption is enabled
|
// Check if bucket encryption is enabled
|
||||||
sseConfig, _ := globalBucketSSEConfigSys.Get(dstBucket)
|
sseConfig, _ := globalBucketSSEConfigSys.Get(dstBucket)
|
||||||
sseConfig.Apply(r.Header, globalAutoEncryption)
|
sseConfig.Apply(r.Header, sse.ApplyOptions{
|
||||||
|
AutoEncrypt: globalAutoEncryption,
|
||||||
|
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
|
||||||
|
})
|
||||||
|
|
||||||
var srcOpts, dstOpts ObjectOptions
|
var srcOpts, dstOpts ObjectOptions
|
||||||
srcOpts, err = copySrcOpts(ctx, r, srcBucket, srcObject)
|
srcOpts, err = copySrcOpts(ctx, r, srcBucket, srcObject)
|
||||||
@ -1667,7 +1671,10 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
|
|||||||
|
|
||||||
// Check if bucket encryption is enabled
|
// Check if bucket encryption is enabled
|
||||||
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
||||||
sseConfig.Apply(r.Header, globalAutoEncryption)
|
sseConfig.Apply(r.Header, sse.ApplyOptions{
|
||||||
|
AutoEncrypt: globalAutoEncryption,
|
||||||
|
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
|
||||||
|
})
|
||||||
|
|
||||||
actualSize := size
|
actualSize := size
|
||||||
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) && size > 0 {
|
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) && size > 0 {
|
||||||
@ -1990,7 +1997,10 @@ func (api objectAPIHandlers) PutObjectExtractHandler(w http.ResponseWriter, r *h
|
|||||||
|
|
||||||
// Check if bucket encryption is enabled
|
// Check if bucket encryption is enabled
|
||||||
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
||||||
sseConfig.Apply(r.Header, globalAutoEncryption)
|
sseConfig.Apply(r.Header, sse.ApplyOptions{
|
||||||
|
AutoEncrypt: globalAutoEncryption,
|
||||||
|
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
|
||||||
|
})
|
||||||
|
|
||||||
retPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
|
retPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
|
||||||
holdPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectLegalHoldAction)
|
holdPerms := isPutActionAllowed(ctx, getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectLegalHoldAction)
|
||||||
@ -2186,7 +2196,10 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
|
|||||||
|
|
||||||
// Check if bucket encryption is enabled
|
// Check if bucket encryption is enabled
|
||||||
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
|
||||||
sseConfig.Apply(r.Header, globalAutoEncryption)
|
sseConfig.Apply(r.Header, sse.ApplyOptions{
|
||||||
|
AutoEncrypt: globalAutoEncryption,
|
||||||
|
Passthrough: globalIsGateway && globalGatewayName == S3BackendGateway,
|
||||||
|
})
|
||||||
|
|
||||||
// Validate storage class metadata if present
|
// Validate storage class metadata if present
|
||||||
if sc := r.Header.Get(xhttp.AmzStorageClass); sc != "" {
|
if sc := r.Header.Get(xhttp.AmzStorageClass); sc != "" {
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
// You should have received a copy of the GNU Affero General Public License
|
// You should have received a copy of the GNU Affero General Public License
|
||||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
package cmd
|
package sse
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/xml"
|
"encoding/xml"
|
||||||
@ -29,16 +29,16 @@ import (
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
// AES256 is used with SSE-S3
|
// AES256 is used with SSE-S3
|
||||||
AES256 SSEAlgorithm = "AES256"
|
AES256 Algorithm = "AES256"
|
||||||
// AWSKms is used with SSE-KMS
|
// AWSKms is used with SSE-KMS
|
||||||
AWSKms SSEAlgorithm = "aws:kms"
|
AWSKms Algorithm = "aws:kms"
|
||||||
)
|
)
|
||||||
|
|
||||||
// SSEAlgorithm - represents valid SSE algorithms supported; currently only AES256 is supported
|
// Algorithm - represents valid SSE algorithms supported; currently only AES256 is supported
|
||||||
type SSEAlgorithm string
|
type Algorithm string
|
||||||
|
|
||||||
// UnmarshalXML - Unmarshals XML tag to valid SSE algorithm
|
// UnmarshalXML - Unmarshals XML tag to valid SSE algorithm
|
||||||
func (alg *SSEAlgorithm) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
|
func (alg *Algorithm) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
|
||||||
var s string
|
var s string
|
||||||
if err := d.DecodeElement(&s, &start); err != nil {
|
if err := d.DecodeElement(&s, &start); err != nil {
|
||||||
return err
|
return err
|
||||||
@ -57,18 +57,18 @@ func (alg *SSEAlgorithm) UnmarshalXML(d *xml.Decoder, start xml.StartElement) er
|
|||||||
}
|
}
|
||||||
|
|
||||||
// MarshalXML - Marshals given SSE algorithm to valid XML
|
// MarshalXML - Marshals given SSE algorithm to valid XML
|
||||||
func (alg *SSEAlgorithm) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
|
func (alg *Algorithm) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
|
||||||
return e.EncodeElement(string(*alg), start)
|
return e.EncodeElement(string(*alg), start)
|
||||||
}
|
}
|
||||||
|
|
||||||
// EncryptionAction - for ApplyServerSideEncryptionByDefault XML tag
|
// EncryptionAction - for ApplyServerSideEncryptionByDefault XML tag
|
||||||
type EncryptionAction struct {
|
type EncryptionAction struct {
|
||||||
Algorithm SSEAlgorithm `xml:"SSEAlgorithm,omitempty"`
|
Algorithm Algorithm `xml:"SSEAlgorithm,omitempty"`
|
||||||
MasterKeyID string `xml:"KMSMasterKeyID,omitempty"`
|
MasterKeyID string `xml:"KMSMasterKeyID,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// SSERule - for ServerSideEncryptionConfiguration XML tag
|
// Rule - for ServerSideEncryptionConfiguration XML tag
|
||||||
type SSERule struct {
|
type Rule struct {
|
||||||
DefaultEncryptionAction EncryptionAction `xml:"ApplyServerSideEncryptionByDefault"`
|
DefaultEncryptionAction EncryptionAction `xml:"ApplyServerSideEncryptionByDefault"`
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -78,7 +78,7 @@ const xmlNS = "http://s3.amazonaws.com/doc/2006-03-01/"
|
|||||||
type BucketSSEConfig struct {
|
type BucketSSEConfig struct {
|
||||||
XMLNS string `xml:"xmlns,attr,omitempty"`
|
XMLNS string `xml:"xmlns,attr,omitempty"`
|
||||||
XMLName xml.Name `xml:"ServerSideEncryptionConfiguration"`
|
XMLName xml.Name `xml:"ServerSideEncryptionConfiguration"`
|
||||||
Rules []SSERule `xml:"Rule"`
|
Rules []Rule `xml:"Rule"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ParseBucketSSEConfig - Decodes given XML to a valid default bucket encryption config
|
// ParseBucketSSEConfig - Decodes given XML to a valid default bucket encryption config
|
||||||
@ -114,24 +114,35 @@ func ParseBucketSSEConfig(r io.Reader) (*BucketSSEConfig, error) {
|
|||||||
return &config, nil
|
return &config, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ApplyOptions ask for specific features to be enabled,
|
||||||
|
// when bucketSSEConfig is empty.
|
||||||
|
type ApplyOptions struct {
|
||||||
|
AutoEncrypt bool
|
||||||
|
Passthrough bool // Set to 'true' for S3 gateway mode.
|
||||||
|
}
|
||||||
|
|
||||||
// Apply applies the SSE bucket configuration on the given HTTP headers and
|
// Apply applies the SSE bucket configuration on the given HTTP headers and
|
||||||
// sets the specified SSE headers.
|
// sets the specified SSE headers.
|
||||||
//
|
//
|
||||||
// Apply does not overwrite any existing SSE headers. Further, it will
|
// Apply does not overwrite any existing SSE headers. Further, it will
|
||||||
// set minimal SSE-KMS headers if autoEncrypt is true and the BucketSSEConfig
|
// set minimal SSE-KMS headers if autoEncrypt is true and the BucketSSEConfig
|
||||||
// is nil.
|
// is nil.
|
||||||
func (b *BucketSSEConfig) Apply(headers http.Header, autoEncrypt bool) {
|
func (b *BucketSSEConfig) Apply(headers http.Header, opts ApplyOptions) {
|
||||||
if _, ok := crypto.IsRequested(headers); ok {
|
if _, ok := crypto.IsRequested(headers); ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if b == nil {
|
if b == nil {
|
||||||
if autoEncrypt {
|
if opts.AutoEncrypt {
|
||||||
|
if !opts.Passthrough {
|
||||||
headers.Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
headers.Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
||||||
|
} else {
|
||||||
|
headers.Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
switch b.Algorithm() {
|
switch b.Algo() {
|
||||||
case xhttp.AmzEncryptionAES:
|
case xhttp.AmzEncryptionAES:
|
||||||
headers.Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
headers.Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
||||||
case xhttp.AmzEncryptionKMS:
|
case xhttp.AmzEncryptionKMS:
|
||||||
@ -140,8 +151,8 @@ func (b *BucketSSEConfig) Apply(headers http.Header, autoEncrypt bool) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Algorithm returns the SSE algorithm specified by the SSE configuration.
|
// Algo returns the SSE algorithm specified by the SSE configuration.
|
||||||
func (b *BucketSSEConfig) Algorithm() SSEAlgorithm {
|
func (b *BucketSSEConfig) Algo() Algorithm {
|
||||||
for _, rule := range b.Rules {
|
for _, rule := range b.Rules {
|
||||||
return rule.DefaultEncryptionAction.Algorithm
|
return rule.DefaultEncryptionAction.Algorithm
|
||||||
}
|
}
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
// You should have received a copy of the GNU Affero General Public License
|
// You should have received a copy of the GNU Affero General Public License
|
||||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
package cmd
|
package sse
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
@ -30,7 +30,7 @@ func TestParseBucketSSEConfig(t *testing.T) {
|
|||||||
XMLName: xml.Name{
|
XMLName: xml.Name{
|
||||||
Local: "ServerSideEncryptionConfiguration",
|
Local: "ServerSideEncryptionConfiguration",
|
||||||
},
|
},
|
||||||
Rules: []SSERule{
|
Rules: []Rule{
|
||||||
{
|
{
|
||||||
DefaultEncryptionAction: EncryptionAction{
|
DefaultEncryptionAction: EncryptionAction{
|
||||||
Algorithm: AES256,
|
Algorithm: AES256,
|
||||||
@ -44,7 +44,7 @@ func TestParseBucketSSEConfig(t *testing.T) {
|
|||||||
XMLName: xml.Name{
|
XMLName: xml.Name{
|
||||||
Local: "ServerSideEncryptionConfiguration",
|
Local: "ServerSideEncryptionConfiguration",
|
||||||
},
|
},
|
||||||
Rules: []SSERule{
|
Rules: []Rule{
|
||||||
{
|
{
|
||||||
DefaultEncryptionAction: EncryptionAction{
|
DefaultEncryptionAction: EncryptionAction{
|
||||||
Algorithm: AES256,
|
Algorithm: AES256,
|
||||||
@ -58,7 +58,7 @@ func TestParseBucketSSEConfig(t *testing.T) {
|
|||||||
XMLName: xml.Name{
|
XMLName: xml.Name{
|
||||||
Local: "ServerSideEncryptionConfiguration",
|
Local: "ServerSideEncryptionConfiguration",
|
||||||
},
|
},
|
||||||
Rules: []SSERule{
|
Rules: []Rule{
|
||||||
{
|
{
|
||||||
DefaultEncryptionAction: EncryptionAction{
|
DefaultEncryptionAction: EncryptionAction{
|
||||||
Algorithm: AWSKms,
|
Algorithm: AWSKms,
|
||||||
|
Loading…
Reference in New Issue
Block a user