Update site replication docs (#14044)

- Now OpenID external IDP is also supported for site replication.

- IAM users/groups are also replicated
Aditya Manthramurthy 2022-01-06 17:53:23 -08:00 committed by GitHub
parent 2d31d92271
commit 62dc0f7698
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2,9 +2,9 @@
This feature allows multiple independent MinIO sites (or clusters) that are using the same external IDentity Provider (IDP) to be configured as replicas. In this situation the set of replica sites are referred to as peer sites or just sites. When site-replication is enabled on a set of sites, the following changes are replicated to all other sites: This feature allows multiple independent MinIO sites (or clusters) that are using the same external IDentity Provider (IDP) to be configured as replicas. In this situation the set of replica sites are referred to as peer sites or just sites. When site-replication is enabled on a set of sites, the following changes are replicated to all other sites:
- Creation and deletion of buckets and objects - Creation and deletion of buckets and objects
- Creation and deletion of all IAM policies - Creation and deletion of all IAM users, groups, policies and their mappings to users or groups
- Creation of STS credentials - Creation of STS credentials
- Creation and deletion of service accounts (for users authenticated by an external IDP) - Creation and deletion of service accounts (except those owned by the root user)
- Changes to Bucket features such as: - Changes to Bucket features such as:
- Bucket Policies - Bucket Policies
- Bucket Tags - Bucket Tags
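Review bot: the opening sentence of this hunk still describes the sites as ones "that are using the same external IDentity Provider (IDP)", while the edited bullets now replicate IAM users, groups, policies and their mappings, which makes an external IDP a supported option rather than a precondition; suggest rewording to "multiple independent MinIO sites (or clusters) to be configured as replicas" and leaving the IDP condition to the pre-requisites section. The service-account bullet also changes from "for users authenticated by an external IDP" to "except those owned by the root user" with no explanation; add a sentence saying why root-owned service accounts are excluded and what an operator who needs them on every site should do, since readers of the previous text will otherwise assume they are replicated.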
@ -21,13 +21,12 @@ The following Bucket features will **not be replicated**, is designed to differ
## Pre-requisites ## Pre-requisites
- Initially, only **one** of the sites added for replication may have data. After site-replication is successfully configured, this data is replicated to the other (initially empty) sites. Subsequently, objects may be written to any of the sites, and they will be replicated to all other sites. - Initially, only **one** of the sites added for replication may have data. After site-replication is successfully configured, this data is replicated to the other (initially empty) sites. Subsequently, objects may be written to any of the sites, and they will be replicated to all other sites.
- Replication of **LDAP IDP** is currently supported, support for OIDC (OpenID) is in progress. - All sites **must** have the same deployment credentials (i.e. `MINIO_ROOT_USER`, `MINIO_ROOT_PASSWORD`).
- All sites **must** have the same deployment credentials, i.e (MINIO_ROOT_USER, MINIO_ROOT_PASSWORD).
- **Removing a site** is not allowed from a set of replicated sites once configured. - **Removing a site** is not allowed from a set of replicated sites once configured.
- [SSE-S3 or SSE-KMS encryption via KMS](https://docs.min.io/docs/minio-kms-quickstart-guide.html "MinIO KMS Guide"), all sites **must** have access to a central KMS deployment. This can be achieved via a central KES server or multiple KES servers (say one per site) connected via a central KMS (Vault) server. - All sites must be using the **same** external IDP(s) if any.
- For [SSE-S3 or SSE-KMS encryption via KMS](https://docs.min.io/docs/minio-kms-quickstart-guide.html "MinIO KMS Guide"), all sites **must** have access to a central KMS deployment. This can be achieved via a central KES server or multiple KES servers (say one per site) connected via a central KMS (Vault) server.
## Configuring Site Replication ## Configuring Site Replication
To configure site replication, ensure that all MinIO sites are using the same external IDP.
- Configure an alias in `mc` for each of the sites. For example if you have three MinIO sites, you may run: - Configure an alias in `mc` for each of the sites. For example if you have three MinIO sites, you may run:
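Review bot: the new pre-requisite "All sites must be using the **same** external IDP(s) if any" makes an external IDP optional, but the unchanged sentence in the same hunk, "To configure site replication, ensure that all MinIO sites are using the same external IDP.", still presents it as mandatory; align it, e.g. "ensure that all MinIO sites are using the same external IDP(s), if any." The "same deployment credentials" bullet would also benefit from a one-line caveat: because `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` are shared and, after this change, IAM users, groups, policies and their mappings are replicated, any credential or policy change made on one site takes effect on every peer, so the set of sites should be treated as a single security boundary when granting access.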