MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

sr: use site replicator svcacct to sign STS session tokens (#19111)

Browse Source 
This change is to decouple need for root credentials to match between
 site replication deployments.

 Also ensuring site replication config initialization is re-tried until
 it succeeds, this deoendency is critical to STS flow in site replication
 scenario.
This commit is contained in:
Poorna
2024-02-26 13:26:18 -08:00
committed by Harshavardhana
parent 30c2596512
commit b1351e2dee
8 changed files with 148 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/site-replication/README.md
View File

@@ -22,7 +22,7 @@ The following Bucket features will **not be replicated**, is designed to differ
## Pre-requisites
- Initially, only **one** of the sites added for replication may have data. After site-replication is successfully configured, this data is replicated to the other (initially empty) sites. Subsequently, objects may be written to any of the sites, and they will be replicated to all other sites.
- All sites **must** have the same deployment credentials (i.e. `MINIO_ROOT_USER`, `MINIO_ROOT_PASSWORD`).
- **Removing a site** is not allowed from a set of replicated sites once configured.
- All sites must be using the **same** external IDP(s) if any.
- For [SSE-S3 or SSE-KMS encryption via KMS](https://min.io/docs/minio/linux/operations/server-side-encryption.html "MinIO KMS Guide"), all sites **must** have access to a central KMS deployment. This can be achieved via a central KES server or multiple KES servers (say one per site) connected via a central KMS (Vault) server.
@@ -56,3 +56,8 @@ mc admin replicate add minio1 minio2 minio3
```sh
mc admin replicate info minio1
```
** Note **
Previously, site replication required the root credentials of peer sites to be identical. This is no longer necessary because STS tokens are now signed with the site replicator service account credentials, thus allowing flexibility in the independent management of root accounts across sites and the ability to disable root accounts eventually.
However, this means that STS tokens signed previously by root credentials will no longer be valid upon upgrading to the latest version with this change. Please re-generate them as you usually do. Additionally, if site replication is ever removed - the STS tokens will become invalid, regenerate them as you usually do.

3
docs/site-replication/run-multi-site-oidc.sh
View File

@@ -6,13 +6,10 @@ exit_1() {
echo "minio1 ============"
cat /tmp/minio1_1.log
cat /tmp/minio1_2.log
echo "minio2 ============"
cat /tmp/minio2_1.log
cat /tmp/minio2_2.log
echo "minio3 ============"
cat /tmp/minio3_1.log
cat /tmp/minio3_2.log
exit 1
}