mirror of https://github.com/minio/minio.git synced 2025-01-14 16:25:01 -05:00
Commit Graph

203 Commits

Author SHA1 Message Date
Sveinn
1fc4203c19
Webhook targets refactor and bug fixes ()
- old version was unable to retain messages during config reload
- old version could not go from memory to disk during reload
- new version can batch disk queue entries to single for to reduce I/O load
- error logging has been improved, previous version would miss certain errors.
- logic for spawning/despawning additional workers has been adjusted to trigger when half capacity is reached, instead of when the log queue becomes full.
- old version would json marshal x2 and unmarshal 1x for every log item. Now we only do marshal x1 and then we GetRaw from the store and send it without having to re-marshal.
2024-03-25 09:44:20 -07:00
Krishnan Parthasarathi
b69bcdcdc4
Fix ilm config at startup ()
Remove api.expiration_workers config setting which was inadvertently left behind. Per review comment https://github.com/minio/minio/pull/18926, expiration_workers can be configured via ilm.expiration_workers.
2024-03-04 18:50:24 -08:00
Krishnan Parthasarathi
a7577da768
Improve expiration of tiered objects ()
- Use a shared worker pool for all ILM expiry tasks
- Free version cleanup executes in a separate goroutine
- Add a free version only if removing the remote object fails
- Add ILM expiry metrics to the node namespace
- Move tier journal tasks to expiryState
- Remove unused on-disk journal for tiered objects pending deletion
- Distribute expiry tasks across workers such that the expiry of versions of
  the same object is serialized
- Ability to resize worker pool without server restart
- Make scaling down of expiryState workers' concurrency safe; Thanks
  @klauspost
- Add error logs when expiryState and transition state are not
  initialized (yet)
* metrics: Add missed tier journal entry tasks
* Initialize the ILM worker pool after the object layer
2024-03-01 21:11:03 -08:00
Andreas Auernhammer
09626d78ff
automatically generate root credentials with KMS ()
With this commit, MinIO generates root credentials automatically
and deterministically if:

 - No root credentials have been set.
 - A KMS (KES) is configured.
 - API access for the root credentials is disabled (lockdown mode).

Before, MinIO defaults to `minioadmin` for both the access and
secret keys. Now, MinIO generates unique root credentials
automatically on startup using the KMS.

Therefore, it uses the KMS HMAC function to generate pseudo-random
values. These values never change as long as the KMS key remains
the same, and the KMS key must continue to exist since all IAM data
is encrypted with it.

Backward compatibility:

This commit should not cause existing deployments to break. It only
changes the root credentials of deployments that have a KMS configured
(KES, not a static key) but have not set any admin credentials. Such
implementations should be rare or not exist at all.

Even if the worst case would be updating root credentials in mc
or other clients used to administer the cluster. Root credentials
are anyway not intended for regular S3 operations.

Signed-off-by: Andreas Auernhammer <github@aead.dev>
2024-03-01 13:09:42 -08:00
Harshavardhana
afd19de5a9
fix: allow configuring excess versions alerting ()
Bonus: enable audit alerts for object versions
beyond the configured value, default is '100'
versions per object beyond which scanner will
alert for each such object.
2024-02-11 23:41:53 -08:00
Harshavardhana
dd2542e96c
add codespell action ()
Original work here, ,  refixed and updated.
2024-01-17 23:03:17 -08:00
Anis Eleuch
7705605b5a
scanner: Add a config to disable short sleep between objects scan ()
Add a hidden configuration under the scanner sub section to configure if
the scanner should sleep between two objects scan. The configuration has
only effect when there is no drive activity related to s3 requests or
healing.

By default, the code will keep the current behavior which is doing
sleep between objects.

To forcefully enable the full scan speed in idle mode, you can do this:

   `mc admin config set myminio scanner idle_speed=full`
2024-01-04 15:07:17 -08:00
Pedro Juarez
8f13c8c3bf
Support to store browser config settings ()
* csp_policy
* hsts_seconds
* hsts_include_subdomains
* hsts_preload
* referrer_policy
2024-01-01 08:36:33 -08:00
Harshavardhana
eba23bbac4
rename object_size -> block_size for cache subsystem () 2023-12-21 16:57:13 -08:00
Krishnan Parthasarathi
a50f26b7f5
Implement batch-expiration for objects ()
Based on an initial PR from -
https://github.com/minio/minio/pull/17792

But fully completes it with newer finalized YAML spec.
2023-12-02 02:51:33 -08:00
jiuker
be02333529
feat: drive sub-sys to max timeout reload () 2023-11-27 09:15:06 -08:00
Shireesh Anjal
11dc723324
Pass SUBNET URL to console ()
When minio runs with MINIO_CI_CD=on, it is expected to communicate
with the locally running SUBNET. This is happening in the case of MinIO
via call home functionality. However, the subnet-related functionality inside the
console continues to talk to the SUBNET production URL. Because of this,
the console cannot be tested with a locally running SUBNET.

Set the env variable CONSOLE_SUBNET_URL correctly in such cases. 
(The console already has code to use the value of this variable
as the subnet URL)
2023-11-24 09:59:35 -08:00
Harshavardhana
fba883839d
feat: bring new HDD related performance enhancements ()
Optionally allows customers to enable 

- Enable an external cache to catch GET/HEAD responses 
- Enable skipping disks that are slow to respond in GET/HEAD 
  when we have already achieved a quorum
2023-11-22 13:46:17 -08:00
Harshavardhana
6829ae5b13
completely remove drive caching layer from gateway days ()
This has already been deprecated for close to a year now.
2023-10-11 21:18:17 -07:00
Aditya Manthramurthy
1c99fb106c
Update to minio/pkg/v2 () 2023-09-04 12:57:37 -07:00
Harshavardhana
af564b8ba0
allow bootstrap to capture time-spent for each initializers () 2023-08-23 03:07:06 -07:00
Praveen raj Mani
0285df5a02
fix: prioritize audit_webhook and logger_webhook ENVs over the config KVS () 2023-08-03 02:47:07 -07:00
Praveen raj Mani
b94ab07c2f
Honor global root CAs for kafka audit tls ()
honor global root CAs for kafka audit tls
2023-06-21 10:50:40 -07:00
Aditya Manthramurthy
5a1612fe32
Bump up madmin-go and pkg deps () 2023-06-19 17:53:08 -07:00
jiuker
d749aaab69
fix: ignore existing target status when adding new targets () 2023-05-24 22:57:37 -07:00
Praveen raj Mani
57acacd5a7
Support persistent queue store for loggers () 2023-05-08 21:20:31 -07:00
Harshavardhana
901887e6bf
feat: add lambda transformation functions target () 2023-03-07 08:12:41 -08:00
Aditya Manthramurthy
7777d3b43a
Remove globalSTSTLSConfig () 2023-02-26 23:37:00 -08:00
Harshavardhana
aa8b9572b9
remove double ENABLED help output () 2023-02-03 05:52:52 -08:00
Harshavardhana
b4ef5ff294
remove unnecessary code checking for supported features () 2023-01-17 19:37:47 +05:30
Anis Elleuch
34167c51d5
trace: Add bootstrap tracing events () 2022-12-21 15:52:29 -08:00
Anis Elleuch
e57e946206
Do not save credentials in config.json () 2022-12-19 12:27:06 -08:00
Klaus Post
b4f71362e9
Avoid config migration on every startup () 2022-12-19 11:10:14 -08:00
Aditya Manthramurthy
9e6cc847f8
Add HTTP2 config option for policy plugin () 2022-12-13 14:28:48 -08:00
Aditya Manthramurthy
2d60bf8c50
Refactor HTTP transports () 2022-12-12 20:31:21 -08:00
Aditya Manthramurthy
a30cfdd88f
Bump up madmin-go to v2 () 2022-12-06 13:46:50 -08:00
Harshavardhana
71133105d7
re-order the top-level config keys for priority () 2022-12-01 07:50:08 -08:00
Shireesh Anjal
98a67a3776
Improvements in logger and audit webhooks () 2022-11-28 08:03:26 -08:00
Harshavardhana
ec77d28e62
make subnet subsys dynamic and simplify callhome () 2022-10-27 00:20:01 -07:00
Harshavardhana
23b329b9df
remove gateway completely () 2022-10-24 17:44:15 -07:00
Aditya Manthramurthy
64cf887b28
use LDAP config from minio/pkg to share with console () 2022-10-07 22:12:36 -07:00
Anis Elleuch
86bb48792c
non-blocking initialization of bucket target notifications () 2022-09-27 17:23:28 -07:00
Harshavardhana
94dbb4a427
fix: generalize SC config and also skip healing sub-sys under SD () 2022-09-26 09:04:54 -07:00
Harshavardhana
9d6fddcfdf
persist the non-default creds in config () 2022-09-21 16:14:47 -07:00
Aditya Manthramurthy
afbb63a197
Factor out external event notification funcs ()
This change moves external event notification functionality into
`event-notification.go`. This simplifies notification related code.
2022-08-24 06:42:36 -07:00
Harshavardhana
1823ab6808
LDAP/OpenID must be initialized IAM Init() ()
This allows for LDAP/OpenID to be non-blocking,
allowing for unreachable Identity targets to be
initialized in IAM.
2022-08-08 16:16:27 -07:00
Harshavardhana
7b9b7cef11
add license banner for GNU AGPLv3 ()
Bonus: rewrite subnet re-use of Transport
2022-06-27 03:58:25 -07:00
Aditya Manthramurthy
7f629df4d5
Add generic function to retrieve config value with metadata ()
`config.ResolveConfigParam` returns the value of a configuration for any
subsystem based on checking env, config store, and default value. Also returns info
about which config source returned the value.

This is useful to return info about config params overridden via env in the user
APIs. Currently implemented only for OpenID subsystem, but will be extended for
others subsequently.
2022-06-17 11:39:21 -07:00
Shireesh Anjal
4ce81fd07f
Add periodic callhome functionality ()
* Add periodic callhome functionality

Periodically (every 24hrs by default), fetch callhome information and
upload it to SUBNET.

New config keys under the `callhome` subsystem:

enable - Set to `on` for enabling callhome. Default `off`
frequency - Interval between callhome cycles. Default `24h`

* Improvements based on review comments

- Update `enableCallhome` safely
- Rename pctx to ctx
- Block during execution of callhome
- Store parsed proxy URL in global subnet config
- Store callhome URL(s) in constants
- Use existing global transport
- Pass auth token to subnetPostReq
- Use `config.EnableOn` instead of `"on"`

* Use atomic package instead of lock

* Use uber atomic package

* Use `Cancel` instead of `cancel`

Co-authored-by: Harshavardhana <harsha@minio.io>

Co-authored-by: Harshavardhana <harsha@minio.io>
Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
2022-06-06 16:14:52 -07:00
Aditya Manthramurthy
464b9d7c80
Add support for Identity Management Plugin ()
- Adds an STS API `AssumeRoleWithCustomToken` that can be used to 
  authenticate via the Id. Mgmt. Plugin.
- Adds a sample identity manager plugin implementation
- Add doc for plugin and STS API
- Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-26 17:58:09 -07:00
Harshavardhana
fd46a1c3b3
fix: some races when accessing ldap/openid config globally () 2022-05-25 18:32:53 -07:00
Harshavardhana
9341201132
logger lock should be more granular ()
This PR simplifies a few things by splitting
the locks between audit, logger targets to
avoid potential contention between them.

any failures inside audit/logger HTTP
targets must only log to console instead
of other targets to avoid cyclical dependency.

avoids unneeded atomic variables instead
uses RWLock to differentiate a more common
read phase v/s lock phase.
2022-05-12 07:20:58 -07:00
Aditya Manthramurthy
83071a3459
Add support for Access Management Plugin ()
- This change renames the OPA integration as Access Management Plugin - there is
nothing specific to OPA in the integration, it is just a webhook.

- OPA configuration is automatically migrated to Access Management Plugin and
OPA specific configuration is marked as deprecated.

- OPA doc is updated and moved.
2022-05-10 17:14:55 -07:00
Aditya Manthramurthy
2b7e75e079
Add OPA doc and remove deprecation marking () 2022-05-04 23:53:42 -07:00
Aditya Manthramurthy
0e502899a8
Add support for multiple OpenID providers with role policies ()
- When using multiple providers, claim-based providers are not allowed. All
providers must use role policies.

- Update markdown config to allow `details` HTML element
2022-04-28 18:27:09 -07:00