maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
minio/cmd/object-handlers.go

2243 lines
71 KiB
Go
Raw Normal View History

Update minioapi documentation
2015-02-24 01:46:48 +01:00
/*
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
* Minio Cloud Storage, (C) 2015-2018 Minio, Inc.
Update minioapi documentation
2015-02-24 01:46:48 +01:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Update minioapi documentation
2015-02-24 01:46:48 +01:00
* See the License for the specific language governing permissions and
* limitations under the License.
*/
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
2016-08-19 01:23:42 +02:00
package cmd
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
import (
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"context"
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
"crypto/hmac"
"encoding/binary"
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
"encoding/hex"
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
"encoding/xml"
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
"io"
goioutil "io/ioutil"
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
"net"
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
"net/http"
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
"net/url"
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
"sort"
Change CreateObject() to take size argument from content-length
2015-05-04 08:16:10 +02:00
"strconv"
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
"strings"
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
snappy "github.com/golang/snappy"
use package name correctly (#5827)
2018-04-22 04:23:54 +02:00
"github.com/gorilla/mux"
Performance improvements by re-using record buffer (#6622) Avoid unnecessary pointer reference allocations when not needed, for example - *SelectFuncs{} - *Row{}
2018-10-31 04:18:01 +01:00
"github.com/klauspost/readahead"
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
miniogo "github.com/minio/minio-go"
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
"github.com/minio/minio/cmd/crypto"
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"github.com/minio/minio/cmd/logger"
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
"github.com/minio/minio/pkg/dns"
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
"github.com/minio/minio/pkg/event"
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
"github.com/minio/minio/pkg/handlers"
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
"github.com/minio/minio/pkg/hash"
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
"github.com/minio/minio/pkg/ioutil"
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
"github.com/minio/minio/pkg/policy"
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
"github.com/minio/minio/pkg/s3select"
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
sha256 "github.com/minio/sha256-simd"
"github.com/minio/sio"
Handle partNumberMarker with listObjectParts now and other fixes
2015-05-10 04:39:00 +02:00
)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
// supportedHeadGetReqParams - supported request parameters for GET and HEAD presigned request.
var supportedHeadGetReqParams = map[string]string{
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
"response-expires": "Expires",
"response-content-type": "Content-Type",
"response-cache-control": "Cache-Control",
handlers: GetObject and HeadObject support more responses. (#2403) - response-content-encoding. - response-content-language. Fixes #2393
2016-08-11 02:36:28 +02:00
"response-content-encoding": "Content-Encoding",
"response-content-language": "Content-Language",
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
"response-content-disposition": "Content-Disposition",
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
const (
compressionAlgorithmV1 = "golang/snappy/LZ77"
)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
// setHeadGetRespHeaders - set any requested parameters as response headers.
func setHeadGetRespHeaders(w http.ResponseWriter, reqParams url.Values) {
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
for k, v := range reqParams {
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
if header, ok := supportedHeadGetReqParams[k]; ok {
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
w.Header()[header] = v
}
}
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
// SelectObjectContentHandler - GET Object?select
// ----------
// This implementation of the GET operation retrieves object content based
// on an SQL expression. In the request, along with the sql expression, you must
// also specify a data serialization format (JSON, CSV) of the object.
func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "SelectObject")
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "SelectObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
// Fetch object stat info.
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r))
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
vars := mux.Vars(r)
bucket := vars["bucket"]
object := vars["object"]
// Check for auth type to return S3 compatible error.
// type to return the correct error (NoSuchKey vs AccessDenied)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
// As per "Permission" section in
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if globalPolicySys.IsAllowed(policy.Args{
Action: policy.ListBucketAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, ""),
IsOwner: false,
}) {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
_, err := getObjectInfo(ctx, bucket, object, ObjectOptions{})
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if toAPIErrorCode(ctx, err) == ErrNoSuchKey {
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
s3Error = ErrNoSuchKey
}
}
}
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Get request range.
rangeHeader := r.Header.Get("Range")
if rangeHeader != "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrUnsupportedRangeHeader, r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if r.ContentLength <= 0 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrEmptyRequestBody, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
var selectReq s3select.ObjectSelectRequest
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if err := xmlDecoder(r.Body, &selectReq, r.ContentLength); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMalformedXML, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if !strings.EqualFold(string(selectReq.ExpressionType), "SQL") {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidExpressionType, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if len(selectReq.Expression) >= s3select.MaxExpressionLength {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrExpressionTooLong, r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var opts ObjectOptions
gr, err := getObjectNInfo(ctx, bucket, object, nil, r.Header, readLock, opts)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
defer gr.Close()
objInfo := gr.ObjInfo
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.InputSerialization.CompressionType == s3select.SelectCompressionGZIP {
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if !strings.Contains(objInfo.ContentType, "gzip") {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidDataSource, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.InputSerialization.CompressionType == s3select.SelectCompressionBZIP {
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if !strings.Contains(objInfo.ContentType, "bzip") {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidDataSource, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.InputSerialization.CompressionType == "" {
selectReq.InputSerialization.CompressionType = s3select.SelectCompressionNONE
if !strings.Contains(objInfo.ContentType, "text/csv") && !strings.Contains(objInfo.ContentType, "application/json") {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidDataSource, r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
}
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
if !strings.EqualFold(string(selectReq.ExpressionType), "SQL") {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidExpressionType, r.URL, guessIsBrowserReq(r))
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
return
}
if len(selectReq.Expression) >= s3select.MaxExpressionLength {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrExpressionTooLong, r.URL, guessIsBrowserReq(r))
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
return
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.InputSerialization.CSV == nil && selectReq.InputSerialization.JSON == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidRequestParameter, r.URL, guessIsBrowserReq(r))
select API CSV may not be specified (#6493) This should be present until we support JSON
2018-09-20 11:34:26 +02:00
return
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.OutputSerialization.CSV == nil && selectReq.OutputSerialization.JSON == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidRequestParameter, r.URL, guessIsBrowserReq(r))
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
return
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.InputSerialization.CSV != nil {
if selectReq.InputSerialization.CSV.FileHeaderInfo != s3select.CSVFileHeaderInfoUse &&
selectReq.InputSerialization.CSV.FileHeaderInfo != s3select.CSVFileHeaderInfoNone &&
selectReq.InputSerialization.CSV.FileHeaderInfo != s3select.CSVFileHeaderInfoIgnore &&
selectReq.InputSerialization.CSV.FileHeaderInfo != "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidFileHeaderInfo, r.URL, guessIsBrowserReq(r))
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
}
if selectReq.OutputSerialization.CSV.QuoteFields != s3select.CSVQuoteFieldsAlways &&
selectReq.OutputSerialization.CSV.QuoteFields != s3select.CSVQuoteFieldsAsNeeded &&
selectReq.OutputSerialization.CSV.QuoteFields != "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidQuoteFields, r.URL, guessIsBrowserReq(r))
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
}
if len(selectReq.InputSerialization.CSV.RecordDelimiter) > 2 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidRequestParameter, r.URL, guessIsBrowserReq(r))
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
}
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if selectReq.InputSerialization.JSON != nil {
Performance improvements to SELECT API on certain query operations (#6752) This improves the performance of certain queries dramatically, such as 'count(*)' etc. Without this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m42.464s user 0m0.071s sys 0m0.010s ``` With this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m17.603s user 0m0.093s sys 0m0.008s ``` Almost a 250% improvement in performance. This PR avoids a lot of type conversions and instead relies on raw sequences of data and interprets them lazily. ``` benchcmp old new benchmark old ns/op new ns/op delta BenchmarkSQLAggregate_100K-4 551213 259782 -52.87% BenchmarkSQLAggregate_1M-4 6981901985 2432413729 -65.16% BenchmarkSQLAggregate_2M-4 13511978488 4536903552 -66.42% BenchmarkSQLAggregate_10M-4 68427084908 23266283336 -66.00% benchmark old allocs new allocs delta BenchmarkSQLAggregate_100K-4 2366 485 -79.50% BenchmarkSQLAggregate_1M-4 47455492 21462860 -54.77% BenchmarkSQLAggregate_2M-4 95163637 43110771 -54.70% BenchmarkSQLAggregate_10M-4 476959550 216906510 -54.52% benchmark old bytes new bytes delta BenchmarkSQLAggregate_100K-4 1233079 1086024 -11.93% BenchmarkSQLAggregate_1M-4 2607984120 557038536 -78.64% BenchmarkSQLAggregate_2M-4 5254103616 1128149168 -78.53% BenchmarkSQLAggregate_10M-4 26443524872 5722715992 -78.36% ```
2018-11-15 00:55:10 +01:00
if selectReq.InputSerialization.JSON.Type != s3select.JSONLinesType {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidJSONType, r.URL, guessIsBrowserReq(r))
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
}
s3select should honour custom record delimiter (#6419) Allow custom delimiters like `\r\n`, `a`, `\r` etc in input csv and replace with `\n`. Fixes #6403
2018-09-10 18:20:28 +02:00
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Set encryption response headers
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if objectAPI.IsEncryptionSupported() {
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
if crypto.IsEncrypted(objInfo.UserDefined) {
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
}
Performance improvements by re-using record buffer (#6622) Avoid unnecessary pointer reference allocations when not needed, for example - *SelectFuncs{} - *Row{}
2018-10-31 04:18:01 +01:00
reader := readahead.NewReader(gr)
defer reader.Close()
Performance improvements to SELECT API on certain query operations (#6752) This improves the performance of certain queries dramatically, such as 'count(*)' etc. Without this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m42.464s user 0m0.071s sys 0m0.010s ``` With this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m17.603s user 0m0.093s sys 0m0.008s ``` Almost a 250% improvement in performance. This PR avoids a lot of type conversions and instead relies on raw sequences of data and interprets them lazily. ``` benchcmp old new benchmark old ns/op new ns/op delta BenchmarkSQLAggregate_100K-4 551213 259782 -52.87% BenchmarkSQLAggregate_1M-4 6981901985 2432413729 -65.16% BenchmarkSQLAggregate_2M-4 13511978488 4536903552 -66.42% BenchmarkSQLAggregate_10M-4 68427084908 23266283336 -66.00% benchmark old allocs new allocs delta BenchmarkSQLAggregate_100K-4 2366 485 -79.50% BenchmarkSQLAggregate_1M-4 47455492 21462860 -54.77% BenchmarkSQLAggregate_2M-4 95163637 43110771 -54.70% BenchmarkSQLAggregate_10M-4 476959550 216906510 -54.52% benchmark old bytes new bytes delta BenchmarkSQLAggregate_100K-4 1233079 1086024 -11.93% BenchmarkSQLAggregate_1M-4 2607984120 557038536 -78.64% BenchmarkSQLAggregate_2M-4 5254103616 1128149168 -78.53% BenchmarkSQLAggregate_10M-4 26443524872 5722715992 -78.36% ```
2018-11-15 00:55:10 +01:00
size := objInfo.Size
if objInfo.IsCompressed() {
size = objInfo.GetActualSize()
if size < 0 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, errInvalidDecompressedSize), r.URL, guessIsBrowserReq(r))
Performance improvements to SELECT API on certain query operations (#6752) This improves the performance of certain queries dramatically, such as 'count(*)' etc. Without this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m42.464s user 0m0.071s sys 0m0.010s ``` With this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m17.603s user 0m0.093s sys 0m0.008s ``` Almost a 250% improvement in performance. This PR avoids a lot of type conversions and instead relies on raw sequences of data and interprets them lazily. ``` benchcmp old new benchmark old ns/op new ns/op delta BenchmarkSQLAggregate_100K-4 551213 259782 -52.87% BenchmarkSQLAggregate_1M-4 6981901985 2432413729 -65.16% BenchmarkSQLAggregate_2M-4 13511978488 4536903552 -66.42% BenchmarkSQLAggregate_10M-4 68427084908 23266283336 -66.00% benchmark old allocs new allocs delta BenchmarkSQLAggregate_100K-4 2366 485 -79.50% BenchmarkSQLAggregate_1M-4 47455492 21462860 -54.77% BenchmarkSQLAggregate_2M-4 95163637 43110771 -54.70% BenchmarkSQLAggregate_10M-4 476959550 216906510 -54.52% benchmark old bytes new bytes delta BenchmarkSQLAggregate_100K-4 1233079 1086024 -11.93% BenchmarkSQLAggregate_1M-4 2607984120 557038536 -78.64% BenchmarkSQLAggregate_2M-4 5254103616 1128149168 -78.53% BenchmarkSQLAggregate_10M-4 26443524872 5722715992 -78.36% ```
2018-11-15 00:55:10 +01:00
return
}
}
s3s, err := s3select.New(reader, size, selectReq)
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
// Parses the select query and checks for an error
_, _, _, _, _, _, err = s3select.ParseSelect(s3s)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
s3select should honour custom record delimiter (#6419) Allow custom delimiters like `\r\n`, `a`, `\r` etc in input csv and replace with `\n`. Fixes #6403
2018-09-10 18:20:28 +02:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
// Executes the query on data-set
Do not call multiple response.WriteHeader calls (#6733) Execute method in s3Select package makes a response.WriteHeader call. Not calling it again in SelectObjectContentHandler function in case of error in s3Select.Execute call.
2018-10-31 22:09:26 +01:00
s3select.Execute(w, s3s)
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
// Get host and port from Request.RemoteAddr.
host, port, err := net.SplitHostPort(handlers.GetSourceIP(r))
if err != nil {
host, port = "", ""
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
}
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
// Notify object accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGet,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: host,
Port: port,
})
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// GetObjectHandler - GET Object
Update minioapi documentation
2015-02-24 01:46:48 +01:00
// ----------
// This implementation of the GET operation retrieves object. To use GET,
// you must have READ access to the object.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "GetObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "GetObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrBadRequest, r.URL, guessIsBrowserReq(r))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object := vars["object"]
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var (
opts ObjectOptions
err error
)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Check for auth type to return S3 compatible error.
// type to return the correct error (NoSuchKey vs AccessDenied)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// As per "Permission" section in
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if globalPolicySys.IsAllowed(policy.Args{
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
Action: policy.ListBucketAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, ""),
IsOwner: false,
}) {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if toAPIErrorCode(ctx, err) == ErrNoSuchKey {
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
s3Error = ErrNoSuchKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
}
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
}
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
return
}
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
}
// Get request range.
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
var rs *HTTPRangeSpec
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
rangeHeader := r.Header.Get("Range")
if rangeHeader != "" {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if rs, err = parseRequestRangeSpec(rangeHeader); err != nil {
// Handle only errInvalidRange. Ignore other
// parse error and treat it as regular Get
// request like Amazon S3.
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
if err == errInvalidRange {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidRange, r.URL, guessIsBrowserReq(r))
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
return
}
logger.LogIf(ctx, err)
}
}
Add ObjectOptions to GetObjectNInfo (#6533)
2018-09-27 12:06:45 +02:00
gr, err := getObjectNInfo(ctx, bucket, object, rs, r.Header, readLock, opts)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
object: checkETag compares quoted ETags properly (#1997) Previously, checkETag didn't handle ETags with leading and trailing double quotes. e.g "abcdef1234" == "\"abcdef1234\"" would return false. Now, checkETag function canonicalizes the ETags passed as arguments by removing one leading/trailing double quote.
2016-06-27 03:10:08 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
defer gr.Close()
Performance improvements by re-using record buffer (#6622) Avoid unnecessary pointer reference allocations when not needed, for example - *SelectFuncs{} - *Row{}
2018-10-31 04:18:01 +01:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
objInfo := gr.ObjInfo
object: checkETag compares quoted ETags properly (#1997) Previously, checkETag didn't handle ETags with leading and trailing double quotes. e.g "abcdef1234" == "\"abcdef1234\"" would return false. Now, checkETag function canonicalizes the ETags passed as arguments by removing one leading/trailing double quote.
2016-06-27 03:10:08 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if objectAPI.IsEncryptionSupported() {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
XL: bring in new storage API. (#1780) Fixes #1771
2016-05-29 00:13:15 +02:00
}
api: SourceInfo should be populated in GET/HEAD notification. (#4073) Refer https://github.com/minio/mc/issues/2073
2017-04-08 10:39:20 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Validate pre-conditions if any.
if checkPreconditions(w, r, objInfo) {
return
}
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
if crypto.IsEncrypted(objInfo.UserDefined) {
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
}
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if err = setObjectHeaders(w, objInfo, rs); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
setHeadGetRespHeaders(w, r.URL.Query())
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
statusCodeWritten := false
httpWriter := ioutil.WriteOnClose(w)
if rs != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
statusCodeWritten = true
w.WriteHeader(http.StatusPartialContent)
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Write object content to response body
if _, err = io.Copy(httpWriter, gr); err != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
if !httpWriter.HasWritten() && !statusCodeWritten { // write error response only if no data or headers has been written to client yet
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
}
XL: bring in new storage API. (#1780) Fixes #1771
2016-05-29 00:13:15 +02:00
return
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
if err = httpWriter.Close(); err != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
if !httpWriter.HasWritten() && !statusCodeWritten { // write error response only if no data or headers has been written to client yet
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
return
}
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
api: SourceInfo should be populated in GET/HEAD notification. (#4073) Refer https://github.com/minio/mc/issues/2073
2017-04-08 10:39:20 +02:00
// Get host and port from Request.RemoteAddr.
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
host, port, err := net.SplitHostPort(handlers.GetSourceIP(r))
api: SourceInfo should be populated in GET/HEAD notification. (#4073) Refer https://github.com/minio/mc/issues/2073
2017-04-08 10:39:20 +02:00
if err != nil {
host, port = "", ""
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
// Notify object accessed via a GET request.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Add content-length as part of event notification structure (#6341) Fixes #6321
2018-08-23 23:40:54 +02:00
EventName: event.ObjectAccessedGet,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: host,
Port: port,
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// HeadObjectHandler - HEAD Object
Update minioapi documentation
2015-02-24 01:46:48 +01:00
// -----------
// The HEAD operation retrieves metadata from an object without returning the object itself.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "HeadObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "HeadObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeErrorResponseHeadersOnly(w, ErrServerNotInitialized)
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrBadRequest, r.URL, guessIsBrowserReq(r))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object := vars["object"]
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 22:48:58 +02:00
getObjectInfo := objectAPI.GetObjectInfo
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
if api.CacheAPI() != nil {
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 22:48:58 +02:00
getObjectInfo = api.CacheAPI().GetObjectInfo
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var (
opts ObjectOptions
err error
)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// As per "Permission" section in
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if globalPolicySys.IsAllowed(policy.Args{
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
Action: policy.ListBucketAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, ""),
IsOwner: false,
}) {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if toAPIErrorCode(ctx, err) == ErrNoSuchKey {
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
s3Error = ErrNoSuchKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
}
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
}
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
writeErrorResponseHeadersOnly(w, s3Error)
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
// Get request range.
var rs *HTTPRangeSpec
rangeHeader := r.Header.Get("Range")
if rangeHeader != "" {
if rs, err = parseRequestRangeSpec(rangeHeader); err != nil {
// Handle only errInvalidRange. Ignore other
// parse error and treat it as regular Get
// request like Amazon S3.
if err == errInvalidRange {
writeErrorResponseHeadersOnly(w, ErrInvalidRange)
return
}
logger.LogIf(ctx, err)
}
}
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 22:48:58 +02:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if err != nil {
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
writeErrorResponseHeadersOnly(w, toAPIErrorCode(ctx, err))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
if objectAPI.IsEncryptionSupported() {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
writeErrorResponseHeadersOnly(w, toAPIErrorCode(ctx, err))
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
return
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
}
}
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
if crypto.IsEncrypted(objInfo.UserDefined) {
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
Validate user provided SSE-C key on Head Object API (#6600) Fixes #6598
2018-10-16 21:24:27 +02:00
// Validate the SSE-C Key set in the header.
if _, err = crypto.SSEC.UnsealObjectKey(r.Header, objInfo.UserDefined, bucket, object); err != nil {
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
writeErrorResponseHeadersOnly(w, toAPIErrorCode(ctx, err))
Validate user provided SSE-C key on Head Object API (#6600) Fixes #6598
2018-10-16 21:24:27 +02:00
return
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
}
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-29 03:10:37 +01:00
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
// Validate pre-conditions if any.
API/CopyObject: Refactor the code and handle if-modified-since as well. (#2183) This completes the S3 spec behavior for CopyObject API as reported by `s3verify`.
2016-07-12 04:24:34 +02:00
if checkPreconditions(w, r, objInfo) {
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-29 03:10:37 +01:00
return
}
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
// Set standard object headers.
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if err = setObjectHeaders(w, objInfo, rs); err != nil {
writeErrorResponseHeadersOnly(w, toAPIErrorCode(ctx, err))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-29 03:10:37 +01:00
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
// Set any additional requested response headers.
setHeadGetRespHeaders(w, r.URL.Query())
XL: erasure Index should have its corresponding distribution order. (#2300)
2016-07-27 20:57:08 +02:00
// Successful response.
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
if rs != nil {
w.WriteHeader(http.StatusPartialContent)
} else {
w.WriteHeader(http.StatusOK)
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
api: SourceInfo should be populated in GET/HEAD notification. (#4073) Refer https://github.com/minio/mc/issues/2073
2017-04-08 10:39:20 +02:00
// Get host and port from Request.RemoteAddr.
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
host, port, err := net.SplitHostPort(handlers.GetSourceIP(r))
api: SourceInfo should be populated in GET/HEAD notification. (#4073) Refer https://github.com/minio/mc/issues/2073
2017-04-08 10:39:20 +02:00
if err != nil {
host, port = "", ""
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
// Notify object accessed via a HEAD request.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Add content-length as part of event notification structure (#6341) Fixes #6321
2018-08-23 23:40:54 +02:00
EventName: event.ObjectAccessedHead,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: host,
Port: port,
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Extract metadata relevant for an CopyObject operation based on conditional
// header values specified in X-Amz-Metadata-Directive.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
func getCpObjMetadataFromHeader(ctx context.Context, r *http.Request, userMeta map[string]string) (map[string]string, error) {
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// Make a copy of the supplied metadata to avoid
// to change the original one.
defaultMeta := make(map[string]string, len(userMeta))
for k, v := range userMeta {
defaultMeta[k] = v
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// if x-amz-metadata-directive says REPLACE then
// we extract metadata from the input headers.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
if isMetadataReplace(r.Header) {
return extractMetadata(ctx, r)
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// if x-amz-metadata-directive says COPY then we
// return the default metadata.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
if isMetadataCopy(r.Header) {
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return defaultMeta, nil
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Copy is default behavior if not x-amz-metadata-directive is set.
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return defaultMeta, nil
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
// CopyObjectHandler - Copy Object
// ----------
// This implementation of the PUT operation adds an object to a bucket
// while reading the object from another source.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "CopyObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "CopyObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
vars := mux.Vars(r)
dstBucket := vars["bucket"]
dstObject := vars["object"]
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, dstBucket, dstObject); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
URL Encode X-Amz-Copy-Source as per the spec (#2114) The documents for COPY state that the X-Amz-Copy-Source must be URL encoded. http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html
2016-07-06 23:00:29 +02:00
// TODO: Reject requests where body/payload is present, for now we don't even read it.
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Copy source path.
cpSrcPath, err := url.QueryUnescape(r.Header.Get("X-Amz-Copy-Source"))
URL Encode X-Amz-Copy-Source as per the spec (#2114) The documents for COPY state that the X-Amz-Copy-Source must be URL encoded. http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html
2016-07-06 23:00:29 +02:00
if err != nil {
// Save unescaped string as is.
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
cpSrcPath = r.Header.Get("X-Amz-Copy-Source")
URL Encode X-Amz-Copy-Source as per the spec (#2114) The documents for COPY state that the X-Amz-Copy-Source must be URL encoded. http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html
2016-07-06 23:00:29 +02:00
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
srcBucket, srcObject := path2BucketAndObject(cpSrcPath)
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidCopySource, r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, srcBucket, srcObject); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
return
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Check if metadata directive is valid.
if !isMetadataDirectiveValid(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidMetadataDirective, r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
var srcOpts, dstOpts ObjectOptions
API/handler: CopyObject make it behave in accordance with S3 spec. (#2155) Fixes bugs found while running s3verify tool - fixes #2152
2016-07-09 21:13:40 +02:00
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
if _, err = objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
cpSrcDstSame := isStringEqual(pathJoin(srcBucket, srcObject), pathJoin(dstBucket, dstObject))
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
}
var lock = noLock
if !cpSrcDstSame {
lock = readLock
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
var rs *HTTPRangeSpec
Add ObjectOptions to GetObjectNInfo (#6533)
2018-09-27 12:06:45 +02:00
gr, err := getObjectNInfo(ctx, srcBucket, srcObject, rs, r.Header, lock, srcOpts)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
return
}
defer gr.Close()
srcInfo := gr.ObjInfo
API/CopyObject: Refactor the code and handle if-modified-since as well. (#2183) This completes the S3 spec behavior for CopyObject API as reported by `s3verify`.
2016-07-12 04:24:34 +02:00
// Verify before x-amz-copy-source preconditions before continuing with CopyObject.
Change CopyObject{Part} to single srcInfo argument (#5553) Refactor such that metadata and etag are combined to a single argument `srcInfo`. This is a precursor change for #5544 making it easier for us to provide encryption/decryption functions.
2018-02-21 09:48:47 +01:00
if checkCopyObjectPreconditions(w, r, srcInfo) {
verify before writing merge verify headers before writing
2016-03-16 20:57:29 +01:00
return
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
/// maximum Upload size for object in a single CopyObject operation.
Change CopyObject{Part} to single srcInfo argument (#5553) Refactor such that metadata and etag are combined to a single argument `srcInfo`. This is a precursor change for #5544 making it easier for us to provide encryption/decryption functions.
2018-02-21 09:48:47 +01:00
if isMaxObjectSize(srcInfo.Size) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrEntityTooLarge, r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// We have to copy metadata only if source and destination are same.
// this changes for encryption which can be observed below.
if cpSrcDstSame {
srcInfo.metadataOnly = true
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Checks if a remote putobject call is needed for CopyObject operation
// 1. If source and destination bucket names are same, it means no call needed to etcd to get destination info
// 2. If destination bucket doesn't exist locally, only then a etcd call is needed
var isRemoteCallRequired = func(ctx context.Context, src, dst string, objAPI ObjectLayer) bool {
if src == dst {
return false
}
_, berr := objAPI.GetBucketInfo(ctx, dst)
return berr == toObjectErr(errVolumeNotFound, dst)
}
var reader io.Reader
var length = srcInfo.Size
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
// Set the actual size to the decrypted size if encrypted.
actualSize := srcInfo.Size
if crypto.IsEncrypted(srcInfo.UserDefined) {
actualSize, err = srcInfo.DecryptedSize()
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
return
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
length = actualSize
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// No need to compress for remote etcd calls
// Pass the decompressed stream to such calls.
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
isCompressed := objectAPI.IsCompressionSupported() && isCompressible(r.Header, srcObject) && !isRemoteCallRequired(ctx, srcBucket, dstBucket, objectAPI)
if isCompressed {
// Storing the compression metadata.
srcInfo.UserDefined[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV1
srcInfo.UserDefined[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(actualSize, 10)
// Remove all source encrypted related metadata to
// avoid copying them in target object.
crypto.RemoveInternalEntries(srcInfo.UserDefined)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Open a pipe for compression.
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
// Where pipeWriter is piped to srcInfo.Reader.
// gr writes to pipeWriter.
pipeReader, pipeWriter := io.Pipe()
reader = pipeReader
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
length = -1
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
snappyWriter := snappy.NewWriter(pipeWriter)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
go func() {
// Compress the decompressed source object.
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
_, cerr := io.Copy(snappyWriter, gr)
snappyWriter.Close()
pipeWriter.CloseWithError(cerr)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}()
} else {
// Remove the metadata for remote calls.
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"compression")
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"actual-size")
reader = gr
}
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
srcInfo.Reader, err = hash.NewReader(reader, length, "", "", actualSize)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
return
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := srcInfo.Reader
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
pReader := NewPutObjReader(srcInfo.Reader, nil, nil)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
var encMetadata = make(map[string]string)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if objectAPI.IsEncryptionSupported() && !isCompressed {
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
// Encryption parameters not applicable for this object.
if !crypto.IsEncrypted(srcInfo.UserDefined) && crypto.SSECopy.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, errInvalidEncryptionParameters), r.URL, guessIsBrowserReq(r))
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
return
}
// Encryption parameters not present for this object.
if crypto.SSEC.IsEncrypted(srcInfo.UserDefined) && !crypto.SSECopy.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidSSECustomerAlgorithm, r.URL, guessIsBrowserReq(r))
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var oldKey, newKey, objEncKey []byte
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
sseCopyS3 := crypto.S3.IsEncrypted(srcInfo.UserDefined)
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
sseCopyC := crypto.SSEC.IsEncrypted(srcInfo.UserDefined) && crypto.SSECopy.IsRequested(r.Header)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
sseC := crypto.SSEC.IsRequested(r.Header)
sseS3 := crypto.S3.IsRequested(r.Header)
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
isSourceEncrypted := sseCopyC || sseCopyS3
isTargetEncrypted := sseC || sseS3
if sseC {
newKey, err = ParseSSECustomerRequest(r)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
return
}
}
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 19:26:10 +01:00
// If src == dst and either
// - the object is encrypted using SSE-C and two different SSE-C keys are present
// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
// than execute a key rotation.
if cpSrcDstSame && ((sseCopyC && sseC) || (sseS3 && sseCopyS3)) {
if sseCopyC && sseC {
oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 19:26:10 +01:00
return
}
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
for k, v := range srcInfo.UserDefined {
encMetadata[k] = v
}
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 19:26:10 +01:00
// In case of SSE-S3 oldKey and newKey aren't used - the KMS manages the keys.
fix object rebinding SSE-C security guarantee violation (#6121) This commit fixes a weakness of the key-encryption-key derivation for SSE-C encrypted objects. Before this change the key-encryption-key was not bound to / didn't depend on the object path. This allows an attacker to repalce objects - encrypted with the same client-key - with each other. This change fixes this issue by updating the key-encryption-key derivation to include: - the domain (in this case SSE-C) - a canonical object path representation - the encryption & key derivation algorithm Changing the object path now causes the KDF to derive a different key-encryption-key such that the object-key unsealing fails. Including the domain (SSE-C) and encryption & key derivation algorithm is not directly neccessary for this fix. However, both will be included for the SSE-S3 KDF. So they are included here to avoid updating the KDF again when we add SSE-S3. The leagcy KDF 'DARE-SHA256' is only used for existing objects and never for new objects / key rotation.
2018-07-10 02:18:28 +02:00
if err = rotateKey(oldKey, newKey, srcBucket, srcObject, encMetadata); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
return
}
Fix deadlock in in-place CopyObject decryption/encryption (#5637) In-place decryption/encryption already holds write locks on them, attempting to acquire a read lock would fail.
2018-03-12 21:52:38 +01:00
// Since we are rotating the keys, make sure to update the metadata.
srcInfo.metadataOnly = true
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
} else {
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
if isSourceEncrypted || isTargetEncrypted {
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// We are not only copying just metadata instead
// we are creating a new object at this point, even
// if source and destination are same objects.
srcInfo.metadataOnly = false
}
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
// Calculate the size of the target object
var targetSize int64
switch {
case !isSourceEncrypted && !isTargetEncrypted:
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
targetSize = srcInfo.Size
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
case isSourceEncrypted && isTargetEncrypted:
targetSize = srcInfo.Size
case !isSourceEncrypted && isTargetEncrypted:
targetSize = srcInfo.EncryptedSize()
case isSourceEncrypted && !isTargetEncrypted:
targetSize, _ = srcInfo.DecryptedSize()
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
if isTargetEncrypted {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
reader, objEncKey, err = newEncryptReader(srcInfo.Reader, newKey, dstBucket, dstObject, encMetadata, sseS3)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
return
}
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
if isSourceEncrypted {
// Remove all source encrypted related metadata to
// avoid copying them in target object.
crypto: add RemoveInternalEntries function (#6616) This commit adds a function for removing crypto-specific internal entries from the object metadata. See #6604
2018-10-19 19:50:52 +02:00
crypto.RemoveInternalEntries(srcInfo.UserDefined)
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
}
srcInfo.Reader, err = hash.NewReader(reader, targetSize, "", "", targetSize) // do not try to verify encrypted content
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
return
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
pReader = NewPutObjReader(rawReader, srcInfo.Reader, objEncKey)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
srcInfo.PutObjReader = pReader
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
srcInfo.UserDefined, err = getCpObjMetadataFromHeader(ctx, r, srcInfo.UserDefined)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
Allow CopyObject() in S3 gateway to support metadata (#5000) Fixes #4924
2017-10-03 19:38:25 +02:00
return
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
}
Allow CopyObject() in S3 gateway to support metadata (#5000) Fixes #4924
2017-10-03 19:38:25 +02:00
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// We need to preserve the encryption headers set in EncryptRequest,
// so we do not want to override them, copy them instead.
for k, v := range encMetadata {
srcInfo.UserDefined[k] = v
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(srcInfo.UserDefined)
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Check if x-amz-metadata-directive was not set to REPLACE and source,
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// desination are same objects. Apply this restriction also when
// metadataOnly is true indicating that we are not overwriting the object.
SSE-C CopyObject key-rotation doesn't need metadata REPLACE value (#5611) Fix a compatibility issue with AWS S3 where to do key rotation we need to replace an existing object's metadata. In such a scenario "REPLACE" metadata directive is not necessary.
2018-03-07 01:04:48 +01:00
// if encryption is enabled we do not need explicit "REPLACE" metadata to
// be enabled as well - this is to allow for key-rotation.
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 19:26:10 +01:00
if !isMetadataReplace(r.Header) && srcInfo.metadataOnly && !crypto.IsEncrypted(srcInfo.UserDefined) {
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// If x-amz-metadata-directive is not set to REPLACE then we need
// to error out if source and destination are same.
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidCopyDest, r.URL, guessIsBrowserReq(r))
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
return
}
lock: Moving locking to handler layer. (#3381) This is implemented so that the issues like in the following flow don't affect the behavior of operation. ``` GetObjectInfo() .... --> Time window for mutation (no lock held) .... --> Time window for mutation (no lock held) GetObject() ``` This happens when two simultaneous uploads are made to the same object the object has returned wrong info to the client. Another classic example is "CopyObject" API itself which reads from a source object and copies to destination object. Fixes #3370 Fixes #2912
2016-12-11 01:15:12 +01:00
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
var objInfo ObjectInfo
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
// Returns a minio-go Client configured to access remote host described by destDNSRecord
// Applicable only in a federated deployment
var getRemoteInstanceClient = func(host string, port int) (*miniogo.Core, error) {
// In a federated deployment, all the instances share config files and hence expected to have same
// credentials. So, access current instances creds and use it to create client for remote instance
endpoint := net.JoinHostPort(host, strconv.Itoa(port))
accessKey := globalServerConfig.Credential.AccessKey
secretKey := globalServerConfig.Credential.SecretKey
return miniogo.NewCore(endpoint, accessKey, secretKey, globalIsSSL)
}
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
if isRemoteCallRequired(ctx, srcBucket, dstBucket, objectAPI) {
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
if globalDNSConfig == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNoSuchBucket, r.URL, guessIsBrowserReq(r))
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
return
}
var dstRecords []dns.SrvRecord
if dstRecords, err = globalDNSConfig.Get(dstBucket); err == nil {
// Send PutObject request to appropriate instance (in federated deployment)
host, port := getRandomHostPort(dstRecords)
client, rerr := getRemoteInstanceClient(host, port)
if rerr != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
return
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
remoteObjInfo, rerr := client.PutObject(dstBucket, dstObject, srcInfo.Reader, srcInfo.Size, "", "", srcInfo.UserDefined, dstOpts.ServerSideEncryption)
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
if rerr != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
return
}
objInfo.ETag = remoteObjInfo.ETag
objInfo.ModTime = remoteObjInfo.LastModified
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
} else {
// Copy source object to destination, if source and destination
// object is same then only metadata is updated.
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
objInfo, err = objectAPI.CopyObject(ctx, srcBucket, srcObject, dstBucket, dstObject, srcInfo, srcOpts, dstOpts)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
return
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
}
fs/object: Fix issues from review comments.
2016-04-16 21:48:41 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
response := generateCopyObjectResponse(getDecryptedETag(r.Header, objInfo, false), objInfo.ModTime)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 21:16:22 +01:00
encodedSuccessResponse := encodeResponse(response)
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
// Get host and port from Request.RemoteAddr.
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
host, port, err := net.SplitHostPort(handlers.GetSourceIP(r))
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
if err != nil {
host, port = "", ""
}
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if objInfo.IsCompressed() {
objInfo.Size = actualSize
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
EventName: event.ObjectCreatedCopy,
BucketName: dstBucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: host,
Port: port,
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
})
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// PutObjectHandler - PUT Object
Update minioapi documentation
2015-02-24 01:46:48 +01:00
// ----------
// This implementation of the PUT operation adds an object to a bucket.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "PutObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "PutObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
bucket := vars["bucket"]
object := vars["object"]
Further fixes for ACL support, currently code is disabled in all the handlers Disabled because due to lack of testing support. Once we get that in we can uncomment them back.
2015-04-23 04:29:39 +02:00
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
// X-Amz-Copy-Source shouldn't be set for this call.
if _, ok := r.Header["X-Amz-Copy-Source"]; ok {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidCopySource, r.URL, guessIsBrowserReq(r))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
// Validate storage class metadata if present
if _, ok := r.Header[amzStorageClassCanonical]; ok {
if !isValidStorageClassMeta(r.Header.Get(amzStorageClassCanonical)) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidStorageClass, r.URL, guessIsBrowserReq(r))
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
return
}
}
api/object: Add CopyObject to support match/modified copy headers Adds support for the following request headers: - x-amz-copy-source-if-match - x-amz-copy-source-if-none-match - x-amz-copy-source-if-unmodified-since - x-amz-copy-source-if-modified-since Fixes #1176
2016-03-12 10:08:55 +01:00
// Get Content-Md5 sent by client and verify if valid
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
md5Bytes, err := checkValidMD5(r.Header)
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidDigest, r.URL, guessIsBrowserReq(r))
Implement x-amz-acl handling
2015-04-23 01:28:13 +02:00
return
}
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
/// if Content-Length is unknown/missing, deny the request
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
size := r.ContentLength
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
rAuthType := getRequestAuthType(r)
if rAuthType == authTypeStreamingSigned {
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
if sizeStr, ok := r.Header["X-Amz-Decoded-Content-Length"]; ok {
if sizeStr[0] == "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMissingContentLength, r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
size, err = strconv.ParseInt(sizeStr[0], 10, 64)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
}
}
Make PutObject a nop for an object which ends with "/" and size is '0' (#3603) This helps majority of S3 compatible applications while not returning an error upon directory create request. Fixes #2965
2017-01-21 01:33:01 +01:00
if size == -1 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMissingContentLength, r.URL, guessIsBrowserReq(r))
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 11:19:51 +02:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
Collate success response into writeSuccessResponse(), add docs
2015-04-29 19:51:59 +02:00
/// maximum Upload size for objects in a single operation
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 11:19:51 +02:00
if isMaxObjectSize(size) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrEntityTooLarge, r.URL, guessIsBrowserReq(r))
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 11:19:51 +02:00
return
}
Make donut fully integrated back into API handlers
2015-07-03 05:31:22 +02:00
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
metadata, err := extractMetadata(ctx, r)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return
}
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
For streaming signature do not save content-encoding in PutObject() (#3776) Content-Encoding is set to "aws-chunked" which is an S3 specific API value which is no meaning for an object. This is how S3 behaves as well for a streaming signature uploaded object.
2017-02-20 21:07:03 +01:00
if rAuthType == authTypeStreamingSigned {
sign/streaming: Content-Encoding is not set in newer aws-java-sdks (#3986) We can't use Content-Encoding to verify if `aws-chunked` is set or not. Just use 'streaming' signature header instead. While this is considered mandatory, on the contrary aws-sdk-java doesn't set this value http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html ``` Set the value to aws-chunked. ``` We will relax it and behave appropriately. Also this PR supports saving custom encoding after trimming off the `aws-chunked` parameter. Fixes #3983
2017-03-28 02:02:04 +02:00
if contentEncoding, ok := metadata["content-encoding"]; ok {
contentEncoding = trimAwsChunkedContentEncoding(contentEncoding)
if contentEncoding != "" {
// Make sure to trim and save the content-encoding
// parameter for a streaming signature which is set
// to a custom value for example: "aws-chunked,gzip".
metadata["content-encoding"] = contentEncoding
} else {
// Trimmed content encoding is empty when the header
// value is set to "aws-chunked" only.
// Make sure to delete the content-encoding parameter
// for a streaming signature which is set to value
// for example: "aws-chunked"
delete(metadata, "content-encoding")
}
}
For streaming signature do not save content-encoding in PutObject() (#3776) Content-Encoding is set to "aws-chunked" which is an S3 specific API value which is no meaning for an object. This is how S3 behaves as well for a streaming signature uploaded object.
2017-02-20 21:07:03 +01:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
var (
md5hex = hex.EncodeToString(md5Bytes)
sha256hex = ""
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
reader io.Reader
s3Err APIErrorCode
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
putObject = objectAPI.PutObject
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
)
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
reader = r.Body
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
// Check if put is allowed
if s3Err = isPutAllowed(rAuthType, bucket, object, r); s3Err != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Err, r.URL, guessIsBrowserReq(r))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
switch rAuthType {
case authTypeStreamingSigned:
// Initialize stream signature verifier.
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
reader, s3Err = newSignV4ChunkedReader(r)
if s3Err != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Err, r.URL, guessIsBrowserReq(r))
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
case authTypeSignedV2, authTypePresignedV2:
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
s3Err = isReqAuthenticatedV2(r)
if s3Err != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Err, r.URL, guessIsBrowserReq(r))
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
return
}
Allow x-amz-content-sha256 to be optional for PutObject() (#5340) x-amz-content-sha256 can be optional for any AWS signature v4 requests, make sure to skip sha256 calculation when payload checksum is not set. Here is the overall expected behavior ** Signed request ** - X-Amz-Content-Sha256 is set to 'empty' or some 'value' or its not 'UNSIGNED-PAYLOAD'- use it to validate the incoming payload. - X-Amz-Content-Sha256 is set to 'UNSIGNED-PAYLOAD' - skip checksum verification - X-Amz-Content-Sha256 is not set we use emptySHA256 ** Presigned request ** - X-Amz-Content-Sha256 is set to 'empty' or some 'value' or its not 'UNSIGNED-PAYLOAD'- use it to validate the incoming payload - X-Amz-Content-Sha256 is set to 'UNSIGNED-PAYLOAD' - skip checksum verification - X-Amz-Content-Sha256 is not set we use 'UNSIGNED-PAYLOAD' Fixes #5339
2018-01-09 08:19:50 +01:00
signature: Handle presigned payload if set. Validate payload with incoming content. Fixes #1288
2016-04-07 12:04:18 +02:00
case authTypePresigned, authTypeSigned:
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ```
2017-11-29 22:12:47 +01:00
if s3Err = reqSignatureV4Verify(r, globalServerConfig.GetRegion()); s3Err != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Err, r.URL, guessIsBrowserReq(r))
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
return
}
if !skipContentSha256Cksum(r) {
fix content-sha256 verification for presigned PUT (#5137) It is possible that x-amz-content-sha256 is set through the query params in case of presigned PUT calls, make sure that we validate the incoming x-amz-content-sha256 properly. Current code simply just allows this without honoring the set x-amz-content-sha256, fix it.
2017-11-05 12:02:19 +01:00
sha256hex = getContentSha256Cksum(r)
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
}
web/rpc: Merge ports with API server. Fixes #1081 and #1130
2016-02-17 03:50:36 +01:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
actualSize := size
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) && size > 0 {
// Storing the compression metadata.
metadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV1
metadata[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(size, 10)
pipeReader, pipeWriter := io.Pipe()
snappyWriter := snappy.NewWriter(pipeWriter)
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
var actualReader *hash.Reader
actualReader, err = hash.NewReader(reader, size, md5hex, sha256hex, actualSize)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
return
}
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
go func() {
// Writing to the compressed writer.
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
_, cerr := io.CopyN(snappyWriter, actualReader, actualSize)
snappyWriter.Close()
pipeWriter.CloseWithError(cerr)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}()
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Set compression metrics.
size = -1 // Since compressed size is un-predictable.
md5hex = "" // Do not try to verify the content.
sha256hex = ""
reader = pipeReader
}
hashReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize)
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := hashReader
pReader := NewPutObjReader(rawReader, nil, nil)
var opts ObjectOptions
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
if _, err = objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var objectEncryptionKey []byte
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if objectAPI.IsEncryptionSupported() {
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if hasServerSideEncryptionHeader(r.Header) && !hasSuffix(object, slashSeparator) { // handle SSE requests
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
reader, objectEncryptionKey, err = EncryptRequest(hashReader, r, bucket, object, metadata)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
return
}
info := ObjectInfo{Size: size}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
hashReader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", size) // do not try to verify encrypted content
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
pReader = NewPutObjReader(rawReader, hashReader, objectEncryptionKey)
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if api.CacheAPI() != nil && !hasServerSideEncryptionHeader(r.Header) {
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
putObject = api.CacheAPI().PutObject
}
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
// Create the object..
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
objInfo, err := putObject(ctx, bucket, object, pReader, metadata, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if objInfo.IsCompressed() {
// Ignore compressed ETag.
objInfo.ETag = objInfo.ETag + "-1"
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if hasServerSideEncryptionHeader(r.Header) {
w.Header().Set("ETag", "\""+getDecryptedETag(r.Header, objInfo, false)+"\"")
} else {
w.Header().Set("ETag", "\""+objInfo.ETag+"\"")
}
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if objectAPI.IsEncryptionSupported() {
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
if crypto.IsEncrypted(objInfo.UserDefined) {
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
case crypto.SSEC.IsRequested(r.Header):
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
}
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseHeadersOnly(w)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
// Get host and port from Request.RemoteAddr.
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
host, port, err := net.SplitHostPort(handlers.GetSourceIP(r))
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
if err != nil {
host, port = "", ""
}
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
EventName: event.ObjectCreatedPut,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: host,
Port: port,
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
}
Adding multipart support
2015-05-08 04:55:30 +02:00
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
/// Multipart objectAPIHandlers
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
- Test utility function for easy asserting of cases wherein objectLayer (#2865) is `nil` in API handlers. - Remove the existing tests for the `nil` check and use the new method to test for object layer being `nil`.
2016-10-06 22:34:33 +02:00
// NewMultipartUploadHandler - New multipart upload.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "NewMultipartUpload")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "NewMultipartUpload", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object := vars["object"]
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var (
opts ObjectOptions
err error
)
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, bucket, object); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
return
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
}
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if _, err = objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
// Validate storage class metadata if present
if _, ok := r.Header[amzStorageClassCanonical]; ok {
if !isValidStorageClassMeta(r.Header.Get(amzStorageClassCanonical)) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidStorageClass, r.URL, guessIsBrowserReq(r))
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
return
}
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var encMetadata = map[string]string{}
if objectAPI.IsEncryptionSupported() {
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if hasServerSideEncryptionHeader(r.Header) {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if err = setEncryptionMetadata(r, bucket, object, encMetadata); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
// Set this for multipart only operations, we need to differentiate during
// decryption if the file was actually multipart or not.
encMetadata[ReservedMetadataPrefix+"Encrypted-Multipart"] = ""
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
api: extract http headers with some supported header list. (#2268)
2016-07-23 05:31:45 +02:00
// Extract metadata that needs to be saved.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
metadata, err := extractMetadata(ctx, r)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return
}
objects: Save all the incoming metadata properly. (#1688) For both multipart and single put operation
2016-05-19 04:54:25 +02:00
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
// We need to preserve the encryption headers set in EncryptRequest,
// so we do not want to override them, copy them instead.
for k, v := range encMetadata {
metadata[k] = v
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) {
// Storing the compression metadata.
metadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV1
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
newMultipartUpload := objectAPI.NewMultipartUpload
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if api.CacheAPI() != nil && !hasServerSideEncryptionHeader(r.Header) {
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
newMultipartUpload = api.CacheAPI().NewMultipartUpload
}
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
uploadID, err := newMultipartUpload(ctx, bucket, object, metadata, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
response := generateInitiateMultipartUploadResponse(bucket, object, uploadID)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 21:16:22 +01:00
encodedSuccessResponse := encodeResponse(response)
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// CopyObjectPartHandler - uploads a part by copying data from an existing object as data source.
func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "CopyObjectPart")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "CopyObjectPart", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
vars := mux.Vars(r)
dstBucket := vars["bucket"]
dstObject := vars["object"]
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, dstBucket, dstObject); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
// Copy source path.
cpSrcPath, err := url.QueryUnescape(r.Header.Get("X-Amz-Copy-Source"))
if err != nil {
// Save unescaped string as is.
cpSrcPath = r.Header.Get("X-Amz-Copy-Source")
}
srcBucket, srcObject := path2BucketAndObject(cpSrcPath)
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidCopySource, r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, srcBucket, srcObject); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
return
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
uploadID := r.URL.Query().Get("uploadId")
partIDString := r.URL.Query().Get("partNumber")
partID, err := strconv.Atoi(partIDString)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidPart, r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
// check partID with maximum part ID for multipart objects
if isMaxPartID(partID) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidMaxParts, r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
var srcOpts, dstOpts ObjectOptions
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
if _, err = objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// Get request range.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
var rs *HTTPRangeSpec
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
rangeHeader := r.Header.Get("x-amz-copy-source-range")
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
if rangeHeader != "" {
var parseRangeErr error
if rs, parseRangeErr = parseCopyPartRangeSpec(rangeHeader); parseRangeErr != nil {
// Handle only errInvalidRange
// Ignore other parse error and treat it as regular Get request like Amazon S3.
logger.GetReqInfo(ctx).AppendTags("rangeHeader", rangeHeader)
logger.LogIf(ctx, parseRangeErr)
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeCopyPartErr(w, parseRangeErr, r.URL, guessIsBrowserReq(r))
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
return
}
}
Add ObjectOptions to GetObjectNInfo (#6533)
2018-09-27 12:06:45 +02:00
gr, err := getObjectNInfo(ctx, srcBucket, srcObject, rs, r.Header, readLock, srcOpts)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
return
}
defer gr.Close()
srcInfo := gr.ObjInfo
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 23:23:23 +02:00
actualPartSize := srcInfo.Size
if crypto.IsEncrypted(srcInfo.UserDefined) {
actualPartSize, err = srcInfo.DecryptedSize()
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 23:23:23 +02:00
return
}
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Special care for CopyObjectPart
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 23:23:23 +02:00
if partRangeErr := checkCopyPartRangeWithSize(rs, actualPartSize); partRangeErr != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeCopyPartErr(w, partRangeErr, r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
}
// Verify before x-amz-copy-source preconditions before continuing with CopyObject.
Change CopyObject{Part} to single srcInfo argument (#5553) Refactor such that metadata and etag are combined to a single argument `srcInfo`. This is a precursor change for #5544 making it easier for us to provide encryption/decryption functions.
2018-02-21 09:48:47 +01:00
if checkCopyObjectPartPreconditions(w, r, srcInfo) {
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Get the object offset & length
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
startOffset, length, err := rs.GetOffsetLength(actualPartSize)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
/// maximum copy size for multipart objects in a single operation
api: Increase the maximum object size limit from 5GiB to 16GiB. (#3834) The globalMaxObjectSize limit is instilled in S3 spec perhaps due to certain limitations on S3 infrastructure. For minio we don't have such limitations and we can stream a larger file instead. So we are going to bump this limit to 16GiB. Fixes #3825
2017-03-03 19:14:17 +01:00
if isMaxAllowedPartSize(length) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrEntityTooLarge, r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
actualPartSize = length
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
var reader io.Reader
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
var li ListPartsInfo
li, err = objectAPI.ListObjectParts(ctx, dstBucket, dstObject, uploadID, 0, 1)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
return
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
// Read compression metadata preserved in the init multipart for the decision.
_, compressPart := li.UserDefined[ReservedMetadataPrefix+"compression"]
isCompressed := compressPart
// Compress only if the compression is enabled during initial multipart.
if isCompressed {
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Open a pipe for compression.
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
// Where pipeWriter is piped to srcInfo.Reader.
// gr writes to pipeWriter.
pipeReader, pipeWriter := io.Pipe()
reader = pipeReader
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
length = -1
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
snappyWriter := snappy.NewWriter(pipeWriter)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
go func() {
// Compress the decompressed source object.
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
_, cerr := io.Copy(snappyWriter, gr)
snappyWriter.Close()
pipeWriter.CloseWithError(cerr)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}()
} else {
reader = gr
}
srcInfo.Reader, err = hash.NewReader(reader, length, "", "", actualPartSize)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := srcInfo.Reader
pReader := NewPutObjReader(rawReader, nil, nil)
isEncrypted := false
var objectEncryptionKey []byte
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if objectAPI.IsEncryptionSupported() && !isCompressed {
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.IsEncrypted(li.UserDefined) {
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(li.UserDefined) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrSSEMultipartEncrypted, r.URL, guessIsBrowserReq(r))
Fix: Validate copy-part encryption header and metadata (#6725) Otherwise CopyObjectPart would continue to upload part with incorrect encryption option and fail when upload is finalized
2018-10-29 14:40:34 +01:00
return
}
if crypto.S3.IsEncrypted(li.UserDefined) && crypto.SSEC.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrSSEMultipartEncrypted, r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
isEncrypted = true // to detect SSE-S3 encryption
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var key []byte
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.SSEC.IsRequested(r.Header) {
key, err = ParseSSECustomerRequest(r)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
return
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
fix object rebinding SSE-C security guarantee violation (#6121) This commit fixes a weakness of the key-encryption-key derivation for SSE-C encrypted objects. Before this change the key-encryption-key was not bound to / didn't depend on the object path. This allows an attacker to repalce objects - encrypted with the same client-key - with each other. This change fixes this issue by updating the key-encryption-key derivation to include: - the domain (in this case SSE-C) - a canonical object path representation - the encryption & key derivation algorithm Changing the object path now causes the KDF to derive a different key-encryption-key such that the object-key unsealing fails. Including the domain (SSE-C) and encryption & key derivation algorithm is not directly neccessary for this fix. However, both will be included for the SSE-S3 KDF. So they are included here to avoid updating the KDF again when we add SSE-S3. The leagcy KDF 'DARE-SHA256' is only used for existing objects and never for new objects / key rotation.
2018-07-10 02:18:28 +02:00
objectEncryptionKey, err = decryptObjectInfo(key, dstBucket, dstObject, li.UserDefined)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
Fix decrypted object size and key derivation in CopyObjectPart (#6141) This commit fixes the size calculation for multipart objects. The decrypted size of an encrypted multipart object is the sum of the decrypted part sizes. Also fixes the key derivation in CopyObjectPart. Instead of using the same object-encryption-key for each part now an unique per-part key is derived. Updates #6139
2018-07-12 18:29:56 +02:00
var partIDbin [4]byte
binary.LittleEndian.PutUint32(partIDbin[:], uint32(partID)) // marshal part ID
mac := hmac.New(sha256.New, objectEncryptionKey) // derive part encryption key from part ID and object key
mac.Write(partIDbin[:])
partEncryptionKey := mac.Sum(nil)
reader, err = sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey})
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
fix size computation for en/decrypted objects (#6147) This PR fixes the size calculation for encrypted multipart objects.
2018-07-12 20:23:32 +02:00
info := ObjectInfo{Size: length}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
srcInfo.Reader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", length)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
pReader = NewPutObjReader(rawReader, srcInfo.Reader, objectEncryptionKey)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
srcInfo.PutObjReader = pReader
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// Copy source object to destination, if source and destination
// object is same then only metadata is updated.
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
partInfo, err := objectAPI.CopyObjectPart(ctx, srcBucket, srcObject, dstBucket, dstObject, uploadID, partID,
startOffset, length, srcInfo, srcOpts, dstOpts)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if isEncrypted {
partInfo.ETag = tryDecryptETag(objectEncryptionKey, partInfo.ETag, crypto.SSEC.IsRequested(r.Header))
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified)
encodedSuccessResponse := encodeResponse(response)
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
}
// PutObjectPartHandler - uploads an incoming part for an ongoing multipart operation.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "PutObjectPart")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "PutObjectPart", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object := vars["object"]
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
api: CopyObjectPart was copying wrong offsets due to shadowing. (#3838) startOffset was re-assigned to '0' so it would end up copying wrong content ignoring the requested startOffset. This also fixes the corruption issue we observed while using docker registry. Fixes https://github.com/docker/distribution/issues/2205 Also fixes #3842 - incorrect routing.
2017-03-04 01:32:04 +01:00
// X-Amz-Copy-Source shouldn't be set for this call.
if _, ok := r.Header["X-Amz-Copy-Source"]; ok {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidCopySource, r.URL, guessIsBrowserReq(r))
api: CopyObjectPart was copying wrong offsets due to shadowing. (#3838) startOffset was re-assigned to '0' so it would end up copying wrong content ignoring the requested startOffset. This also fixes the corruption issue we observed while using docker registry. Fixes https://github.com/docker/distribution/issues/2205 Also fixes #3842 - incorrect routing.
2017-03-04 01:32:04 +01:00
return
}
api: Implement multiple objects Delete api - fixes #956 This API takes input XML input in following form. ``` <?xml version="1.0" encoding="UTF-8"?> <Delete> <Quiet>true</Quiet> <Object> <Key>Key</Key> </Object> <Object> <Key>Key</Key> </Object> ... </Delete> ``` and responds the list of successful deletes, list of errors for all the deleted objects. ``` <?xml version="1.0" encoding="UTF-8"?> <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Deleted> <Key>sample1.txt</Key> </Deleted> <Error> <Key>sample2.txt</Key> <Code>AccessDenied</Code> <Message>Access Denied</Message> </Error> </DeleteResult> ```
2016-03-06 01:43:48 +01:00
// get Content-Md5 sent by client and verify if valid
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
md5Bytes, err := checkValidMD5(r.Header)
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidDigest, r.URL, guessIsBrowserReq(r))
Implement Bucket ACL support
2015-10-17 04:09:35 +02:00
return
}
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
/// if Content-Length is unknown/missing, throw away
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
size := r.ContentLength
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
rAuthType := getRequestAuthType(r)
// For auth type streaming signature, we need to gather a different content length.
if rAuthType == authTypeStreamingSigned {
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
if sizeStr, ok := r.Header["X-Amz-Decoded-Content-Length"]; ok {
if sizeStr[0] == "" {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMissingContentLength, r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
size, err = strconv.ParseInt(sizeStr[0], 10, 64)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
}
}
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
if size == -1 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMissingContentLength, r.URL, guessIsBrowserReq(r))
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
return
}
Reply back CompleteMultipartUploadResult properly with final ETag computed - Now s3 libraries and also objectstorage-go work properly
2015-05-08 07:43:19 +02:00
/// maximum Upload size for multipart objects in a single operation
api: Increase the maximum object size limit from 5GiB to 16GiB. (#3834) The globalMaxObjectSize limit is instilled in S3 spec perhaps due to certain limitations on S3 infrastructure. For minio we don't have such limitations and we can stream a larger file instead. So we are going to bump this limit to 16GiB. Fixes #3825
2017-03-03 19:14:17 +01:00
if isMaxAllowedPartSize(size) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrEntityTooLarge, r.URL, guessIsBrowserReq(r))
Adding multipart support
2015-05-08 04:55:30 +02:00
return
}
Remove SignatureV2 support, bring in SignatureV4 header only validation for now
2015-05-01 01:29:03 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
uploadID := r.URL.Query().Get("uploadId")
partIDString := r.URL.Query().Get("partNumber")
Handle partNumberMarker with listObjectParts now and other fixes
2015-05-10 04:39:00 +02:00
xl/fs: Split object layer into interface. (#1415)
2016-04-29 23:24:10 +02:00
partID, err := strconv.Atoi(partIDString)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidPart, r.URL, guessIsBrowserReq(r))
signature: Fix signature handling of parallel requests. Signature struct should be immutable, this fixes an issue with AWS cli not being able to do multipart put operations.
2016-03-02 20:22:58 +01:00
return
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Make donut fully integrated back into API handlers
2015-07-03 05:31:22 +02:00
Part ID check (#1730) * Added check in PutObjectPartHandler to make sure part ID does not exceed 10000. ErrInvalidMaxParts written to response if part ID exceeds the maximum value.
2016-05-24 10:52:47 +02:00
// check partID with maximum part ID for multipart objects
if isMaxPartID(partID) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidMaxParts, r.URL, guessIsBrowserReq(r))
Part ID check (#1730) * Added check in PutObjectPartHandler to make sure part ID does not exceed 10000. ErrInvalidMaxParts written to response if part ID exceeds the maximum value.
2016-05-24 10:52:47 +02:00
return
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
var (
md5hex = hex.EncodeToString(md5Bytes)
sha256hex = ""
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
reader io.Reader
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
s3Error APIErrorCode
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
reader = r.Body
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
if s3Error = isPutAllowed(rAuthType, bucket, object, r); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
switch rAuthType {
case authTypeStreamingSigned:
// Initialize stream signature verifier.
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
reader, s3Error = newSignV4ChunkedReader(r)
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
if s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
case authTypeSignedV2, authTypePresignedV2:
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
if s3Error = isReqAuthenticatedV2(r); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
return
}
signature: Handle presigned payload if set. Validate payload with incoming content. Fixes #1288
2016-04-07 12:04:18 +02:00
case authTypePresigned, authTypeSigned:
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
if s3Error = reqSignatureV4Verify(r, globalServerConfig.GetRegion()); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
return
}
if !skipContentSha256Cksum(r) {
fix content-sha256 verification for presigned PUT (#5137) It is possible that x-amz-content-sha256 is set through the query params in case of presigned PUT calls, make sure that we validate the incoming x-amz-content-sha256 properly. Current code simply just allows this without honoring the set x-amz-content-sha256, fix it.
2017-11-05 12:02:19 +01:00
sha256hex = getContentSha256Cksum(r)
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
}
web/rpc: Merge ports with API server. Fixes #1081 and #1130
2016-02-17 03:50:36 +01:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
actualSize := size
var pipeReader *io.PipeReader
var pipeWriter *io.PipeWriter
var li ListPartsInfo
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
return
}
// Read compression metadata preserved in the init multipart for the decision.
_, compressPart := li.UserDefined[ReservedMetadataPrefix+"compression"]
isCompressed := false
if objectAPI.IsCompressionSupported() && compressPart {
pipeReader, pipeWriter = io.Pipe()
snappyWriter := snappy.NewWriter(pipeWriter)
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
var actualReader *hash.Reader
actualReader, err = hash.NewReader(reader, size, md5hex, sha256hex, actualSize)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
return
}
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
go func() {
// Writing to the compressed writer.
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
_, cerr := io.CopyN(snappyWriter, actualReader, actualSize)
snappyWriter.Close()
pipeWriter.CloseWithError(cerr)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}()
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Set compression metrics.
size = -1 // Since compressed size is un-predictable.
md5hex = "" // Do not try to verify the content.
sha256hex = ""
reader = pipeReader
isCompressed = true
}
hashReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize)
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := hashReader
pReader := NewPutObjReader(rawReader, nil, nil)
var opts ObjectOptions
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
if _, err = objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668) This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
2018-10-19 01:05:05 +02:00
isEncrypted := false
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var objectEncryptionKey []byte
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if objectAPI.IsEncryptionSupported() && !isCompressed {
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var li ListPartsInfo
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.IsEncrypted(li.UserDefined) {
Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668) This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
2018-10-19 01:05:05 +02:00
if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(li.UserDefined) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrSSEMultipartEncrypted, r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
isEncrypted = true // to detect SSE-S3 encryption
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var key []byte
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.SSEC.IsRequested(r.Header) {
key, err = ParseSSECustomerRequest(r)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
return
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
// Calculating object encryption key
fix object rebinding SSE-C security guarantee violation (#6121) This commit fixes a weakness of the key-encryption-key derivation for SSE-C encrypted objects. Before this change the key-encryption-key was not bound to / didn't depend on the object path. This allows an attacker to repalce objects - encrypted with the same client-key - with each other. This change fixes this issue by updating the key-encryption-key derivation to include: - the domain (in this case SSE-C) - a canonical object path representation - the encryption & key derivation algorithm Changing the object path now causes the KDF to derive a different key-encryption-key such that the object-key unsealing fails. Including the domain (SSE-C) and encryption & key derivation algorithm is not directly neccessary for this fix. However, both will be included for the SSE-S3 KDF. So they are included here to avoid updating the KDF again when we add SSE-S3. The leagcy KDF 'DARE-SHA256' is only used for existing objects and never for new objects / key rotation.
2018-07-10 02:18:28 +02:00
objectEncryptionKey, err = decryptObjectInfo(key, bucket, object, li.UserDefined)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
var partIDbin [4]byte
binary.LittleEndian.PutUint32(partIDbin[:], uint32(partID)) // marshal part ID
mac := hmac.New(sha256.New, objectEncryptionKey) // derive part encryption key from part ID and object key
mac.Write(partIDbin[:])
partEncryptionKey := mac.Sum(nil)
Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668) This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
2018-10-19 01:05:05 +02:00
reader, err = sio.EncryptReader(hashReader, sio.Config{Key: partEncryptionKey})
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
info := ObjectInfo{Size: size}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
hashReader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", size) // do not try to verify encrypted content
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
pReader = NewPutObjReader(rawReader, hashReader, objectEncryptionKey)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
putObjectPart := objectAPI.PutObjectPart
Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668) This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
2018-10-19 01:05:05 +02:00
if api.CacheAPI() != nil && !isEncrypted {
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
putObjectPart = api.CacheAPI().PutObjectPart
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
partInfo, err := putObjectPart(ctx, bucket, object, uploadID, partID, pReader, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
// Verify if the underlying error is signature mismatch.
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if isCompressed {
pipeWriter.Close()
// Suppress compressed ETag.
partInfo.ETag = partInfo.ETag + "-1"
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
if partInfo.ETag != "" {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if isEncrypted {
w.Header().Set("ETag", "\""+tryDecryptETag(objectEncryptionKey, partInfo.ETag, crypto.SSEC.IsRequested(r.Header))+"\"")
} else {
w.Header().Set("ETag", "\""+partInfo.ETag+"\"")
}
contentType: Reply back proper contentTypes based on the file extension. Currently the server would set 'application/octet-stream' for all objects, set this value based on the file extension transparently. This is useful in case of minio browser to facilitate displaying proper icons for the different mime data types.
2016-02-01 21:19:54 +01:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseHeadersOnly(w)
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// AbortMultipartUploadHandler - Abort multipart upload
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) AbortMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "AbortMultipartUpload")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "AbortMultipartUpload", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Implement AbortMultipart
2015-05-10 01:06:35 +02:00
bucket := vars["bucket"]
object := vars["object"]
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
abortMultipartUpload := objectAPI.AbortMultipartUpload
if api.CacheAPI() != nil {
abortMultipartUpload = api.CacheAPI().AbortMultipartUpload
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.AbortMultipartUploadAction, bucket, object); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
return
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
}
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, ObjectOptions{}); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
uploadID, _, _, _, s3Error := getObjectResources(r.URL.Query())
if s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
return
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
if err := abortMultipartUpload(ctx, bucket, object, uploadID); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
Reply back proper statuses for DeleteBucket/DeleteObject
2015-10-17 05:02:37 +02:00
writeSuccessNoContent(w)
Implement AbortMultipart
2015-05-10 01:06:35 +02:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// ListObjectPartsHandler - List object parts
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) ListObjectPartsHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "ListObjectParts")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "ListObjectParts", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Implement Bucket ACL support
2015-10-17 04:09:35 +02:00
bucket := vars["bucket"]
object := vars["object"]
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.ListMultipartUploadPartsAction, bucket, object); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
return
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
}
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
uploadID, partNumberMarker, maxParts, _, s3Error := getObjectResources(r.URL.Query())
if s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
return
}
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
if partNumberMarker < 0 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidPartNumberMarker, r.URL, guessIsBrowserReq(r))
Return proper InvalidArgument messages like s3 for invalid data for ListObjects(), ListObjectParts(), ListMultipartUploads()
2015-07-17 02:22:45 +02:00
return
}
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
if maxParts < 0 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidMaxParts, r.URL, guessIsBrowserReq(r))
Return proper InvalidArgument messages like s3 for invalid data for ListObjects(), ListObjectParts(), ListMultipartUploads()
2015-07-17 02:22:45 +02:00
return
}
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
listPartsInfo, err := objectAPI.ListObjectParts(ctx, bucket, object, uploadID, partNumberMarker, maxParts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var ssec bool
if objectAPI.IsEncryptionSupported() {
var li ListPartsInfo
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
if crypto.IsEncrypted(li.UserDefined) {
var key []byte
if crypto.SSEC.IsEncrypted(li.UserDefined) {
ssec = true
}
var objectEncryptionKey []byte
if crypto.S3.IsEncrypted(li.UserDefined) {
// Calculating object encryption key
objectEncryptionKey, err = decryptObjectInfo(key, bucket, object, li.UserDefined)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
}
parts := make([]PartInfo, len(listPartsInfo.Parts))
for i, p := range listPartsInfo.Parts {
part := p
part.ETag = tryDecryptETag(objectEncryptionKey, p.ETag, ssec)
parts[i] = part
}
listPartsInfo.Parts = parts
}
}
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
response := generateListPartsResponse(listPartsInfo)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 21:16:22 +01:00
encodedSuccessResponse := encodeResponse(response)
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 01:46:56 +01:00
// Write success response.
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseXML(w, encodedSuccessResponse)
Add listparts support
2015-05-09 20:41:26 +02:00
}
api/complete-multipart: fixes and tests. (#2719) * api/complete-multipart: tests and simplification. - Removing the logic of sending white space characters. - Fix for incorrect HTTP response status for certain cases. - Tests for New Multipart Upload and Complete Multipart Upload. * tests: test for Delelete Object API handler
2016-09-22 05:08:08 +02:00
// CompleteMultipartUploadHandler - Complete multipart upload.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) CompleteMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "CompleteMultipartUpload")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "CompleteMultipartUpload", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Adding multipart support
2015-05-08 04:55:30 +02:00
bucket := vars["bucket"]
object := vars["object"]
Remove some api server code bringing in new cleanup
2015-06-30 23:42:29 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, bucket, object); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-21 22:51:05 +01:00
return
}
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, ObjectOptions{}); err == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
// Get upload id.
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
uploadID, _, _, _, s3Error := getObjectResources(r.URL.Query())
if s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
return
}
signature: Fix signature handling of parallel requests. Signature struct should be immutable, this fixes an issue with AWS cli not being able to do multipart put operations.
2016-03-02 20:22:58 +01:00
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
completeMultipartBytes, err := goioutil.ReadAll(r.Body)
xl/fs: Split object layer into interface. (#1415)
2016-04-29 23:24:10 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
return
}
Add public data-types for easier external loading (#5170) This change brings public data-types such that we can ask projects to implement gateway projects externally than maintaining in our repo. All publicly exported structs are maintained in object-api-datatypes.go completePart --> CompletePart uploadMetadata --> MultipartInfo All other exported errors are at object-api-errors.go
2017-11-14 09:25:10 +01:00
complMultipartUpload := &CompleteMultipartUpload{}
xl/fs: Split object layer into interface. (#1415)
2016-04-29 23:24:10 +02:00
if err = xml.Unmarshal(completeMultipartBytes, complMultipartUpload); err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMalformedXML, r.URL, guessIsBrowserReq(r))
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
return
}
Return error for empty parts in multipartupload complete (#1758)
2016-05-25 21:11:26 +02:00
if len(complMultipartUpload.Parts) == 0 {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMalformedXML, r.URL, guessIsBrowserReq(r))
Return error for empty parts in multipartupload complete (#1758)
2016-05-25 21:11:26 +02:00
return
}
Add public data-types for easier external loading (#5170) This change brings public data-types such that we can ask projects to implement gateway projects externally than maintaining in our repo. All publicly exported structs are maintained in object-api-datatypes.go completePart --> CompletePart uploadMetadata --> MultipartInfo All other exported errors are at object-api-errors.go
2017-11-14 09:25:10 +01:00
if !sort.IsSorted(CompletedParts(complMultipartUpload.Parts)) {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidPartOrder, r.URL, guessIsBrowserReq(r))
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var objectEncryptionKey []byte
var opts ObjectOptions
var isEncrypted, ssec bool
if objectAPI.IsEncryptionSupported() {
var li ListPartsInfo
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
if crypto.IsEncrypted(li.UserDefined) {
isEncrypted = true
ssec = crypto.SSEC.IsEncrypted(li.UserDefined)
var key []byte
if crypto.S3.IsEncrypted(li.UserDefined) {
// Calculating object encryption key
objectEncryptionKey, err = decryptObjectInfo(key, bucket, object, li.UserDefined)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
}
}
}
partsMap := make(map[string]PartInfo)
var listPartsInfo ListPartsInfo
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if isEncrypted {
var partNumberMarker int
maxParts := 1000
for {
listPartsInfo, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, partNumberMarker, maxParts)
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
for _, part := range listPartsInfo.Parts {
partsMap[strconv.Itoa(part.PartNumber)] = part
}
partNumberMarker = listPartsInfo.NextPartNumberMarker
if !listPartsInfo.IsTruncated {
break
}
}
}
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
// Complete parts.
Add public data-types for easier external loading (#5170) This change brings public data-types such that we can ask projects to implement gateway projects externally than maintaining in our repo. All publicly exported structs are maintained in object-api-datatypes.go completePart --> CompletePart uploadMetadata --> MultipartInfo All other exported errors are at object-api-errors.go
2017-11-14 09:25:10 +01:00
var completeParts []CompletePart
refactor: add multipart code to the object layer.
2016-04-11 10:29:18 +02:00
for _, part := range complMultipartUpload.Parts {
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Avoiding for gateway parts.
// `strings.TrimPrefix` does not work here as intended. So `Replace` is used instead.
if objectAPI.IsCompressionSupported() {
part.ETag = strings.Replace(part.ETag, "-1", "", -1) // For compressed multiparts, We append '-1' for part.ETag.
}
Use canonicalETag helper wherever needed. (#3910)
2017-03-16 04:48:49 +01:00
part.ETag = canonicalizeETag(part.ETag)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if isEncrypted {
// ETag is stored in the backend in encrypted form. Validate client sent ETag with
// decrypted ETag.
if bkPartInfo, ok := partsMap[strconv.Itoa(part.PartNumber)]; ok {
bkETag := tryDecryptETag(objectEncryptionKey, bkPartInfo.ETag, ssec)
if bkETag != part.ETag {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInvalidPart, r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
part.ETag = bkPartInfo.ETag
}
}
refactor: add multipart code to the object layer.
2016-04-11 10:29:18 +02:00
completeParts = append(completeParts, part)
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
completeMultiPartUpload := objectAPI.CompleteMultipartUpload
if api.CacheAPI() != nil {
completeMultiPartUpload = api.CacheAPI().CompleteMultipartUpload
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
objInfo, err := completeMultiPartUpload(ctx, bucket, object, uploadID, completeParts, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
API: add writePartTooSmallErrorResponse to extend standard error responses. (#2005) This function is added to extend the standard error responses. Which is needed in some cases for example CompleteMultipartUpload should respond with ErrPartTooSmall error when parts uploaded are lesser than 5MB (i.e minimum allowed size per part). Fixes #1536
2016-06-28 23:51:49 +02:00
switch oErr := err.(type) {
case PartTooSmall:
// Write part too small error.
writePartSmallErrorResponse(w, r, oErr)
default:
// Handle all other generic issues.
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
API: add writePartTooSmallErrorResponse to extend standard error responses. (#2005) This function is added to extend the standard error responses. Which is needed in some cases for example CompleteMultipartUpload should respond with ErrPartTooSmall error when parts uploaded are lesser than 5MB (i.e minimum allowed size per part). Fixes #1536
2016-06-28 23:51:49 +02:00
}
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
object layer: Send 200 OK and whitespace chars (#1897)
2016-06-16 05:31:06 +02:00
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
// Get object location.
Return complete Location URL in CompleteMultipartUpload (#5692) Remove getLocation function. Fixes #5687
2018-03-23 21:46:57 +01:00
location := getObjectLocation(r, globalDomainName, bucket, object)
multipart: remove proper MD5, rather create MD5 based on parts to be s3 compatible. This increases the performance phenominally.
2016-03-02 05:01:40 +01:00
// Generate complete multipart response.
fs/erasure: Rename meta 'md5Sum' as 'etag'. (#4319) This PR also does backend format change to 1.0.1 from 1.0.0. Backward compatible changes are still kept to read the 'md5Sum' key. But all new objects will be stored with the same details under 'etag'. Fixes #4312
2017-05-14 21:05:51 +02:00
response := generateCompleteMultpartUploadResponse(bucket, object, location, objInfo.ETag)
api/complete-multipart: fixes and tests. (#2719) * api/complete-multipart: tests and simplification. - Removing the logic of sending white space characters. - Fix for incorrect HTTP response status for certain cases. - Tests for New Multipart Upload and Complete Multipart Upload. * tests: test for Delelete Object API handler
2016-09-22 05:08:08 +02:00
encodedSuccessResponse := encodeResponse(response)
Send XML header before the first of whitespace chars (#2046) * Sent XML header before the first of whitespace chars XML parsing fails in aws cli due to unexpected whitespace character. To fix this, we send the xml header before we send the first whitespace character, if any. * Fix race between sendWhiteSpaceChars and completeMultiUploadpart
2016-07-01 03:48:50 +02:00
if err != nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrInternalError, r.URL, guessIsBrowserReq(r))
Send XML header before the first of whitespace chars (#2046) * Sent XML header before the first of whitespace chars XML parsing fails in aws cli due to unexpected whitespace character. To fix this, we send the xml header before we send the first whitespace character, if any. * Fix race between sendWhiteSpaceChars and completeMultiUploadpart
2016-07-01 03:48:50 +02:00
return
}
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Fix missing CompleteMultipartUpload Etag. (#3227) Fixes #3224
2016-11-10 16:41:02 +01:00
// Set etag.
fs/erasure: Rename meta 'md5Sum' as 'etag'. (#4319) This PR also does backend format change to 1.0.1 from 1.0.0. Backward compatible changes are still kept to read the 'md5Sum' key. But all new objects will be stored with the same details under 'etag'. Fixes #4312
2017-05-14 21:05:51 +02:00
w.Header().Set("ETag", "\""+objInfo.ETag+"\"")
Fix missing CompleteMultipartUpload Etag. (#3227) Fixes #3224
2016-11-10 16:41:02 +01:00
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
// Write success response.
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseXML(w, encodedSuccessResponse)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
// Get host and port from Request.RemoteAddr.
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
host, port, err := net.SplitHostPort(handlers.GetSourceIP(r))
Add sourceInfo to NotificationEvent (#3937) This change adds information like host, port and user-agent of the client whose request triggered an event notification. E.g, if someone uploads an object to a bucket using mc. If notifications were configured on that bucket, the host, port and user-agent of mc would be sent as part of event notification data. Sample output: ``` "source": { "host": "127.0.0.1", "port": "55808", "userAgent": "Minio (linux; amd64) minio-go/2.0.4 mc ..." } ```
2017-03-23 02:44:35 +01:00
if err != nil {
host, port = "", ""
}
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
EventName: event.ObjectCreatedCompleteMultipartUpload,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: host,
Port: port,
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
})
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
/// Delete objectAPIHandlers
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
api: Implement multiple objects Delete api - fixes #956 This API takes input XML input in following form. ``` <?xml version="1.0" encoding="UTF-8"?> <Delete> <Quiet>true</Quiet> <Object> <Key>Key</Key> </Object> <Object> <Key>Key</Key> </Object> ... </Delete> ``` and responds the list of successful deletes, list of errors for all the deleted objects. ``` <?xml version="1.0" encoding="UTF-8"?> <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Deleted> <Key>sample1.txt</Key> </Deleted> <Error> <Key>sample2.txt</Key> <Code>AccessDenied</Code> <Message>Access Denied</Message> </Error> </DeleteResult> ```
2016-03-06 01:43:48 +01:00
// DeleteObjectHandler - delete an object
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "DeleteObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "DeleteObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Migrate this project to minio micro services code
2015-10-16 20:26:01 +02:00
bucket := vars["bucket"]
object := vars["object"]
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.DeleteObjectAction, bucket, object); s3Error != ErrNone {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 01:46:56 +01:00
return
fs: Cleanup Golang errors to be called 'e' and probe to be called as 'err' - Replace the ACL checks back, remove them when bucket policy is implemented. - Move FTW (File Tree Walk) into ioutils package.
2016-02-04 21:52:25 +01:00
}
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-21 22:51:05 +01:00
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
// Not required to check whether given object exists or not, because
// DeleteObject is always successful irrespective of object existence.
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrMethodNotAllowed, r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 07:35:43 +02:00
if globalDNSConfig != nil {
_, err := globalDNSConfig.Get(bucket)
if err != nil {
Update federation target to etcd/clientv3 (#6119) With CoreDNS now supporting etcdv3 as the DNS backend, we can update our federation target to etcdv3. Users will now be able to use etcdv3 server as the federation backbone. Minio will update bucket data to etcdv3 and CoreDNS can pick that data up and serve it as bucket style DNS path.
2018-07-12 23:12:40 +02:00
if err == dns.ErrNoEntriesFound {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNoSuchBucket, r.URL, guessIsBrowserReq(r))
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 07:35:43 +02:00
} else {
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 07:35:43 +02:00
}
return
}
}
web: Simplify and converge common functions in web/obj API. (#4179) RemoveObject() in webAPI currently re-implements some part of the code to remove objects combine them for simplicity and code convergence.
2017-04-27 08:27:48 +02:00
// http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html
Avoid double bucket validation in DeleteObjectHandler (#6720) On a heavily loaded server, getBucketInfo() becomes slow, one can easily observe deleting an object causes many additional network calls. This PR is to let the underlying call return the actual error and write it back to the client.
2018-10-31 00:07:57 +01:00
if err := deleteObject(ctx, objectAPI, api.CacheAPI(), bucket, object, r); err != nil {
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
switch toAPIErrorCode(ctx, err) {
Avoid double bucket validation in DeleteObjectHandler (#6720) On a heavily loaded server, getBucketInfo() becomes slow, one can easily observe deleting an object causes many additional network calls. This PR is to let the underlying call return the actual error and write it back to the client.
2018-10-31 00:07:57 +01:00
case ErrNoSuchBucket:
// When bucket doesn't exist specially handle it.
Redirect browser requests returning AccessDenied (#6848) Anonymous requests from S3 resources returning AccessDenied should be auto redirected to browser for login.
2018-11-26 21:15:12 +01:00
writeErrorResponse(w, ErrNoSuchBucket, r.URL, guessIsBrowserReq(r))
Avoid double bucket validation in DeleteObjectHandler (#6720) On a heavily loaded server, getBucketInfo() becomes slow, one can easily observe deleting an object causes many additional network calls. This PR is to let the underlying call return the actual error and write it back to the client.
2018-10-31 00:07:57 +01:00
return
}
// Ignore delete object errors while replying to client, since we are suppposed to reply only 204.
}
Reply back proper statuses for DeleteBucket/DeleteObject
2015-10-17 05:02:37 +02:00
writeSuccessNoContent(w)
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
}
Reference in a new issue Copy permalink