maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
minio/cmd/config-current.go

771 lines
23 KiB
Go
Raw Normal View History

config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
/*
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 01:12:29 +02:00
* MinIO Cloud Storage, (C) 2016-2019 MinIO, Inc.
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
2016-08-19 01:23:42 +02:00
package cmd
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
import (
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
"context"
fix: avoid timed value for network calls (#11531) additionally simply timedValue to have RWMutex to avoid concurrent calls to DiskInfo() getting serialized, this has an effect on all calls that use GetDiskInfo() on the same disks. Such as getOnlineDisks, getOnlineDisksWithoutHealing
2021-02-13 03:17:52 +01:00
"crypto/tls"
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
"fmt"
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
"strings"
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
"sync"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
"github.com/minio/minio/cmd/config"
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
"github.com/minio/minio/cmd/config/api"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
"github.com/minio/minio/cmd/config/cache"
"github.com/minio/minio/cmd/config/compress"
simplify webhook DNS further generalize for gateway (#10448) continuation of the changes from eaaf05a7cc358893650614770365da540615570f this further simplifies, enables this for gateway deployments as well
2020-09-10 23:19:32 +02:00
"github.com/minio/minio/cmd/config/dns"
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
"github.com/minio/minio/cmd/config/etcd"
rename crawler config option to heal (#10678)
2020-10-14 22:51:51 +02:00
"github.com/minio/minio/cmd/config/heal"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
xldap "github.com/minio/minio/cmd/config/identity/ldap"
"github.com/minio/minio/cmd/config/identity/openid"
Initialize configs correctly, move notification config (#8367) This PR also removes deprecated tests, adds checks to avoid races reproduced on CI/CD.
2019-10-09 08:11:15 +02:00
"github.com/minio/minio/cmd/config/notify"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
"github.com/minio/minio/cmd/config/policy/opa"
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
"github.com/minio/minio/cmd/config/scanner"
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
"github.com/minio/minio/cmd/config/storageclass"
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
"github.com/minio/minio/cmd/crypto"
Make sure to drain body upon an error (#7197) Also cleanup redundant code and use it at a common place
2019-02-06 21:07:03 +01:00
xhttp "github.com/minio/minio/cmd/http"
Remove panic() and handle it appropriately (#5807) This is an effort to remove panic from the source. Add a new call called CriticialIf, that calls LogIf and exits. Replace panics with one of CriticalIf, FatalIf and a return of error.
2018-04-20 02:24:43 +02:00
"github.com/minio/minio/cmd/logger"
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
"github.com/minio/minio/cmd/logger/target/http"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
"github.com/minio/minio/pkg/env"
fix: document _ENABLE for all notification targets (#8864) Fixes #8863
2020-01-21 01:48:19 +01:00
"github.com/minio/minio/pkg/madmin"
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
)
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
func initHelp() {
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
var kvs = map[string]config.KVS{
config.EtcdSubSys: etcd.DefaultKVS,
config.CacheSubSys: cache.DefaultKVS,
config.CompressionSubSys: compress.DefaultKVS,
config.IdentityLDAPSubSys: xldap.DefaultKVS,
config.IdentityOpenIDSubSys: openid.DefaultKVS,
config.PolicyOPASubSys: opa.DefaultKVS,
config.RegionSubSys: config.DefaultRegionKVS,
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
config.APISubSys: api.DefaultKVS,
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.CredentialsSubSys: config.DefaultCredentialKVS,
add minio/keys KMS integration (#8631) This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2019-12-13 21:57:11 +01:00
config.KmsVaultSubSys: crypto.DefaultVaultKVS,
config.KmsKesSubSys: crypto.DefaultKesKVS,
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.LoggerWebhookSubSys: logger.DefaultKVS,
config.AuditWebhookSubSys: logger.DefaultAuditKVS,
rename crawler config option to heal (#10678)
2020-10-14 22:51:51 +02:00
config.HealSubSys: heal.DefaultKVS,
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
config.ScannerSubSys: scanner.DefaultKVS,
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
}
for k, v := range notify.DefaultNotificationKVS {
kvs[k] = v
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-13 05:04:01 +02:00
if globalIsErasure {
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
kvs[config.StorageClassSubSys] = storageclass.DefaultKVS
}
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.RegisterDefaultKVS(kvs)
// Captures help for each sub-system
var helpSubSys = config.HelpKVS{
config.HelpKV{
Key: config.RegionSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "label the location of the server",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.CacheSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "add caching storage tier",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.CompressionSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "enable server side compression of objects",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.EtcdSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "federate multiple clusters for IAM and Bucket DNS",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.IdentityOpenIDSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "enable OpenID SSO support",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.IdentityLDAPSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "enable LDAP SSO support",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.PolicyOPASubSys,
fix: if OPA set do not enforce policy claim (#10149)
2020-07-28 20:47:57 +02:00
Description: "[DEPRECATED] enable external OPA for policy enforcement",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
config.HelpKV{
Key: config.KmsVaultSubSys,
Update help messages with new wording (#8616) Final update to all messages across sub-systems after final review, the only change here is that NATS now has TLS and TLSSkipVerify to be consistent for all other notification targets.
2019-12-06 22:53:51 +01:00
Description: "enable external HashiCorp Vault key management service",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
},
add minio/keys KMS integration (#8631) This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2019-12-13 21:57:11 +01:00
config.HelpKV{
Key: config.KmsKesSubSys,
Description: "enable external MinIO key encryption service",
},
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
config.HelpKV{
Key: config.APISubSys,
Description: "manage global HTTP API call specific features, such as throttling, authentication types, etc.",
},
Continous healing: add optional bitrot check (#10417)
2020-09-12 09:08:12 +02:00
config.HelpKV{
rename crawler config option to heal (#10678)
2020-10-14 22:51:51 +02:00
Key: config.HealSubSys,
Description: "manage object healing frequency and bitrot verification checks",
Continous healing: add optional bitrot check (#10417)
2020-09-12 09:08:12 +02:00
},
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
config.HelpKV{
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
Key: config.ScannerSubSys,
rename all references from crawl -> scanner (#11621)
2021-02-27 00:11:42 +01:00
Description: "manage namespace scanning for usage calculation, lifecycle, healing and more",
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
},
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.HelpKV{
Key: config.LoggerWebhookSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "send server logs to webhook endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.AuditWebhookSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "send audit logs to webhook endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyWebhookSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "publish bucket notifications to webhook endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyAMQPSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "publish bucket notifications to AMQP endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyKafkaSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "publish bucket notifications to Kafka endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyMQTTSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "publish bucket notifications to MQTT endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyNATSSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "publish bucket notifications to NATS endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyNSQSubSys,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
Description: "publish bucket notifications to NSQ endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyMySQLSubSys,
Update help messages with new wording (#8616) Final update to all messages across sub-systems after final review, the only change here is that NATS now has TLS and TLSSkipVerify to be consistent for all other notification targets.
2019-12-06 22:53:51 +01:00
Description: "publish bucket notifications to MySQL databases",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Key: config.NotifyPostgresSubSys,
Update help messages with new wording (#8616) Final update to all messages across sub-systems after final review, the only change here is that NATS now has TLS and TLSSkipVerify to be consistent for all other notification targets.
2019-12-06 22:53:51 +01:00
Description: "publish bucket notifications to Postgres databases",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Update help messages with new wording (#8616) Final update to all messages across sub-systems after final review, the only change here is that NATS now has TLS and TLSSkipVerify to be consistent for all other notification targets.
2019-12-06 22:53:51 +01:00
Key: config.NotifyESSubSys,
Description: "publish bucket notifications to Elasticsearch endpoints",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
config.HelpKV{
Update help messages with new wording (#8616) Final update to all messages across sub-systems after final review, the only change here is that NATS now has TLS and TLSSkipVerify to be consistent for all other notification targets.
2019-12-06 22:53:51 +01:00
Key: config.NotifyRedisSubSys,
Description: "publish bucket notifications to Redis datastores",
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
MultipleTargets: true,
},
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-13 05:04:01 +02:00
if globalIsErasure {
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
helpSubSys = append(helpSubSys, config.HelpKV{})
copy(helpSubSys[2:], helpSubSys[1:])
helpSubSys[1] = config.HelpKV{
Key: config.StorageClassSubSys,
Description: "define object level redundancy",
}
}
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
var helpMap = map[string]config.HelpKVS{
"": helpSubSys, // Help for all sub-systems.
config.RegionSubSys: config.RegionHelp,
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
config.APISubSys: api.Help,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
config.StorageClassSubSys: storageclass.Help,
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.EtcdSubSys: etcd.Help,
config.CacheSubSys: cache.Help,
config.CompressionSubSys: compress.Help,
rename crawler config option to heal (#10678)
2020-10-14 22:51:51 +02:00
config.HealSubSys: heal.Help,
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
config.ScannerSubSys: scanner.Help,
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.IdentityOpenIDSubSys: openid.Help,
config.IdentityLDAPSubSys: xldap.Help,
config.PolicyOPASubSys: opa.Help,
add minio/keys KMS integration (#8631) This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2019-12-13 21:57:11 +01:00
config.KmsVaultSubSys: crypto.HelpVault,
config.KmsKesSubSys: crypto.HelpKes,
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
config.LoggerWebhookSubSys: logger.Help,
config.AuditWebhookSubSys: logger.HelpAudit,
config.NotifyAMQPSubSys: notify.HelpAMQP,
config.NotifyKafkaSubSys: notify.HelpKafka,
config.NotifyMQTTSubSys: notify.HelpMQTT,
config.NotifyNATSSubSys: notify.HelpNATS,
config.NotifyNSQSubSys: notify.HelpNSQ,
config.NotifyMySQLSubSys: notify.HelpMySQL,
config.NotifyPostgresSubSys: notify.HelpPostgres,
config.NotifyRedisSubSys: notify.HelpRedis,
config.NotifyWebhookSubSys: notify.HelpWebhook,
config.NotifyESSubSys: notify.HelpES,
}
config.RegisterHelpSubSys(helpMap)
}
fix: use its own lock in serverConfigV17 (#4014) Previously serverConfigV17 used a global lock that made any instance of serverConfigV17 depended on single global serverConfigMu. This patch fixes by having individual lock per instances.
2017-03-31 07:26:24 +02:00
var (
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ```
2017-11-29 22:12:47 +01:00
// globalServerConfig server config.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalServerConfig config.Config
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ```
2017-11-29 22:12:47 +01:00
globalServerConfigMu sync.RWMutex
fix: use its own lock in serverConfigV17 (#4014) Previously serverConfigV17 used a global lock that made any instance of serverConfigV17 depended on single global serverConfigMu. This patch fixes by having individual lock per instances.
2017-03-31 07:26:24 +02:00
)
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
func validateConfig(s config.Config, setDriveCounts []int) error {
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
// We must have a global lock for this so nobody else modifies env while we do.
defer env.LockSetEnv()()
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 07:39:09 +01:00
// Disable merging env values with config for validation.
env.SetEnvOff()
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
// Enable env values to validate KMS.
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 07:39:09 +01:00
defer env.SetEnvOn()
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if _, err := config.LookupCreds(s[config.CredentialsSubSys][config.Default]); err != nil {
return err
Merge initConfig logic to ConfigSys (#6312)
2018-08-19 22:57:18 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if _, err := config.LookupRegion(s[config.RegionSubSys][config.Default]); err != nil {
return err
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
if _, err := api.LookupConfig(s[config.APISubSys][config.Default]); err != nil {
return err
}
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-13 05:04:01 +02:00
if globalIsErasure {
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
for _, setDriveCount := range setDriveCounts {
if _, err := storageclass.LookupConfig(s[config.StorageClassSubSys][config.Default], setDriveCount); err != nil {
return err
}
Merge initConfig logic to ConfigSys (#6312)
2018-08-19 22:57:18 +02:00
}
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if _, err := cache.LookupConfig(s[config.CacheSubSys][config.Default]); err != nil {
return err
Merge initConfig logic to ConfigSys (#6312)
2018-08-19 22:57:18 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
compCfg, err := compress.LookupConfig(s[config.CompressionSubSys][config.Default])
if err != nil {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
return err
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
objAPI := newObjectLayerFn()
if objAPI != nil {
if compCfg.Enabled && !objAPI.IsCompressionSupported() {
return fmt.Errorf("Backend does not support compression")
}
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
if _, err = heal.LookupConfig(s[config.HealSubSys][config.Default]); err != nil {
Continous healing: add optional bitrot check (#10417)
2020-09-12 09:08:12 +02:00
return err
}
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
if _, err = scanner.LookupConfig(s[config.ScannerSubSys][config.Default]); err != nil {
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
return err
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
{
etcdCfg, err := etcd.LookupConfig(s[config.EtcdSubSys][config.Default], globalRootCAs)
if err != nil {
return err
}
if etcdCfg.Enabled {
etcdClnt, err := etcd.New(etcdCfg)
if err != nil {
return err
}
etcdClnt.Close()
}
}
{
fix: avoid timed value for network calls (#11531) additionally simply timedValue to have RWMutex to avoid concurrent calls to DiskInfo() getting serialized, this has an effect on all calls that use GetDiskInfo() on the same disks. Such as getOnlineDisks, getOnlineDisksWithoutHealing
2021-02-13 03:17:52 +01:00
kmsCfg, err := crypto.LookupConfig(s, globalCertsCADir.Get(), newCustomHTTPTransportWithHTTP2(
&tls.Config{
RootCAs: globalRootCAs,
}, defaultDialTimeout)())
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
if err != nil {
return err
}
add minio/keys KMS integration (#8631) This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2019-12-13 21:57:11 +01:00
// Set env to enable master key validation.
// this is needed only for KMS.
env.SetEnvOn()
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
add minio/keys KMS integration (#8631) This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2019-12-13 21:57:11 +01:00
if _, err = crypto.NewKMS(kmsCfg); err != nil {
return err
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
}
add minio/keys KMS integration (#8631) This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2019-12-13 21:57:11 +01:00
// Disable merging env values for the rest.
env.SetEnvOff()
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if _, err := openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
Add response header timeouts (#9170) - Add conservative timeouts upto 3 minutes for internode communication - Add aggressive timeouts of 30 seconds for gateway communication Fixes #9105 Fixes #8732 Fixes #8881 Fixes #8376 Fixes #9028
2020-03-22 06:10:13 +01:00
NewGatewayHTTPTransport(), xhttp.DrainBody); err != nil {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
return err
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 06:47:26 +01:00
{
cfg, err := xldap.Lookup(s[config.IdentityLDAPSubSys][config.Default],
globalRootCAs)
if err != nil {
return err
}
if cfg.Enabled {
conn, cerr := cfg.Connect()
if cerr != nil {
return cerr
}
conn.Close()
}
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if _, err := opa.LookupConfig(s[config.PolicyOPASubSys][config.Default],
Add response header timeouts (#9170) - Add conservative timeouts upto 3 minutes for internode communication - Add aggressive timeouts of 30 seconds for gateway communication Fixes #9105 Fixes #8732 Fixes #8881 Fixes #8376 Fixes #9028
2020-03-22 06:10:13 +01:00
NewGatewayHTTPTransport(), xhttp.DrainBody); err != nil {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
return err
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if _, err := logger.LookupConfig(s); err != nil {
return err
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
}
Bring in safe mode support (#8478) This PR refactors object layer handling such that upon failure in sub-system initialization server reaches a stage of safe-mode operation wherein only certain API operations are enabled and available. This allows for fixing many scenarios such as - incorrect configuration in vault, etcd, notification targets - missing files, incomplete config migrations unable to read encrypted content etc - any other issues related to notification, policies, lifecycle etc
2019-11-09 18:27:23 +01:00
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
return notify.TestNotificationTargets(GlobalContext, s, NewGatewayHTTPTransport(), globalNotificationSys.ConfiguredTargetIDs())
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
}
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
func lookupConfigs(s config.Config, setDriveCounts []int) {
use GlobalContext whenever possible (#9280) This change is throughout the codebase to ensure that all codepaths honor GlobalContext
2020-04-09 18:30:02 +02:00
ctx := GlobalContext
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
var err error
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if !globalActiveCred.IsValid() {
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
// Env doesn't seem to be set, we fallback to lookup creds from the config.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalActiveCred, err = config.LookupCreds(s[config.CredentialsSubSys][config.Default])
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Invalid credentials configuration: %w", err))
Better validation of all config file fields (#6090) Add Validate() to serverConfig to call it at server startup and in Admin SetConfig handler to minimize errors scenario after server restart.
2018-07-18 20:22:29 +02:00
}
}
simplify webhook DNS further generalize for gateway (#10448) continuation of the changes from eaaf05a7cc358893650614770365da540615570f this further simplifies, enables this for gateway deployments as well
2020-09-10 23:19:32 +02:00
if dnsURL, dnsUser, dnsPass, ok := env.LookupEnv(config.EnvDNSWebhook); ok {
globalDNSConfig, err = dns.NewOperatorDNS(dnsURL,
dns.Authentication(dnsUser, dnsPass),
dns.RootCAs(globalRootCAs))
if err != nil {
if globalIsGateway {
logger.FatalIf(err, "Unable to initialize remote webhook DNS config")
} else {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize remote webhook DNS config %w", err))
}
}
}
re-implement data usage crawler to be more efficient (#9075) Implementation overview: https://gist.github.com/klauspost/1801c858d5e0df391114436fdad6987b
2020-03-19 00:19:29 +01:00
etcdCfg, err := etcd.LookupConfig(s[config.EtcdSubSys][config.Default], globalRootCAs)
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
if err != nil {
Allow etcd, cache setup to exit when starting gateway mode (#9842) - Initialize etcd once per call - Fail etcd, cache setup pro-actively for gateway setups - Support deleting/updating bucket notification, tagging, lifecycle, sse-encryption
2020-06-16 07:09:39 +02:00
if globalIsGateway {
logger.FatalIf(err, "Unable to initialize etcd config")
} else {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize etcd config: %w", err))
}
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
}
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
if etcdCfg.Enabled {
allow loading some from config and some values from ENVs (#9872) A regression perhaps introduced in #9851
2020-06-19 02:31:56 +02:00
if globalEtcdClient == nil {
globalEtcdClient, err = etcd.New(etcdCfg)
if err != nil {
if globalIsGateway {
logger.FatalIf(err, "Unable to initialize etcd config")
} else {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize etcd config: %w", err))
}
fix: initialize config once per startup (#9851)
2020-06-17 05:15:21 +02:00
}
}
allow loading some from config and some values from ENVs (#9872) A regression perhaps introduced in #9851
2020-06-19 02:31:56 +02:00
simplify webhook DNS further generalize for gateway (#10448) continuation of the changes from eaaf05a7cc358893650614770365da540615570f this further simplifies, enables this for gateway deployments as well
2020-09-10 23:19:32 +02:00
if len(globalDomainNames) != 0 && !globalDomainIPs.IsEmpty() && globalEtcdClient != nil {
if globalDNSConfig != nil {
// if global DNS is already configured, indicate with a warning, incase
// users are confused.
logger.LogIf(ctx, fmt.Errorf("DNS store is already configured with %s, not using etcd for DNS store", globalDNSConfig))
} else {
globalDNSConfig, err = dns.NewCoreDNS(etcdCfg.Config,
dns.DomainNames(globalDomainNames),
dns.DomainIPs(globalDomainIPs),
dns.DomainPort(globalMinioPort),
dns.CoreDNSPath(etcdCfg.CoreDNSPath),
)
if err != nil {
if globalIsGateway {
logger.FatalIf(err, "Unable to initialize DNS config")
} else {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize DNS config for %s: %w",
globalDomainNames, err))
}
Allow etcd, cache setup to exit when starting gateway mode (#9842) - Initialize etcd once per call - Fail etcd, cache setup pro-actively for gateway setups - Support deleting/updating bucket notification, tagging, lifecycle, sse-encryption
2020-06-16 07:09:39 +02:00
}
}
fix: initialize config once per startup (#9851)
2020-06-17 05:15:21 +02:00
}
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
}
Disable federated buckets when etcd is namespaced (#8709) This is to ensure that when we have multiple tenants deployed all sharing the same etcd for global bucket should avoid listing each others buckets, this leads to information leak which should be avoided unless etcd is not namespaced for IAM assets in which case it can be assumed that its a federated setup. Federated setup and namespaced IAM assets on etcd is not supported since namespacing is only useful when you wish to separate the tenants as isolated instances of MinIO. This PR allows a new type of behavior, primarily driven by the usecase of m3(mkube) multi-tenant deployments with global bucket support.
2019-12-29 17:56:45 +01:00
// Bucket federation is 'true' only when IAM assets are not namespaced
// per tenant and all tenants interested in globally available users
// if namespace was requested such as specifying etcdPathPrefix then
// we assume that users are interested in global bucket support
// but not federation.
globalBucketFederation = etcdCfg.PathPrefix == "" && etcdCfg.Enabled
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalServerRegion, err = config.LookupRegion(s[config.RegionSubSys][config.Default])
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Invalid region configuration: %w", err))
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
2018-08-15 06:41:47 +02:00
}
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
apiConfig, err := api.LookupConfig(s[config.APISubSys][config.Default])
if err != nil {
logger.LogIf(ctx, fmt.Errorf("Invalid api configuration: %w", err))
}
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
globalAPIConfig.init(apiConfig, setDriveCounts)
config: Add api requests max & deadline configs (#9273) Add two new configuration entries, api.requests-max and api.requests-deadline which have the same role of MINIO_API_REQUESTS_MAX and MINIO_API_REQUESTS_DEADLINE.
2020-04-14 21:46:37 +02:00
add support for configurable remote transport deadline (#10447) configurable remote transport timeouts for some special cases where this value needs to be bumped to a higher value when transferring large data between federated instances.
2020-09-12 08:03:08 +02:00
// Initialize remote instance transport once.
getRemoteInstanceTransportOnce.Do(func() {
getRemoteInstanceTransport = newGatewayHTTPTransport(apiConfig.RemoteTransportDeadline)
})
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-13 05:04:01 +02:00
if globalIsErasure {
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
for i, setDriveCount := range setDriveCounts {
sc, err := storageclass.LookupConfig(s[config.StorageClassSubSys][config.Default], setDriveCount)
if err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize storage class config: %w", err))
break
}
// if we validated all setDriveCounts and it was successful
// proceed to store the correct storage class globally.
if i == len(setDriveCounts)-1 {
globalStorageClass = sc
}
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
}
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
2018-08-15 06:41:47 +02:00
}
Add functionality to add old buckets to etcd on startup Buckets already present on a Minio server before it joins a bucket federated deployment will now be added to etcd during startup. In case of a bucket name collision, admin is informed via Minio server console message. Added configuration migration for configuration stored in etcd backend. Also, environment variables are updated and ListBucket path style request is no longer forwarded.
2018-04-05 17:18:42 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalCacheConfig, err = cache.LookupConfig(s[config.CacheSubSys][config.Default])
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
if err != nil {
Allow etcd, cache setup to exit when starting gateway mode (#9842) - Initialize etcd once per call - Fail etcd, cache setup pro-actively for gateway setups - Support deleting/updating bucket notification, tagging, lifecycle, sse-encryption
2020-06-16 07:09:39 +02:00
if globalIsGateway {
logger.FatalIf(err, "Unable to setup cache")
} else {
logger.LogIf(ctx, fmt.Errorf("Unable to setup cache: %w", err))
}
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
2018-08-15 06:41:47 +02:00
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if globalCacheConfig.Enabled {
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
if cacheEncKey := env.Get(cache.EnvCacheEncryptionMasterKey, ""); cacheEncKey != "" {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
globalCacheKMS, err = crypto.ParseMasterKey(cacheEncKey)
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to setup encryption cache: %w", err))
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
}
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
fix: avoid timed value for network calls (#11531) additionally simply timedValue to have RWMutex to avoid concurrent calls to DiskInfo() getting serialized, this has an effect on all calls that use GetDiskInfo() on the same disks. Such as getOnlineDisks, getOnlineDisksWithoutHealing
2021-02-13 03:17:52 +01:00
kmsCfg, err := crypto.LookupConfig(s, globalCertsCADir.Get(), newCustomHTTPTransportWithHTTP2(
&tls.Config{
RootCAs: globalRootCAs,
}, defaultDialTimeout)())
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to setup KMS config: %w", err))
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
GlobalKMS, err = crypto.NewKMS(kmsCfg)
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to setup KMS with current KMS config: %w", err))
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
crypto: deprecate native Hashicorp Vault support (#11352) This commit deprecates the native Hashicorp Vault support and removes the legacy Vault documentation. The native Hashicorp Vault documentation is marked as outdated and deprecated for over a year now. We give another 6 months before we start removing Hashicorp Vault support and show a deprecation warning when a MinIO server starts with a native Vault configuration.
2021-01-30 02:55:37 +01:00
globalAutoEncryption = kmsCfg.AutoEncryption // Enable auto-encryption if enabled
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
crypto: deprecate native Hashicorp Vault support (#11352) This commit deprecates the native Hashicorp Vault support and removes the legacy Vault documentation. The native Hashicorp Vault documentation is marked as outdated and deprecated for over a year now. We give another 6 months before we start removing Hashicorp Vault support and show a deprecation warning when a MinIO server starts with a native Vault configuration.
2021-01-30 02:55:37 +01:00
if kmsCfg.Vault.Enabled {
const deprecationWarning = `Native Hashicorp Vault support is deprecated and will be removed on 2021-10-01. Please migrate to KES + Hashicorp Vault: https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore
Note that native Hashicorp Vault and KES + Hashicorp Vault are not compatible.
If you need help to migrate smoothly visit: https://min.io/pricing`
logger.LogIf(ctx, fmt.Errorf(deprecationWarning))
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION
2020-09-03 21:43:45 +02:00
}
Add etcd support to support STS on gateway mode (#6531)
2018-10-12 20:32:18 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
Add response header timeouts (#9170) - Add conservative timeouts upto 3 minutes for internode communication - Add aggressive timeouts of 30 seconds for gateway communication Fixes #9105 Fixes #8732 Fixes #8881 Fixes #8376 Fixes #9028
2020-03-22 06:10:13 +01:00
NewGatewayHTTPTransport(), xhttp.DrainBody)
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to initialize OpenID: %w", err))
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
opaCfg, err := opa.LookupConfig(s[config.PolicyOPASubSys][config.Default],
Add response header timeouts (#9170) - Add conservative timeouts upto 3 minutes for internode communication - Add aggressive timeouts of 30 seconds for gateway communication Fixes #9105 Fixes #8732 Fixes #8881 Fixes #8376 Fixes #9028
2020-03-22 06:10:13 +01:00
NewGatewayHTTPTransport(), xhttp.DrainBody)
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to initialize OPA: %w", err))
Add etcd support to support STS on gateway mode (#6531)
2018-10-12 20:32:18 +02:00
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 01:12:29 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalOpenIDValidators = getOpenIDValidators(globalOpenIDConfig)
globalPolicyOPA = opa.New(opaCfg)
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
globalLDAPConfig, err = xldap.Lookup(s[config.IdentityLDAPSubSys][config.Default],
globalRootCAs)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 01:12:29 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 01:12:29 +02:00
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
// Load logger targets based on user's configuration
loggerUserAgent := getUserAgent(getMinioMode())
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
loggerCfg, err := logger.LookupConfig(s)
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if err != nil {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
logger.LogIf(ctx, fmt.Errorf("Unable to initialize logger: %w", err))
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
fix: optimize ServerInfo() handler to avoid reading config (#10626) fixes #10620
2020-10-03 01:19:44 +02:00
for k, l := range loggerCfg.HTTP {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if l.Enabled {
// Enable http logging
add validation logs for configured Logger/Audit HTTP targets (#10274) extra logs in-case of misconfiguration of audit/logger targets
2020-08-16 19:25:00 +02:00
if err = logger.AddTarget(
fix: optimize ServerInfo() handler to avoid reading config (#10626) fixes #10620
2020-10-03 01:19:44 +02:00
http.New(
http.WithTargetName(k),
http.WithEndpoint(l.Endpoint),
fix: use specified authToken for audit/logger HTTP targets (#9249) We were not using the auth token specified even when config supports it.
2020-04-02 05:53:07 +02:00
http.WithAuthToken(l.AuthToken),
http.WithUserAgent(loggerUserAgent),
http.WithLogKind(string(logger.All)),
http.WithTransport(NewGatewayHTTPTransport()),
),
add validation logs for configured Logger/Audit HTTP targets (#10274) extra logs in-case of misconfiguration of audit/logger targets
2020-08-16 19:25:00 +02:00
); err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize console HTTP target: %w", err))
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
}
fix: optimize ServerInfo() handler to avoid reading config (#10626) fixes #10620
2020-10-03 01:19:44 +02:00
for k, l := range loggerCfg.Audit {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if l.Enabled {
// Enable http audit logging
add validation logs for configured Logger/Audit HTTP targets (#10274) extra logs in-case of misconfiguration of audit/logger targets
2020-08-16 19:25:00 +02:00
if err = logger.AddAuditTarget(
fix: optimize ServerInfo() handler to avoid reading config (#10626) fixes #10620
2020-10-03 01:19:44 +02:00
http.New(
http.WithTargetName(k),
http.WithEndpoint(l.Endpoint),
fix: use specified authToken for audit/logger HTTP targets (#9249) We were not using the auth token specified even when config supports it.
2020-04-02 05:53:07 +02:00
http.WithAuthToken(l.AuthToken),
http.WithUserAgent(loggerUserAgent),
http.WithLogKind(string(logger.All)),
Add support for mTLS for Audit log target (#11645)
2021-03-01 18:19:13 +01:00
http.WithTransport(NewGatewayHTTPTransportWithClientCerts(l.ClientCert, l.ClientKey)),
fix: use specified authToken for audit/logger HTTP targets (#9249) We were not using the auth token specified even when config supports it.
2020-04-02 05:53:07 +02:00
),
add validation logs for configured Logger/Audit HTTP targets (#10274) extra logs in-case of misconfiguration of audit/logger targets
2020-08-16 19:25:00 +02:00
); err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize audit HTTP target: %w", err))
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
}
fix: Do not need safe-mode for unreachable targets upon restart (#8686)
2019-12-22 07:35:50 +01:00
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
globalConfigTargetList, err = notify.GetNotificationTargets(GlobalContext, s, NewGatewayHTTPTransport(), false)
fix: Do not need safe-mode for unreachable targets upon restart (#8686)
2019-12-22 07:35:50 +01:00
if err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize notification target(s): %w", err))
}
Add response header timeouts (#9170) - Add conservative timeouts upto 3 minutes for internode communication - Add aggressive timeouts of 30 seconds for gateway communication Fixes #9105 Fixes #8732 Fixes #8881 Fixes #8376 Fixes #9028
2020-03-22 06:10:13 +01:00
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
globalEnvTargetList, err = notify.GetNotificationTargets(GlobalContext, newServerConfig(), NewGatewayHTTPTransport(), true)
Fix: admin config set API for notifications (#9085) Filter out targets set via env when validating incoming config change against configured notification targets Fixes #9066
2020-03-14 08:01:15 +01:00
if err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize notification target(s): %w", err))
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
// Apply dynamic config values
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
logger.LogIf(ctx, applyDynamicConfig(ctx, newObjectLayerFn(), s))
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
}
// applyDynamicConfig will apply dynamic config values.
// Dynamic systems should be in config.SubSystemsDynamic as well.
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
func applyDynamicConfig(ctx context.Context, objAPI ObjectLayer, s config.Config) error {
if objAPI == nil {
return nil
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
// Read all dynamic configs.
// API
apiConfig, err := api.LookupConfig(s[config.APISubSys][config.Default])
if err != nil {
logger.LogIf(ctx, fmt.Errorf("Invalid api configuration: %w", err))
}
// Compression
cmpCfg, err := compress.LookupConfig(s[config.CompressionSubSys][config.Default])
if err != nil {
return fmt.Errorf("Unable to setup Compression: %w", err)
}
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
// Validate if the object layer supports compression.
if cmpCfg.Enabled && !objAPI.IsCompressionSupported() {
return fmt.Errorf("Backend does not support compression")
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
}
// Heal
healCfg, err := heal.LookupConfig(s[config.HealSubSys][config.Default])
if err != nil {
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
return fmt.Errorf("Unable to apply heal config: %w", err)
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
}
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
// Scanner
scannerCfg, err := scanner.LookupConfig(s[config.ScannerSubSys][config.Default])
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
if err != nil {
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
return fmt.Errorf("Unable to apply scanner config: %w", err)
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
}
// Apply configurations.
// We should not fail after this.
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
globalAPIConfig.init(apiConfig, objAPI.SetDriveCounts())
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
globalCompressConfigMu.Lock()
globalCompressConfig = cmpCfg
globalCompressConfigMu.Unlock()
globalHealConfigMu.Lock()
globalHealConfig = healCfg
globalHealConfigMu.Unlock()
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
logger.LogIf(ctx, scannerSleeper.Update(scannerCfg.Delay, scannerCfg.MaxWait))
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
// Update all dynamic config values in memory.
globalServerConfigMu.Lock()
defer globalServerConfigMu.Unlock()
if globalServerConfig != nil {
for k := range config.SubSystemsDynamic {
globalServerConfig[k] = s[k]
}
}
return nil
fix: use its own lock in serverConfigV17 (#4014) Previously serverConfigV17 used a global lock that made any instance of serverConfigV17 depended on single global serverConfigMu. This patch fixes by having individual lock per instances.
2017-03-31 07:26:24 +02:00
}
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
// Help - return sub-system level help
type Help struct {
SubSys string `json:"subSys"`
Description string `json:"description"`
MultipleTargets bool `json:"multipleTargets"`
KeysHelp config.HelpKVS `json:"keysHelp"`
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
// GetHelp - returns help for sub-sys, a key for a sub-system or all the help.
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
func GetHelp(subSys, key string, envOnly bool) (Help, error) {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if len(subSys) == 0 {
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
return Help{KeysHelp: config.HelpSubSysMap[subSys]}, nil
Add admin get/set config keys API (#6113) This PR adds two new admin APIs in Minio server and madmin package: - GetConfigKeys(keys []string) ([]byte, error) - SetConfigKeys(params map[string]string) (err error) A key is a path in Minio configuration file, (e.g. notify.webhook.1) The user will always send a string value when setting it in the config file, the API will know how to convert the value to the appropriate type. The user is also able to set a raw json. Before setting a new config, Minio will validate all fields and try to connect to notification targets if available.
2018-09-06 17:03:18 +02:00
}
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
subSystemValue := strings.SplitN(subSys, config.SubSystemSeparator, 2)
if len(subSystemValue) == 0 {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
return Help{}, config.Errorf("invalid number of arguments %s", subSys)
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
}
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
subSys = subSystemValue[0]
subSysHelp, ok := config.HelpSubSysMap[""].Lookup(subSys)
if !ok {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
return Help{}, config.Errorf("unknown sub-system %s", subSys)
Add admin get/set config keys API (#6113) This PR adds two new admin APIs in Minio server and madmin package: - GetConfigKeys(keys []string) ([]byte, error) - SetConfigKeys(params map[string]string) (err error) A key is a path in Minio configuration file, (e.g. notify.webhook.1) The user will always send a string value when setting it in the config file, the API will know how to convert the value to the appropriate type. The user is also able to set a raw json. Before setting a new config, Minio will validate all fields and try to connect to notification targets if available.
2018-09-06 17:03:18 +02:00
}
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
h, ok := config.HelpSubSysMap[subSys]
if !ok {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
return Help{}, config.Errorf("unknown sub-system %s", subSys)
Add ReadFrom,WriteTo helpers for server config (#8580)
2019-11-27 18:36:08 +01:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if key != "" {
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
value, ok := h.Lookup(key)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if !ok {
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
return Help{}, config.Errorf("unknown key %s for sub-system %s",
key, subSys)
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
}
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
h = config.HelpKVS{value}
feature: added nsq as broker for events (#6740)
2018-11-07 19:23:13 +01:00
}
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
envHelp := config.HelpKVS{}
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
if envOnly {
fix: document _ENABLE for all notification targets (#8864) Fixes #8863
2020-01-21 01:48:19 +01:00
// Only for multiple targets, make sure
// to list the ENV, for regular k/v EnableKey is
// implicit, for ENVs we cannot make it implicit.
if subSysHelp.MultipleTargets {
envK := config.EnvPrefix + strings.Join([]string{
strings.ToTitle(subSys), strings.ToTitle(madmin.EnableKey),
}, config.EnvWordDelimiter)
envHelp = append(envHelp, config.HelpKV{
Key: envK,
Description: fmt.Sprintf("enable %s target, default is 'off'", subSys),
Optional: false,
Type: "on|off",
})
}
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
for _, hkv := range h {
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
envK := config.EnvPrefix + strings.Join([]string{
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
strings.ToTitle(subSys), strings.ToTitle(hkv.Key),
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
}, config.EnvWordDelimiter)
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
envHelp = append(envHelp, config.HelpKV{
Key: envK,
Description: hkv.Description,
Optional: hkv.Optional,
Type: hkv.Type,
})
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
}
Add help with order of keys (#8535)
2019-11-19 22:48:13 +01:00
h = envHelp
}
return Help{
SubSys: subSys,
Description: subSysHelp.Description,
MultipleTargets: subSysHelp.MultipleTargets,
KeysHelp: h,
}, nil
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
}
Add admin get/set config keys API (#6113) This PR adds two new admin APIs in Minio server and madmin package: - GetConfigKeys(keys []string) ([]byte, error) - SetConfigKeys(params map[string]string) (err error) A key is a path in Minio configuration file, (e.g. notify.webhook.1) The user will always send a string value when setting it in the config file, the API will know how to convert the value to the appropriate type. The user is also able to set a raw json. Before setting a new config, Minio will validate all fields and try to connect to notification targets if available.
2018-09-06 17:03:18 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
func newServerConfig() config.Config {
Fix review comments and new changes in config (#8515) - Migrate and save only settings which are enabled - Rename logger_http to logger_webhook and logger_http_audit to audit_webhook - No more pretty printing comments, comment is a key=value pair now. - Avoid quotes on values which do not have space in them - `state="on"` is implicit for all SetConfigKV unless specified explicitly as `state="off"` - Disabled IAM users should be disabled always
2019-11-14 02:38:05 +01:00
return config.New()
config: Fix creating new config with wrong version (#3821) Simplify a little config code to avoid making mistake next time.
2017-03-01 18:17:04 +01:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
// newSrvConfig - initialize a new server config, saves env parameters if
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
2018-08-15 06:41:47 +02:00
// found, otherwise use default parameters
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
func newSrvConfig(objAPI ObjectLayer) error {
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
2018-08-15 06:41:47 +02:00
// Initialize server config.
srvCfg := newServerConfig()
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 21:51:43 +01:00
// hold the mutex lock before a new config is assigned.
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ```
2017-11-29 22:12:47 +01:00
globalServerConfigMu.Lock()
globalServerConfig = srvCfg
globalServerConfigMu.Unlock()
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 21:51:43 +01:00
// Save config into file.
use GlobalContext whenever possible (#9280) This change is throughout the codebase to ensure that all codepaths honor GlobalContext
2020-04-09 18:30:02 +02:00
return saveServerConfig(GlobalContext, objAPI, globalServerConfig)
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 21:51:43 +01:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
func getValidConfig(objAPI ObjectLayer) (config.Config, error) {
use GlobalContext whenever possible (#9280) This change is throughout the codebase to ensure that all codepaths honor GlobalContext
2020-04-09 18:30:02 +02:00
return readServerConfig(GlobalContext, objAPI)
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
}
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 08:04:39 +01:00
// loadConfig - loads a new config from disk, overrides params
// from env if found and valid
Revert "Support variable server sets (#10314)" This reverts commit aabf053d2f0c1d2907dfa80799f173fa88607512.
2020-12-01 20:59:03 +01:00
func loadConfig(objAPI ObjectLayer) error {
srvCfg, err := getValidConfig(objAPI)
if err != nil {
return err
config: Relax browser and region to be empty. (#3912) - If browser field is missing or empty then default to "on". - If region field is empty or missing then default to "us-east-1" (S3 spec behavior)
2017-03-16 19:06:17 +01:00
}
Use a non member mutex lock for serverConfig access. (#3411) - This is to ensure that the any new config references made to the serverConfig is also backed by a mutex lock. - Otherwise any new config assigment will also replace the member mutex which is currently used for safe access.
2016-12-07 12:41:54 +01:00
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
2018-08-15 06:41:47 +02:00
// Override any values from ENVs.
validate storage class across pools when setting config (#11320) ``` mc admin config set alias/ storage_class standard=EC:3 ``` should only succeed if parity ratio is valid for all server pools, if not we should fail proactively. This PR also needs to bring other changes now that we need to cater for variadic drive counts per pool. Bonus fixes also various bugs reproduced with - GetObjectWithPartNumber() - CopyObjectPartWithOffsets() - CopyObjectWithMetadata() - PutObjectPart,PutObject with truncated streams
2021-01-22 21:09:24 +01:00
lookupConfigs(srvCfg, objAPI.SetDriveCounts())
Fix backend format for disk-cache - not to use FS format.json (#5732)
2018-03-29 23:38:26 +02:00
fix: use its own lock in serverConfigV17 (#4014) Previously serverConfigV17 used a global lock that made any instance of serverConfigV17 depended on single global serverConfigMu. This patch fixes by having individual lock per instances.
2017-03-31 07:26:24 +02:00
// hold the mutex lock before a new config is assigned.
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ```
2017-11-29 22:12:47 +01:00
globalServerConfigMu.Lock()
globalServerConfig = srvCfg
globalServerConfigMu.Unlock()
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
fix: use its own lock in serverConfigV17 (#4014) Previously serverConfigV17 used a global lock that made any instance of serverConfigV17 depended on single global serverConfigMu. This patch fixes by having individual lock per instances.
2017-03-31 07:26:24 +02:00
return nil
config/main: Re-write config files - add to new config v3 - New config format. ``` { "version": "3", "address": ":9000", "backend": { "type": "fs", "disk": "/path" }, "credential": { "accessKey": "WLGDGYAQYIGI833EV05A", "secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF" }, "region": "us-east-1", "logger": { "file": { "enable": false, "fileName": "", "level": "error" }, "syslog": { "enable": false, "address": "", "level": "debug" }, "console": { "enable": true, "level": "fatal" } } } ``` New command lines in lieu of supporting XL. Minio initialize filesystem backend. ~~~ $ minio init fs <path> ~~~ Minio initialize XL backend. ~~~ $ minio init xl <url1>...<url16> ~~~ For 'fs' backend it starts the server. ~~~ $ minio server ~~~ For 'xl' backend it waits for servers to join. ~~~ $ minio server ... [PROGRESS BAR] of servers connecting ~~~ Now on other servers execute 'join' and they connect. ~~~ .... minio join <url1> -- from <url2> && minio server minio join <url1> -- from <url3> && minio server ... ... minio join <url1> -- from <url16> && minio server ~~~
2016-02-13 00:27:10 +01:00
}
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
Rename iam/validator -> iam/openid and add tests (#8340) Refactor as part of config migration
2019-10-02 00:07:20 +02:00
// getOpenIDValidators - returns ValidatorList which contains
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
// enabled providers in server config.
// A new authentication provider is added like below
Rename iam/validator -> iam/openid and add tests (#8340) Refactor as part of config migration
2019-10-02 00:07:20 +02:00
// * Add a new provider in pkg/iam/openid package.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
func getOpenIDValidators(cfg openid.Config) *openid.Validators {
Rename iam/validator -> iam/openid and add tests (#8340) Refactor as part of config migration
2019-10-02 00:07:20 +02:00
validators := openid.NewValidators()
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if cfg.JWKS.URL != nil {
validators.Add(openid.NewJWT(cfg))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
}
return validators
}
Reference in a new issue Copy permalink