maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
minio/cmd/object-handlers.go

3078 lines
104 KiB
Go
Raw Normal View History

Update minioapi documentation
2015-02-24 01:46:48 +01:00
/*
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-09 20:39:42 +02:00
* MinIO Cloud Storage, (C) 2015-2018 MinIO, Inc.
Update minioapi documentation
2015-02-24 01:46:48 +01:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Update minioapi documentation
2015-02-24 01:46:48 +01:00
* See the License for the specific language governing permissions and
* limitations under the License.
*/
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
2016-08-19 01:23:42 +02:00
package cmd
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
import (
Add encryption buffer (#8626) Quite hard to measure difference: ``` λ warp cmp put-before.csv.zst put-after2.csv.zst Operation: PUT Operations: 340 -> 353 * Average: +4.11% (+22.7 MB/s) throughput, +4.11% (+0.2) obj/s * 50% Median: +1.58% (+7.3 MB/s) throughput, +1.58% (+0.1) obj/s ``` Difference is likely bigger on Intel platforms due to higher syscall costs.
2019-12-12 19:01:15 +01:00
"bufio"
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"context"
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
"encoding/hex"
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
"encoding/xml"
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
"io"
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
"net/http"
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
"net/url"
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
"sort"
Change CreateObject() to take size argument from content-length
2015-05-04 08:16:10 +02:00
"strconv"
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
"strings"
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
"time"
use package name correctly (#5827)
2018-04-22 04:23:54 +02:00
"github.com/gorilla/mux"
Update go mod with sem versions of our libraries (#7687)
2019-05-30 01:35:12 +02:00
miniogo "github.com/minio/minio-go/v6"
"github.com/minio/minio-go/v6/pkg/encrypt"
Add etcd path prefix for all IAM assets (#8569) Currently, we use the top-level prefix "config/" for all our IAM assets, instead of to provide tenant-level separation bring 'path_prefix' to namespace the access properly. Fixes #8567
2019-11-26 01:33:34 +01:00
"github.com/minio/minio/cmd/config/etcd/dns"
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
"github.com/minio/minio/cmd/config/storageclass"
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
"github.com/minio/minio/cmd/crypto"
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
xhttp "github.com/minio/minio/cmd/http"
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"github.com/minio/minio/cmd/logger"
Rename pkg/{tagging,lifecycle} to pkg/bucket sub-directory (#8892) Rename to allow for more such features to come in a more proper hierarchical manner.
2020-01-27 23:12:34 +01:00
objectlock "github.com/minio/minio/pkg/bucket/object/lock"
"github.com/minio/minio/pkg/bucket/object/tagging"
"github.com/minio/minio/pkg/bucket/policy"
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
"github.com/minio/minio/pkg/event"
Use GetSourceIP for source ip as request params (#6109) Fixes #6108
2018-07-02 23:40:18 +02:00
"github.com/minio/minio/pkg/handlers"
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
"github.com/minio/minio/pkg/hash"
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
iampolicy "github.com/minio/minio/pkg/iam/policy"
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
"github.com/minio/minio/pkg/ioutil"
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
"github.com/minio/minio/pkg/s3select"
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
"github.com/minio/sio"
Handle partNumberMarker with listObjectParts now and other fixes
2015-05-10 04:39:00 +02:00
)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
// supportedHeadGetReqParams - supported request parameters for GET and HEAD presigned request.
var supportedHeadGetReqParams = map[string]string{
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
"response-expires": xhttp.Expires,
"response-content-type": xhttp.ContentType,
"response-cache-control": xhttp.CacheControl,
"response-content-encoding": xhttp.ContentEncoding,
"response-content-language": xhttp.ContentLanguage,
"response-content-disposition": xhttp.ContentDisposition,
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
const (
compressionAlgorithmV1 = "golang/snappy/LZ77"
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
compressionAlgorithmV2 = "klauspost/compress/s2"
Add encryption buffer (#8626) Quite hard to measure difference: ``` λ warp cmp put-before.csv.zst put-after2.csv.zst Operation: PUT Operations: 340 -> 353 * Average: +4.11% (+22.7 MB/s) throughput, +4.11% (+0.2) obj/s * 50% Median: +1.58% (+7.3 MB/s) throughput, +1.58% (+0.1) obj/s ``` Difference is likely bigger on Intel platforms due to higher syscall costs.
2019-12-12 19:01:15 +01:00
// When an upload exceeds encryptBufferThreshold ...
encryptBufferThreshold = 1 << 20
// add an input buffer of this size.
encryptBufferSize = 1 << 20
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
)
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
// setHeadGetRespHeaders - set any requested parameters as response headers.
func setHeadGetRespHeaders(w http.ResponseWriter, reqParams url.Values) {
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
for k, v := range reqParams {
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
if header, ok := supportedHeadGetReqParams[k]; ok {
getObject: Add support for special response headers. Supports now response-content-type, response-content-disposition, response-cache-control, response-expires.
2016-02-07 12:37:54 +01:00
w.Header()[header] = v
}
}
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
// SelectObjectContentHandler - GET Object?select
// ----------
// This implementation of the GET operation retrieves object content based
// on an SQL expression. In the request, along with the sql expression, you must
// also specify a data serialization format (JSON, CSV) of the object.
func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "SelectObject")
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "SelectObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
// Fetch object stat info.
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// get gateway encryption options
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err := getOpts(ctx, r, bucket, object)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Check for auth type to return S3 compatible error.
// type to return the correct error (NoSuchKey vs AccessDenied)
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
// As per "Permission" section in
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if globalPolicySys.IsAllowed(policy.Args{
Action: policy.ListBucketAction,
BucketName: bucket,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
ConditionValues: getConditionValues(r, "", "", nil),
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
IsOwner: false,
}) {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
if toAPIError(ctx, err).Code == "NoSuchKey" {
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
s3Error = ErrNoSuchKey
}
}
}
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Get request range.
rangeHeader := r.Header.Get("Range")
if rangeHeader != "" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrUnsupportedRangeHeader), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
if r.ContentLength <= 0 {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEmptyRequestBody), r.URL, guessIsBrowserReq(r))
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
return
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
s3Select, err := s3select.NewS3Select(r.Body)
if err != nil {
if serr, ok := err.(s3select.SelectError); ok {
Select should return early errors as XML (#7230) Currently, we were sending errors in Select binary format, which is incompatible with AWS S3 behavior, errors in binary are sent after HTTP status code is already 200 OK - i.e it happens during the evaluation of the record reader.
2019-02-13 08:48:11 +01:00
encodedErrorResponse := encodeResponse(APIErrorResponse{
Code: serr.ErrorCode(),
Message: serr.ErrorMessage(),
BucketName: bucket,
Key: object,
Resource: r.URL.Path,
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
RequestID: w.Header().Get(xhttp.AmzRequestID),
Remove DeploymentID from response headers (#7815) Response headers need not contain deployment ID.
2019-07-01 21:22:01 +02:00
HostID: globalDeploymentID,
Select should return early errors as XML (#7230) Currently, we were sending errors in Select binary format, which is incompatible with AWS S3 behavior, errors in binary are sent after HTTP status code is already 200 OK - i.e it happens during the evaluation of the record reader.
2019-02-13 08:48:11 +01:00
})
writeResponse(w, serr.HTTPStatusCode(), encodedErrorResponse, mimeXML)
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
} else {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
}
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
getObject := func(offset, length int64) (rc io.ReadCloser, err error) {
isSuffixLength := false
if offset < 0 {
isSuffixLength = true
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
rs := &HTTPRangeSpec{
IsSuffixLength: isSuffixLength,
Start: offset,
Rebase minio/parquet-go and fix null handling. (#7067)
2019-01-16 17:22:04 +01:00
End: offset + length,
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
return getObjectNInfo(ctx, bucket, object, rs, r.Header, readLock, ObjectOptions{})
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
Add new SQL parser to support S3 Select syntax (#7102) - New parser written from scratch, allows easier and complete parsing of the full S3 Select SQL syntax. Parser definition is directly provided by the AST defined for the SQL grammar. - Bring support to parse and interpret SQL involving JSON path expressions; evaluation of JSON path expressions will be subsequently added. - Bring automatic type inference and conversion for untyped values (e.g. CSV data).
2019-01-29 02:59:48 +01:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add new SQL parser to support S3 Select syntax (#7102) - New parser written from scratch, allows easier and complete parsing of the full S3 Select SQL syntax. Parser definition is directly provided by the AST defined for the SQL grammar. - Bring support to parse and interpret SQL involving JSON path expressions; evaluation of JSON path expressions will be subsequently added. - Bring automatic type inference and conversion for untyped values (e.g. CSV data).
2019-01-29 02:59:48 +01:00
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
legalHoldPerms := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// filter object lock metadata if permission does not permit
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
objInfo.UserDefined = objectlock.FilterObjectLockMetadata(objInfo.UserDefined, getRetPerms != ErrNone, legalHoldPerms != ErrNone)
Add new SQL parser to support S3 Select syntax (#7102) - New parser written from scratch, allows easier and complete parsing of the full S3 Select SQL syntax. Parser definition is directly provided by the AST defined for the SQL grammar. - Bring support to parse and interpret SQL involving JSON path expressions; evaluation of JSON path expressions will be subsequently added. - Bring automatic type inference and conversion for untyped values (e.g. CSV data).
2019-01-29 02:59:48 +01:00
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
if err = s3Select.Open(getObject); err != nil {
if serr, ok := err.(s3select.SelectError); ok {
Select should return early errors as XML (#7230) Currently, we were sending errors in Select binary format, which is incompatible with AWS S3 behavior, errors in binary are sent after HTTP status code is already 200 OK - i.e it happens during the evaluation of the record reader.
2019-02-13 08:48:11 +01:00
encodedErrorResponse := encodeResponse(APIErrorResponse{
Code: serr.ErrorCode(),
Message: serr.ErrorMessage(),
BucketName: bucket,
Key: object,
Resource: r.URL.Path,
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
RequestID: w.Header().Get(xhttp.AmzRequestID),
Remove DeploymentID from response headers (#7815) Response headers need not contain deployment ID.
2019-07-01 21:22:01 +02:00
HostID: globalDeploymentID,
Select should return early errors as XML (#7230) Currently, we were sending errors in Select binary format, which is incompatible with AWS S3 behavior, errors in binary are sent after HTTP status code is already 200 OK - i.e it happens during the evaluation of the record reader.
2019-02-13 08:48:11 +01:00
})
writeResponse(w, serr.HTTPStatusCode(), encodedErrorResponse, mimeXML)
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
} else {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Performance improvements to SELECT API on certain query operations (#6752) This improves the performance of certain queries dramatically, such as 'count(*)' etc. Without this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m42.464s user 0m0.071s sys 0m0.010s ``` With this PR ``` ~ time mc select --query "select count(*) from S3Object" myminio/sjm-airlines/star2000.csv.gz 2173762 real 0m17.603s user 0m0.093s sys 0m0.008s ``` Almost a 250% improvement in performance. This PR avoids a lot of type conversions and instead relies on raw sequences of data and interprets them lazily. ``` benchcmp old new benchmark old ns/op new ns/op delta BenchmarkSQLAggregate_100K-4 551213 259782 -52.87% BenchmarkSQLAggregate_1M-4 6981901985 2432413729 -65.16% BenchmarkSQLAggregate_2M-4 13511978488 4536903552 -66.42% BenchmarkSQLAggregate_10M-4 68427084908 23266283336 -66.00% benchmark old allocs new allocs delta BenchmarkSQLAggregate_100K-4 2366 485 -79.50% BenchmarkSQLAggregate_1M-4 47455492 21462860 -54.77% BenchmarkSQLAggregate_2M-4 95163637 43110771 -54.70% BenchmarkSQLAggregate_10M-4 476959550 216906510 -54.52% benchmark old bytes new bytes delta BenchmarkSQLAggregate_100K-4 1233079 1086024 -11.93% BenchmarkSQLAggregate_1M-4 2607984120 557038536 -78.64% BenchmarkSQLAggregate_2M-4 5254103616 1128149168 -78.53% BenchmarkSQLAggregate_10M-4 26443524872 5722715992 -78.36% ```
2018-11-15 00:55:10 +01:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
return
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
SQL select query for CSV/JSON (#6648) select * , select column names have been implemented for CSV. select * is implemented for JSON.
2018-10-22 21:12:22 +02:00
Refactor s3select to support parquet. (#7023) Also handle pretty formatted JSON documents.
2019-01-09 01:53:04 +01:00
s3Select.Evaluate(w)
s3Select.Close()
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
// Notify object accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGet,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 19:45:42 +01:00
Host: handlers.GetSourceIP(r),
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
})
S3 Select API Support for CSV (#6127) Add support for trivial where clause cases
2018-08-15 12:30:19 +02:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// GetObjectHandler - GET Object
Update minioapi documentation
2015-02-24 01:46:48 +01:00
// ----------
// This implementation of the GET operation retrieves object. To use GET,
// you must have READ access to the object.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "GetObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "GetObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL, guessIsBrowserReq(r))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
return
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// get gateway encryption options
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err := getOpts(ctx, r, bucket, object)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Check for auth type to return S3 compatible error.
// type to return the correct error (NoSuchKey vs AccessDenied)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// As per "Permission" section in
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if globalPolicySys.IsAllowed(policy.Args{
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
Action: policy.ListBucketAction,
BucketName: bucket,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
ConditionValues: getConditionValues(r, "", "", nil),
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
IsOwner: false,
}) {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
if toAPIError(ctx, err).Code == "NoSuchKey" {
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
s3Error = ErrNoSuchKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
}
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
}
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
return
}
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
}
// Get request range.
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
var rs *HTTPRangeSpec
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
rangeHeader := r.Header.Get("Range")
if rangeHeader != "" {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if rs, err = parseRequestRangeSpec(rangeHeader); err != nil {
// Handle only errInvalidRange. Ignore other
// parse error and treat it as regular Get
// request like Amazon S3.
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
if err == errInvalidRange {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRange), r.URL, guessIsBrowserReq(r))
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
return
}
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs.
2019-10-12 03:50:54 +02:00
logger.LogIf(ctx, err, logger.Application)
Change SelectAPI to use new GetObjectNInfo API (#6373) This PR also removes some double checks
2018-08-28 22:08:30 +02:00
}
}
Add ObjectOptions to GetObjectNInfo (#6533)
2018-09-27 12:06:45 +02:00
gr, err := getObjectNInfo(ctx, bucket, object, rs, r.Header, readLock, opts)
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
object: checkETag compares quoted ETags properly (#1997) Previously, checkETag didn't handle ETags with leading and trailing double quotes. e.g "abcdef1234" == "\"abcdef1234\"" would return false. Now, checkETag function canonicalizes the ETags passed as arguments by removing one leading/trailing double quote.
2016-06-27 03:10:08 +02:00
return
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
defer gr.Close()
objInfo := gr.ObjInfo
object: checkETag compares quoted ETags properly (#1997) Previously, checkETag didn't handle ETags with leading and trailing double quotes. e.g "abcdef1234" == "\"abcdef1234\"" would return false. Now, checkETag function canonicalizes the ETags passed as arguments by removing one leading/trailing double quote.
2016-06-27 03:10:08 +02:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// filter object lock metadata if permission does not permit
getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
legalHoldPerms := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object)
// filter object lock metadata if permission does not permit
objInfo.UserDefined = objectlock.FilterObjectLockMetadata(objInfo.UserDefined, getRetPerms != ErrNone, legalHoldPerms != ErrNone)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
if objectAPI.IsEncryptionSupported() {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
objInfo.UserDefined = CleanMinioInternalMetadataKeys(objInfo.UserDefined)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
XL: bring in new storage API. (#1780) Fixes #1771
2016-05-29 00:13:15 +02:00
}
api: SourceInfo should be populated in GET/HEAD notification. (#4073) Refer https://github.com/minio/mc/issues/2073
2017-04-08 10:39:20 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Validate pre-conditions if any.
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
if checkPreconditions(ctx, w, r, objInfo) {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
if crypto.IsEncrypted(objInfo.UserDefined) {
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
}
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if err = setObjectHeaders(w, objInfo, rs); err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
Revert all GetObjectNInfo related PRs (#6398) * Revert "Encrypted reader wrapped in NewGetObjectReader should be closed (#6383)" This reverts commit 53a0bbeb5b604503b61f6d4aa38414babe4de66c. * Revert "Change SelectAPI to use new GetObjectNInfo API (#6373)" This reverts commit 5b05df215a71e1de8b46e239d5a4efa49281c014. * Revert "Implement GetObjectNInfo object layer call (#6290)" This reverts commit e6d740ce09b3020d2c7debfbea445c21b0acb86c.
2018-08-31 22:10:12 +02:00
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
setHeadGetRespHeaders(w, r.URL.Query())
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
statusCodeWritten := false
httpWriter := ioutil.WriteOnClose(w)
if rs != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
statusCodeWritten = true
w.WriteHeader(http.StatusPartialContent)
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// Write object content to response body
if _, err = io.Copy(httpWriter, gr); err != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
if !httpWriter.HasWritten() && !statusCodeWritten { // write error response only if no data or headers has been written to client yet
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
}
XL: bring in new storage API. (#1780) Fixes #1771
2016-05-29 00:13:15 +02:00
return
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
if err = httpWriter.Close(); err != nil {
Avoid sending an error after 206 HTTP code (#6264) When a S3 client sends a GET Object with a range header, 206 http code is returned indicating success, however the call of the object layer's GetObject() inside the handler can return an error and will lead to writing an XML error message, which is obviously wrong since we already sent 206 http code. So in the case, we just stop sending data to the S3 client, this latter can still detect if there is no error when comparing received data with Content-Length header in the Get Object response.
2018-08-09 00:39:47 +02:00
if !httpWriter.HasWritten() && !statusCodeWritten { // write error response only if no data or headers has been written to client yet
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
return
}
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
// Notify object accessed via a GET request.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Add content-length as part of event notification structure (#6341) Fixes #6321
2018-08-23 23:40:54 +02:00
EventName: event.ObjectAccessedGet,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 19:45:42 +01:00
Host: handlers.GetSourceIP(r),
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// HeadObjectHandler - HEAD Object
Update minioapi documentation
2015-02-24 01:46:48 +01:00
// -----------
// The HEAD operation retrieves metadata from an object without returning the object itself.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "HeadObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "HeadObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrServerNotInitialized))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrBadRequest))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrNoSuchVersion))
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
return
}
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 22:48:58 +02:00
getObjectInfo := objectAPI.GetObjectInfo
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
if api.CacheAPI() != nil {
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 22:48:58 +02:00
getObjectInfo = api.CacheAPI().GetObjectInfo
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
}
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err := getOpts(ctx, r, bucket, object)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
if getRequestAuthType(r) == authTypeAnonymous {
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
// As per "Permission" section in
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
// If the object you request does not exist,
// the error Amazon S3 returns depends on
// whether you also have the s3:ListBucket
// permission.
// * If you have the s3:ListBucket permission
// on the bucket, Amazon S3 will return an
// HTTP status code 404 ("no such key")
// error.
// * if you dont have the s3:ListBucket
// permission, Amazon S3 will return an HTTP
// status code 403 ("access denied") error.`
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if globalPolicySys.IsAllowed(policy.Args{
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
Action: policy.ListBucketAction,
BucketName: bucket,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
ConditionValues: getConditionValues(r, "", "", nil),
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
IsOwner: false,
}) {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
_, err = getObjectInfo(ctx, bucket, object, opts)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
if toAPIError(ctx, err).Code == "NoSuchKey" {
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
s3Error = ErrNoSuchKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
}
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
}
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(s3Error))
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
// Get request range.
var rs *HTTPRangeSpec
rangeHeader := r.Header.Get("Range")
if rangeHeader != "" {
if rs, err = parseRequestRangeSpec(rangeHeader); err != nil {
// Handle only errInvalidRange. Ignore other
// parse error and treat it as regular Get
// request like Amazon S3.
if err == errInvalidRange {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInvalidRange))
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
return
}
logger.LogIf(ctx, err)
}
}
Switch back to GetObjectInfo for HEAD requests (#6513)
2018-09-21 22:48:58 +02:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
2018-05-02 08:43:27 +02:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// filter object lock metadata if permission does not permit
getRetPerms := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
legalHoldPerms := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object)
// filter object lock metadata if permission does not permit
objInfo.UserDefined = objectlock.FilterObjectLockMetadata(objInfo.UserDefined, getRetPerms != ErrNone, legalHoldPerms != ErrNone)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
if objectAPI.IsEncryptionSupported() {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
return
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
objInfo.UserDefined = CleanMinioInternalMetadataKeys(objInfo.UserDefined)
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
}
// Set encryption response headers
if objectAPI.IsEncryptionSupported() {
if crypto.IsEncrypted(objInfo.UserDefined) {
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
Validate user provided SSE-C key on Head Object API (#6600) Fixes #6598
2018-10-16 21:24:27 +02:00
// Validate the SSE-C Key set in the header.
if _, err = crypto.SSEC.UnsealObjectKey(r.Header, objInfo.UserDefined, bucket, object); err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Validate user provided SSE-C key on Head Object API (#6600) Fixes #6598
2018-10-16 21:24:27 +02:00
return
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
}
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-29 03:10:37 +01:00
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
// Validate pre-conditions if any.
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
if checkPreconditions(ctx, w, r, objInfo) {
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-29 03:10:37 +01:00
return
}
XL/GetObject: If quorum not available during GetObject appropriate error should be returned. (#2135)
2016-07-11 02:12:22 +02:00
// Set standard object headers.
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-12 20:07:43 +01:00
if err = setObjectHeaders(w, objInfo, rs); err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
api: Implement support for additional request headers. Now GetObject and HeadObject both support - If-Modified-Since, If-Unmodified-Since - If-Match, If-None-Match request headers. These headers are used to further handle the responses for GetObject and HeadObject API. Fixes #1098
2016-02-29 03:10:37 +01:00
Honor overriding response headers for HEAD (#4784) Though not clearly mentioned in S3 specification, we should override response headers for presigned HEAD requests as we do for GET.
2017-08-08 20:04:04 +02:00
// Set any additional requested response headers.
setHeadGetRespHeaders(w, r.URL.Query())
XL: erasure Index should have its corresponding distribution order. (#2300)
2016-07-27 20:57:08 +02:00
// Successful response.
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
if rs != nil {
w.WriteHeader(http.StatusPartialContent)
} else {
w.WriteHeader(http.StatusOK)
}
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
// Notify object accessed via a HEAD request.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Add content-length as part of event notification structure (#6341) Fixes #6321
2018-08-23 23:40:54 +02:00
EventName: event.ObjectAccessedHead,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 19:45:42 +01:00
Host: handlers.GetSourceIP(r),
Add notification for object access via GET/HEAD (#3941) The following notification event types are available for all targets, s3:ObjectAccessed:Get s3:ObjectAccessed:Head s3:ObjectAccessed:*
2017-03-21 18:32:17 +01:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Extract metadata relevant for an CopyObject operation based on conditional
// header values specified in X-Amz-Metadata-Directive.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
func getCpObjMetadataFromHeader(ctx context.Context, r *http.Request, userMeta map[string]string) (map[string]string, error) {
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// Make a copy of the supplied metadata to avoid
// to change the original one.
defaultMeta := make(map[string]string, len(userMeta))
for k, v := range userMeta {
defaultMeta[k] = v
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// remove SSE Headers from source info
crypto.RemoveSSEHeaders(defaultMeta)
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-17 02:42:44 +02:00
// Storage class is special, it can be replaced regardless of the
// metadata directive, if set should be preserved and replaced
// to the destination metadata.
sc := r.Header.Get(xhttp.AmzStorageClass)
if sc == "" {
sc = r.URL.Query().Get(xhttp.AmzStorageClass)
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// if x-amz-metadata-directive says REPLACE then
// we extract metadata from the input headers.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
if isDirectiveReplace(r.Header.Get(xhttp.AmzMetadataDirective)) {
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-17 02:42:44 +02:00
emetadata, err := extractMetadata(ctx, r)
if err != nil {
return nil, err
}
if sc != "" {
emetadata[xhttp.AmzStorageClass] = sc
}
return emetadata, nil
}
if sc != "" {
defaultMeta[xhttp.AmzStorageClass] = sc
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// if x-amz-metadata-directive says COPY then we
// return the default metadata.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
if isDirectiveCopy(r.Header.Get(xhttp.AmzMetadataDirective)) {
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return defaultMeta, nil
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Copy is default behavior if not x-amz-metadata-directive is set.
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return defaultMeta, nil
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
// Extract tags relevant for an CopyObject operation based on conditional
// header values specified in X-Amz-Tagging-Directive.
func getCpObjTagsFromHeader(ctx context.Context, r *http.Request, tags string) (string, error) {
// if x-amz-tagging-directive says REPLACE then
// we extract tags from the input headers.
if isDirectiveReplace(r.Header.Get(xhttp.AmzTagDirective)) {
if tags := r.Header.Get(xhttp.AmzObjectTagging); tags != "" {
return extractTags(ctx, tags)
}
// Copy is default behavior if x-amz-tagging-directive is set, but x-amz-tagging is
// is not set
return tags, nil
}
// Copy is default behavior if x-amz-tagging-directive is not set.
return tags, nil
}
Choose right users in federation mode for CopyObject (#6895)
2018-11-30 02:35:11 +01:00
// Returns a minio-go Client configured to access remote host described by destDNSRecord
// Applicable only in a federated deployment
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
var getRemoteInstanceClient = func(r *http.Request, host string) (*miniogo.Core, error) {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
cred := getReqAccessCred(r, globalServerRegion)
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
// In a federated deployment, all the instances share config files
// and hence expected to have same credentials.
core, err := miniogo.NewCore(host, cred.AccessKey, cred.SecretKey, globalIsSSL)
if err != nil {
return nil, err
}
Add response header timeouts (#9170) - Add conservative timeouts upto 3 minutes for internode communication - Add aggressive timeouts of 30 seconds for gateway communication Fixes #9105 Fixes #8732 Fixes #8881 Fixes #8376 Fixes #9028
2020-03-22 06:10:13 +01:00
core.SetCustomTransport(NewGatewayHTTPTransport())
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
return core, nil
}
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 19:19:22 +02:00
// Check if the destination bucket is on a remote site, this code only gets executed
// when federation is enabled, ie when globalDNSConfig is non 'nil'.
//
// This function is similar to isRemoteCallRequired but specifically for COPY object API
// if destination and source are same we do not need to check for destnation bucket
// to exist locally.
func isRemoteCopyRequired(ctx context.Context, srcBucket, dstBucket string, objAPI ObjectLayer) bool {
if srcBucket == dstBucket {
return false
}
return isRemoteCallRequired(ctx, dstBucket, objAPI)
}
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
// Check if the bucket is on a remote site, this code only gets executed when federation is enabled.
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 19:19:22 +02:00
func isRemoteCallRequired(ctx context.Context, bucket string, objAPI ObjectLayer) bool {
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
if globalDNSConfig == nil {
return false
}
Disable federated buckets when etcd is namespaced (#8709) This is to ensure that when we have multiple tenants deployed all sharing the same etcd for global bucket should avoid listing each others buckets, this leads to information leak which should be avoided unless etcd is not namespaced for IAM assets in which case it can be assumed that its a federated setup. Federated setup and namespaced IAM assets on etcd is not supported since namespacing is only useful when you wish to separate the tenants as isolated instances of MinIO. This PR allows a new type of behavior, primarily driven by the usecase of m3(mkube) multi-tenant deployments with global bucket support.
2019-12-29 17:56:45 +01:00
if globalBucketFederation {
_, err := objAPI.GetBucketInfo(ctx, bucket)
return err == toObjectErr(errVolumeNotFound, bucket)
}
return false
Choose right users in federation mode for CopyObject (#6895)
2018-11-30 02:35:11 +01:00
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
// CopyObjectHandler - Copy Object
// ----------
// This implementation of the PUT operation adds an object to a bucket
// while reading the object from another source.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "CopyObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "CopyObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
vars := mux.Vars(r)
dstBucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
dstObject, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, dstBucket, dstObject); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
URL Encode X-Amz-Copy-Source as per the spec (#2114) The documents for COPY state that the X-Amz-Copy-Source must be URL encoded. http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html
2016-07-06 23:00:29 +02:00
// TODO: Reject requests where body/payload is present, for now we don't even read it.
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
// Read escaped copy source path to check for parameters.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
cpSrcPath := r.Header.Get(xhttp.AmzCopySource)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
// Check https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html
// Regardless of whether you have enabled versioning, each object in your bucket
// has a version ID. If you have not enabled versioning, Amazon S3 sets the value
// of the version ID to null. If you have enabled versioning, Amazon S3 assigns a
// unique version ID value for the object.
if u, err := url.Parse(cpSrcPath); err == nil {
// Check if versionId query param was added, if yes then check if
// its non "null" value, we should error out since we do not support
// any versions other than "null".
if vid := u.Query().Get("versionId"); vid != "" && vid != "null" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
return
}
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
// Note that url.Parse does the unescaping
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
cpSrcPath = u.Path
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
if vid := r.Header.Get(xhttp.AmzCopySourceVersionID); vid != "" {
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
// Check if versionId header was added, if yes then check if
// its non "null" value, we should error out since we do not support
// any versions other than "null".
if vid != "null" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
return
}
}
Allow versionId to be null for Copy,Get,Head API calls (#6942) Fixes #6935
2018-12-12 20:43:44 +01:00
fix: Avoid double usage calculation on every restart (#8856) On every restart of the server, usage was being calculated which is not useful instead wait for sufficient time to start the crawling routine. This PR also avoids lots of double allocations through strings, optimizes usage of string builders and also avoids crawling through symbolic links. Fixes #8844
2020-01-21 23:07:49 +01:00
srcBucket, srcObject := path2BucketObject(cpSrcPath)
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, srcBucket, srcObject); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
return
}
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// Check if metadata directive is valid.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
if !isDirectiveValid(r.Header.Get(xhttp.AmzMetadataDirective)) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMetadataDirective), r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
remove SSE-S3 key rotation in CopyObject (#8278) This commit removes the SSE-S3 key rotation functionality from CopyObject since there will be a dedicated Admin-API for this purpose. Also update the security documentation to link to mc and the admin documentation.
2019-09-23 22:35:04 +02:00
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
// check if tag directive is valid
if !isDirectiveValid(r.Header.Get(xhttp.AmzTagDirective)) {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidTagDirective), r.URL, guessIsBrowserReq(r))
return
}
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-17 02:42:44 +02:00
// Validate storage class metadata if present
dstSc := r.Header.Get(xhttp.AmzStorageClass)
if dstSc != "" && !storageclass.IsValid(dstSc) {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidStorageClass), r.URL, guessIsBrowserReq(r))
return
}
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 10:42:34 +01:00
// Check if bucket encryption is enabled
_, encEnabled := globalBucketSSEConfigSys.Get(dstBucket)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// This request header needs to be set prior to setting ObjectOptions
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 10:42:34 +01:00
if (globalAutoEncryption || encEnabled) && !crypto.SSEC.IsRequested(r.Header) {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
var srcOpts, dstOpts ObjectOptions
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
srcOpts, err = copySrcOpts(ctx, r, srcBucket, srcObject)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
logger.LogIf(ctx, err)
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
// convert copy src encryption options for GET calls
var getOpts = ObjectOptions{}
getSSE := encrypt.SSE(srcOpts.ServerSideEncryption)
if getSSE != srcOpts.ServerSideEncryption {
getOpts.ServerSideEncryption = getSSE
}
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
dstOpts, err = copyDstOpts(ctx, r, dstBucket, dstObject, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
logger.LogIf(ctx, err)
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
API/handler: CopyObject make it behave in accordance with S3 spec. (#2155) Fixes bugs found while running s3verify tool - fixes #2152
2016-07-09 21:13:40 +02:00
Worm: Permit key-rotation of S3 encrypted objects (#7429) Fixes : #7399
2019-04-10 20:31:50 +02:00
cpSrcDstSame := isStringEqual(pathJoin(srcBucket, srcObject), pathJoin(dstBucket, dstObject))
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
getObjectNInfo := objectAPI.GetObjectNInfo
var lock = noLock
if !cpSrcDstSame {
lock = readLock
}
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 21:38:41 +01:00
checkCopyPrecondFn := func(o ObjectInfo, encETag string) bool {
return checkCopyObjectPreconditions(ctx, w, r, o, encETag)
}
getOpts.CheckCopyPrecondFn = checkCopyPrecondFn
srcOpts.CheckCopyPrecondFn = checkCopyPrecondFn
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
var rs *HTTPRangeSpec
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
gr, err := getObjectNInfo(ctx, srcBucket, srcObject, rs, r.Header, lock, getOpts)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
if err != nil {
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 21:38:41 +01:00
if isErrPreconditionFailed(err) {
return
}
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
return
}
defer gr.Close()
srcInfo := gr.ObjInfo
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
// maximum Upload size for object in a single CopyObject operation.
Change CopyObject{Part} to single srcInfo argument (#5553) Refactor such that metadata and etag are combined to a single argument `srcInfo`. This is a precursor change for #5544 making it easier for us to provide encryption/decryption functions.
2018-02-21 09:48:47 +01:00
if isMaxObjectSize(srcInfo.Size) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL, guessIsBrowserReq(r))
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// We have to copy metadata only if source and destination are same.
// this changes for encryption which can be observed below.
if cpSrcDstSame {
srcInfo.metadataOnly = true
}
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-17 02:42:44 +02:00
var chStorageClass bool
if dstSc != "" {
sc, ok := srcInfo.UserDefined[xhttp.AmzStorageClass]
if (ok && dstSc != sc) || (srcInfo.StorageClass != dstSc) {
chStorageClass = true
srcInfo.metadataOnly = false
}
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
var reader io.Reader
var length = srcInfo.Size
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
// Set the actual size to the decrypted size if encrypted.
actualSize := srcInfo.Size
if crypto.IsEncrypted(srcInfo.UserDefined) {
actualSize, err = srcInfo.DecryptedSize()
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
return
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
length = actualSize
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
}
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 21:05:41 +01:00
var compressMetadata map[string]string
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// No need to compress for remote etcd calls
// Pass the decompressed stream to such calls.
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
isCompressed := objectAPI.IsCompressionSupported() && isCompressible(r.Header, srcObject) && !isRemoteCopyRequired(ctx, srcBucket, dstBucket, objectAPI)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if isCompressed {
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 21:05:41 +01:00
compressMetadata = make(map[string]string, 2)
// Preserving the compression metadata.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
compressMetadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV2
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 21:05:41 +01:00
compressMetadata[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(actualSize, 10)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
// Remove all source encrypted related metadata to
// avoid copying them in target object.
crypto.RemoveInternalEntries(srcInfo.UserDefined)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
s2c := newS2CompressReader(gr)
defer s2c.Close()
reader = s2c
Replace snappy.Writer/io.Pipe with snappyCompressReader. (#7316) Prevents deferred close functions from being called while still attempting to copy reader to snappyWriter. Reduces code duplication when compressing objects.
2019-03-05 17:35:37 +01:00
length = -1
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
} else {
// Remove the metadata for remote calls.
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"compression")
delete(srcInfo.UserDefined, ReservedMetadataPrefix+"actual-size")
reader = gr
}
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
srcInfo.Reader, err = hash.NewReader(reader, length, "", "", actualSize, globalCLIContext.StrictS3Compat)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
return
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := srcInfo.Reader
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
pReader := NewPutObjReader(srcInfo.Reader, nil, nil)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
var encMetadata = make(map[string]string)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if objectAPI.IsEncryptionSupported() && !isCompressed {
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
// Encryption parameters not applicable for this object.
if !crypto.IsEncrypted(srcInfo.UserDefined) && crypto.SSECopy.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL, guessIsBrowserReq(r))
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
return
}
// Encryption parameters not present for this object.
if crypto.SSEC.IsEncrypted(srcInfo.UserDefined) && !crypto.SSECopy.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidSSECustomerAlgorithm), r.URL, guessIsBrowserReq(r))
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
var oldKey, newKey []byte
var objEncKey crypto.ObjectKey
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
sseCopyS3 := crypto.S3.IsEncrypted(srcInfo.UserDefined)
Fix SSE-C source decryption handling (#6671) Without this fix we have room for two different type of errors. - Source is encrypted and we didn't provide any source encryption keys This results in Incomplete body error to be returned back to the client since source is encrypted and we gave the reader as is to the object layer which was of a decrypted value leading to "IncompleteBody" - Source is not encrypted and we provided source encryption keys. This results in a corrupted object on the destination which is considered encrypted but cannot be read by the server and returns the following error. ``` <Error><Code>XMinioObjectTampered</Code><Message>The requested object was modified and may be compromised</Message><Resource>/id-platform-gamma/ </Resource><RequestId>155EDC3E86BFD4DA</RequestId><HostId>3L137</HostId> </Error> ```
2018-10-19 19:41:13 +02:00
sseCopyC := crypto.SSEC.IsEncrypted(srcInfo.UserDefined) && crypto.SSECopy.IsRequested(r.Header)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
sseC := crypto.SSEC.IsRequested(r.Header)
sseS3 := crypto.S3.IsRequested(r.Header)
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
isSourceEncrypted := sseCopyC || sseCopyS3
isTargetEncrypted := sseC || sseS3
if sseC {
newKey, err = ParseSSECustomerRequest(r)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
return
}
}
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 19:26:10 +01:00
// If src == dst and either
// - the object is encrypted using SSE-C and two different SSE-C keys are present
// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-17 02:42:44 +02:00
// - the object storage class is not changing
// then execute a key rotation.
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
var keyRotation bool
allow copyObject to rotate storageClass of objects (#9362) Added additional mint tests as well to verify, this functionality. Fixes #9357
2020-04-17 02:42:44 +02:00
if cpSrcDstSame && (sseCopyC && sseC) && !chStorageClass {
remove SSE-S3 key rotation in CopyObject (#8278) This commit removes the SSE-S3 key rotation functionality from CopyObject since there will be a dedicated Admin-API for this purpose. Also update the security documentation to link to mc and the admin documentation.
2019-09-23 22:35:04 +02:00
oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
}
Fix ETag handling with auto-encryption with CopyObject conditions (#7000) minio-java tests were failing under multiple places when auto encryption was turned on, handle all the cases properly This PR fixes - CopyObject should decrypt ETag before it does if-match - CopyObject should not try to preserve metadata of source when rotating keys, unless explicitly asked by the user. - We should not try to decrypt Compressed object etag, the potential case was if user sets encryption headers along with compression enabled.
2018-12-19 23:12:53 +01:00
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
for k, v := range srcInfo.UserDefined {
Add Support for Cache and S3 related metrics in Prometheus endpoint (#8591) This PR adds support below metrics - Cache Hit Count - Cache Miss Count - Data served from Cache (in Bytes) - Bytes received from AWS S3 - Bytes sent to AWS S3 - Number of requests sent to AWS S3 Fixes #8549
2019-12-06 08:16:06 +01:00
if HasPrefix(k, ReservedMetadataPrefix) {
Fix ETag handling with auto-encryption with CopyObject conditions (#7000) minio-java tests were failing under multiple places when auto encryption was turned on, handle all the cases properly This PR fixes - CopyObject should decrypt ETag before it does if-match - CopyObject should not try to preserve metadata of source when rotating keys, unless explicitly asked by the user. - We should not try to decrypt Compressed object etag, the potential case was if user sets encryption headers along with compression enabled.
2018-12-19 23:12:53 +01:00
encMetadata[k] = v
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
}
add key-rotation for SSE-S3 objects (#6755) This commit adds key-rotation for SSE-S3 objects. To execute a key-rotation a SSE-S3 client must - specify the `X-Amz-Server-Side-Encryption: AES256` header for the destination - The source == destination for the COPY operation. Fixes #6754
2018-11-05 19:26:10 +01:00
// In case of SSE-S3 oldKey and newKey aren't used - the KMS manages the keys.
fix object rebinding SSE-C security guarantee violation (#6121) This commit fixes a weakness of the key-encryption-key derivation for SSE-C encrypted objects. Before this change the key-encryption-key was not bound to / didn't depend on the object path. This allows an attacker to repalce objects - encrypted with the same client-key - with each other. This change fixes this issue by updating the key-encryption-key derivation to include: - the domain (in this case SSE-C) - a canonical object path representation - the encryption & key derivation algorithm Changing the object path now causes the KDF to derive a different key-encryption-key such that the object-key unsealing fails. Including the domain (SSE-C) and encryption & key derivation algorithm is not directly neccessary for this fix. However, both will be included for the SSE-S3 KDF. So they are included here to avoid updating the KDF again when we add SSE-S3. The leagcy KDF 'DARE-SHA256' is only used for existing objects and never for new objects / key rotation.
2018-07-10 02:18:28 +02:00
if err = rotateKey(oldKey, newKey, srcBucket, srcObject, encMetadata); err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
return
}
Fix deadlock in in-place CopyObject decryption/encryption (#5637) In-place decryption/encryption already holds write locks on them, attempting to acquire a read lock would fail.
2018-03-12 21:52:38 +01:00
// Since we are rotating the keys, make sure to update the metadata.
srcInfo.metadataOnly = true
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
keyRotation = true
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
} else {
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
if isSourceEncrypted || isTargetEncrypted {
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// We are not only copying just metadata instead
// we are creating a new object at this point, even
// if source and destination are same objects.
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if !keyRotation {
srcInfo.metadataOnly = false
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
}
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
// Calculate the size of the target object
var targetSize int64
switch {
case !isSourceEncrypted && !isTargetEncrypted:
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
targetSize = srcInfo.Size
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
case isSourceEncrypted && isTargetEncrypted:
Fix copy from encrypted multipart to single encrypted part (#7056) When source is encrypted multipart object and the parts are not evenly divisible by DARE package block size, target encrypted size will not necessarily be the same as encrypted source object.
2019-01-10 00:17:21 +01:00
objInfo := ObjectInfo{Size: actualSize}
targetSize = objInfo.EncryptedSize()
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
case !isSourceEncrypted && isTargetEncrypted:
targetSize = srcInfo.EncryptedSize()
case isSourceEncrypted && !isTargetEncrypted:
targetSize, _ = srcInfo.DecryptedSize()
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
if isTargetEncrypted {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
reader, objEncKey, err = newEncryptReader(srcInfo.Reader, newKey, dstBucket, dstObject, encMetadata, sseS3)
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
return
}
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
if isSourceEncrypted {
// Remove all source encrypted related metadata to
// avoid copying them in target object.
crypto: add RemoveInternalEntries function (#6616) This commit adds a function for removing crypto-specific internal entries from the object metadata. See #6604
2018-10-19 19:50:52 +02:00
crypto.RemoveInternalEntries(srcInfo.UserDefined)
encryption: Fix copy from encrypted multipart to single part (#6604) CopyObject handler forgot to remove multipart encryption flag in metadata when source is an encrypted multipart object and the target is also encrypted but single part object. This PR also simplifies the code to facilitate review.
2018-10-15 20:07:36 +02:00
}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
// do not try to verify encrypted content
srcInfo.Reader, err = hash.NewReader(reader, targetSize, "", "", targetSize, globalCLIContext.StrictS3Compat)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
return
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
}
Fix CopyObject regression calculating md5sum (#6868) CopyObject() failed to calculate proper md5sum when without encryption headers. This is a regression fix perhaps introduced in commit 5f6d717b7a Fixes https://github.com/minio/minio-go/issues/1044
2018-11-27 22:23:32 +01:00
fix: regression in CopyObject not preserving ETag in --compat (#9322) issue found after `git bisect` to commit db4195361876fbe2410236bce55f173da3ef3b2b
2020-04-12 05:20:30 +02:00
if isTargetEncrypted {
pReader = NewPutObjReader(rawReader, srcInfo.Reader, &objEncKey)
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
srcInfo.PutObjReader = pReader
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
srcInfo.UserDefined, err = getCpObjMetadataFromHeader(ctx, r, srcInfo.UserDefined)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Allow CopyObject() in S3 gateway to support metadata (#5000) Fixes #4924
2017-10-03 19:38:25 +02:00
return
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
tags, err := getCpObjTagsFromHeader(ctx, r, srcInfo.UserTags)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
if tags != "" {
srcInfo.UserDefined[xhttp.AmzObjectTagging] = tags
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
srcInfo.UserDefined = objectlock.FilterObjectLockMetadata(srcInfo.UserDefined, true, true)
retPerms := isPutActionAllowed(getRequestAuthType(r), dstBucket, dstObject, r, iampolicy.PutObjectRetentionAction)
holdPerms := isPutActionAllowed(getRequestAuthType(r), dstBucket, dstObject, r, iampolicy.PutObjectLegalHoldAction)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// apply default bucket configuration/governance headers for dest side.
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
retentionMode, retentionDate, legalHold, s3Err := checkPutObjectLockAllowed(ctx, r, dstBucket, dstObject, getObjectInfo, retPerms, holdPerms)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if s3Err == ErrNone && retentionMode.Valid() {
fix: object lock behavior when default lock config is enabled (#9305)
2020-04-13 23:03:23 +02:00
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(time.RFC3339)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if s3Err == ErrNone && legalHold.Status.Valid() {
fix: object lock behavior when default lock config is enabled (#9305)
2020-04-13 23:03:23 +02:00
srcInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Err != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Preserve the compression headers while copying (#6952) Fixes #6951
2018-12-11 21:05:41 +01:00
// Store the preserved compression metadata.
for k, v := range compressMetadata {
srcInfo.UserDefined[k] = v
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// We need to preserve the encryption headers set in EncryptRequest,
// so we do not want to override them, copy them instead.
for k, v := range encMetadata {
srcInfo.UserDefined[k] = v
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(srcInfo.UserDefined)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
// Check if x-amz-metadata-directive or x-amz-tagging-directive was not set to REPLACE and source,
// destination are same objects. Apply this restriction also when
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
// metadataOnly is true indicating that we are not overwriting the object.
SSE-C CopyObject key-rotation doesn't need metadata REPLACE value (#5611) Fix a compatibility issue with AWS S3 where to do key rotation we need to replace an existing object's metadata. In such a scenario "REPLACE" metadata directive is not necessary.
2018-03-07 01:04:48 +01:00
// if encryption is enabled we do not need explicit "REPLACE" metadata to
// be enabled as well - this is to allow for key-rotation.
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
if !isDirectiveReplace(r.Header.Get(xhttp.AmzMetadataDirective)) && !isDirectiveReplace(r.Header.Get(xhttp.AmzTagDirective)) &&
srcInfo.metadataOnly && !crypto.IsEncrypted(srcInfo.UserDefined) {
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
// If x-amz-metadata-directive is not set to REPLACE then we need
// to error out if source and destination are same.
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopyDest), r.URL, guessIsBrowserReq(r))
objAPI: Implement CopyObject API. (#3487) This is written so that to simplify our handler code and provide a way to only update metadata instead of the data when source and destination in CopyObject request are same. Fixes #3316
2016-12-27 01:29:26 +01:00
return
}
lock: Moving locking to handler layer. (#3381) This is implemented so that the issues like in the following flow don't affect the behavior of operation. ``` GetObjectInfo() .... --> Time window for mutation (no lock held) .... --> Time window for mutation (no lock held) GetObject() ``` This happens when two simultaneous uploads are made to the same object the object has returned wrong info to the client. Another classic example is "CopyObject" API itself which reads from a source object and copies to destination object. Fixes #3370 Fixes #2912
2016-12-11 01:15:12 +01:00
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
var objInfo ObjectInfo
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
if isRemoteCopyRequired(ctx, srcBucket, dstBucket, objectAPI) {
var dstRecords []dns.SrvRecord
dstRecords, err = globalDNSConfig.Get(dstBucket)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
return
}
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
// Send PutObject request to appropriate instance (in federated deployment)
client, rerr := getRemoteInstanceClient(r, getHostFromSrv(dstRecords))
if rerr != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, rerr), r.URL, guessIsBrowserReq(r))
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
return
}
remoteObjInfo, rerr := client.PutObject(dstBucket, dstObject, srcInfo.Reader,
srcInfo.Size, "", "", srcInfo.UserDefined, dstOpts.ServerSideEncryption)
if rerr != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, rerr), r.URL, guessIsBrowserReq(r))
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
return
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Add support for federation on browser (#6891)
2018-12-19 14:13:47 +01:00
objInfo.ETag = remoteObjInfo.ETag
objInfo.ModTime = remoteObjInfo.LastModified
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
} else {
evict cached entry for server side copy (#8947) Fixes #8942
2020-02-07 23:36:46 +01:00
copyObjectFn := objectAPI.CopyObject
if api.CacheAPI() != nil {
copyObjectFn = api.CacheAPI().CopyObject
}
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
// Copy source object to destination, if source and destination
// object is same then only metadata is updated.
evict cached entry for server side copy (#8947) Fixes #8942
2020-02-07 23:36:46 +01:00
objInfo, err = copyObjectFn(ctx, srcBucket, srcObject, dstBucket, dstObject, srcInfo, srcOpts, dstOpts)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
return
}
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
}
fs/object: Fix issues from review comments.
2016-04-16 21:48:41 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
response := generateCopyObjectResponse(getDecryptedETag(r.Header, objInfo, false), objInfo.ModTime)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 21:16:22 +01:00
encodedSuccessResponse := encodeResponse(response)
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if objInfo.IsCompressed() {
objInfo.Size = actualSize
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
EventName: event.ObjectCreatedCopy,
BucketName: dstBucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 19:45:42 +01:00
Host: handlers.GetSourceIP(r),
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
})
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// PutObjectHandler - PUT Object
Update minioapi documentation
2015-02-24 01:46:48 +01:00
// ----------
// This implementation of the PUT operation adds an object to a bucket.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "PutObject")
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "PutObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
enable SSE-KMS pass-through on S3 gateway (#7788) This commit relaxes the restriction that the MinIO gateway does not accept SSE-KMS headers. Now, the S3 gateway allows SSE-KMS headers for PUT and MULTIPART PUT requests and forwards them to the S3 gateway backend (AWS). This is considered SSE pass-through mode. Fixes #7753
2019-06-20 02:37:08 +02:00
if crypto.S3KMS.IsRequested(r.Header) && !api.AllowSSEKMS() {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
api: Implement CopyObject s3 API, doing server side copy. Fixes #1172
2016-02-27 12:04:52 +01:00
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Further fixes for ACL support, currently code is disabled in all the handlers Disabled because due to lack of testing support. Once we get that in we can uncomment them back.
2015-04-23 04:29:39 +02:00
Put object client disconnect (#7824) Fail putObject and postpolicy in case client prematurely disconnects Use request's context to cancel lock requests on client disconnects
2019-06-29 07:09:17 +02:00
// To detect if the client has disconnected.
r.Body = &detectDisconnect{r.Body, r.Context().Done()}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
// X-Amz-Copy-Source shouldn't be set for this call.
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 10:02:39 +02:00
if _, ok := r.Header[xhttp.AmzCopySource]; ok {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL, guessIsBrowserReq(r))
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
// Validate storage class metadata if present
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
if sc := r.Header.Get(xhttp.AmzStorageClass); sc != "" {
if !storageclass.IsValid(sc) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidStorageClass), r.URL, guessIsBrowserReq(r))
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
return
}
}
api/object: Add CopyObject to support match/modified copy headers Adds support for the following request headers: - x-amz-copy-source-if-match - x-amz-copy-source-if-none-match - x-amz-copy-source-if-unmodified-since - x-amz-copy-source-if-modified-since Fixes #1176
2016-03-12 10:08:55 +01:00
// Get Content-Md5 sent by client and verify if valid
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
md5Bytes, err := checkValidMD5(r.Header)
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidDigest), r.URL, guessIsBrowserReq(r))
Implement x-amz-acl handling
2015-04-23 01:28:13 +02:00
return
}
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 07:07:52 +01:00
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
/// if Content-Length is unknown/missing, deny the request
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
size := r.ContentLength
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
rAuthType := getRequestAuthType(r)
if rAuthType == authTypeStreamingSigned {
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 10:02:39 +02:00
if sizeStr, ok := r.Header[xhttp.AmzDecodedContentLength]; ok {
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
if sizeStr[0] == "" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
size, err = strconv.ParseInt(sizeStr[0], 10, 64)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
}
}
Make PutObject a nop for an object which ends with "/" and size is '0' (#3603) This helps majority of S3 compatible applications while not returning an error upon directory create request. Fixes #2965
2017-01-21 01:33:01 +01:00
if size == -1 {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL, guessIsBrowserReq(r))
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 11:19:51 +02:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
Collate success response into writeSuccessResponse(), add docs
2015-04-29 19:51:59 +02:00
/// maximum Upload size for objects in a single operation
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 11:19:51 +02:00
if isMaxObjectSize(size) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL, guessIsBrowserReq(r))
maxObjectSize and minObjectSize limitation added at putObjectHandler() Put() replies back with - EntityTooLarge with > 5GB in single PUT operation - EntityTooSmall with < 1B in single PUT operation - IncompleteBody with ho Content-Length found in HTTP request header
2015-04-29 11:19:51 +02:00
return
}
Make donut fully integrated back into API handlers
2015-07-03 05:31:22 +02:00
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
metadata, err := extractMetadata(ctx, r)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return
}
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
re-implement data usage crawler to be more efficient (#9075) Implementation overview: https://gist.github.com/klauspost/1801c858d5e0df391114436fdad6987b
2020-03-19 00:19:29 +01:00
if tags := r.Header.Get(xhttp.AmzObjectTagging); tags != "" {
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
metadata[xhttp.AmzObjectTagging], err = extractTags(ctx, tags)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
}
For streaming signature do not save content-encoding in PutObject() (#3776) Content-Encoding is set to "aws-chunked" which is an S3 specific API value which is no meaning for an object. This is how S3 behaves as well for a streaming signature uploaded object.
2017-02-20 21:07:03 +01:00
if rAuthType == authTypeStreamingSigned {
sign/streaming: Content-Encoding is not set in newer aws-java-sdks (#3986) We can't use Content-Encoding to verify if `aws-chunked` is set or not. Just use 'streaming' signature header instead. While this is considered mandatory, on the contrary aws-sdk-java doesn't set this value http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html ``` Set the value to aws-chunked. ``` We will relax it and behave appropriately. Also this PR supports saving custom encoding after trimming off the `aws-chunked` parameter. Fixes #3983
2017-03-28 02:02:04 +02:00
if contentEncoding, ok := metadata["content-encoding"]; ok {
contentEncoding = trimAwsChunkedContentEncoding(contentEncoding)
if contentEncoding != "" {
// Make sure to trim and save the content-encoding
// parameter for a streaming signature which is set
// to a custom value for example: "aws-chunked,gzip".
metadata["content-encoding"] = contentEncoding
} else {
// Trimmed content encoding is empty when the header
// value is set to "aws-chunked" only.
// Make sure to delete the content-encoding parameter
// for a streaming signature which is set to value
// for example: "aws-chunked"
delete(metadata, "content-encoding")
}
}
For streaming signature do not save content-encoding in PutObject() (#3776) Content-Encoding is set to "aws-chunked" which is an S3 specific API value which is no meaning for an object. This is how S3 behaves as well for a streaming signature uploaded object.
2017-02-20 21:07:03 +01:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
var (
md5hex = hex.EncodeToString(md5Bytes)
sha256hex = ""
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
reader io.Reader
s3Err APIErrorCode
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
putObject = objectAPI.PutObject
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
)
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
reader = r.Body
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
// Check if put is allowed
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Err = isPutActionAllowed(rAuthType, bucket, object, r, iampolicy.PutObjectAction); s3Err != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
switch rAuthType {
case authTypeStreamingSigned:
// Initialize stream signature verifier.
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
reader, s3Err = newSignV4ChunkedReader(r)
if s3Err != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
case authTypeSignedV2, authTypePresignedV2:
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
s3Err = isReqAuthenticatedV2(r)
if s3Err != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
return
}
Allow x-amz-content-sha256 to be optional for PutObject() (#5340) x-amz-content-sha256 can be optional for any AWS signature v4 requests, make sure to skip sha256 calculation when payload checksum is not set. Here is the overall expected behavior ** Signed request ** - X-Amz-Content-Sha256 is set to 'empty' or some 'value' or its not 'UNSIGNED-PAYLOAD'- use it to validate the incoming payload. - X-Amz-Content-Sha256 is set to 'UNSIGNED-PAYLOAD' - skip checksum verification - X-Amz-Content-Sha256 is not set we use emptySHA256 ** Presigned request ** - X-Amz-Content-Sha256 is set to 'empty' or some 'value' or its not 'UNSIGNED-PAYLOAD'- use it to validate the incoming payload - X-Amz-Content-Sha256 is set to 'UNSIGNED-PAYLOAD' - skip checksum verification - X-Amz-Content-Sha256 is not set we use 'UNSIGNED-PAYLOAD' Fixes #5339
2018-01-09 08:19:50 +01:00
signature: Handle presigned payload if set. Validate payload with incoming content. Fixes #1288
2016-04-07 12:04:18 +02:00
case authTypePresigned, authTypeSigned:
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if s3Err = reqSignatureV4Verify(r, globalServerRegion, serviceS3); s3Err != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
return
}
if !skipContentSha256Cksum(r) {
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 02:46:55 +01:00
sha256hex = getContentSha256Cksum(r, serviceS3)
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
}
web/rpc: Merge ports with API server. Fixes #1081 and #1130
2016-02-17 03:50:36 +01:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 10:42:34 +01:00
// Check if bucket encryption is enabled
_, encEnabled := globalBucketSSEConfigSys.Get(bucket)
Compression: Handle auto encryption when size is unknown (#7600) When size is unknown and auto encryption is enabled, and compression is set to true, putobject API is failing. Moving adding the SSE-S3 header as part of the request to before checking if compression can be done, otherwise the size is set to -1 and that seems to cause problems.
2019-05-02 17:28:18 +02:00
// This request header needs to be set prior to setting ObjectOptions
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 10:42:34 +01:00
if (globalAutoEncryption || encEnabled) && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
Compression: Handle auto encryption when size is unknown (#7600) When size is unknown and auto encryption is enabled, and compression is set to true, putobject API is failing. Moving adding the SSE-S3 header as part of the request to before checking if compression can be done, otherwise the size is set to -1 and that seems to cause problems.
2019-05-02 17:28:18 +02:00
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
actualSize := size
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) && size > 0 {
// Storing the compression metadata.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
metadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV2
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
metadata[ReservedMetadataPrefix+"actual-size"] = strconv.FormatInt(size, 10)
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
actualReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize, globalCLIContext.StrictS3Compat)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
return
}
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Set compression metrics.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
s2c := newS2CompressReader(actualReader)
defer s2c.Close()
reader = s2c
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
size = -1 // Since compressed size is un-predictable.
md5hex = "" // Do not try to verify the content.
sha256hex = ""
}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
hashReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize, globalCLIContext.StrictS3Compat)
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := hashReader
pReader := NewPutObjReader(rawReader, nil, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// get gateway encryption options
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var opts ObjectOptions
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err = putOpts(ctx, r, bucket, object, metadata)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Fix regression in caching on single PUT (#8526) Regression caused by #8120
2019-11-15 11:16:27 +01:00
if api.CacheAPI() != nil {
putObject = api.CacheAPI().PutObject
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
retPerms := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
holdPerms := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectLegalHoldAction)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
retentionMode, retentionDate, legalHold, s3Err := checkPutObjectLockAllowed(ctx, r, bucket, object, getObjectInfo, retPerms, holdPerms)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if s3Err == ErrNone && retentionMode.Valid() {
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
metadata[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
metadata[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(time.RFC3339)
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if s3Err == ErrNone && legalHold.Status.Valid() {
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
metadata[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Err != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
var objectEncryptionKey crypto.ObjectKey
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if objectAPI.IsEncryptionSupported() {
Add Support for Cache and S3 related metrics in Prometheus endpoint (#8591) This PR adds support below metrics - Cache Hit Count - Cache Miss Count - Data served from Cache (in Bytes) - Bytes received from AWS S3 - Bytes sent to AWS S3 - Number of requests sent to AWS S3 Fixes #8549
2019-12-06 08:16:06 +01:00
if crypto.IsRequested(r.Header) && !HasSuffix(object, SlashSeparator) { // handle SSE requests
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if crypto.SSECopy.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL, guessIsBrowserReq(r))
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
reader, objectEncryptionKey, err = EncryptRequest(hashReader, r, bucket, object, metadata)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
return
}
info := ObjectInfo{Size: size}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
// do not try to verify encrypted content
hashReader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", size, globalCLIContext.StrictS3Compat)
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
pReader = NewPutObjReader(rawReader, hashReader, &objectEncryptionKey)
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
// Create the object..
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
objInfo, err := putObject(ctx, bucket, object, pReader, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Support encryption for CopyObject, GET-Range requests (#5544) - Implement CopyObject encryption support - Handle Range GETs for encrypted objects Fixes #5193
2018-02-24 00:07:21 +01:00
Fix ETag handling with auto-encryption with CopyObject conditions (#7000) minio-java tests were failing under multiple places when auto encryption was turned on, handle all the cases properly This PR fixes - CopyObject should decrypt ETag before it does if-match - CopyObject should not try to preserve metadata of source when rotating keys, unless explicitly asked by the user. - We should not try to decrypt Compressed object etag, the potential case was if user sets encryption headers along with compression enabled.
2018-12-19 23:12:53 +01:00
etag := objInfo.ETag
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
switch {
case objInfo.IsCompressed():
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
if !strings.HasSuffix(objInfo.ETag, "-1") {
etag = objInfo.ETag + "-1"
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
case crypto.IsEncrypted(objInfo.UserDefined):
switch {
case crypto.S3.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
etag, _ = DecryptETag(objectEncryptionKey, ObjectInfo{ETag: etag})
case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
if len(etag) >= 32 && strings.Count(etag, "-") != 1 {
etag = etag[len(etag)-32:]
HEAD on an object should mimic GET without body (#6508) Add "Range" header support etc.
2018-09-23 19:24:10 +02:00
}
Unify gateway and object layer. (#5487) * Unify gateway and object layer. Bring bucket policies into object layer.
2018-02-10 00:19:30 +01:00
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
// We must not use the http.Header().Set method here because some (broken)
// clients expect the ETag header key to be literally "ETag" - not "Etag" (case-sensitive).
// Therefore, we have to set the ETag directly as map entry.
w.Header()[xhttp.ETag] = []string{`"` + etag + `"`}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseHeadersOnly(w)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
EventName: event.ObjectCreatedPut,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 19:45:42 +01:00
Host: handlers.GetSourceIP(r),
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
})
Implement bucket policy handler and with galore of cleanup
2015-02-16 02:03:27 +01:00
}
Adding multipart support
2015-05-08 04:55:30 +02:00
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
/// Multipart objectAPIHandlers
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
- Test utility function for easy asserting of cases wherein objectLayer (#2865) is `nil` in API handlers. - Remove the existing tests for the `nil` check and use the new method to test for object layer being `nil`.
2016-10-06 22:34:33 +02:00
// NewMultipartUploadHandler - New multipart upload.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
// - X-Amz-Server-Side-Encryption-Customer-Key
// - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "NewMultipartUpload")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "NewMultipartUpload", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
enable SSE-KMS pass-through on S3 gateway (#7788) This commit relaxes the restriction that the MinIO gateway does not accept SSE-KMS headers. Now, the S3 gateway allows SSE-KMS headers for PUT and MULTIPART PUT requests and forwards them to the S3 gateway backend (AWS). This is considered SSE pass-through mode. Fixes #7753
2019-06-20 02:37:08 +02:00
if crypto.S3KMS.IsRequested(r.Header) && !api.AllowSSEKMS() {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
Support V2 signatures when autoencryption is enabled (#7084) When auto-encryption is turned on, we pro-actively add SSEHeader for all PUT, POST operations. This is unusual for V2 signature calculation because V2 signature doesn't have a pre-defined set of signed headers in the request like V4 signature. According to V2 we should canonicalize all incoming supported HTTP headers. Make sure to validate signatures before we mutate http headers
2019-01-16 21:12:06 +01:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, bucket, object); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Support V2 signatures when autoencryption is enabled (#7084) When auto-encryption is turned on, we pro-actively add SSEHeader for all PUT, POST operations. This is unusual for V2 signature calculation because V2 signature doesn't have a pre-defined set of signed headers in the request like V4 signature. According to V2 we should canonicalize all incoming supported HTTP headers. Make sure to validate signatures before we mutate http headers
2019-01-16 21:12:06 +01:00
return
}
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 10:42:34 +01:00
// Check if bucket encryption is enabled
_, encEnabled := globalBucketSSEConfigSys.Get(bucket)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// This request header needs to be set prior to setting ObjectOptions
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io>
2020-02-05 10:42:34 +01:00
if (globalAutoEncryption || encEnabled) && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
}
// get gateway encryption options
var opts ObjectOptions
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err = putOpts(ctx, r, bucket, object, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
// Deny if WORM is enabled
if globalWORMEnabled {
if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
}
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
// Validate storage class metadata if present
Move storageclass config handling into cmd/config/storageclass (#8360) Continuation of the changes done in PR #8351 to refactor, add tests and move global handling into a more idiomatic style for Go as packages.
2019-10-07 07:50:24 +02:00
if sc := r.Header.Get(xhttp.AmzStorageClass); sc != "" {
if !storageclass.IsValid(sc) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidStorageClass), r.URL, guessIsBrowserReq(r))
Fix storage class related issues (#5322) - Add storage class metadata validation for request header - Change storage class header values to be consistent with AWS S3 - Refactor internal method to take only the reqd argument
2017-12-27 05:36:16 +01:00
return
}
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var encMetadata = map[string]string{}
if objectAPI.IsEncryptionSupported() {
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if crypto.IsRequested(r.Header) {
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if err = setEncryptionMetadata(r, bucket, object, encMetadata); err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
// Set this for multipart only operations, we need to differentiate during
// decryption if the file was actually multipart or not.
encMetadata[ReservedMetadataPrefix+"Encrypted-Multipart"] = ""
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 00:18:59 +01:00
}
api: extract http headers with some supported header list. (#2268)
2016-07-23 05:31:45 +02:00
// Extract metadata that needs to be saved.
SignatureV4 validation with Metadata in the presignedUrl (#5894) The `X-Amz-Meta-`/`X-Minio-Meta-` will now be recognized in query string also. Fixes #5857 #5950
2018-07-11 05:27:10 +02:00
metadata, err := extractMetadata(ctx, r)
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
fix confusing code for http.Header handling (#4623) Fixed header-to-metadat extraction. The extractMetadataFromHeader function should return an error if the http.Header contains a non-canonicalized key. The reason is that the keys can be manually set (through a map access) which can lead to ugly bugs. Also fixed header-to-metadata extraction. Return a InternalError if a non-canonicalized key is found in a http.Header. Also log the error.
2017-07-06 01:56:10 +02:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
retPerms := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectRetentionAction)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
holdPerms := isPutActionAllowed(getRequestAuthType(r), bucket, object, r, iampolicy.PutObjectLegalHoldAction)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
retentionMode, retentionDate, legalHold, s3Err := checkPutObjectLockAllowed(ctx, r, bucket, object, getObjectInfo, retPerms, holdPerms)
if s3Err == ErrNone && retentionMode.Valid() {
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
metadata[strings.ToLower(xhttp.AmzObjectLockMode)] = string(retentionMode)
metadata[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = retentionDate.UTC().Format(time.RFC3339)
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if s3Err == ErrNone && legalHold.Status.Valid() {
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
metadata[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = string(legalHold.Status)
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Err != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
// We need to preserve the encryption headers set in EncryptRequest,
// so we do not want to override them, copy them instead.
for k, v := range encMetadata {
metadata[k] = v
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Ensure that metadata does not contain sensitive information
crypto.RemoveSensitiveEntries(metadata)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if objectAPI.IsCompressionSupported() && isCompressible(r.Header, object) {
// Storing the compression metadata.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
metadata[ReservedMetadataPrefix+"compression"] = compressionAlgorithmV2
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
}
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err = putOpts(ctx, r, bucket, object, metadata)
if err != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
return
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
newMultipartUpload := objectAPI.NewMultipartUpload
Rewrite cache implementation to cache only on GET (#7694) Fixes #7458 Fixes #7573 Fixes #7938 Fixes #6934 Fixes #6265 Fixes #6630 This will allow the cache to consistently work for server and gateways. Range GET requests will be cached in the background after the request is served from the backend. - All cached content is automatically bitrot protected. - Avoid ETag verification if a cache-control header is set and the cached content is still valid. - This PR changes the cache backend format, and all existing content will be migrated to the new format. Until the data is migrated completely, all content will be served from the backend.
2019-08-10 02:09:08 +02:00
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
uploadID, err := newMultipartUpload(ctx, bucket, object, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
response := generateInitiateMultipartUploadResponse(bucket, object, uploadID)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 21:16:22 +01:00
encodedSuccessResponse := encodeResponse(response)
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// CopyObjectPartHandler - uploads a part by copying data from an existing object as data source.
func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "CopyObjectPart")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "CopyObjectPart", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
vars := mux.Vars(r)
dstBucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
dstObject, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, dstBucket, dstObject); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
// Read escaped copy source path to check for parameters.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
cpSrcPath := r.Header.Get(xhttp.AmzCopySource)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 07:04:37 +01:00
// Check https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html
// Regardless of whether you have enabled versioning, each object in your bucket
// has a version ID. If you have not enabled versioning, Amazon S3 sets the value
// of the version ID to null. If you have enabled versioning, Amazon S3 assigns a
// unique version ID value for the object.
if u, err := url.Parse(cpSrcPath); err == nil {
// Check if versionId query param was added, if yes then check if
// its non "null" value, we should error out since we do not support
// any versions other than "null".
if vid := u.Query().Get("versionId"); vid != "" && vid != "null" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 07:04:37 +01:00
return
}
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
// Note that url.Parse does the unescaping
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 07:04:37 +01:00
cpSrcPath = u.Path
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
if vid := r.Header.Get(xhttp.AmzCopySourceVersionID); vid != "" {
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
// Check if X-Amz-Copy-Source-Version-Id header was added, if yes then check if
// its non "null" value, we should error out since we do not support
// any versions other than "null".
if vid != "null" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
Fix server side copy of files with `?` in - fixes #7058 (#7059) Before this change the CopyObjectHandler and the CopyObjectPartHandler both looked for a `versionId` parameter on the `X-Amz-Copy-Source` URL for the version of the object to be copied on the URL unescaped version of the header. This meant that files that had question marks in were truncated after the question mark so that files with `?` in their names could not be server side copied. After this change the URL unescaping is done during the parsing of the `versionId` parameter which fixes the problem. This change also introduces the same logic for the `X-Amz-Copy-Source-Version-Id` header field which was previously ignored, namely returning an error if it is present and not `null` since minio does not currently support versions. S3 Docs: - https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html - https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
2019-01-10 22:10:10 +01:00
return
}
}
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 07:04:37 +01:00
fix: Avoid double usage calculation on every restart (#8856) On every restart of the server, usage was being calculated which is not useful instead wait for sufficient time to start the crawling routine. This PR also avoids lots of double allocations through strings, optimizes usage of string builders and also avoids crawling through symbolic links. Fixes #8844
2020-01-21 23:07:49 +01:00
srcBucket, srcObject := path2BucketObject(cpSrcPath)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, srcBucket, srcObject); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
copy: Ensure that the user has GET access to the src object (#6715)
2018-10-27 01:12:44 +02:00
return
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
uploadID := r.URL.Query().Get("uploadId")
partIDString := r.URL.Query().Get("partNumber")
partID, err := strconv.Atoi(partIDString)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPart), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
// check partID with maximum part ID for multipart objects
if isMaxPartID(partID) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMaxParts), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
Add ObjectOptions to ObjectLayer calls (#6382)
2018-09-10 18:42:43 +02:00
var srcOpts, dstOpts ObjectOptions
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
srcOpts, err = copySrcOpts(ctx, r, srcBucket, srcObject)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
// convert copy src and dst encryption options for GET/PUT calls
var getOpts = ObjectOptions{}
if srcOpts.ServerSideEncryption != nil {
getOpts.ServerSideEncryption = encrypt.SSE(srcOpts.ServerSideEncryption)
}
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
dstOpts, err = copyDstOpts(ctx, r, dstBucket, dstObject, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// Deny if global WORM is enabled
if globalWORMEnabled {
if _, err := objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
getObjectNInfo := objectAPI.GetObjectNInfo
if api.CacheAPI() != nil {
getObjectNInfo = api.CacheAPI().GetObjectNInfo
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// Get request range.
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
var rs *HTTPRangeSpec
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
rangeHeader := r.Header.Get(xhttp.AmzCopySourceRange)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
if rangeHeader != "" {
var parseRangeErr error
if rs, parseRangeErr = parseCopyPartRangeSpec(rangeHeader); parseRangeErr != nil {
// Handle only errInvalidRange
// Ignore other parse error and treat it as regular Get request like Amazon S3.
logger.GetReqInfo(ctx).AppendTags("rangeHeader", rangeHeader)
logger.LogIf(ctx, parseRangeErr)
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeCopyPartErr(ctx, w, parseRangeErr, r.URL, guessIsBrowserReq(r))
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
return
}
}
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 21:38:41 +01:00
checkCopyPartPrecondFn := func(o ObjectInfo, encETag string) bool {
return checkCopyObjectPartPreconditions(ctx, w, r, o, encETag)
}
getOpts.CheckCopyPrecondFn = checkCopyPartPrecondFn
srcOpts.CheckCopyPrecondFn = checkCopyPartPrecondFn
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
gr, err := getObjectNInfo(ctx, srcBucket, srcObject, rs, r.Header, readLock, getOpts)
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
if err != nil {
s3: Fix precondition failed in CopyObjectPart when src is encrypted (#7276) CopyObject precondition checks into GetObjectReader in order to perform SSE-C pre-condition checks using the last 32 bytes of encrypted ETag rather than the decrypted ETag This also necessitates moving precondition checks for gateways to gateway layer rather than object handler check
2019-03-06 21:38:41 +01:00
if isErrPreconditionFailed(err) {
return
}
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
return
}
defer gr.Close()
srcInfo := gr.ObjInfo
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 23:23:23 +02:00
actualPartSize := srcInfo.Size
if crypto.IsEncrypted(srcInfo.UserDefined) {
actualPartSize, err = srcInfo.DecryptedSize()
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 23:23:23 +02:00
return
}
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Special care for CopyObjectPart
fix wrong actual part size assignment in CopyObjectPart (#6652) This commit fixes a wrong assignment to `actualPartSize`. The `actualPartSize` for an encrypted src object is not `srcInfo.Size` because that's the encrypted object size which is larger than the actual object size. So the actual part size for an encrypted object is the decrypted size of `srcInfo.Size`.
2018-10-22 23:23:23 +02:00
if partRangeErr := checkCopyPartRangeWithSize(rs, actualPartSize); partRangeErr != nil {
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
2019-02-12 10:25:52 +01:00
writeCopyPartErr(ctx, w, partRangeErr, r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
}
Use GetObjectNInfo in CopyObject and CopyObjectPart (#6489)
2018-09-25 21:39:46 +02:00
// Get the object offset & length
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
startOffset, length, err := rs.GetOffsetLength(actualPartSize)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
/// maximum copy size for multipart objects in a single operation
api: Increase the maximum object size limit from 5GiB to 16GiB. (#3834) The globalMaxObjectSize limit is instilled in S3 spec perhaps due to certain limitations on S3 infrastructure. For minio we don't have such limitations and we can stream a larger file instead. So we are going to bump this limit to 16GiB. Fixes #3825
2017-03-03 19:14:17 +01:00
if isMaxAllowedPartSize(length) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Allow CopyObjectPart to work in federated setups (#8066) Fixes #8065
2019-08-20 19:19:22 +02:00
if isRemoteCopyRequired(ctx, srcBucket, dstBucket, objectAPI) {
var dstRecords []dns.SrvRecord
dstRecords, err = globalDNSConfig.Get(dstBucket)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
// Send PutObject request to appropriate instance (in federated deployment)
client, rerr := getRemoteInstanceClient(r, getHostFromSrv(dstRecords))
if rerr != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, rerr), r.URL, guessIsBrowserReq(r))
return
}
partInfo, err := client.PutObjectPart(dstBucket, dstObject, uploadID, partID,
srcInfo.Reader, srcInfo.Size, "", "", dstOpts.ServerSideEncryption)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified)
encodedSuccessResponse := encodeResponse(response)
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
return
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
actualPartSize = length
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
var reader io.Reader
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
var li ListPartsInfo
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li, err = objectAPI.ListObjectParts(ctx, dstBucket, dstObject, uploadID, 0, 1, dstOpts)
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
return
}
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
// Read compression metadata preserved in the init multipart for the decision.
_, compressPart := li.UserDefined[ReservedMetadataPrefix+"compression"]
isCompressed := compressPart
// Compress only if the compression is enabled during initial multipart.
if isCompressed {
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
s2c := newS2CompressReader(gr)
defer s2c.Close()
reader = s2c
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
length = -1
} else {
reader = gr
}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
srcInfo.Reader, err = hash.NewReader(reader, length, "", "", actualPartSize, globalCLIContext.StrictS3Compat)
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Support SSE-C multipart source objects in CopyObject (#5603) Current code didn't implement the logic to support decrypting encrypted multiple parts, this PR fixes by supporting copying encrypted multipart objects.
2018-03-03 02:24:02 +01:00
return
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := srcInfo.Reader
pReader := NewPutObjReader(rawReader, nil, nil)
isEncrypted := false
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
var objectEncryptionKey crypto.ObjectKey
Copy and CopyPart changes for compression (#6669) This PR fixes - The target object should be compressed even if the source object is not compressed. - The actual size for an encrypted object should be the `decryptedSize`
2018-10-23 20:46:20 +02:00
if objectAPI.IsEncryptionSupported() && !isCompressed {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li, lerr := objectAPI.ListObjectParts(ctx, dstBucket, dstObject, uploadID, 0, 1, dstOpts)
if lerr != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, lerr), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
li.UserDefined = CleanMinioInternalMetadataKeys(li.UserDefined)
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
dstOpts, err = copyDstOpts(ctx, r, dstBucket, dstObject, li.UserDefined)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.IsEncrypted(li.UserDefined) {
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(li.UserDefined) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrSSEMultipartEncrypted), r.URL, guessIsBrowserReq(r))
Fix: Validate copy-part encryption header and metadata (#6725) Otherwise CopyObjectPart would continue to upload part with incorrect encryption option and fail when upload is finalized
2018-10-29 14:40:34 +01:00
return
}
if crypto.S3.IsEncrypted(li.UserDefined) && crypto.SSEC.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrSSEMultipartEncrypted), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
Remove duplicate code in object-handlers.go (#7176) removed duplicate code in CompleteMultipartUploadHandler and CopyObjectPartHandler.
2019-02-05 22:36:38 +01:00
isEncrypted = true
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var key []byte
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.SSEC.IsRequested(r.Header) {
key, err = ParseSSECustomerRequest(r)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
return
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
key, err = decryptObjectInfo(key, dstBucket, dstObject, li.UserDefined)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
copy(objectEncryptionKey[:], key)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID))
reader, err = sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey[:]})
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
fix size computation for en/decrypted objects (#6147) This PR fixes the size calculation for encrypted multipart objects.
2018-07-12 20:23:32 +02:00
info := ObjectInfo{Size: length}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
srcInfo.Reader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", length, globalCLIContext.StrictS3Compat)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
pReader = NewPutObjReader(rawReader, srcInfo.Reader, &objectEncryptionKey)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
srcInfo.PutObjReader = pReader
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
// Copy source object to destination, if source and destination
// object is same then only metadata is updated.
Fix CopyObjectPart broken source encryption support (#6699) Current master didn't support CopyObjectPart when source was encrypted, this PR fixes this by allowing range CopySource decryption at different sequence numbers. Fixes #6698
2018-10-25 17:50:06 +02:00
partInfo, err := objectAPI.CopyObjectPart(ctx, srcBucket, srcObject, dstBucket, dstObject, uploadID, partID,
startOffset, length, srcInfo, srcOpts, dstOpts)
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if isEncrypted {
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
partInfo.ETag = tryDecryptETag(objectEncryptionKey[:], partInfo.ETag, crypto.SSEC.IsRequested(r.Header))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
}
Implement CopyObjectPart API (#3663) This API is implemented to allow copying data from an existing source object to an ongoing multipart operation http://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html Fixes #3662
2017-01-31 18:38:34 +01:00
response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified)
encodedSuccessResponse := encodeResponse(response)
// Write success response.
writeSuccessResponseXML(w, encodedSuccessResponse)
}
// PutObjectPartHandler - uploads an incoming part for an ongoing multipart operation.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "PutObjectPart")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "PutObjectPart", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Fix: Disallow requests with SSE-KMS headers (#6587) Addresses issue #6582. Minio server currently does not have SSE-KMS support. Reject requests with SSE-KMS headers with NotImplementedErr
2018-10-10 00:04:53 +02:00
if crypto.S3KMS.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
return
}
make SSE request header check comprehensive (#8276) This commit refactors the SSE header check by moving it into the `crypto` package, adds a unit test for it and makes the check comprehensive.
2019-09-20 23:56:12 +02:00
if !api.EncryptionEnabled() && crypto.IsRequested(r.Header) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
Disallow SSE requests when object layer has encryption disabled (#6981)
2018-12-15 06:39:59 +01:00
return
}
add SSE-KMS not-implemented error handling (#6234) This commit adds error handling for SSE-KMS requests to HEAD, GET, PUT and COPY operations. The server responds with `not implemented` if a client sends a SSE-KMS request.
2018-08-18 06:07:19 +02:00
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Add a generic Walk()'er to list a bucket, optinally prefix (#9026) This generic Walk() is used by likes of Lifecyle, or KMS to rotate keys or any other functionality which relies on this functionality.
2020-02-25 16:52:28 +01:00
// To detect if the client has disconnected.
r.Body = &detectDisconnect{r.Body, r.Context().Done()}
api: CopyObjectPart was copying wrong offsets due to shadowing. (#3838) startOffset was re-assigned to '0' so it would end up copying wrong content ignoring the requested startOffset. This also fixes the corruption issue we observed while using docker registry. Fixes https://github.com/docker/distribution/issues/2205 Also fixes #3842 - incorrect routing.
2017-03-04 01:32:04 +01:00
// X-Amz-Copy-Source shouldn't be set for this call.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
if _, ok := r.Header[xhttp.AmzCopySource]; ok {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidCopySource), r.URL, guessIsBrowserReq(r))
api: CopyObjectPart was copying wrong offsets due to shadowing. (#3838) startOffset was re-assigned to '0' so it would end up copying wrong content ignoring the requested startOffset. This also fixes the corruption issue we observed while using docker registry. Fixes https://github.com/docker/distribution/issues/2205 Also fixes #3842 - incorrect routing.
2017-03-04 01:32:04 +01:00
return
}
api: Implement multiple objects Delete api - fixes #956 This API takes input XML input in following form. ``` <?xml version="1.0" encoding="UTF-8"?> <Delete> <Quiet>true</Quiet> <Object> <Key>Key</Key> </Object> <Object> <Key>Key</Key> </Object> ... </Delete> ``` and responds the list of successful deletes, list of errors for all the deleted objects. ``` <?xml version="1.0" encoding="UTF-8"?> <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Deleted> <Key>sample1.txt</Key> </Deleted> <Error> <Key>sample2.txt</Key> <Code>AccessDenied</Code> <Message>Access Denied</Message> </Error> </DeleteResult> ```
2016-03-06 01:43:48 +01:00
// get Content-Md5 sent by client and verify if valid
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
md5Bytes, err := checkValidMD5(r.Header)
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidDigest), r.URL, guessIsBrowserReq(r))
Implement Bucket ACL support
2015-10-17 04:09:35 +02:00
return
}
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
/// if Content-Length is unknown/missing, throw away
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
size := r.ContentLength
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
rAuthType := getRequestAuthType(r)
// For auth type streaming signature, we need to gather a different content length.
if rAuthType == authTypeStreamingSigned {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
if sizeStr, ok := r.Header[xhttp.AmzDecodedContentLength]; ok {
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
if sizeStr[0] == "" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
size, err = strconv.ParseInt(sizeStr[0], 10, 64)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-16 19:22:34 +01:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
}
}
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
if size == -1 {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL, guessIsBrowserReq(r))
handlers: read ContentLength value directly from http.Request. Do not look for Content-Length in headers and try to convert them into integer representations use ContentLength field from *http.Request*. If Content-Length is understood to be as '-1' then treat it as an error condition, since it could be a malformed body to crash the server. Fixes #1011
2015-12-28 08:00:36 +01:00
return
}
Reply back CompleteMultipartUploadResult properly with final ETag computed - Now s3 libraries and also objectstorage-go work properly
2015-05-08 07:43:19 +02:00
/// maximum Upload size for multipart objects in a single operation
api: Increase the maximum object size limit from 5GiB to 16GiB. (#3834) The globalMaxObjectSize limit is instilled in S3 spec perhaps due to certain limitations on S3 infrastructure. For minio we don't have such limitations and we can stream a larger file instead. So we are going to bump this limit to 16GiB. Fixes #3825
2017-03-03 19:14:17 +01:00
if isMaxAllowedPartSize(size) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrEntityTooLarge), r.URL, guessIsBrowserReq(r))
Adding multipart support
2015-05-08 04:55:30 +02:00
return
}
Remove SignatureV2 support, bring in SignatureV4 header only validation for now
2015-05-01 01:29:03 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
uploadID := r.URL.Query().Get("uploadId")
partIDString := r.URL.Query().Get("partNumber")
Handle partNumberMarker with listObjectParts now and other fixes
2015-05-10 04:39:00 +02:00
xl/fs: Split object layer into interface. (#1415)
2016-04-29 23:24:10 +02:00
partID, err := strconv.Atoi(partIDString)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPart), r.URL, guessIsBrowserReq(r))
signature: Fix signature handling of parallel requests. Signature struct should be immutable, this fixes an issue with AWS cli not being able to do multipart put operations.
2016-03-02 20:22:58 +01:00
return
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Make donut fully integrated back into API handlers
2015-07-03 05:31:22 +02:00
Part ID check (#1730) * Added check in PutObjectPartHandler to make sure part ID does not exceed 10000. ErrInvalidMaxParts written to response if part ID exceeds the maximum value.
2016-05-24 10:52:47 +02:00
// check partID with maximum part ID for multipart objects
if isMaxPartID(partID) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMaxParts), r.URL, guessIsBrowserReq(r))
Part ID check (#1730) * Added check in PutObjectPartHandler to make sure part ID does not exceed 10000. ErrInvalidMaxParts written to response if part ID exceeds the maximum value.
2016-05-24 10:52:47 +02:00
return
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
var (
md5hex = hex.EncodeToString(md5Bytes)
sha256hex = ""
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
reader io.Reader
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
s3Error APIErrorCode
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
reader = r.Body
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Error = isPutActionAllowed(rAuthType, bucket, object, r, iampolicy.PutObjectAction); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
return
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
switch rAuthType {
case authTypeStreamingSigned:
// Initialize stream signature verifier.
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
reader, s3Error = newSignV4ChunkedReader(r)
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
if s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 05:56:29 +02:00
return
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
case authTypeSignedV2, authTypePresignedV2:
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
if s3Error = isReqAuthenticatedV2(r); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-09-30 23:32:13 +02:00
return
}
signature: Handle presigned payload if set. Validate payload with incoming content. Fixes #1288
2016-04-07 12:04:18 +02:00
case authTypePresigned, authTypeSigned:
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if s3Error = reqSignatureV4Verify(r, globalServerRegion, serviceS3); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
return
}
if !skipContentSha256Cksum(r) {
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 02:46:55 +01:00
sha256hex = getContentSha256Cksum(r, serviceS3)
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 00:51:49 +02:00
}
web/rpc: Merge ports with API server. Fixes #1081 and #1130
2016-02-17 03:50:36 +01:00
}
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
actualSize := size
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
// get encryption options
var opts ObjectOptions
if crypto.SSEC.IsRequested(r.Header) {
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err = putOpts(ctx, r, bucket, object, nil)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
}
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
var li ListPartsInfo
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1, opts)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
return
}
// Read compression metadata preserved in the init multipart for the decision.
_, compressPart := li.UserDefined[ReservedMetadataPrefix+"compression"]
isCompressed := false
if objectAPI.IsCompressionSupported() && compressPart {
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
actualReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize, globalCLIContext.StrictS3Compat)
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
return
}
Fix racy error communication inside go-routine (#6539) Use CloseWithError to communicate errors in pipe, this PR also fixes potential shadowing of error
2018-09-28 09:44:59 +02:00
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
// Set compression metrics.
Switch to Snappy -> S2 compression (#8189)
2019-09-26 08:08:24 +02:00
s2c := newS2CompressReader(actualReader)
defer s2c.Close()
reader = s2c
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
size = -1 // Since compressed size is un-predictable.
md5hex = "" // Do not try to verify the content.
sha256hex = ""
isCompressed = true
}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
hashReader, err := hash.NewReader(reader, size, md5hex, sha256hex, actualSize, globalCLIContext.StrictS3Compat)
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Simplify data verification with HashReader. (#5071) Verify() was being called by caller after the data has been successfully read after io.EOF. This disconnection opens a race under concurrent access to such an object. Verification is not necessary outside of Read() call, we can simply just do checksum verification right inside Read() call at io.EOF. This approach simplifies the usage.
2017-10-22 07:30:34 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
rawReader := hashReader
pReader := NewPutObjReader(rawReader, nil, nil)
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
// Deny if WORM is enabled
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if globalWORMEnabled {
if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
return
}
}
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668) This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
2018-10-19 01:05:05 +02:00
isEncrypted := false
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
var objectEncryptionKey crypto.ObjectKey
Add object compression support (#6292) Add support for streaming (golang/LZ77/snappy) compression.
2018-09-28 05:36:17 +02:00
if objectAPI.IsEncryptionSupported() && !isCompressed {
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var li ListPartsInfo
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1, ObjectOptions{})
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li.UserDefined = CleanMinioInternalMetadataKeys(li.UserDefined)
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.IsEncrypted(li.UserDefined) {
Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668) This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
2018-10-19 01:05:05 +02:00
if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(li.UserDefined) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrSSEMultipartEncrypted), r.URL, guessIsBrowserReq(r))
Add GetObjectNInfo to object layer (#6449) The new call combines GetObjectInfo and GetObject, and returns an object with a ReadCloser interface. Also adds a number of end-to-end encryption tests at the handler level.
2018-09-21 04:22:09 +02:00
return
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
isEncrypted = true // to detect SSE-S3 encryption
Move metadata into ObjectOptions for NewMultipart and PutObject (#7060)
2019-02-09 06:31:06 +01:00
opts, err = putOpts(ctx, r, bucket, object, li.UserDefined)
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
return
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
var key []byte
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
if crypto.SSEC.IsRequested(r.Header) {
key, err = ParseSSECustomerRequest(r)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-17 21:52:14 +02:00
return
}
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
// Calculating object encryption key
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
key, err = decryptObjectInfo(key, bucket, object, li.UserDefined)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
copy(objectEncryptionKey[:], key)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID))
Add encryption buffer (#8626) Quite hard to measure difference: ``` λ warp cmp put-before.csv.zst put-after2.csv.zst Operation: PUT Operations: 340 -> 353 * Average: +4.11% (+22.7 MB/s) throughput, +4.11% (+0.2) obj/s * 50% Median: +1.58% (+7.3 MB/s) throughput, +1.58% (+0.1) obj/s ``` Difference is likely bigger on Intel platforms due to higher syscall costs.
2019-12-12 19:01:15 +01:00
in := io.Reader(hashReader)
if size > encryptBufferThreshold {
// The encryption reads in blocks of 64KB.
// We add a buffer on bigger files to reduce the number of syscalls upstream.
in = bufio.NewReaderSize(hashReader, encryptBufferSize)
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
reader, err = sio.EncryptReader(in, sio.Config{Key: partEncryptionKey[:]})
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
info := ObjectInfo{Size: size}
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
// do not try to verify encrypted content
hashReader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", size, globalCLIContext.StrictS3Compat)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
return
}
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
pReader = NewPutObjReader(rawReader, hashReader, &objectEncryptionKey)
Add multipart support in SSE-C encryption (#5576) *) Add Put/Get support of multipart in encryption *) Add GET Range support for encryption *) Add CopyPart encrypted support *) Support decrypting of large single PUT object
2018-03-01 20:37:57 +01:00
}
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
putObjectPart := objectAPI.PutObjectPart
Rewrite cache implementation to cache only on GET (#7694) Fixes #7458 Fixes #7573 Fixes #7938 Fixes #6934 Fixes #6265 Fixes #6630 This will allow the cache to consistently work for server and gateways. Range GET requests will be cached in the background after the request is served from the backend. - All cached content is automatically bitrot protected. - Avoid ETag verification if a cache-control header is set and the cached content is still valid. - This PR changes the cache backend format, and all existing content will be migrated to the new format. Until the data is migrated completely, all content will be served from the backend.
2019-08-10 02:09:08 +02:00
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
partInfo, err := putObjectPart(ctx, bucket, object, uploadID, partID, pReader, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
// Verify if the underlying error is signature mismatch.
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Fix ETag handling with auto-encryption with CopyObject conditions (#7000) minio-java tests were failing under multiple places when auto encryption was turned on, handle all the cases properly This PR fixes - CopyObject should decrypt ETag before it does if-match - CopyObject should not try to preserve metadata of source when rotating keys, unless explicitly asked by the user. - We should not try to decrypt Compressed object etag, the potential case was if user sets encryption headers along with compression enabled.
2018-12-19 23:12:53 +01:00
etag := partInfo.ETag
Turn off md5sum optionally if content-md5 is not set (#7609) This PR also brings --compat option to run MinIO in strict S3 compatibility mode, MinIO by default will now try to run high performance mode.
2019-05-09 03:35:40 +02:00
if isEncrypted {
avoid unnecessary KMS requests during single-part PUT (#9220) This commit fixes a performance issue caused by too many calls to the external KMS - i.e. for single-part PUT requests. In general, the issue is caused by a sub-optimal code structure. In particular, when the server encrypts an object it requests a new data encryption key from the KMS. With this key it does some key derivation and encrypts the object content and ETag. However, to behave S3-compatible the MinIO server has to return the plaintext ETag to the client in case SSE-S3. Therefore, the server code used to decrypt the (previously encrypted) ETag again by requesting the data encryption key (KMS decrypt API) from the KMS. This leads to 2 KMS API calls (1 generate key and 1 decrypt key) per PUT operation - while only one KMS call is necessary. This commit fixes this by fetching a data key only once from the KMS and keeping the derived object encryption key around (for the lifetime of the request). This leads to a significant performance improvement w.r.t. to PUT workloads: ``` Operation: PUT Operations: 161 -> 239 Duration: 28s -> 29s * Average: +47.56% (+25.8 MiB/s) throughput, +47.56% (+2.6) obj/s * Fastest: +55.49% (+34.5 MiB/s) throughput, +55.49% (+3.5) obj/s * 50% Median: +58.24% (+32.8 MiB/s) throughput, +58.24% (+3.3) obj/s * Slowest: +1.83% (+0.6 MiB/s) throughput, +1.83% (+0.1) obj/s ```
2020-04-10 02:01:45 +02:00
etag = tryDecryptETag(objectEncryptionKey[:], partInfo.ETag, crypto.SSEC.IsRequested(r.Header))
contentType: Reply back proper contentTypes based on the file extension. Currently the server would set 'application/octet-stream' for all objects, set this value based on the file extension transparently. This is useful in case of minio browser to facilitate displaying proper icons for the different mime data types.
2016-02-01 21:19:54 +01:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
w.Header()[xhttp.ETag] = []string{"\"" + etag + "\""}
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseHeadersOnly(w)
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// AbortMultipartUploadHandler - Abort multipart upload
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) AbortMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "AbortMultipartUpload")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "AbortMultipartUpload", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Implement AbortMultipart
2015-05-10 01:06:35 +02:00
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Implement AbortMultipart
2015-05-10 01:06:35 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
abortMultipartUpload := objectAPI.AbortMultipartUpload
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.AbortMultipartUploadAction, bucket, object); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
return
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
}
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
uploadID, _, _, _, s3Error := getObjectResources(r.URL.Query())
if s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
return
}
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
if err := abortMultipartUpload(ctx, bucket, object, uploadID); err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
Reply back proper statuses for DeleteBucket/DeleteObject
2015-10-17 05:02:37 +02:00
writeSuccessNoContent(w)
Implement AbortMultipart
2015-05-10 01:06:35 +02:00
}
Restructure API handlers, add JSON RPC simple HelloService right now.
2015-07-01 05:15:48 +02:00
// ListObjectPartsHandler - List object parts
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) ListObjectPartsHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "ListObjectParts")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "ListObjectParts", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Implement Bucket ACL support
2015-10-17 04:09:35 +02:00
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Implement Bucket ACL support
2015-10-17 04:09:35 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.ListMultipartUploadPartsAction, bucket, object); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
return
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
}
s3: Add support of encodingType parameter (#7265) This commit honors encoding-type parameter in object listing, parts listing and multipart uploads listing.
2019-02-24 07:14:24 +01:00
uploadID, partNumberMarker, maxParts, encodingType, s3Error := getObjectResources(r.URL.Query())
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
if s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
return
}
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
if partNumberMarker < 0 {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPartNumberMarker), r.URL, guessIsBrowserReq(r))
Return proper InvalidArgument messages like s3 for invalid data for ListObjects(), ListObjectParts(), ListMultipartUploads()
2015-07-17 02:22:45 +02:00
return
}
objectAPI: Fix object API interface, remove unnecessary structs. ObjectAPI changes. ``` ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsInfo, *probe.Error) ListMultipartUploads(bucket, objectPrefix, keyMarker, uploadIDMarker, delimiter string, maxUploads int) (ListMultipartsInfo, *probe.Error) ListObjectParts(bucket, object, uploadID string, partNumberMarker, maxParts int) (ListPartsInfo, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []completePart) (ObjectInfo, *probe.Error) ```
2016-04-03 10:34:20 +02:00
if maxParts < 0 {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMaxParts), r.URL, guessIsBrowserReq(r))
Return proper InvalidArgument messages like s3 for invalid data for ListObjects(), ListObjectParts(), ListMultipartUploads()
2015-07-17 02:22:45 +02:00
return
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
var opts ObjectOptions
listPartsInfo, err := objectAPI.ListObjectParts(ctx, bucket, object, uploadID, partNumberMarker, maxParts, opts)
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var ssec bool
if objectAPI.IsEncryptionSupported() {
var li ListPartsInfo
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1, opts)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
if crypto.IsEncrypted(li.UserDefined) {
var key []byte
if crypto.SSEC.IsEncrypted(li.UserDefined) {
ssec = true
}
var objectEncryptionKey []byte
if crypto.S3.IsEncrypted(li.UserDefined) {
// Calculating object encryption key
objectEncryptionKey, err = decryptObjectInfo(key, bucket, object, li.UserDefined)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
}
parts := make([]PartInfo, len(listPartsInfo.Parts))
for i, p := range listPartsInfo.Parts {
part := p
part.ETag = tryDecryptETag(objectEncryptionKey, p.ETag, ssec)
parts[i] = part
}
listPartsInfo.Parts = parts
}
}
s3: Add support of encodingType parameter (#7265) This commit honors encoding-type parameter in object listing, parts listing and multipart uploads listing.
2019-02-24 07:14:24 +01:00
response := generateListPartsResponse(listPartsInfo, encodingType)
api: DRY code and add new test This commit makes code cleaner and reduces the repetitions in the code base. Specifically, it reduces the clutter in setObjectHeaders. It also merges encodeSuccessResponse and encodeErrorResponse together because they served no purpose differently. Finally, it adds a simple test for generateRequestID.
2016-03-06 21:16:22 +01:00
encodedSuccessResponse := encodeResponse(response)
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 01:46:56 +01:00
// Write success response.
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseXML(w, encodedSuccessResponse)
Add listparts support
2015-05-09 20:41:26 +02:00
}
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
type whiteSpaceWriter struct {
http.ResponseWriter
http.Flusher
written bool
}
func (w *whiteSpaceWriter) Write(b []byte) (n int, err error) {
n, err = w.ResponseWriter.Write(b)
w.written = true
return
}
func (w *whiteSpaceWriter) WriteHeader(statusCode int) {
if !w.written {
w.ResponseWriter.WriteHeader(statusCode)
}
}
// Send empty whitespaces every 10 seconds to the client till completeMultiPartUpload() is
// done so that the client does not time out. Downside is we might send 200 OK and
// then send error XML. But accoording to S3 spec the client is supposed to check
// for error XML even if it received 200 OK. But for erasure this is not a problem
// as completeMultiPartUpload() is quick. Even For FS, it would not be an issue as
// we do background append as and when the parts arrive and completeMultiPartUpload
// is quick. Only in a rare case where parts would be out of order will
// FS:completeMultiPartUpload() take a longer time.
Remove unusued params and functions (#8399)
2019-10-16 03:35:41 +02:00
func sendWhiteSpace(w http.ResponseWriter) <-chan bool {
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
doneCh := make(chan bool)
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
go func() {
ticker := time.NewTicker(time.Second * 10)
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
headerWritten := false
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
for {
select {
case <-ticker.C:
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
// Write header if not written yet.
if !headerWritten {
w.Write([]byte(xml.Header))
headerWritten = true
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
}
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
// Once header is written keep writing empty spaces
// which are ignored by client SDK XML parsers.
// This occurs when server takes long time to completeMultiPartUpload()
w.Write([]byte(" "))
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
w.(http.Flusher).Flush()
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
case doneCh <- headerWritten:
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
ticker.Stop()
return
}
}
}()
return doneCh
}
api/complete-multipart: fixes and tests. (#2719) * api/complete-multipart: tests and simplification. - Removing the logic of sending white space characters. - Fix for incorrect HTTP response status for certain cases. - Tests for New Multipart Upload and Complete Multipart Upload. * tests: test for Delelete Object API handler
2016-09-22 05:08:08 +02:00
// CompleteMultipartUploadHandler - Complete multipart upload.
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) CompleteMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "CompleteMultipartUpload")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "CompleteMultipartUpload", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Adding multipart support
2015-05-08 04:55:30 +02:00
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Remove some api server code bringing in new cleanup
2015-06-30 23:42:29 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, bucket, object); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-21 22:51:05 +01:00
return
}
Avoid unnecessary allocations for XML parsing (#9017)
2020-02-23 04:36:46 +01:00
// Content-Length is required and should be non-zero
if r.ContentLength <= 0 {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL, guessIsBrowserReq(r))
return
}
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
// Get upload id.
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
uploadID, _, _, _, s3Error := getObjectResources(r.URL.Query())
if s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
Add error handling in api-resource.go (#6651)
2018-10-18 16:31:46 +02:00
return
}
signature: Fix signature handling of parallel requests. Signature struct should be immutable, this fixes an issue with AWS cli not being able to do multipart put operations.
2016-03-02 20:22:58 +01:00
Add public data-types for easier external loading (#5170) This change brings public data-types such that we can ask projects to implement gateway projects externally than maintaining in our repo. All publicly exported structs are maintained in object-api-datatypes.go completePart --> CompletePart uploadMetadata --> MultipartInfo All other exported errors are at object-api-errors.go
2017-11-14 09:25:10 +01:00
complMultipartUpload := &CompleteMultipartUpload{}
Avoid unnecessary allocations for XML parsing (#9017)
2020-02-23 04:36:46 +01:00
if err = xmlDecoder(r.Body, complMultipartUpload, r.ContentLength); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
return
}
Return error for empty parts in multipartupload complete (#1758)
2016-05-25 21:11:26 +02:00
if len(complMultipartUpload.Parts) == 0 {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedXML), r.URL, guessIsBrowserReq(r))
Return error for empty parts in multipartupload complete (#1758)
2016-05-25 21:11:26 +02:00
return
}
Add public data-types for easier external loading (#5170) This change brings public data-types such that we can ask projects to implement gateway projects externally than maintaining in our repo. All publicly exported structs are maintained in object-api-datatypes.go completePart --> CompletePart uploadMetadata --> MultipartInfo All other exported errors are at object-api-errors.go
2017-11-14 09:25:10 +01:00
if !sort.IsSorted(CompletedParts(complMultipartUpload.Parts)) {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPartOrder), r.URL, guessIsBrowserReq(r))
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
// Reject retention or governance headers if set, CompleteMultipartUpload spec
// does not use these headers, and should not be passed down to checkPutObjectLockAllowed
if objectlock.IsObjectLockRequested(r.Header) || objectlock.IsObjectLockGovernanceBypassSet(r.Header) {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
return
}
// Deny if global WORM is enabled
if globalWORMEnabled {
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
}
fix: object lock behavior when default lock config is enabled (#9305)
2020-04-13 23:03:23 +02:00
if _, _, _, s3Err := checkPutObjectLockAllowed(ctx, r, bucket, object, objectAPI.GetObjectInfo, ErrNone, ErrNone); s3Err != ErrNone {
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
var objectEncryptionKey []byte
var opts ObjectOptions
var isEncrypted, ssec bool
if objectAPI.IsEncryptionSupported() {
var li ListPartsInfo
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1, opts)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
if crypto.IsEncrypted(li.UserDefined) {
var key []byte
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
isEncrypted = true
ssec = crypto.SSEC.IsEncrypted(li.UserDefined)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if crypto.S3.IsEncrypted(li.UserDefined) {
// Calculating object encryption key
objectEncryptionKey, err = decryptObjectInfo(key, bucket, object, li.UserDefined)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
}
}
}
partsMap := make(map[string]PartInfo)
if isEncrypted {
var partNumberMarker int
maxParts := 1000
for {
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
listPartsInfo, err := objectAPI.ListObjectParts(ctx, bucket, object, uploadID, partNumberMarker, maxParts, opts)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
for _, part := range listPartsInfo.Parts {
partsMap[strconv.Itoa(part.PartNumber)] = part
}
partNumberMarker = listPartsInfo.NextPartNumberMarker
if !listPartsInfo.IsTruncated {
break
}
}
}
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696
2019-01-05 23:16:43 +01:00
fs: Break fs package to top-level and introduce ObjectAPI interface. ObjectAPI interface brings in changes needed for XL ObjectAPI layer. The new interface for any ObjectAPI layer is as below ``` // ObjectAPI interface. type ObjectAPI interface { // Bucket resource API. DeleteBucket(bucket string) *probe.Error ListBuckets() ([]BucketInfo, *probe.Error) MakeBucket(bucket string) *probe.Error GetBucketInfo(bucket string) (BucketInfo, *probe.Error) // Bucket query API. ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error) ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error) // Object resource API. GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error) GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error) PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error) DeleteObject(bucket, object string) *probe.Error // Object query API. NewMultipartUpload(bucket, object string) (string, *probe.Error) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error) ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error) CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error) AbortMultipartUpload(bucket, object, uploadID string) *probe.Error } ```
2016-03-31 01:15:28 +02:00
// Complete parts.
Add public data-types for easier external loading (#5170) This change brings public data-types such that we can ask projects to implement gateway projects externally than maintaining in our repo. All publicly exported structs are maintained in object-api-datatypes.go completePart --> CompletePart uploadMetadata --> MultipartInfo All other exported errors are at object-api-errors.go
2017-11-14 09:25:10 +01:00
var completeParts []CompletePart
refactor: add multipart code to the object layer.
2016-04-11 10:29:18 +02:00
for _, part := range complMultipartUpload.Parts {
Use canonicalETag helper wherever needed. (#3910)
2017-03-16 04:48:49 +01:00
part.ETag = canonicalizeETag(part.ETag)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
if isEncrypted {
// ETag is stored in the backend in encrypted form. Validate client sent ETag with
// decrypted ETag.
if bkPartInfo, ok := partsMap[strconv.Itoa(part.PartNumber)]; ok {
bkETag := tryDecryptETag(objectEncryptionKey, bkPartInfo.ETag, ssec)
if bkETag != part.ETag {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPart), r.URL, guessIsBrowserReq(r))
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
return
}
part.ETag = bkPartInfo.ETag
}
}
refactor: add multipart code to the object layer.
2016-04-11 10:29:18 +02:00
completeParts = append(completeParts, part)
}
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
Add disk based edge caching support. (#5182) This PR adds disk based edge caching support for minio server. Cache settings can be configured in config.json to take list of disk drives, cache expiry in days and file patterns to exclude from cache or via environment variables MINIO_CACHE_DRIVES, MINIO_CACHE_EXCLUDE and MINIO_CACHE_EXPIRY Design assumes that Atime support is enabled and the list of cache drives is fixed. - Objects are cached on both GET and PUT/POST operations. - Expiry is used as hint to evict older entries from cache, or if 80% of cache capacity is filled. - When object storage backend is down, GET, LIST and HEAD operations fetch object seamlessly from cache. Current Limitations - Bucket policies are not cached, so anonymous operations are not supported in offline mode. - Objects are distributed using deterministic hashing among list of cache drives specified.If one or more drives go offline, or cache drive configuration is altered - performance could degrade to linear lookup. Fixes #4026
2018-03-28 23:14:06 +02:00
completeMultiPartUpload := objectAPI.CompleteMultipartUpload
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
// This code is specifically to handle the requirements for slow
// complete multipart upload operations on FS mode.
writeErrorResponseWithoutXMLHeader := func(ctx context.Context, w http.ResponseWriter, err APIError, reqURL *url.URL) {
switch err.Code {
case "SlowDown", "XMinioServerNotInitialized", "XMinioReadQuorum", "XMinioWriteQuorum":
// Set retry-after header to indicate user-agents to retry request after 120secs.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
w.Header().Set(xhttp.RetryAfter, "120")
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
}
// Generate error response.
errorResponse := getAPIErrorResponse(ctx, err, reqURL.Path,
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
w.Header().Get(xhttp.AmzRequestID), globalDeploymentID)
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
encodedErrorResponse, _ := xml.Marshal(errorResponse)
setCommonHeaders(w)
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
w.Header().Set(xhttp.ContentType, string(mimeXML))
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
w.Write(encodedErrorResponse)
w.(http.Flusher).Flush()
}
Add text/event-stream for long running http connections (#7909) When MinIO is behind a proxy, proxies end up killing clients when no data is seen on the connection, adding the right content-type ensures that proxies do not come in the way.
2019-07-11 22:19:25 +02:00
w.Header().Set(xhttp.ContentType, "text/event-stream")
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
w = &whiteSpaceWriter{ResponseWriter: w, Flusher: w.(http.Flusher)}
Remove unusued params and functions (#8399)
2019-10-16 03:35:41 +02:00
completeDoneCh := sendWhiteSpace(w)
Fix: Preserve MD5Sum for SSE encrypted objects (#6680) To conform with AWS S3 Spec on ETag for SSE-S3 encrypted objects, encrypt client sent MD5Sum and store it on backend as ETag.Extend this behavior to SSE-C encrypted objects.
2018-11-15 02:36:41 +01:00
objInfo, err := completeMultiPartUpload(ctx, bucket, object, uploadID, completeParts, opts)
Send white spaces to client till completeMultipart() process completes (#7198)
2019-02-06 05:58:09 +01:00
// Stop writing white spaces to the client. Note that close(doneCh) style is not used as it
// can cause white space to be written after we send XML response in a race condition.
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
headerWritten := <-completeDoneCh
Add errorIf for all API handlers to print call trace upon errors
2015-09-19 12:20:07 +02:00
if err != nil {
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
if headerWritten {
writeErrorResponseWithoutXMLHeader(ctx, w, toAPIError(ctx, err), r.URL)
} else {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
API: add writePartTooSmallErrorResponse to extend standard error responses. (#2005) This function is added to extend the standard error responses. Which is needed in some cases for example CompleteMultipartUpload should respond with ErrPartTooSmall error when parts uploaded are lesser than 5MB (i.e minimum allowed size per part). Fixes #1536
2016-06-28 23:51:49 +02:00
}
Migrate from iodine to probe
2015-08-04 01:17:21 +02:00
return
}
object layer: Send 200 OK and whitespace chars (#1897)
2016-06-16 05:31:06 +02:00
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 01:08:15 +01:00
// Get object location.
Support multiple-domains in MINIO_DOMAIN (#7274) Fixes #7173
2019-02-23 04:18:01 +01:00
location := getObjectLocation(r, globalDomainNames, bucket, object)
multipart: remove proper MD5, rather create MD5 based on parts to be s3 compatible. This increases the performance phenominally.
2016-03-02 05:01:40 +01:00
// Generate complete multipart response.
fs/erasure: Rename meta 'md5Sum' as 'etag'. (#4319) This PR also does backend format change to 1.0.1 from 1.0.0. Backward compatible changes are still kept to read the 'md5Sum' key. But all new objects will be stored with the same details under 'etag'. Fixes #4312
2017-05-14 21:05:51 +02:00
response := generateCompleteMultpartUploadResponse(bucket, object, location, objInfo.ETag)
Write xml.Header first instead of spaces to handle XML parsers (#7253) Clients like AWS SDK Java and AWS cli XML parsers are unable to handle on `\r\n` characters to avoid these errors send XML header first and write white space characters instead. Also handle cases to avoid double WriteHeader calls
2019-02-21 07:20:15 +01:00
var encodedSuccessResponse []byte
if !headerWritten {
encodedSuccessResponse = encodeResponse(response)
} else {
encodedSuccessResponse, err = xml.Marshal(response)
if err != nil {
writeErrorResponseWithoutXMLHeader(ctx, w, toAPIError(ctx, err), r.URL)
return
}
Send XML header before the first of whitespace chars (#2046) * Sent XML header before the first of whitespace chars XML parsing fails in aws cli due to unexpected whitespace character. To fix this, we send the xml header before we send the first whitespace character, if any. * Fix race between sendWhiteSpaceChars and completeMultiUploadpart
2016-07-01 03:48:50 +02:00
}
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Fix missing CompleteMultipartUpload Etag. (#3227) Fixes #3224
2016-11-10 16:41:02 +01:00
// Set etag.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 07:34:32 +02:00
w.Header()[xhttp.ETag] = []string{"\"" + objInfo.ETag + "\""}
Fix missing CompleteMultipartUpload Etag. (#3227) Fixes #3224
2016-11-10 16:41:02 +01:00
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
// Write success response.
api: Set appropriate content-type for success/error responses. (#3537) Golang HTTP client automatically detects content-type but for S3 clients this content-type might be incorrect or might misbehave. For example: ``` Content-Type: text/xml; charset=utf-8 ``` Should be ``` Content-Type: application/xml ``` Allow this to be set properly.
2017-01-06 09:37:00 +01:00
writeSuccessResponseXML(w, encodedSuccessResponse)
api: Implement bucket notification. (#2271) * Implement basic S3 notifications through queues Supports multiple queues and three basic queue types: 1. NilQueue -- messages don't get sent anywhere 2. LogQueue -- messages get logged 3. AmqpQueue -- messages are sent to an AMQP queue * api: Implement bucket notification. Supports two different queue types - AMQP - ElasticSearch. * Add support for redis
2016-07-24 07:51:12 +02:00
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
// Notify object created event.
make notification as separate package (#5294) * Remove old notification files * Add net package * Add event package * Modify minio to take new notification system
2018-03-15 21:03:41 +01:00
sendEvent(eventArgs{
Support audit logs with additional fields (#6738) This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2018-11-03 02:40:08 +01:00
EventName: event.ObjectCreatedCompleteMultipartUpload,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Populate host value from GetSourceIP directly (#7417)
2019-03-25 19:45:42 +01:00
Host: handlers.GetSourceIP(r),
Make addition of TopicConfig to globalEventNotifier go-routine safe (#2806)
2016-09-29 07:46:19 +02:00
})
Adding multipart support
2015-05-08 04:55:30 +02:00
}
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
/// Delete objectAPIHandlers
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
api: Implement multiple objects Delete api - fixes #956 This API takes input XML input in following form. ``` <?xml version="1.0" encoding="UTF-8"?> <Delete> <Quiet>true</Quiet> <Object> <Key>Key</Key> </Object> <Object> <Key>Key</Key> </Object> ... </Delete> ``` and responds the list of successful deletes, list of errors for all the deleted objects. ``` <?xml version="1.0" encoding="UTF-8"?> <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Deleted> <Key>sample1.txt</Key> </Deleted> <Error> <Key>sample2.txt</Key> <Code>AccessDenied</Code> <Message>Access Denied</Message> </Error> </DeleteResult> ```
2016-03-06 01:43:48 +01:00
// DeleteObjectHandler - delete an object
storage/server/client: Enable storage server, enable client storage.
2016-04-12 21:45:15 +02:00
func (api objectAPIHandlers) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
Log x-amz-request-id as log and XML error response (#6173) Currently, requestid field in logEntry is not populated, as the requestid field gets set at the very end. It is now set before regular handler functions. This is also useful in setting it as part of the XML error response. Travis build for ppc64le has been quite inconsistent and stays queued for most of the time. Removing this build as part of Travis.yml for the time being.
2018-07-21 03:46:32 +02:00
ctx := newContext(r, w, "DeleteObject")
Add context to the object-interface methods. Make necessary changes to xl fs azure sia
2018-03-14 20:01:47 +01:00
Audit log claims from token (#6847)
2018-11-22 05:03:24 +01:00
defer logger.AuditLog(w, r, "DeleteObject", mustGetClaimsFromToken(r))
Add audit logging for S3 and Web handlers (#6571) This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2018-10-12 21:25:59 +02:00
signature: Rewrite signature handling and move it into a library.
2016-02-16 02:42:39 +01:00
vars := mux.Vars(r)
Migrate this project to minio micro services code
2015-10-16 20:26:01 +02:00
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Migrate this project to minio micro services code
2015-10-16 20:26:01 +02:00
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
objectAPI := api.ObjectAPI()
if objectAPI == nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
Move the ObjectAPI() resource to be beginning of each handlers. We should return back proper errors so that the clients can retry until server has been initialized.
2016-08-11 03:47:49 +02:00
return
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 00:53:30 +02:00
if s3Error := checkRequestAuthType(ctx, r, policy.DeleteObjectAction, bucket, object); s3Error != ErrNone {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 01:46:56 +01:00
return
fs: Cleanup Golang errors to be called 'e' and probe to be called as 'err' - Replace the ACL checks back, remove them when bucket policy is implemented. - Move FTW (File Tree Walk) into ioutils package.
2016-02-04 21:52:25 +01:00
}
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-21 22:51:05 +01:00
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 07:04:37 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
Allow versionId to be null for Delete,CopyObjectPart (#6972)
2018-12-14 07:04:37 +01:00
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
Quick support to server level WORM (#5602) This is a trival fix to support server level WORM. The feature comes with an environment variable `MINIO_WORM`. Usage: ``` $ export MINIO_WORM=on $ minio server endpoint ```
2018-03-28 01:44:45 +02:00
}
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 07:35:43 +02:00
if globalDNSConfig != nil {
_, err := globalDNSConfig.Get(bucket)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Checking the existence of the bucket in DeleteObjectHandler (#6085) Fixes #6077
2018-07-01 07:35:43 +02:00
return
}
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
// Deny if global WORM is enabled
if globalWORMEnabled {
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
Use context to fill in more details about error XML (#7232)
2019-02-14 01:07:21 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
Avoid double bucket validation in DeleteObjectHandler (#6720) On a heavily loaded server, getBucketInfo() becomes slow, one can easily observe deleting an object causes many additional network calls. This PR is to let the underlying call return the actual error and write it back to the client.
2018-10-31 00:07:57 +01:00
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if _, err := objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
Avoid double bucket validation in DeleteObjectHandler (#6720) On a heavily loaded server, getBucketInfo() becomes slow, one can easily observe deleting an object causes many additional network calls. This PR is to let the underlying call return the actual error and write it back to the client.
2018-10-31 00:07:57 +01:00
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
apiErr := ErrNone
if _, ok := globalBucketObjectLockConfig.Get(bucket); ok {
apiErr = enforceRetentionBypassForDelete(ctx, r, bucket, object, getObjectInfo)
if apiErr != ErrNone && apiErr != ErrNoSuchKey {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErr), r.URL, guessIsBrowserReq(r))
return
}
}
if apiErr == ErrNone {
// http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html
if err := deleteObject(ctx, objectAPI, api.CacheAPI(), bucket, object, r); err != nil {
switch err.(type) {
case BucketNotFound:
// When bucket doesn't exist specially handle it.
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
// Ignore delete object errors while replying to client, since we are suppposed to reply only 204.
}
}
Reply back proper statuses for DeleteBucket/DeleteObject
2015-10-17 05:02:37 +02:00
writeSuccessNoContent(w)
Add delete handlers and reply back as 'NotImplemented' instead of 404
2015-06-08 20:06:06 +02:00
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
// PutObjectLegalHoldHandler - set legal hold configuration to object,
func (api objectAPIHandlers) PutObjectLegalHoldHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectLegalHold")
defer logger.AuditLog(w, r, "PutObjectLegalHold", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
return
}
objectAPI := api.ObjectAPI()
if objectAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
// Check permissions to perform this legal hold operation
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 16:04:12 +01:00
if s3Err := checkRequestAuthType(ctx, r, policy.PutObjectLegalHoldAction, bucket, object); s3Err != ErrNone {
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
if _, err := objectAPI.GetBucketInfo(ctx, bucket); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 16:04:12 +01:00
if !hasContentMD5(r.Header) {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentMD5), r.URL, guessIsBrowserReq(r))
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
return
}
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 07:07:52 +01:00
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
if _, ok := globalBucketObjectLockConfig.Get(bucket); !ok {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL, guessIsBrowserReq(r))
return
}
legalHold, err := objectlock.ParseObjectLegalHold(r.Body)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
objInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockLegalHold)] = strings.ToUpper(string(legalHold.Status))
objInfo.metadataOnly = true
if _, err = objectAPI.CopyObject(ctx, bucket, object, bucket, object, objInfo, ObjectOptions{}, ObjectOptions{}); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Fix error messages returned by (Put)GetObjectLegalHold (#9013) fiixing some minor discrepancies between aws s3 responses vs minio server
2020-02-19 03:45:48 +01:00
writeSuccessResponseHeadersOnly(w)
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
// Notify object event.
sendEvent(eventArgs{
EventName: event.ObjectCreatedPutLegalHold,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
}
// GetObjectLegalHoldHandler - get legal hold configuration to object,
func (api objectAPIHandlers) GetObjectLegalHoldHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectLegalHold")
defer logger.AuditLog(w, r, "GetObjectLegalHold", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
return
}
objectAPI := api.ObjectAPI()
if objectAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectLegalHoldAction, bucket, object); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if _, ok := globalBucketObjectLockConfig.Get(bucket); !ok {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
legalHold := objectlock.GetObjectLegalHoldMeta(objInfo.UserDefined)
Fix error messages returned by (Put)GetObjectLegalHold (#9013) fiixing some minor discrepancies between aws s3 responses vs minio server
2020-02-19 03:45:48 +01:00
if legalHold.IsEmpty() {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchObjectLockConfiguration), r.URL, guessIsBrowserReq(r))
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
writeSuccessResponseXML(w, encodeResponse(legalHold))
// Notify object legal hold accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGetLegalHold,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// PutObjectRetentionHandler - set object hold configuration to object,
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
func (api objectAPIHandlers) PutObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectRetention")
defer logger.AuditLog(w, r, "PutObjectRetention", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
return
}
objectAPI := api.ObjectAPI()
if objectAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
cred, owner, claims, s3Err := validateSignature(getRequestAuthType(r), r)
if s3Err != ErrNone {
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
Fix retention enforcement in Compliance mode (#8556) In compliance mode, the retention date can be extended with governance bypass permissions
2019-11-25 19:58:39 +01:00
if _, err := objectAPI.GetBucketInfo(ctx, bucket); err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 16:04:12 +01:00
if !hasContentMD5(r.Header) {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentMD5), r.URL, guessIsBrowserReq(r))
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
return
}
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 07:07:52 +01:00
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
if globalWORMEnabled {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrObjectLocked), r.URL, guessIsBrowserReq(r))
return
}
Fix bug preventing overwrite of object if (#8796) object lock config is enabled for a bucket. Creating a bucket with object lock configuration enabled does not automatically cause WORM protection to be applied. PUT operation needs to specifically request object locking or bucket has to have default retention settings configured. Fixes regression introduced in #8657
2020-01-14 02:29:31 +01:00
if _, ok := globalBucketObjectLockConfig.Get(bucket); !ok {
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidBucketObjectLockConfiguration), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
objRetention, err := objectlock.ParseObjectRetention(r.Body)
Fix retention enforcement in Compliance mode (#8556) In compliance mode, the retention date can be extended with governance bypass permissions
2019-11-25 19:58:39 +01:00
if err != nil {
apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
apiErr.Description = err.Error()
writeErrorResponse(ctx, w, apiErr, r.URL, guessIsBrowserReq(r))
return
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
objInfo, s3Err := enforceRetentionBypassForPut(ctx, r, bucket, object, getObjectInfo, objRetention, cred, owner, claims)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Err != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL, guessIsBrowserReq(r))
return
}
Enforce md5sum checks for object retention APIs (#9030) this PR enforces md5sum verification for following API's to be compatible with AWS S3 spec - PutObjectRetention - PutObjectLegalHold Co-authored-by: Harshavardhana <harsha@minio.io>
2020-03-04 16:04:12 +01:00
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
objInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockMode)] = string(objRetention.Mode)
objInfo.UserDefined[strings.ToLower(xhttp.AmzObjectLockRetainUntilDate)] = objRetention.RetainUntilDate.UTC().Format(time.RFC3339)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-06 22:44:16 +02:00
objInfo.metadataOnly = true // Perform only metadata updates.
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if _, err = objectAPI.CopyObject(ctx, bucket, object, bucket, object, objInfo, ObjectOptions{}, ObjectOptions{}); err != nil {
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
writeSuccessNoContent(w)
// Notify object event.
sendEvent(eventArgs{
EventName: event.ObjectCreatedPutRetention,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
// GetObjectRetentionHandler - get object retention configuration of object,
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
func (api objectAPIHandlers) GetObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectRetention")
defer logger.AuditLog(w, r, "GetObjectRetention", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
if vid := r.URL.Query().Get("versionId"); vid != "" && vid != "null" {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoSuchVersion), r.URL, guessIsBrowserReq(r))
return
}
objectAPI := api.ObjectAPI()
if objectAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectRetentionAction, bucket, object); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return
}
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
getObjectInfo := objectAPI.GetObjectInfo
if api.CacheAPI() != nil {
getObjectInfo = api.CacheAPI().GetObjectInfo
}
opts, err := getOpts(ctx, r, bucket, object)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
objInfo, err := getObjectInfo(ctx, bucket, object, opts)
if err != nil {
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add support for object locking with legal hold. (#8634)
2020-01-17 00:41:56 +01:00
retention := objectlock.GetObjectRetentionMeta(objInfo.UserDefined)
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-20 22:18:09 +01:00
writeSuccessResponseXML(w, encodeResponse(retention))
// Notify object retention accessed via a GET request.
sendEvent(eventArgs{
EventName: event.ObjectAccessedGetRetention,
BucketName: bucket,
Object: objInfo,
ReqParams: extractReqParams(r),
RespElements: extractRespElements(w),
UserAgent: r.UserAgent(),
Host: handlers.GetSourceIP(r),
})
Add Get/Put Bucket Lock Configuration API support (#8120) This feature implements [PUT Bucket object lock configuration][1] and [GET Bucket object lock configuration][2]. After object lock configuration is set, existing and new objects are set to WORM for specified duration. Currently Governance mode works exactly like Compliance mode. Fixes #8101 [1] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTObjectLockConfiguration.html [2] https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETObjectLockConfiguration.html
2019-11-12 23:50:18 +01:00
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
// GetObjectTaggingHandler - GET object tagging
func (api objectAPIHandlers) GetObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "GetObjectTagging")
defer logger.AuditLog(w, r, "GetObjectTagging", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
objAPI := api.ObjectAPI()
if objAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
// Allow getObjectTagging if policy action is set.
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectTaggingAction, bucket, object); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return
}
// Get object tags
tags, err := objAPI.GetObjectTag(ctx, bucket, object)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
writeSuccessResponseXML(w, encodeResponse(tags))
}
// PutObjectTaggingHandler - PUT object tagging
func (api objectAPIHandlers) PutObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "PutObjectTagging")
defer logger.AuditLog(w, r, "PutObjectTagging", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
bucket := vars["bucket"]
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
objAPI := api.ObjectAPI()
if objAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
// Allow putObjectTagging if policy action is set
if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectTaggingAction, bucket, object); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return
}
tagging, err := tagging.ParseTagging(io.LimitReader(r.Body, r.ContentLength))
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
// Put object tags
err = objAPI.PutObjectTag(ctx, bucket, object, tagging.String())
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
writeSuccessResponseHeadersOnly(w)
}
// DeleteObjectTaggingHandler - DELETE object tagging
func (api objectAPIHandlers) DeleteObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "DeleteObjectTagging")
defer logger.AuditLog(w, r, "DeleteObjectTagging", mustGetClaimsFromToken(r))
objAPI := api.ObjectAPI()
if objAPI == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
return
}
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
vars := mux.Vars(r)
bucket := vars["bucket"]
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
// Allow deleteObjectTagging if policy action is set
if s3Error := checkRequestAuthType(ctx, r, policy.DeleteObjectTaggingAction, bucket, object); s3Error != ErrNone {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
return
}
// Delete object tags
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647
2020-02-12 04:38:02 +01:00
err = objAPI.DeleteObjectTag(ctx, bucket, object)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
fix: deleteObjectTagging should 204 on success (#9150)
2020-03-17 07:21:24 +01:00
writeSuccessNoContent(w)
Add ObjectTagging Support (#8754) This PR adds support for AWS S3 ObjectTagging API as explained here https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
2020-01-20 17:45:59 +01:00
}
Reference in a new issue Copy permalink