Mercurial > hg > orthanc-book
annotate Sphinx/source/plugins/object-storage.rst @ 880:ac9b677b73c3
object-storage 2.1.0
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Fri, 21 Oct 2022 14:57:05 +0200 |
| parents | d7d3117e5186 |
| children | d04096c1afd7 |
| rev | line source |
|---|---|
| 451 | 1 .. _object-storage: |
| 2 | |
| 3 | |
| 4 Cloud Object Storage plugins | |
| 5 ============================ | |
| 6 | |
| 7 .. contents:: | |
| 8 | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
9 Release notes |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
10 ------------- |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
11 |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
12 Release notes are available `here |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
13 <https://hg.orthanc-server.com/orthanc-object-storage/file/default/NEWS>`__ |
| 451 | 14 |
| 15 Introduction | |
| 16 ------------ | |
| 17 | |
| 880 | 18 These 3 plugins enable storing the Orthanc files in `Object Storage <https://en.wikipedia.org/wiki/Object_storage>`__ |
| 19 at the 3 main Cloud providers: `AWS <https://aws.amazon.com/s3/>`__, | |
| 451 | 20 `Azure <https://azure.microsoft.com/en-us/services/storage/blobs/>`__ & |
| 21 `Google Cloud <https://cloud.google.com/storage>`__ | |
| 22 | |
| 23 Storing Orthanc files in object storage and your index SQL in a | |
| 24 managed database allows you to have a stateless Orthanc that does | |
| 25 not store any data in its local file system which is highly recommended | |
| 26 when deploying an application in the cloud. | |
| 27 | |
| 28 | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
29 Pre-compiled binaries |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
30 --------------------- |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
31 |
| 880 | 32 These plugins are provided as part of the ``osimis/orthanc`` :ref:`Docker images <docker-osimis>`. |
| 33 | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
34 These plugins are used to interface Orthanc with commercial and |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
35 proprietary cloud services that you accept to pay. As a consequence, |
| 880 | 36 the Orthanc project usually doesn't freely update them or fix them unless |
| 37 the requester purchases a support contract e.g. at `Orthanc Team <https://orthanc.team>`__. | |
| 38 | |
| 39 Although you are obviously free to compile these plugins by | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
40 yourself (instructions are given below), purchasing such support |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
41 contracts makes the Orthanc project sustainable in the long term, to |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
42 the benefit of the worldwide community of medical imaging. |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
43 |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
44 |
| 451 | 45 Compilation |
| 46 ----------- | |
| 47 | |
| 48 .. highlight:: text | |
| 49 | |
| 50 The procedure to compile the plugins is quite similar of that for the | |
| 51 :ref:`core of Orthanc <compiling>` although they usually require | |
| 52 some prerequisites. The documented procedure has been tested only | |
| 53 on a Debian Buster machine. | |
| 54 | |
| 55 The compilation of each plugin produces a shared library that contains | |
| 56 the plugin. | |
| 57 | |
| 58 | |
| 59 AWS S3 plugin | |
| 60 ^^^^^^^^^^^^^ | |
| 61 | |
| 62 Prerequisites: Compile the AWS C++ SDK:: | |
| 63 | |
| 64 $ mkdir ~/aws | |
| 65 $ cd ~/aws | |
| 66 $ git clone https://github.com/aws/aws-sdk-cpp.git | |
| 67 $ | |
| 68 $ mkdir -p ~/aws/builds/aws-sdk-cpp | |
| 69 $ cd ~/aws/builds/aws-sdk-cpp | |
| 70 $ cmake -DBUILD_ONLY="s3;transfer" ~/aws/aws-sdk-cpp | |
| 71 $ make -j 4 | |
| 72 $ make install | |
| 73 | |
| 74 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 75 | |
| 76 $ ./vcpkg install cryptopp | |
| 77 | |
| 78 Compile:: | |
| 79 | |
| 80 $ mkdir -p build/aws | |
| 81 $ cd build/aws | |
| 82 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Aws | |
| 83 | |
| 504 | 84 |
| 85 **NB:** If you don't want to use vcpkg, you can use the following | |
| 86 command (this syntax is not compatible with Ninja yet):: | |
| 87 | |
|
543
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
88 $ cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_VCPKG_PACKAGES=OFF -DUSE_SYSTEM_GOOGLE_TEST=OFF ../../orthanc-object-storage/Aws |
| 504 | 89 $ make |
| 90 | |
|
543
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
91 Crypto++ must be installed (on Ubuntu, run ``sudo apt install libcrypto++-dev``). |
|
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
92 |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
93 |
| 451 | 94 Azure Blob Storage plugin |
| 95 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 96 | |
| 97 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 98 | |
| 628 | 99 $ ./vcpkg install cryptopp |
| 100 $ ./vcpkg install azure-storage-cpp | |
| 451 | 101 |
| 102 | |
| 103 Compile:: | |
| 104 | |
| 105 $ mkdir -p build/azure | |
| 106 $ cd build/azure | |
| 107 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Azure | |
| 108 | |
| 109 Google Storage plugin | |
| 110 ^^^^^^^^^^^^^^^^^^^^^ | |
| 111 | |
| 112 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 113 | |
| 628 | 114 $ ./vcpkg install cryptopp |
| 115 $ ./vcpkg install google-cloud-cpp | |
| 451 | 116 |
| 117 Compile:: | |
| 118 | |
| 119 $ mkdir -p build/google | |
| 120 $ cd build/google | |
| 121 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/google | |
| 122 | |
| 123 | |
| 124 Configuration | |
| 125 ------------- | |
| 126 | |
| 127 .. highlight:: json | |
| 128 | |
| 129 AWS S3 plugin | |
| 130 ^^^^^^^^^^^^^ | |
| 131 | |
| 132 Sample configuration:: | |
| 133 | |
| 134 "AwsS3Storage" : { | |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
135 "BucketName": "test-orthanc-s3-plugin", |
| 451 | 136 "Region" : "eu-central-1", |
| 685 | 137 "AccessKey" : "AKXXX", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) |
| 138 "SecretKey" : "RhYYYY", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) | |
| 139 "Endpoint": "", // optional: custom endpoint | |
| 140 "ConnectionTimeout": 30, // optional: connection timeout in seconds | |
| 141 "RequestTimeout": 1200, // optional: request timeout in seconds (max time to upload/download a file) | |
| 142 "RootPath": "", // optional: see below | |
| 143 "MigrationFromFileSystemEnabled": false, // optional: see below | |
| 144 "StorageStructure": "flat", // optional: see below | |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
145 "EnableLegacyUnknownFiles": true, // optional: see below |
| 685 | 146 "VirtualAddressing": true, // optional: see the section related to MinIO |
| 880 | 147 "StorageEncryption" : {}, // optional: see the section related to encryption |
| 148 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 149 } |
| 150 | |
| 464 | 151 The **EndPoint** configuration is used when accessing an S3 compatible cloud provider. I.e. here is a configuration to store data on Scaleway:: |
| 152 | |
| 153 "AwsS3Storage" : { | |
| 154 "BucketName": "test-orthanc", | |
| 155 "Region": "fr-par", | |
| 156 "AccessKey": "XXX", | |
| 157 "SecretKey": "YYY", | |
| 158 "Endpoint": "s3.fr-par.scw.cloud" | |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
159 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
160 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
161 |
| 746 | 162 .. _minio: |
| 163 | |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
164 Emulation of AWS S3 using MinIO |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
165 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
166 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
167 .. highlight:: bash |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
168 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
169 The `MinIO project <https://min.io/>`__ can be used to emulate AWS S3 |
|
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
170 for local testing/prototyping. Here is a sample command to start a |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
171 MinIO server on your local computer using Docker (evidently, make sure |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
172 to set different credentials):: |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
173 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
174 $ docker run -p 9000:9000 \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
175 -e "MINIO_REGION=eu-west-1" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
176 -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
177 -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
178 minio/minio server /data |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
179 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
180 .. highlight:: json |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
181 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
182 Note that the ``MINIO_REGION`` must be set to an arbitrary region that |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
183 is supported by AWS S3. |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
184 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
185 You can then open the URL `http://localhost:9000/ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
186 <http://localhost:9000/>`__ with your Web browser to create a bucket, |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
187 say ``my-sample-bucket``. |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
188 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
189 Here is a corresponding full configuration for Orthanc:: |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
190 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
191 { |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
192 "Plugins" : [ <...> ], |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
193 "AwsS3Storage" : { |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
194 "BucketName": "my-sample-bucket", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
195 "Region" : "eu-west-1", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
196 "Endpoint": "http://localhost:9000/", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
197 "AccessKey": "AKIAIOSFODNN7EXAMPLE", |
| 506 | 198 "SecretKey": "wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY", |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
199 "VirtualAddressing" : false |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
200 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
201 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
202 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
203 Note that the ``VirtualAddressing`` option must be set to ``false`` |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
204 for such a `local setup with MinIO to work |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
205 <https://github.com/aws/aws-sdk-cpp/issues/1425>`__. This option is |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
206 **not** available in releases <= 1.1.0 of the AWS S3 plugin. |
|
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
207 |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
208 **Important:** If you get the cryptic error message |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
209 ``SignatureDoesNotMatch The request signature we calculated does not |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
210 match the signature you provided. Check your key and signing |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
211 method.``, this most probably indicates that your access key or your |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
212 secret key doesn't match the credentials that were used while starting |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
213 the MinIO server. |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
214 |
| 464 | 215 |
| 451 | 216 Azure Blob Storage plugin |
| 217 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 218 | |
| 219 Sample configuration:: | |
| 220 | |
| 221 "AzureBlobStorage" : { | |
| 222 "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=xxxxxxxxx;AccountKey=yyyyyyyy===;EndpointSuffix=core.windows.net", | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
223 "ContainerName" : "test-orthanc-storage-plugin", |
| 647 | 224 "CreateContainerIfNotExists": true, // available from version 1.2.0 |
| 502 | 225 "RootPath": "", // see below |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
226 "MigrationFromFileSystemEnabled": false, // see below |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
227 "StorageStructure": "flat", // see below |
| 880 | 228 "EnableLegacyUnknownFiles": true, // optional: see below |
| 229 "StorageEncryption" : {} // optional: see the section related to encryption | |
| 230 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 231 } |
| 232 | |
| 233 | |
| 234 Google Storage plugin | |
| 235 ^^^^^^^^^^^^^^^^^^^^^ | |
| 236 | |
| 237 Sample configuration:: | |
| 238 | |
| 239 "GoogleCloudStorage" : { | |
| 240 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
241 "BucketName": "test-orthanc-storage-plugin", |
| 502 | 242 "RootPath": "", // see below |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
243 "MigrationFromFileSystemEnabled": false, // see below |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
244 "StorageStructure": "flat", // see below |
| 880 | 245 "EnableLegacyUnknownFiles": true, // optional: see below |
| 246 "StorageEncryption" : {} // optional: see the section related to encryption | |
| 247 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 248 } |
| 249 | |
| 250 | |
| 880 | 251 Migration & Hybrid mode Storage structure |
| 252 ----------------------------------------- | |
| 253 | |
| 254 Since version **2.1.0** of the plugins, an HybridMode as been introduced. | |
| 255 This mode allows reading/writing files from both/to the file system and the object-storage. | |
| 256 | |
| 257 By default, the ``HybridMode`` is ``Disabled``. This means that the plugins will access | |
| 258 only the object-storage. | |
| 259 | |
| 260 When the ``HybridMode`` is set to ``WriteToFileSystem``, it means that new files received | |
| 261 are store on the file system. When accessing a file, it is first read from the file system | |
| 262 and, if it is not found on the file system, it is read from the object-storage. | |
| 263 | |
| 264 The ``WriteToFileSystem`` hybrid mode is usefull for storing recent files on the file system for | |
| 265 better performance and old files on the object-storage for lower cost and easier backups. | |
| 266 | |
| 267 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it means that new files received | |
| 268 are store on the object storage. When accessing a file, it is first read from the object storage | |
| 269 and, if it is not found on the object-storage, it is read from the file system. | |
| 270 | |
| 271 The ``WriteToObjectStorage`` hybrid mode is usefull mainly during a migration from file system to | |
| 272 object-storage, e.g, if you have deployed a VM in a cloud with local file system storage and want | |
| 273 to move your files to object-storage without interrupting your service. | |
| 274 | |
| 275 Moving files between file-system and object-storage | |
| 276 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 277 | |
| 278 When the ``HybridMode`` is set to ``WriteToFileSystem``, it is sometimes usefull to move old files | |
| 279 to the object-storage for long term archive or to `pre-fetch`` files from object-storage to file | |
| 280 system for improved performances e.g when before opening the study in a viewer. | |
| 281 | |
| 282 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it is usefull to move file from the | |
| 283 file system to the object storage to perform a full data migration to object-storage. | |
| 284 | |
| 285 To move files from one storage to the other, you should call the plugin Rest API:: | |
| 286 | |
| 287 $ curl -X POST http://localhost:8042/move-storage \ | |
| 288 --data '{ | |
| 289 "Resources": ["27f7126f-4f66fb14-03f4081b-f9341db2-53925988"], | |
| 290 "TargetStorage": "file-system", | |
| 291 "Asynchronous": true, | |
| 292 "Priority": 0 | |
| 293 }' | |
| 294 | |
| 295 This call creates a ``MoveStorageJob`` that can then be monitor to the ``/jobs`` route. | |
| 296 | |
| 297 The allowed values for ``TargetStorage`` are ``file-system`` or ``object-storage``. | |
| 298 | |
| 299 | |
| 300 Other configuration options | |
| 301 --------------------------- | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
302 |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
303 The **StorageStructure** configuration allows you to select the way objects are organized |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
304 within the storage (``flat`` or ``legacy``). |
| 500 | 305 Unlike the traditional file system in which Orthanc uses 2 levels |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
306 of folders, object storages usually have no limit on the number of files per folder and |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
307 therefore all objects are stored at the root level of the object storage. This is the |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
308 default ``flat`` behaviour. Note that, in the ``flat`` mode, an extension `.dcm` or `.json` |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
309 is added to the filename which is not the case in the legacy mode. |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
310 |
| 500 | 311 The ``legacy`` behaviour mimics the Orthanc File System convention. This is actually helpful |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
312 when migrating your data from a file system to an object storage since you can copy all the file |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
313 hierarchy as is. |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
314 |
| 502 | 315 The **RootPath** allows you to store the files in another folder as the root level of the |
| 520 | 316 object storage. Note: it shall not start with a ``/``. |
| 502 | 317 |
| 318 Note that you can not change these configurations once you've uploaded the first files in Orthanc. | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
319 |
| 880 | 320 The **MigrationFromFileSystemEnabled** configuration has been superseded by the **HybridMode** in v 2.1.0. |
| 508 | 321 |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
322 The **EnableLegacyUnknownFiles** configuration has been introduced to allow recent version of the plugins (from 1.3.3) |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
323 continue working with data that was saved with Orthanc version around 1.9.3 and plugins version around 1.2.0 (e.g. osimis/orthanc:21.5.1 docker images). |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
324 With these specific versions, some ``.unk`` files were generated instead of ``.dcm.head`` files. With this configuration option enabled, |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
325 when reading files, the plugin will try both file extensions. |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
326 If you have ``.unk`` files in your storage, you must enable this configuration. |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
327 |
| 452 | 328 Sample setups |
| 329 ------------- | |
| 330 | |
| 811 | 331 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/#markdown-header-for-software-integrators>`__ . |
| 452 | 332 |
|
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
333 Performances |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
334 ------------ |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
335 |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
336 You'll find some performance comparison between VM SSDs and object-storage `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/performance-tests/>`__ . |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
337 |
| 452 | 338 |
|
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
339 .. _client-side-encryption: |
|
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
340 |
| 451 | 341 Client-side encryption |
| 342 ---------------------- | |
| 343 | |
| 344 Although all cloud providers already provide encryption at rest, the plugins provide | |
| 345 an optional layer of client-side encryption . It is very important that you understand | |
| 346 the scope and benefits of this additional layer of encryption. | |
| 347 | |
| 348 Rationale | |
| 349 ^^^^^^^^^ | |
| 350 | |
| 351 Encryption at rest provided by cloud providers basically compares with a file-system disk encryption. | |
| 352 If someone has access to the disk, he won't have access to your data without the encryption key. | |
| 353 | |
| 354 With cloud encryption at rest only, if someone has access to the "api-key" of your storage or if one | |
| 355 of your admin inadvertently make your storage public, `PHI <https://en.wikipedia.org/wiki/Protected_health_information>`__ will leak. | |
| 356 | |
| 357 Once you use client-side encryption, you'll basically store packets of meaningless bytes on the cloud infrastructure. | |
| 358 So, if an "api-key" leaks or if the storage is misconfigured, packets of bytes will leak but not PHI since | |
| 359 no one will be able to decrypt them. | |
| 360 | |
| 361 Another advantage is that these packets of bytes might eventually not be considered as PHI anymore and eventually | |
| 362 help you meet your local regulations (Please check your local regulations). | |
| 363 | |
| 364 However, note that, if you're running entirely in a cloud environment, your decryption keys will still | |
| 365 be stored on the cloud infrastructure (VM disks - process RAM) and an attacker could still eventually gain access to this keys. | |
| 366 | |
| 367 If Orthanc is running in your infrastructure with the Index DB on your infrastructure, and files are store in the cloud, | |
| 368 the master keys will remain on your infrastructure only and there's no way the data stored in the cloud could be decrypted outside your infrastructure. | |
| 369 | |
| 370 Also note that, although the cloud providers also provide client-side encryption, we, as an open-source project, | |
| 371 wanted to provide our own implementation on which you'll have full control and extension capabilities. | |
| 372 This also allows us to implement the same logic on all cloud providers. | |
| 373 | |
| 374 Our encryption is based on well-known standards (see below). Since it is documented and the source code is open-source, | |
| 375 feel-free to have your security expert review it before using it in a production environment. | |
| 376 | |
| 377 Technical details | |
| 378 ^^^^^^^^^^^^^^^^^ | |
| 379 | |
| 380 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | |
| 381 | |
| 452 | 382 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
| 451 | 383 |
| 452 | 384 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
| 451 | 385 |
| 386 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | |
| 387 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | |
| 388 | |
| 389 To summarize: | |
| 390 | |
| 452 | 391 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
| 451 | 392 - All keys (KEK and DEK) are AES-256 keys. |
| 393 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | |
| 394 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | |
| 395 | |
| 396 The format of data stored on disk is therefore the following: | |
| 397 | |
| 398 - **VERSION HEADER**: 2 bytes: identify the structure of the following data currently `A1` | |
| 399 - **MASTER KEY ID**: 4 bytes: a numerical ID of the KEK that was used to encrypt the DEK | |
| 400 - **EIV**: 32 bytes: IV used by DEK for data encryption; encrypted by KEK | |
| 401 - **EDEK**: 32 bytes: the DEK encrypted by the KEK. | |
| 402 - **CIPHER TEXT**: variable length: the DICOM/JSON file encrypted by the DEK | |
| 403 - **TAG**: 16 bytes: integrity check performed on the whole encrypted file (including header, master key id, EIV and EDEK) | |
| 404 | |
| 405 Configuration | |
| 406 ^^^^^^^^^^^^^ | |
| 407 | |
| 408 .. highlight:: text | |
| 409 | |
| 410 AES Keys shall be 32 bytes long (256 bits) and encoded in base64. Here's a sample OpenSSL command to generate such a key:: | |
| 411 | |
| 412 openssl rand -base64 -out /tmp/test.key 32 | |
| 413 | |
| 414 Each key must have a unique id that is a uint32 number. | |
| 415 | |
| 416 .. highlight:: json | |
| 417 | |
| 418 Here's a sample configuration file of the `StorageEncryption` section of the plugins:: | |
| 419 | |
| 420 { | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
421 "GoogleCloudStorage" : { |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
422 "StorageEncryption" : { |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
423 "Enable": true, |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
424 "MasterKey": [3, "/path/to/master.key"], // key id - path to the base64 encoded key |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
425 "PreviousMasterKeys" : [ |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
426 [1, "/path/to/previous1.key"], |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
427 [2, "/path/to/previous2.key"] |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
428 ], |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
429 "MaxConcurrentInputSize" : 1024 // size in MB |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
430 } |
| 451 | 431 } |
| 432 } | |
| 433 | |
| 434 **MaxConcurrentInputSize**: Since the memory used during encryption/decryption can grow up to a bit more | |
| 435 than 2 times the input, we want to limit the number of threads doing concurrent processing according | |
| 436 to the available memory instead of the number of concurrent threads. Therefore, if you're currently | |
| 437 ingesting small files, you can have a lot of thread working together while, if you're ingesting large | |
| 438 files, threads might have to wait before receiving a "slot" to access the encryption module. |