Mercurial > hg > orthanc-book
annotate Sphinx/source/plugins/object-storage.rst @ 880:ac9b677b73c3
object-storage 2.1.0
author | Alain Mazy <am@osimis.io> |
---|---|
date | Fri, 21 Oct 2022 14:57:05 +0200 |
parents | d7d3117e5186 |
children | d04096c1afd7 |
rev | line source |
---|---|
451 | 1 .. _object-storage: |
2 | |
3 | |
4 Cloud Object Storage plugins | |
5 ============================ | |
6 | |
7 .. contents:: | |
8 | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
9 Release notes |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
10 ------------- |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
11 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
12 Release notes are available `here |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
13 <https://hg.orthanc-server.com/orthanc-object-storage/file/default/NEWS>`__ |
451 | 14 |
15 Introduction | |
16 ------------ | |
17 | |
880 | 18 These 3 plugins enable storing the Orthanc files in `Object Storage <https://en.wikipedia.org/wiki/Object_storage>`__ |
19 at the 3 main Cloud providers: `AWS <https://aws.amazon.com/s3/>`__, | |
451 | 20 `Azure <https://azure.microsoft.com/en-us/services/storage/blobs/>`__ & |
21 `Google Cloud <https://cloud.google.com/storage>`__ | |
22 | |
23 Storing Orthanc files in object storage and your index SQL in a | |
24 managed database allows you to have a stateless Orthanc that does | |
25 not store any data in its local file system which is highly recommended | |
26 when deploying an application in the cloud. | |
27 | |
28 | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
29 Pre-compiled binaries |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
30 --------------------- |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
31 |
880 | 32 These plugins are provided as part of the ``osimis/orthanc`` :ref:`Docker images <docker-osimis>`. |
33 | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
34 These plugins are used to interface Orthanc with commercial and |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
35 proprietary cloud services that you accept to pay. As a consequence, |
880 | 36 the Orthanc project usually doesn't freely update them or fix them unless |
37 the requester purchases a support contract e.g. at `Orthanc Team <https://orthanc.team>`__. | |
38 | |
39 Although you are obviously free to compile these plugins by | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
40 yourself (instructions are given below), purchasing such support |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
41 contracts makes the Orthanc project sustainable in the long term, to |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
42 the benefit of the worldwide community of medical imaging. |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
43 |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
44 |
451 | 45 Compilation |
46 ----------- | |
47 | |
48 .. highlight:: text | |
49 | |
50 The procedure to compile the plugins is quite similar of that for the | |
51 :ref:`core of Orthanc <compiling>` although they usually require | |
52 some prerequisites. The documented procedure has been tested only | |
53 on a Debian Buster machine. | |
54 | |
55 The compilation of each plugin produces a shared library that contains | |
56 the plugin. | |
57 | |
58 | |
59 AWS S3 plugin | |
60 ^^^^^^^^^^^^^ | |
61 | |
62 Prerequisites: Compile the AWS C++ SDK:: | |
63 | |
64 $ mkdir ~/aws | |
65 $ cd ~/aws | |
66 $ git clone https://github.com/aws/aws-sdk-cpp.git | |
67 $ | |
68 $ mkdir -p ~/aws/builds/aws-sdk-cpp | |
69 $ cd ~/aws/builds/aws-sdk-cpp | |
70 $ cmake -DBUILD_ONLY="s3;transfer" ~/aws/aws-sdk-cpp | |
71 $ make -j 4 | |
72 $ make install | |
73 | |
74 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
75 | |
76 $ ./vcpkg install cryptopp | |
77 | |
78 Compile:: | |
79 | |
80 $ mkdir -p build/aws | |
81 $ cd build/aws | |
82 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Aws | |
83 | |
504 | 84 |
85 **NB:** If you don't want to use vcpkg, you can use the following | |
86 command (this syntax is not compatible with Ninja yet):: | |
87 | |
543
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
88 $ cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_VCPKG_PACKAGES=OFF -DUSE_SYSTEM_GOOGLE_TEST=OFF ../../orthanc-object-storage/Aws |
504 | 89 $ make |
90 | |
543
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
91 Crypto++ must be installed (on Ubuntu, run ``sudo apt install libcrypto++-dev``). |
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
92 |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
93 |
451 | 94 Azure Blob Storage plugin |
95 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
96 | |
97 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
98 | |
628 | 99 $ ./vcpkg install cryptopp |
100 $ ./vcpkg install azure-storage-cpp | |
451 | 101 |
102 | |
103 Compile:: | |
104 | |
105 $ mkdir -p build/azure | |
106 $ cd build/azure | |
107 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Azure | |
108 | |
109 Google Storage plugin | |
110 ^^^^^^^^^^^^^^^^^^^^^ | |
111 | |
112 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
113 | |
628 | 114 $ ./vcpkg install cryptopp |
115 $ ./vcpkg install google-cloud-cpp | |
451 | 116 |
117 Compile:: | |
118 | |
119 $ mkdir -p build/google | |
120 $ cd build/google | |
121 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/google | |
122 | |
123 | |
124 Configuration | |
125 ------------- | |
126 | |
127 .. highlight:: json | |
128 | |
129 AWS S3 plugin | |
130 ^^^^^^^^^^^^^ | |
131 | |
132 Sample configuration:: | |
133 | |
134 "AwsS3Storage" : { | |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
135 "BucketName": "test-orthanc-s3-plugin", |
451 | 136 "Region" : "eu-central-1", |
685 | 137 "AccessKey" : "AKXXX", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) |
138 "SecretKey" : "RhYYYY", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) | |
139 "Endpoint": "", // optional: custom endpoint | |
140 "ConnectionTimeout": 30, // optional: connection timeout in seconds | |
141 "RequestTimeout": 1200, // optional: request timeout in seconds (max time to upload/download a file) | |
142 "RootPath": "", // optional: see below | |
143 "MigrationFromFileSystemEnabled": false, // optional: see below | |
144 "StorageStructure": "flat", // optional: see below | |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
145 "EnableLegacyUnknownFiles": true, // optional: see below |
685 | 146 "VirtualAddressing": true, // optional: see the section related to MinIO |
880 | 147 "StorageEncryption" : {}, // optional: see the section related to encryption |
148 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
451 | 149 } |
150 | |
464 | 151 The **EndPoint** configuration is used when accessing an S3 compatible cloud provider. I.e. here is a configuration to store data on Scaleway:: |
152 | |
153 "AwsS3Storage" : { | |
154 "BucketName": "test-orthanc", | |
155 "Region": "fr-par", | |
156 "AccessKey": "XXX", | |
157 "SecretKey": "YYY", | |
158 "Endpoint": "s3.fr-par.scw.cloud" | |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
159 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
160 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
161 |
746 | 162 .. _minio: |
163 | |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
164 Emulation of AWS S3 using MinIO |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
165 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
166 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
167 .. highlight:: bash |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
168 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
169 The `MinIO project <https://min.io/>`__ can be used to emulate AWS S3 |
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
170 for local testing/prototyping. Here is a sample command to start a |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
171 MinIO server on your local computer using Docker (evidently, make sure |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
172 to set different credentials):: |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
173 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
174 $ docker run -p 9000:9000 \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
175 -e "MINIO_REGION=eu-west-1" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
176 -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
177 -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
178 minio/minio server /data |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
179 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
180 .. highlight:: json |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
181 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
182 Note that the ``MINIO_REGION`` must be set to an arbitrary region that |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
183 is supported by AWS S3. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
184 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
185 You can then open the URL `http://localhost:9000/ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
186 <http://localhost:9000/>`__ with your Web browser to create a bucket, |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
187 say ``my-sample-bucket``. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
188 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
189 Here is a corresponding full configuration for Orthanc:: |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
190 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
191 { |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
192 "Plugins" : [ <...> ], |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
193 "AwsS3Storage" : { |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
194 "BucketName": "my-sample-bucket", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
195 "Region" : "eu-west-1", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
196 "Endpoint": "http://localhost:9000/", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
197 "AccessKey": "AKIAIOSFODNN7EXAMPLE", |
506 | 198 "SecretKey": "wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY", |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
199 "VirtualAddressing" : false |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
200 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
201 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
202 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
203 Note that the ``VirtualAddressing`` option must be set to ``false`` |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
204 for such a `local setup with MinIO to work |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
205 <https://github.com/aws/aws-sdk-cpp/issues/1425>`__. This option is |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
206 **not** available in releases <= 1.1.0 of the AWS S3 plugin. |
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
207 |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
208 **Important:** If you get the cryptic error message |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
209 ``SignatureDoesNotMatch The request signature we calculated does not |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
210 match the signature you provided. Check your key and signing |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
211 method.``, this most probably indicates that your access key or your |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
212 secret key doesn't match the credentials that were used while starting |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
213 the MinIO server. |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
214 |
464 | 215 |
451 | 216 Azure Blob Storage plugin |
217 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
218 | |
219 Sample configuration:: | |
220 | |
221 "AzureBlobStorage" : { | |
222 "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=xxxxxxxxx;AccountKey=yyyyyyyy===;EndpointSuffix=core.windows.net", | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
223 "ContainerName" : "test-orthanc-storage-plugin", |
647 | 224 "CreateContainerIfNotExists": true, // available from version 1.2.0 |
502 | 225 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
226 "MigrationFromFileSystemEnabled": false, // see below |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
227 "StorageStructure": "flat", // see below |
880 | 228 "EnableLegacyUnknownFiles": true, // optional: see below |
229 "StorageEncryption" : {} // optional: see the section related to encryption | |
230 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
451 | 231 } |
232 | |
233 | |
234 Google Storage plugin | |
235 ^^^^^^^^^^^^^^^^^^^^^ | |
236 | |
237 Sample configuration:: | |
238 | |
239 "GoogleCloudStorage" : { | |
240 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
241 "BucketName": "test-orthanc-storage-plugin", |
502 | 242 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
243 "MigrationFromFileSystemEnabled": false, // see below |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
244 "StorageStructure": "flat", // see below |
880 | 245 "EnableLegacyUnknownFiles": true, // optional: see below |
246 "StorageEncryption" : {} // optional: see the section related to encryption | |
247 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
451 | 248 } |
249 | |
250 | |
880 | 251 Migration & Hybrid mode Storage structure |
252 ----------------------------------------- | |
253 | |
254 Since version **2.1.0** of the plugins, an HybridMode as been introduced. | |
255 This mode allows reading/writing files from both/to the file system and the object-storage. | |
256 | |
257 By default, the ``HybridMode`` is ``Disabled``. This means that the plugins will access | |
258 only the object-storage. | |
259 | |
260 When the ``HybridMode`` is set to ``WriteToFileSystem``, it means that new files received | |
261 are store on the file system. When accessing a file, it is first read from the file system | |
262 and, if it is not found on the file system, it is read from the object-storage. | |
263 | |
264 The ``WriteToFileSystem`` hybrid mode is usefull for storing recent files on the file system for | |
265 better performance and old files on the object-storage for lower cost and easier backups. | |
266 | |
267 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it means that new files received | |
268 are store on the object storage. When accessing a file, it is first read from the object storage | |
269 and, if it is not found on the object-storage, it is read from the file system. | |
270 | |
271 The ``WriteToObjectStorage`` hybrid mode is usefull mainly during a migration from file system to | |
272 object-storage, e.g, if you have deployed a VM in a cloud with local file system storage and want | |
273 to move your files to object-storage without interrupting your service. | |
274 | |
275 Moving files between file-system and object-storage | |
276 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
277 | |
278 When the ``HybridMode`` is set to ``WriteToFileSystem``, it is sometimes usefull to move old files | |
279 to the object-storage for long term archive or to `pre-fetch`` files from object-storage to file | |
280 system for improved performances e.g when before opening the study in a viewer. | |
281 | |
282 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it is usefull to move file from the | |
283 file system to the object storage to perform a full data migration to object-storage. | |
284 | |
285 To move files from one storage to the other, you should call the plugin Rest API:: | |
286 | |
287 $ curl -X POST http://localhost:8042/move-storage \ | |
288 --data '{ | |
289 "Resources": ["27f7126f-4f66fb14-03f4081b-f9341db2-53925988"], | |
290 "TargetStorage": "file-system", | |
291 "Asynchronous": true, | |
292 "Priority": 0 | |
293 }' | |
294 | |
295 This call creates a ``MoveStorageJob`` that can then be monitor to the ``/jobs`` route. | |
296 | |
297 The allowed values for ``TargetStorage`` are ``file-system`` or ``object-storage``. | |
298 | |
299 | |
300 Other configuration options | |
301 --------------------------- | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
302 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
303 The **StorageStructure** configuration allows you to select the way objects are organized |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
304 within the storage (``flat`` or ``legacy``). |
500 | 305 Unlike the traditional file system in which Orthanc uses 2 levels |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
306 of folders, object storages usually have no limit on the number of files per folder and |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
307 therefore all objects are stored at the root level of the object storage. This is the |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
308 default ``flat`` behaviour. Note that, in the ``flat`` mode, an extension `.dcm` or `.json` |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
309 is added to the filename which is not the case in the legacy mode. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
310 |
500 | 311 The ``legacy`` behaviour mimics the Orthanc File System convention. This is actually helpful |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
312 when migrating your data from a file system to an object storage since you can copy all the file |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
313 hierarchy as is. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
314 |
502 | 315 The **RootPath** allows you to store the files in another folder as the root level of the |
520 | 316 object storage. Note: it shall not start with a ``/``. |
502 | 317 |
318 Note that you can not change these configurations once you've uploaded the first files in Orthanc. | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
319 |
880 | 320 The **MigrationFromFileSystemEnabled** configuration has been superseded by the **HybridMode** in v 2.1.0. |
508 | 321 |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
322 The **EnableLegacyUnknownFiles** configuration has been introduced to allow recent version of the plugins (from 1.3.3) |
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
323 continue working with data that was saved with Orthanc version around 1.9.3 and plugins version around 1.2.0 (e.g. osimis/orthanc:21.5.1 docker images). |
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
324 With these specific versions, some ``.unk`` files were generated instead of ``.dcm.head`` files. With this configuration option enabled, |
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
325 when reading files, the plugin will try both file extensions. |
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
326 If you have ``.unk`` files in your storage, you must enable this configuration. |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
327 |
452 | 328 Sample setups |
329 ------------- | |
330 | |
811 | 331 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/#markdown-header-for-software-integrators>`__ . |
452 | 332 |
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
333 Performances |
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
334 ------------ |
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
335 |
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
336 You'll find some performance comparison between VM SSDs and object-storage `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/performance-tests/>`__ . |
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
337 |
452 | 338 |
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
339 .. _client-side-encryption: |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
340 |
451 | 341 Client-side encryption |
342 ---------------------- | |
343 | |
344 Although all cloud providers already provide encryption at rest, the plugins provide | |
345 an optional layer of client-side encryption . It is very important that you understand | |
346 the scope and benefits of this additional layer of encryption. | |
347 | |
348 Rationale | |
349 ^^^^^^^^^ | |
350 | |
351 Encryption at rest provided by cloud providers basically compares with a file-system disk encryption. | |
352 If someone has access to the disk, he won't have access to your data without the encryption key. | |
353 | |
354 With cloud encryption at rest only, if someone has access to the "api-key" of your storage or if one | |
355 of your admin inadvertently make your storage public, `PHI <https://en.wikipedia.org/wiki/Protected_health_information>`__ will leak. | |
356 | |
357 Once you use client-side encryption, you'll basically store packets of meaningless bytes on the cloud infrastructure. | |
358 So, if an "api-key" leaks or if the storage is misconfigured, packets of bytes will leak but not PHI since | |
359 no one will be able to decrypt them. | |
360 | |
361 Another advantage is that these packets of bytes might eventually not be considered as PHI anymore and eventually | |
362 help you meet your local regulations (Please check your local regulations). | |
363 | |
364 However, note that, if you're running entirely in a cloud environment, your decryption keys will still | |
365 be stored on the cloud infrastructure (VM disks - process RAM) and an attacker could still eventually gain access to this keys. | |
366 | |
367 If Orthanc is running in your infrastructure with the Index DB on your infrastructure, and files are store in the cloud, | |
368 the master keys will remain on your infrastructure only and there's no way the data stored in the cloud could be decrypted outside your infrastructure. | |
369 | |
370 Also note that, although the cloud providers also provide client-side encryption, we, as an open-source project, | |
371 wanted to provide our own implementation on which you'll have full control and extension capabilities. | |
372 This also allows us to implement the same logic on all cloud providers. | |
373 | |
374 Our encryption is based on well-known standards (see below). Since it is documented and the source code is open-source, | |
375 feel-free to have your security expert review it before using it in a production environment. | |
376 | |
377 Technical details | |
378 ^^^^^^^^^^^^^^^^^ | |
379 | |
380 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | |
381 | |
452 | 382 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
451 | 383 |
452 | 384 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
451 | 385 |
386 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | |
387 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | |
388 | |
389 To summarize: | |
390 | |
452 | 391 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
451 | 392 - All keys (KEK and DEK) are AES-256 keys. |
393 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | |
394 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | |
395 | |
396 The format of data stored on disk is therefore the following: | |
397 | |
398 - **VERSION HEADER**: 2 bytes: identify the structure of the following data currently `A1` | |
399 - **MASTER KEY ID**: 4 bytes: a numerical ID of the KEK that was used to encrypt the DEK | |
400 - **EIV**: 32 bytes: IV used by DEK for data encryption; encrypted by KEK | |
401 - **EDEK**: 32 bytes: the DEK encrypted by the KEK. | |
402 - **CIPHER TEXT**: variable length: the DICOM/JSON file encrypted by the DEK | |
403 - **TAG**: 16 bytes: integrity check performed on the whole encrypted file (including header, master key id, EIV and EDEK) | |
404 | |
405 Configuration | |
406 ^^^^^^^^^^^^^ | |
407 | |
408 .. highlight:: text | |
409 | |
410 AES Keys shall be 32 bytes long (256 bits) and encoded in base64. Here's a sample OpenSSL command to generate such a key:: | |
411 | |
412 openssl rand -base64 -out /tmp/test.key 32 | |
413 | |
414 Each key must have a unique id that is a uint32 number. | |
415 | |
416 .. highlight:: json | |
417 | |
418 Here's a sample configuration file of the `StorageEncryption` section of the plugins:: | |
419 | |
420 { | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
421 "GoogleCloudStorage" : { |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
422 "StorageEncryption" : { |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
423 "Enable": true, |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
424 "MasterKey": [3, "/path/to/master.key"], // key id - path to the base64 encoded key |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
425 "PreviousMasterKeys" : [ |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
426 [1, "/path/to/previous1.key"], |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
427 [2, "/path/to/previous2.key"] |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
428 ], |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
429 "MaxConcurrentInputSize" : 1024 // size in MB |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
430 } |
451 | 431 } |
432 } | |
433 | |
434 **MaxConcurrentInputSize**: Since the memory used during encryption/decryption can grow up to a bit more | |
435 than 2 times the input, we want to limit the number of threads doing concurrent processing according | |
436 to the available memory instead of the number of concurrent threads. Therefore, if you're currently | |
437 ingesting small files, you can have a lot of thread working together while, if you're ingesting large | |
438 files, threads might have to wait before receiving a "slot" to access the encryption module. |