Mercurial > hg > orthanc-book
annotate Sphinx/source/plugins/object-storage.rst @ 916:dafff7d1c975
fix
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Tue, 07 Feb 2023 15:26:12 +0100 |
| parents | a4a02709b188 |
| children | 0b89127439b1 |
| rev | line source |
|---|---|
| 451 | 1 .. _object-storage: |
| 2 | |
| 3 | |
| 4 Cloud Object Storage plugins | |
| 5 ============================ | |
| 6 | |
| 7 .. contents:: | |
| 8 | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
9 Release notes |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
10 ------------- |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
11 |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
12 Release notes are available `here |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
13 <https://hg.orthanc-server.com/orthanc-object-storage/file/default/NEWS>`__ |
| 451 | 14 |
| 15 Introduction | |
| 16 ------------ | |
| 17 | |
| 880 | 18 These 3 plugins enable storing the Orthanc files in `Object Storage <https://en.wikipedia.org/wiki/Object_storage>`__ |
| 19 at the 3 main Cloud providers: `AWS <https://aws.amazon.com/s3/>`__, | |
| 451 | 20 `Azure <https://azure.microsoft.com/en-us/services/storage/blobs/>`__ & |
| 21 `Google Cloud <https://cloud.google.com/storage>`__ | |
| 22 | |
| 23 Storing Orthanc files in object storage and your index SQL in a | |
| 24 managed database allows you to have a stateless Orthanc that does | |
| 25 not store any data in its local file system which is highly recommended | |
| 26 when deploying an application in the cloud. | |
| 27 | |
| 28 | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
29 Pre-compiled binaries |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
30 --------------------- |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
31 |
| 904 | 32 These 3 plugins are provided as part of the ``osimis/orthanc`` :ref:`Docker images <docker-osimis>`. |
| 881 | 33 The AWS plugin is available in the default Docker images while the Azure and Google plugins are available |
| 34 in the ``-full`` images. | |
| 880 | 35 |
| 904 | 36 The Azure plugin is also available as part of the |
| 37 `Windows Installer <https://orthanc.osimis.io/win-installer/OrthancInstaller-Win64-latest.exe>`__ | |
| 38 (only for 64bits platform). | |
| 39 | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
40 These plugins are used to interface Orthanc with commercial and |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
41 proprietary cloud services that you accept to pay. As a consequence, |
| 880 | 42 the Orthanc project usually doesn't freely update them or fix them unless |
| 43 the requester purchases a support contract e.g. at `Orthanc Team <https://orthanc.team>`__. | |
| 44 | |
| 45 Although you are obviously free to compile these plugins by | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
46 yourself (instructions are given below), purchasing such support |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
47 contracts makes the Orthanc project sustainable in the long term, to |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
48 the benefit of the worldwide community of medical imaging. |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
49 |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
50 |
| 451 | 51 Compilation |
| 52 ----------- | |
| 53 | |
| 54 .. highlight:: text | |
| 55 | |
| 56 The procedure to compile the plugins is quite similar of that for the | |
| 57 :ref:`core of Orthanc <compiling>` although they usually require | |
| 58 some prerequisites. The documented procedure has been tested only | |
| 59 on a Debian Buster machine. | |
| 60 | |
| 61 The compilation of each plugin produces a shared library that contains | |
| 62 the plugin. | |
| 63 | |
| 64 | |
| 65 AWS S3 plugin | |
| 66 ^^^^^^^^^^^^^ | |
| 67 | |
| 68 Prerequisites: Compile the AWS C++ SDK:: | |
| 69 | |
| 70 $ mkdir ~/aws | |
| 71 $ cd ~/aws | |
| 72 $ git clone https://github.com/aws/aws-sdk-cpp.git | |
| 73 $ | |
| 74 $ mkdir -p ~/aws/builds/aws-sdk-cpp | |
| 75 $ cd ~/aws/builds/aws-sdk-cpp | |
| 76 $ cmake -DBUILD_ONLY="s3;transfer" ~/aws/aws-sdk-cpp | |
| 77 $ make -j 4 | |
| 78 $ make install | |
| 79 | |
| 80 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 81 | |
| 82 $ ./vcpkg install cryptopp | |
| 83 | |
| 84 Compile:: | |
| 85 | |
| 86 $ mkdir -p build/aws | |
| 87 $ cd build/aws | |
| 88 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Aws | |
| 89 | |
| 504 | 90 |
| 91 **NB:** If you don't want to use vcpkg, you can use the following | |
| 92 command (this syntax is not compatible with Ninja yet):: | |
| 93 | |
|
543
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
94 $ cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_VCPKG_PACKAGES=OFF -DUSE_SYSTEM_GOOGLE_TEST=OFF ../../orthanc-object-storage/Aws |
| 504 | 95 $ make |
| 96 | |
|
543
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
97 Crypto++ must be installed (on Ubuntu, run ``sudo apt install libcrypto++-dev``). |
|
fd340103904c
note to build aws plugin
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
520
diff
changeset
|
98 |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
99 |
| 451 | 100 Azure Blob Storage plugin |
| 101 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 102 | |
| 103 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 104 | |
| 628 | 105 $ ./vcpkg install cryptopp |
| 106 $ ./vcpkg install azure-storage-cpp | |
| 451 | 107 |
| 108 | |
| 109 Compile:: | |
| 110 | |
| 111 $ mkdir -p build/azure | |
| 112 $ cd build/azure | |
| 113 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Azure | |
| 114 | |
| 115 Google Storage plugin | |
| 116 ^^^^^^^^^^^^^^^^^^^^^ | |
| 117 | |
| 118 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 119 | |
| 628 | 120 $ ./vcpkg install cryptopp |
| 121 $ ./vcpkg install google-cloud-cpp | |
| 451 | 122 |
| 123 Compile:: | |
| 124 | |
| 125 $ mkdir -p build/google | |
| 126 $ cd build/google | |
| 127 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/google | |
| 128 | |
| 129 | |
| 130 Configuration | |
| 131 ------------- | |
| 132 | |
| 133 .. highlight:: json | |
| 134 | |
| 135 AWS S3 plugin | |
| 136 ^^^^^^^^^^^^^ | |
| 137 | |
| 138 Sample configuration:: | |
| 139 | |
| 140 "AwsS3Storage" : { | |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
141 "BucketName": "test-orthanc-s3-plugin", |
| 451 | 142 "Region" : "eu-central-1", |
| 685 | 143 "AccessKey" : "AKXXX", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) |
| 144 "SecretKey" : "RhYYYY", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) | |
| 145 "Endpoint": "", // optional: custom endpoint | |
| 146 "ConnectionTimeout": 30, // optional: connection timeout in seconds | |
| 147 "RequestTimeout": 1200, // optional: request timeout in seconds (max time to upload/download a file) | |
| 148 "RootPath": "", // optional: see below | |
| 149 "MigrationFromFileSystemEnabled": false, // optional: see below | |
| 150 "StorageStructure": "flat", // optional: see below | |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
151 "EnableLegacyUnknownFiles": true, // optional: see below |
| 685 | 152 "VirtualAddressing": true, // optional: see the section related to MinIO |
| 880 | 153 "StorageEncryption" : {}, // optional: see the section related to encryption |
| 154 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 155 } |
| 156 | |
| 464 | 157 The **EndPoint** configuration is used when accessing an S3 compatible cloud provider. I.e. here is a configuration to store data on Scaleway:: |
| 158 | |
| 159 "AwsS3Storage" : { | |
| 160 "BucketName": "test-orthanc", | |
| 161 "Region": "fr-par", | |
| 162 "AccessKey": "XXX", | |
| 163 "SecretKey": "YYY", | |
| 164 "Endpoint": "s3.fr-par.scw.cloud" | |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
165 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
166 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
167 |
| 746 | 168 .. _minio: |
| 169 | |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
170 Emulation of AWS S3 using MinIO |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
171 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
172 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
173 .. highlight:: bash |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
174 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
175 The `MinIO project <https://min.io/>`__ can be used to emulate AWS S3 |
|
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
176 for local testing/prototyping. Here is a sample command to start a |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
177 MinIO server on your local computer using Docker (evidently, make sure |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
178 to set different credentials):: |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
179 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
180 $ docker run -p 9000:9000 \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
181 -e "MINIO_REGION=eu-west-1" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
182 -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
183 -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
184 minio/minio server /data |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
185 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
186 .. highlight:: json |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
187 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
188 Note that the ``MINIO_REGION`` must be set to an arbitrary region that |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
189 is supported by AWS S3. |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
190 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
191 You can then open the URL `http://localhost:9000/ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
192 <http://localhost:9000/>`__ with your Web browser to create a bucket, |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
193 say ``my-sample-bucket``. |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
194 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
195 Here is a corresponding full configuration for Orthanc:: |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
196 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
197 { |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
198 "Plugins" : [ <...> ], |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
199 "AwsS3Storage" : { |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
200 "BucketName": "my-sample-bucket", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
201 "Region" : "eu-west-1", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
202 "Endpoint": "http://localhost:9000/", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
203 "AccessKey": "AKIAIOSFODNN7EXAMPLE", |
| 506 | 204 "SecretKey": "wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY", |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
205 "VirtualAddressing" : false |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
206 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
207 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
208 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
209 Note that the ``VirtualAddressing`` option must be set to ``false`` |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
210 for such a `local setup with MinIO to work |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
211 <https://github.com/aws/aws-sdk-cpp/issues/1425>`__. This option is |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
212 **not** available in releases <= 1.1.0 of the AWS S3 plugin. |
|
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
213 |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
214 **Important:** If you get the cryptic error message |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
215 ``SignatureDoesNotMatch The request signature we calculated does not |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
216 match the signature you provided. Check your key and signing |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
217 method.``, this most probably indicates that your access key or your |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
218 secret key doesn't match the credentials that were used while starting |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
219 the MinIO server. |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
220 |
| 464 | 221 |
| 451 | 222 Azure Blob Storage plugin |
| 223 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 224 | |
| 225 Sample configuration:: | |
| 226 | |
| 227 "AzureBlobStorage" : { | |
| 228 "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=xxxxxxxxx;AccountKey=yyyyyyyy===;EndpointSuffix=core.windows.net", | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
229 "ContainerName" : "test-orthanc-storage-plugin", |
| 647 | 230 "CreateContainerIfNotExists": true, // available from version 1.2.0 |
| 502 | 231 "RootPath": "", // see below |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
232 "MigrationFromFileSystemEnabled": false, // see below |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
233 "StorageStructure": "flat", // see below |
| 880 | 234 "EnableLegacyUnknownFiles": true, // optional: see below |
| 235 "StorageEncryption" : {} // optional: see the section related to encryption | |
| 236 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 237 } |
| 238 | |
| 239 | |
| 240 Google Storage plugin | |
| 241 ^^^^^^^^^^^^^^^^^^^^^ | |
| 242 | |
| 243 Sample configuration:: | |
| 244 | |
| 245 "GoogleCloudStorage" : { | |
| 246 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
247 "BucketName": "test-orthanc-storage-plugin", |
| 502 | 248 "RootPath": "", // see below |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
249 "MigrationFromFileSystemEnabled": false, // see below |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
250 "StorageStructure": "flat", // see below |
| 880 | 251 "EnableLegacyUnknownFiles": true, // optional: see below |
| 252 "StorageEncryption" : {} // optional: see the section related to encryption | |
| 253 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 254 } |
| 255 | |
| 256 | |
| 880 | 257 Migration & Hybrid mode Storage structure |
| 258 ----------------------------------------- | |
| 259 | |
| 260 Since version **2.1.0** of the plugins, an HybridMode as been introduced. | |
| 261 This mode allows reading/writing files from both/to the file system and the object-storage. | |
| 262 | |
| 263 By default, the ``HybridMode`` is ``Disabled``. This means that the plugins will access | |
| 264 only the object-storage. | |
| 265 | |
| 266 When the ``HybridMode`` is set to ``WriteToFileSystem``, it means that new files received | |
| 885 | 267 are stored on the file system. When accessing a file, it is first read from the file system |
| 880 | 268 and, if it is not found on the file system, it is read from the object-storage. |
| 269 | |
| 884 | 270 The ``WriteToFileSystem`` hybrid mode is useful for storing recent files on the file system for |
| 880 | 271 better performance and old files on the object-storage for lower cost and easier backups. |
| 272 | |
| 273 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it means that new files received | |
| 885 | 274 are stored on the object storage. When accessing a file, it is first read from the object storage |
| 880 | 275 and, if it is not found on the object-storage, it is read from the file system. |
| 276 | |
| 884 | 277 The ``WriteToObjectStorage`` hybrid mode is useful mainly during a migration from file system to |
| 880 | 278 object-storage, e.g, if you have deployed a VM in a cloud with local file system storage and want |
| 279 to move your files to object-storage without interrupting your service. | |
| 280 | |
| 281 Moving files between file-system and object-storage | |
| 282 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 283 | |
| 884 | 284 When the ``HybridMode`` is set to ``WriteToFileSystem``, it is sometimes useful to move old files |
| 285 to the object-storage for long term archive or to `pre-fetch` files from object-storage to file | |
| 880 | 286 system for improved performances e.g when before opening the study in a viewer. |
| 287 | |
| 884 | 288 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it is useful to move file from the |
| 880 | 289 file system to the object storage to perform a full data migration to object-storage. |
| 290 | |
| 291 To move files from one storage to the other, you should call the plugin Rest API:: | |
| 292 | |
| 293 $ curl -X POST http://localhost:8042/move-storage \ | |
| 294 --data '{ | |
| 295 "Resources": ["27f7126f-4f66fb14-03f4081b-f9341db2-53925988"], | |
| 296 "TargetStorage": "file-system", | |
| 297 "Asynchronous": true, | |
| 298 "Priority": 0 | |
| 299 }' | |
| 300 | |
| 301 This call creates a ``MoveStorageJob`` that can then be monitor to the ``/jobs`` route. | |
| 302 | |
| 303 The allowed values for ``TargetStorage`` are ``file-system`` or ``object-storage``. | |
| 304 | |
| 305 | |
| 306 Other configuration options | |
| 307 --------------------------- | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
308 |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
309 The **StorageStructure** configuration allows you to select the way objects are organized |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
310 within the storage (``flat`` or ``legacy``). |
| 500 | 311 Unlike the traditional file system in which Orthanc uses 2 levels |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
312 of folders, object storages usually have no limit on the number of files per folder and |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
313 therefore all objects are stored at the root level of the object storage. This is the |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
314 default ``flat`` behaviour. Note that, in the ``flat`` mode, an extension `.dcm` or `.json` |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
315 is added to the filename which is not the case in the legacy mode. |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
316 |
| 500 | 317 The ``legacy`` behaviour mimics the Orthanc File System convention. This is actually helpful |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
318 when migrating your data from a file system to an object storage since you can copy all the file |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
319 hierarchy as is. |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
320 |
| 502 | 321 The **RootPath** allows you to store the files in another folder as the root level of the |
| 520 | 322 object storage. Note: it shall not start with a ``/``. |
| 502 | 323 |
| 324 Note that you can not change these configurations once you've uploaded the first files in Orthanc. | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
325 |
| 880 | 326 The **MigrationFromFileSystemEnabled** configuration has been superseded by the **HybridMode** in v 2.1.0. |
| 508 | 327 |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
328 The **EnableLegacyUnknownFiles** configuration has been introduced to allow recent version of the plugins (from 1.3.3) |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
329 continue working with data that was saved with Orthanc version around 1.9.3 and plugins version around 1.2.0 (e.g. osimis/orthanc:21.5.1 docker images). |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
330 With these specific versions, some ``.unk`` files were generated instead of ``.dcm.head`` files. With this configuration option enabled, |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
331 when reading files, the plugin will try both file extensions. |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
332 If you have ``.unk`` files in your storage, you must enable this configuration. |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
333 |
| 452 | 334 Sample setups |
| 335 ------------- | |
| 336 | |
| 811 | 337 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/#markdown-header-for-software-integrators>`__ . |
| 452 | 338 |
|
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
339 Performances |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
340 ------------ |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
341 |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
342 You'll find some performance comparison between VM SSDs and object-storage `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/performance-tests/>`__ . |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
343 |
| 452 | 344 |
|
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
345 .. _client-side-encryption: |
|
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
346 |
| 451 | 347 Client-side encryption |
| 348 ---------------------- | |
| 349 | |
| 350 Although all cloud providers already provide encryption at rest, the plugins provide | |
| 351 an optional layer of client-side encryption . It is very important that you understand | |
| 352 the scope and benefits of this additional layer of encryption. | |
| 353 | |
| 354 Rationale | |
| 355 ^^^^^^^^^ | |
| 356 | |
| 357 Encryption at rest provided by cloud providers basically compares with a file-system disk encryption. | |
| 358 If someone has access to the disk, he won't have access to your data without the encryption key. | |
| 359 | |
| 360 With cloud encryption at rest only, if someone has access to the "api-key" of your storage or if one | |
| 361 of your admin inadvertently make your storage public, `PHI <https://en.wikipedia.org/wiki/Protected_health_information>`__ will leak. | |
| 362 | |
| 363 Once you use client-side encryption, you'll basically store packets of meaningless bytes on the cloud infrastructure. | |
| 364 So, if an "api-key" leaks or if the storage is misconfigured, packets of bytes will leak but not PHI since | |
| 365 no one will be able to decrypt them. | |
| 366 | |
| 884 | 367 Another advantage is that these packets of bytes might eventually not be considered as PHI anymore and potentially |
| 451 | 368 help you meet your local regulations (Please check your local regulations). |
| 369 | |
| 370 However, note that, if you're running entirely in a cloud environment, your decryption keys will still | |
| 371 be stored on the cloud infrastructure (VM disks - process RAM) and an attacker could still eventually gain access to this keys. | |
| 372 | |
| 884 | 373 If Orthanc is running in your infrastructure with the Index DB on your infrastructure, and files are stored in the cloud, |
| 451 | 374 the master keys will remain on your infrastructure only and there's no way the data stored in the cloud could be decrypted outside your infrastructure. |
| 375 | |
| 376 Also note that, although the cloud providers also provide client-side encryption, we, as an open-source project, | |
| 377 wanted to provide our own implementation on which you'll have full control and extension capabilities. | |
| 378 This also allows us to implement the same logic on all cloud providers. | |
| 379 | |
| 380 Our encryption is based on well-known standards (see below). Since it is documented and the source code is open-source, | |
| 381 feel-free to have your security expert review it before using it in a production environment. | |
| 382 | |
| 383 Technical details | |
| 384 ^^^^^^^^^^^^^^^^^ | |
| 385 | |
| 386 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | |
| 387 | |
| 452 | 388 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
| 451 | 389 |
| 452 | 390 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
| 451 | 391 |
| 392 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | |
| 393 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | |
| 394 | |
| 395 To summarize: | |
| 396 | |
| 452 | 397 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
| 451 | 398 - All keys (KEK and DEK) are AES-256 keys. |
| 399 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | |
| 400 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | |
| 401 | |
| 402 The format of data stored on disk is therefore the following: | |
| 403 | |
| 404 - **VERSION HEADER**: 2 bytes: identify the structure of the following data currently `A1` | |
| 405 - **MASTER KEY ID**: 4 bytes: a numerical ID of the KEK that was used to encrypt the DEK | |
| 406 - **EIV**: 32 bytes: IV used by DEK for data encryption; encrypted by KEK | |
| 407 - **EDEK**: 32 bytes: the DEK encrypted by the KEK. | |
| 408 - **CIPHER TEXT**: variable length: the DICOM/JSON file encrypted by the DEK | |
| 409 - **TAG**: 16 bytes: integrity check performed on the whole encrypted file (including header, master key id, EIV and EDEK) | |
| 410 | |
| 411 Configuration | |
| 412 ^^^^^^^^^^^^^ | |
| 413 | |
| 414 .. highlight:: text | |
| 415 | |
| 416 AES Keys shall be 32 bytes long (256 bits) and encoded in base64. Here's a sample OpenSSL command to generate such a key:: | |
| 417 | |
| 418 openssl rand -base64 -out /tmp/test.key 32 | |
| 419 | |
| 420 Each key must have a unique id that is a uint32 number. | |
| 421 | |
| 422 .. highlight:: json | |
| 423 | |
| 424 Here's a sample configuration file of the `StorageEncryption` section of the plugins:: | |
| 425 | |
| 426 { | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
427 "GoogleCloudStorage" : { |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
428 "StorageEncryption" : { |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
429 "Enable": true, |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
430 "MasterKey": [3, "/path/to/master.key"], // key id - path to the base64 encoded key |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
431 "PreviousMasterKeys" : [ |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
432 [1, "/path/to/previous1.key"], |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
433 [2, "/path/to/previous2.key"] |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
434 ], |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
435 "MaxConcurrentInputSize" : 1024 // size in MB |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
436 } |
| 451 | 437 } |
| 438 } | |
| 439 | |
| 440 **MaxConcurrentInputSize**: Since the memory used during encryption/decryption can grow up to a bit more | |
| 441 than 2 times the input, we want to limit the number of threads doing concurrent processing according | |
| 442 to the available memory instead of the number of concurrent threads. Therefore, if you're currently | |
| 443 ingesting small files, you can have a lot of thread working together while, if you're ingesting large | |
| 444 files, threads might have to wait before receiving a "slot" to access the encryption module. |