Mercurial > hg > orthanc-book
annotate Sphinx/source/plugins/object-storage.rst @ 1083:e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Tue, 25 Jun 2024 12:54:16 +0200 |
| parents | 5d4701d8fe28 |
| children | 337bbecf74c0 |
| rev | line source |
|---|---|
| 451 | 1 .. _object-storage: |
| 2 | |
| 3 | |
| 4 Cloud Object Storage plugins | |
| 5 ============================ | |
| 6 | |
| 7 .. contents:: | |
| 8 | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
9 Release notes |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
10 ------------- |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
11 |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
12 Release notes are available `here |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
13 <https://orthanc.uclouvain.be/hg/orthanc-object-storage/file/default/NEWS>`__. |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
14 |
| 451 | 15 Introduction |
| 16 ------------ | |
| 17 | |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
18 These 3 plugins enable storing the Orthanc files into `object storage |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
19 <https://en.wikipedia.org/wiki/Object_storage>`__ at the 3 public |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
20 cloud providers: `AWS <https://aws.amazon.com/s3/>`__, `Azure |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
21 <https://azure.microsoft.com/en-us/services/storage/blobs/>`__, and |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
22 `Google Cloud <https://cloud.google.com/storage>`__. |
| 451 | 23 |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
24 Storing Orthanc files in object storage and your index SQL in a |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
25 managed database allows you to have a stateless Orthanc that does not |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
26 store any data in its local file system, which is highly recommended |
| 451 | 27 when deploying an application in the cloud. |
| 28 | |
| 29 | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
30 Pre-compiled binaries |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
31 --------------------- |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
32 |
|
1023
5d4701d8fe28
replaced osimis/orthanc by orthancteam/orthanc
Alain Mazy <am@osimis.io>
parents:
1014
diff
changeset
|
33 These 3 plugins are provided as part of the ``orthancteam/orthanc`` :ref:`Docker images <docker-orthancteam>`. |
| 881 | 34 The AWS plugin is available in the default Docker images while the Azure and Google plugins are available |
| 35 in the ``-full`` images. | |
| 880 | 36 |
|
994
df9162e80fc8
Osimis has discontinued the sample demo server for the Osimis Web viewer
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
991
diff
changeset
|
37 The Azure plugin is also available as part of the `Windows Installer |
|
df9162e80fc8
Osimis has discontinued the sample demo server for the Osimis Web viewer
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
991
diff
changeset
|
38 <https://orthanc.uclouvain.be/downloads/windows-64/installers/index.html>`__ |
| 904 | 39 (only for 64bits platform). |
| 40 | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
41 These plugins are used to interface Orthanc with commercial and |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
42 proprietary cloud services that you accept to pay. As a consequence, |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
43 the Orthanc project usually doesn't freely update them or fix them |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
44 unless the requester purchases a support contract, e.g., at `Orthanc |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
45 Team <https://orthanc.team>`__. |
| 880 | 46 |
| 47 Although you are obviously free to compile these plugins by | |
|
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
48 yourself (instructions are given below), purchasing such support |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
49 contracts makes the Orthanc project sustainable in the long term, to |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
50 the benefit of the worldwide community of medical imaging. |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
51 |
|
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
52 |
| 451 | 53 Configuration |
| 54 ------------- | |
| 55 | |
| 56 .. highlight:: json | |
| 57 | |
| 58 AWS S3 plugin | |
| 59 ^^^^^^^^^^^^^ | |
| 60 | |
| 61 Sample configuration:: | |
| 62 | |
| 63 "AwsS3Storage" : { | |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
64 "BucketName": "test-orthanc-s3-plugin", |
| 451 | 65 "Region" : "eu-central-1", |
| 685 | 66 "AccessKey" : "AKXXX", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) |
| 67 "SecretKey" : "RhYYYY", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) | |
| 68 "Endpoint": "", // optional: custom endpoint | |
| 69 "ConnectionTimeout": 30, // optional: connection timeout in seconds | |
| 70 "RequestTimeout": 1200, // optional: request timeout in seconds (max time to upload/download a file) | |
| 71 "RootPath": "", // optional: see below | |
| 72 "MigrationFromFileSystemEnabled": false, // optional: see below | |
| 73 "StorageStructure": "flat", // optional: see below | |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
74 "EnableLegacyUnknownFiles": true, // optional: see below |
| 685 | 75 "VirtualAddressing": true, // optional: see the section related to MinIO |
| 880 | 76 "StorageEncryption" : {}, // optional: see the section related to encryption |
| 988 | 77 "HybridMode": "Disabled", // optional: see the section related to Hybrid storage |
| 990 | 78 "UseTransferManager": false, // optional: see below (available from version 2.3.0) |
| 79 "EnableAwsSdkLogs": false // optional: include AWS SDK logs in Orthanc logs | |
| 451 | 80 } |
| 81 | |
| 464 | 82 The **EndPoint** configuration is used when accessing an S3 compatible cloud provider. I.e. here is a configuration to store data on Scaleway:: |
| 83 | |
| 84 "AwsS3Storage" : { | |
| 85 "BucketName": "test-orthanc", | |
| 86 "Region": "fr-par", | |
| 87 "AccessKey": "XXX", | |
| 88 "SecretKey": "YYY", | |
| 89 "Endpoint": "s3.fr-par.scw.cloud" | |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
90 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
91 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
92 |
| 989 | 93 The **UseTransferManager** configuration is used to select the `Transfer Manager <https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/examples-s3-transfermanager.html>`__ mode in the AWS SDK client. |
| 94 This option was introduced in version 2.3.0. If set to false (default value), the default "object" mode is used. | |
| 988 | 95 |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
96 **Important:** On Microsoft Windows, it is recommended to set the |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
97 environment variable ``AWS_EC2_METADATA_DISABLED`` to ``true`` to |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
98 speed up the initialization of the plugin. The reasons are explained |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
99 in the `AWS official documentation |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
100 <https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html>`__. |
|
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
101 |
| 988 | 102 |
| 746 | 103 .. _minio: |
| 104 | |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
105 Emulation of AWS S3 using MinIO |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
106 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
107 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
108 .. highlight:: bash |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
109 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
110 The `MinIO project <https://min.io/>`__ can be used to emulate AWS S3 |
|
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
111 for local testing/prototyping. Here is a sample command to start a |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
112 MinIO server on your local computer using Docker (evidently, make sure |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
113 to set different credentials):: |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
114 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
115 $ docker run -p 9000:9000 \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
116 -e "MINIO_REGION=eu-west-1" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
117 -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
118 -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY" \ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
119 minio/minio server /data |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
120 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
121 .. highlight:: json |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
122 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
123 Note that the ``MINIO_REGION`` must be set to an arbitrary region that |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
124 is supported by AWS S3. |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
125 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
126 You can then open the URL `http://localhost:9000/ |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
127 <http://localhost:9000/>`__ with your Web browser to create a bucket, |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
128 say ``my-sample-bucket``. |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
129 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
130 Here is a corresponding full configuration for Orthanc:: |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
131 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
132 { |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
133 "Plugins" : [ <...> ], |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
134 "AwsS3Storage" : { |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
135 "BucketName": "my-sample-bucket", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
136 "Region" : "eu-west-1", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
137 "Endpoint": "http://localhost:9000/", |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
138 "AccessKey": "AKIAIOSFODNN7EXAMPLE", |
| 506 | 139 "SecretKey": "wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY", |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
140 "VirtualAddressing" : false |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
141 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
142 } |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
143 |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
144 Note that the ``VirtualAddressing`` option must be set to ``false`` |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
145 for such a `local setup with MinIO to work |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
146 <https://github.com/aws/aws-sdk-cpp/issues/1425>`__. This option is |
|
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
147 **not** available in releases <= 1.1.0 of the AWS S3 plugin. |
|
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
148 |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
149 **Important:** If you get the cryptic error message |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
150 ``SignatureDoesNotMatch The request signature we calculated does not |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
151 match the signature you provided. Check your key and signing |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
152 method.``, this most probably indicates that your access key or your |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
153 secret key doesn't match the credentials that were used while starting |
|
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
154 the MinIO server. |
|
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
155 |
| 464 | 156 |
| 451 | 157 Azure Blob Storage plugin |
| 158 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 159 | |
| 160 Sample configuration:: | |
| 161 | |
| 162 "AzureBlobStorage" : { | |
| 163 "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=xxxxxxxxx;AccountKey=yyyyyyyy===;EndpointSuffix=core.windows.net", | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
164 "ContainerName" : "test-orthanc-storage-plugin", |
| 647 | 165 "CreateContainerIfNotExists": true, // available from version 1.2.0 |
| 502 | 166 "RootPath": "", // see below |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
167 "MigrationFromFileSystemEnabled": false, // see below |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
168 "StorageStructure": "flat", // see below |
| 880 | 169 "EnableLegacyUnknownFiles": true, // optional: see below |
| 170 "StorageEncryption" : {} // optional: see the section related to encryption | |
| 171 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 172 } |
| 173 | |
| 174 | |
| 175 Google Storage plugin | |
| 176 ^^^^^^^^^^^^^^^^^^^^^ | |
| 177 | |
| 178 Sample configuration:: | |
| 179 | |
| 180 "GoogleCloudStorage" : { | |
| 181 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
182 "BucketName": "test-orthanc-storage-plugin", |
| 502 | 183 "RootPath": "", // see below |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
184 "MigrationFromFileSystemEnabled": false, // see below |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
185 "StorageStructure": "flat", // see below |
| 880 | 186 "EnableLegacyUnknownFiles": true, // optional: see below |
| 187 "StorageEncryption" : {} // optional: see the section related to encryption | |
| 188 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
| 451 | 189 } |
| 190 | |
| 191 | |
| 880 | 192 Migration & Hybrid mode Storage structure |
| 193 ----------------------------------------- | |
| 194 | |
| 195 Since version **2.1.0** of the plugins, an HybridMode as been introduced. | |
| 196 This mode allows reading/writing files from both/to the file system and the object-storage. | |
| 197 | |
| 198 By default, the ``HybridMode`` is ``Disabled``. This means that the plugins will access | |
| 199 only the object-storage. | |
| 200 | |
| 201 When the ``HybridMode`` is set to ``WriteToFileSystem``, it means that new files received | |
| 885 | 202 are stored on the file system. When accessing a file, it is first read from the file system |
| 880 | 203 and, if it is not found on the file system, it is read from the object-storage. |
| 204 | |
| 884 | 205 The ``WriteToFileSystem`` hybrid mode is useful for storing recent files on the file system for |
| 880 | 206 better performance and old files on the object-storage for lower cost and easier backups. |
| 207 | |
| 208 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it means that new files received | |
| 885 | 209 are stored on the object storage. When accessing a file, it is first read from the object storage |
| 880 | 210 and, if it is not found on the object-storage, it is read from the file system. |
| 211 | |
| 884 | 212 The ``WriteToObjectStorage`` hybrid mode is useful mainly during a migration from file system to |
| 880 | 213 object-storage, e.g, if you have deployed a VM in a cloud with local file system storage and want |
| 214 to move your files to object-storage without interrupting your service. | |
| 215 | |
| 216 Moving files between file-system and object-storage | |
| 217 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 218 | |
| 884 | 219 When the ``HybridMode`` is set to ``WriteToFileSystem``, it is sometimes useful to move old files |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
220 to the object-storage for long term archive or to "pre-fetch" files from object-storage to file |
| 880 | 221 system for improved performances e.g when before opening the study in a viewer. |
| 222 | |
| 884 | 223 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it is useful to move file from the |
| 880 | 224 file system to the object storage to perform a full data migration to object-storage. |
| 225 | |
| 226 To move files from one storage to the other, you should call the plugin Rest API:: | |
| 227 | |
| 228 $ curl -X POST http://localhost:8042/move-storage \ | |
| 229 --data '{ | |
| 230 "Resources": ["27f7126f-4f66fb14-03f4081b-f9341db2-53925988"], | |
| 231 "TargetStorage": "file-system", | |
| 232 "Asynchronous": true, | |
| 233 "Priority": 0 | |
| 234 }' | |
| 235 | |
| 236 This call creates a ``MoveStorageJob`` that can then be monitor to the ``/jobs`` route. | |
| 237 | |
| 238 The allowed values for ``TargetStorage`` are ``file-system`` or ``object-storage``. | |
| 239 | |
| 240 | |
| 241 Other configuration options | |
| 242 --------------------------- | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
243 |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
244 The **StorageStructure** configuration allows you to select the way objects are organized |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
245 within the storage (``flat`` or ``legacy``). |
| 500 | 246 Unlike the traditional file system in which Orthanc uses 2 levels |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
247 of folders, an object storage usually has no limit on the number of files per folder and |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
248 therefore all objects are stored at the root level of the object storage. This is the |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
249 default ``flat`` behavior. Note that, in the ``flat`` mode, an extension ``.dcm`` or ``.json`` |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
250 is added to the filename which is not the case in the legacy mode. |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
251 |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
252 The ``legacy`` behavior mimics the Orthanc File System convention. This is actually helpful |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
253 when migrating your data from a file system to an object storage since you can copy all the file |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
254 hierarchy as is. |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
255 |
| 1014 | 256 *Note* : With AWS S3, there might be `some limitations <https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html>`__ |
| 257 on the number of HTTP operations per *prefix*. Therefore, the ``legacy`` structure might | |
| 258 overcome these limitations. Note that, as of today, no one could confirm it had a real impact on Orthanc. | |
| 259 | |
| 502 | 260 The **RootPath** allows you to store the files in another folder as the root level of the |
| 520 | 261 object storage. Note: it shall not start with a ``/``. |
| 502 | 262 |
| 263 Note that you can not change these configurations once you've uploaded the first files in Orthanc. | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
264 |
| 880 | 265 The **MigrationFromFileSystemEnabled** configuration has been superseded by the **HybridMode** in v 2.1.0. |
| 508 | 266 |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
267 The **EnableLegacyUnknownFiles** configuration has been introduced to allow recent version of the plugins (from 1.3.3) |
|
1023
5d4701d8fe28
replaced osimis/orthanc by orthancteam/orthanc
Alain Mazy <am@osimis.io>
parents:
1014
diff
changeset
|
268 continue working with data that was saved with Orthanc version around 1.9.3 and plugins version around 1.2.0 (e.g. orthancteam/orthanc:21.5.1 docker images). |
|
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
269 With these specific versions, some ``.unk`` files were generated instead of ``.dcm.head`` files. With this configuration option enabled, |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
270 when reading files, the plugin will try both file extensions. |
|
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
271 If you have ``.unk`` files in your storage, you must enable this configuration. |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
272 |
| 452 | 273 Sample setups |
| 274 ------------- | |
| 275 | |
| 962 | 276 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://github.com/orthanc-server/orthanc-setup-samples/tree/master/#markdown-header-for-software-integrators>`__ . |
| 452 | 277 |
|
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
278 Performances |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
279 ------------ |
|
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
280 |
| 962 | 281 You'll find some performance comparison between VM SSDs and object-storage `here <https://github.com/orthanc-server/orthanc-setup-samples/tree/master/docker/performance-tests/>`__ . |
|
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
282 |
| 452 | 283 |
|
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
284 .. _client-side-encryption: |
|
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
285 |
| 451 | 286 Client-side encryption |
| 287 ---------------------- | |
| 288 | |
| 289 Although all cloud providers already provide encryption at rest, the plugins provide | |
| 290 an optional layer of client-side encryption . It is very important that you understand | |
| 291 the scope and benefits of this additional layer of encryption. | |
| 292 | |
| 293 Rationale | |
| 294 ^^^^^^^^^ | |
| 295 | |
| 296 Encryption at rest provided by cloud providers basically compares with a file-system disk encryption. | |
| 297 If someone has access to the disk, he won't have access to your data without the encryption key. | |
| 298 | |
| 299 With cloud encryption at rest only, if someone has access to the "api-key" of your storage or if one | |
| 300 of your admin inadvertently make your storage public, `PHI <https://en.wikipedia.org/wiki/Protected_health_information>`__ will leak. | |
| 301 | |
| 302 Once you use client-side encryption, you'll basically store packets of meaningless bytes on the cloud infrastructure. | |
| 303 So, if an "api-key" leaks or if the storage is misconfigured, packets of bytes will leak but not PHI since | |
| 304 no one will be able to decrypt them. | |
| 305 | |
| 884 | 306 Another advantage is that these packets of bytes might eventually not be considered as PHI anymore and potentially |
| 451 | 307 help you meet your local regulations (Please check your local regulations). |
| 308 | |
| 309 However, note that, if you're running entirely in a cloud environment, your decryption keys will still | |
| 310 be stored on the cloud infrastructure (VM disks - process RAM) and an attacker could still eventually gain access to this keys. | |
| 311 | |
| 884 | 312 If Orthanc is running in your infrastructure with the Index DB on your infrastructure, and files are stored in the cloud, |
| 451 | 313 the master keys will remain on your infrastructure only and there's no way the data stored in the cloud could be decrypted outside your infrastructure. |
| 314 | |
| 315 Also note that, although the cloud providers also provide client-side encryption, we, as an open-source project, | |
| 316 wanted to provide our own implementation on which you'll have full control and extension capabilities. | |
| 317 This also allows us to implement the same logic on all cloud providers. | |
| 318 | |
| 319 Our encryption is based on well-known standards (see below). Since it is documented and the source code is open-source, | |
| 320 feel-free to have your security expert review it before using it in a production environment. | |
| 321 | |
| 322 Technical details | |
| 323 ^^^^^^^^^^^^^^^^^ | |
| 324 | |
| 325 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | |
| 326 | |
| 452 | 327 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
| 451 | 328 |
| 452 | 329 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
| 451 | 330 |
| 331 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | |
| 332 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | |
| 333 | |
| 334 To summarize: | |
| 335 | |
| 452 | 336 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
| 451 | 337 - All keys (KEK and DEK) are AES-256 keys. |
| 338 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | |
| 339 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | |
| 340 | |
| 341 The format of data stored on disk is therefore the following: | |
| 342 | |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
343 - **VERSION HEADER**: 2 bytes: identify the structure of the following data currently ``A1`` |
| 451 | 344 - **MASTER KEY ID**: 4 bytes: a numerical ID of the KEK that was used to encrypt the DEK |
| 345 - **EIV**: 32 bytes: IV used by DEK for data encryption; encrypted by KEK | |
| 346 - **EDEK**: 32 bytes: the DEK encrypted by the KEK. | |
| 347 - **CIPHER TEXT**: variable length: the DICOM/JSON file encrypted by the DEK | |
| 348 - **TAG**: 16 bytes: integrity check performed on the whole encrypted file (including header, master key id, EIV and EDEK) | |
| 349 | |
| 350 Configuration | |
| 351 ^^^^^^^^^^^^^ | |
| 352 | |
| 353 .. highlight:: text | |
| 354 | |
| 355 AES Keys shall be 32 bytes long (256 bits) and encoded in base64. Here's a sample OpenSSL command to generate such a key:: | |
| 356 | |
| 357 openssl rand -base64 -out /tmp/test.key 32 | |
| 358 | |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
359 Each key must have a unique id that is a ``uint32`` number. |
| 451 | 360 |
| 361 .. highlight:: json | |
| 362 | |
|
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
363 Here's a sample configuration file of the ``StorageEncryption`` section of the plugins:: |
| 451 | 364 |
| 365 { | |
|
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
366 "GoogleCloudStorage" : { |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
367 "StorageEncryption" : { |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
368 "Enable": true, |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
369 "MasterKey": [3, "/path/to/master.key"], // key id - path to the base64 encoded key |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
370 "PreviousMasterKeys" : [ |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
371 [1, "/path/to/previous1.key"], |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
372 [2, "/path/to/previous2.key"] |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
373 ], |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
374 "MaxConcurrentInputSize" : 1024 // size in MB |
|
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
375 } |
| 451 | 376 } |
| 377 } | |
| 378 | |
| 379 **MaxConcurrentInputSize**: Since the memory used during encryption/decryption can grow up to a bit more | |
| 380 than 2 times the input, we want to limit the number of threads doing concurrent processing according | |
| 381 to the available memory instead of the number of concurrent threads. Therefore, if you're currently | |
| 382 ingesting small files, you can have a lot of thread working together while, if you're ingesting large | |
| 383 files, threads might have to wait before receiving a "slot" to access the encryption module. | |
| 988 | 384 |
| 385 | |
| 386 Compilation | |
| 387 ----------- | |
| 388 | |
| 389 .. highlight:: text | |
| 390 | |
| 391 The procedure to compile the plugins is quite similar of that for the | |
| 392 :ref:`core of Orthanc <compiling>` although they usually require | |
| 393 some prerequisites. The documented procedure has been tested only | |
| 394 on a Debian Buster machine. | |
| 395 | |
| 396 The compilation of each plugin produces a shared library that contains | |
| 397 the plugin. | |
| 398 | |
| 399 | |
| 400 AWS S3 plugin | |
| 401 ^^^^^^^^^^^^^ | |
| 402 | |
| 403 Prerequisites: Compile the AWS C++ SDK:: | |
| 404 | |
| 405 $ mkdir ~/aws | |
| 406 $ cd ~/aws | |
| 407 $ git clone https://github.com/aws/aws-sdk-cpp.git | |
| 408 $ | |
| 409 $ mkdir -p ~/aws/builds/aws-sdk-cpp | |
| 410 $ cd ~/aws/builds/aws-sdk-cpp | |
| 411 $ cmake -DBUILD_ONLY="s3;transfer" ~/aws/aws-sdk-cpp | |
| 412 $ make -j 4 | |
| 413 $ make install | |
| 414 | |
| 415 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 416 | |
| 417 $ ./vcpkg install cryptopp | |
| 418 | |
| 419 Compile:: | |
| 420 | |
| 421 $ mkdir -p build/aws | |
| 422 $ cd build/aws | |
| 423 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Aws | |
| 424 | |
| 425 | |
| 426 **NB:** If you don't want to use vcpkg, you can use the following | |
| 427 command (this syntax is not compatible with Ninja yet):: | |
| 428 | |
| 429 $ cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_VCPKG_PACKAGES=OFF -DUSE_SYSTEM_GOOGLE_TEST=OFF ../../orthanc-object-storage/Aws | |
| 430 $ make | |
| 431 | |
| 432 Crypto++ must be installed (on Ubuntu, run ``sudo apt install libcrypto++-dev``). | |
| 433 | |
| 434 | |
| 435 Azure Blob Storage plugin | |
| 436 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 437 | |
| 438 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 439 | |
| 440 $ ./vcpkg install cryptopp | |
| 441 $ ./vcpkg install azure-storage-cpp | |
| 442 | |
| 443 | |
| 444 Compile:: | |
| 445 | |
| 446 $ mkdir -p build/azure | |
| 447 $ cd build/azure | |
| 448 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Azure | |
| 449 | |
| 450 Google Storage plugin | |
| 451 ^^^^^^^^^^^^^^^^^^^^^ | |
| 452 | |
| 453 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
| 454 | |
| 455 $ ./vcpkg install cryptopp | |
| 456 $ ./vcpkg install google-cloud-cpp | |
| 457 | |
| 458 Compile:: | |
| 459 | |
| 460 $ mkdir -p build/google | |
| 461 $ cd build/google | |
| 462 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/google |