Mercurial > hg > orthanc-book
annotate Sphinx/source/plugins/object-storage.rst @ 1083:e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Tue, 25 Jun 2024 12:54:16 +0200 |
parents | 5d4701d8fe28 |
children | 337bbecf74c0 |
rev | line source |
---|---|
451 | 1 .. _object-storage: |
2 | |
3 | |
4 Cloud Object Storage plugins | |
5 ============================ | |
6 | |
7 .. contents:: | |
8 | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
9 Release notes |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
10 ------------- |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
11 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
12 Release notes are available `here |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
13 <https://orthanc.uclouvain.be/hg/orthanc-object-storage/file/default/NEWS>`__. |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
14 |
451 | 15 Introduction |
16 ------------ | |
17 | |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
18 These 3 plugins enable storing the Orthanc files into `object storage |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
19 <https://en.wikipedia.org/wiki/Object_storage>`__ at the 3 public |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
20 cloud providers: `AWS <https://aws.amazon.com/s3/>`__, `Azure |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
21 <https://azure.microsoft.com/en-us/services/storage/blobs/>`__, and |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
22 `Google Cloud <https://cloud.google.com/storage>`__. |
451 | 23 |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
24 Storing Orthanc files in object storage and your index SQL in a |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
25 managed database allows you to have a stateless Orthanc that does not |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
26 store any data in its local file system, which is highly recommended |
451 | 27 when deploying an application in the cloud. |
28 | |
29 | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
30 Pre-compiled binaries |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
31 --------------------- |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
32 |
1023
5d4701d8fe28
replaced osimis/orthanc by orthancteam/orthanc
Alain Mazy <am@osimis.io>
parents:
1014
diff
changeset
|
33 These 3 plugins are provided as part of the ``orthancteam/orthanc`` :ref:`Docker images <docker-orthancteam>`. |
881 | 34 The AWS plugin is available in the default Docker images while the Azure and Google plugins are available |
35 in the ``-full`` images. | |
880 | 36 |
994
df9162e80fc8
Osimis has discontinued the sample demo server for the Osimis Web viewer
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
991
diff
changeset
|
37 The Azure plugin is also available as part of the `Windows Installer |
df9162e80fc8
Osimis has discontinued the sample demo server for the Osimis Web viewer
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
991
diff
changeset
|
38 <https://orthanc.uclouvain.be/downloads/windows-64/installers/index.html>`__ |
904 | 39 (only for 64bits platform). |
40 | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
41 These plugins are used to interface Orthanc with commercial and |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
42 proprietary cloud services that you accept to pay. As a consequence, |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
43 the Orthanc project usually doesn't freely update them or fix them |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
44 unless the requester purchases a support contract, e.g., at `Orthanc |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
45 Team <https://orthanc.team>`__. |
880 | 46 |
47 Although you are obviously free to compile these plugins by | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
48 yourself (instructions are given below), purchasing such support |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
49 contracts makes the Orthanc project sustainable in the long term, to |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
50 the benefit of the worldwide community of medical imaging. |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
51 |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
52 |
451 | 53 Configuration |
54 ------------- | |
55 | |
56 .. highlight:: json | |
57 | |
58 AWS S3 plugin | |
59 ^^^^^^^^^^^^^ | |
60 | |
61 Sample configuration:: | |
62 | |
63 "AwsS3Storage" : { | |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
64 "BucketName": "test-orthanc-s3-plugin", |
451 | 65 "Region" : "eu-central-1", |
685 | 66 "AccessKey" : "AKXXX", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) |
67 "SecretKey" : "RhYYYY", // optional: if not specified, the plugin will use the default credentials manager (available from version 1.3.0) | |
68 "Endpoint": "", // optional: custom endpoint | |
69 "ConnectionTimeout": 30, // optional: connection timeout in seconds | |
70 "RequestTimeout": 1200, // optional: request timeout in seconds (max time to upload/download a file) | |
71 "RootPath": "", // optional: see below | |
72 "MigrationFromFileSystemEnabled": false, // optional: see below | |
73 "StorageStructure": "flat", // optional: see below | |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
74 "EnableLegacyUnknownFiles": true, // optional: see below |
685 | 75 "VirtualAddressing": true, // optional: see the section related to MinIO |
880 | 76 "StorageEncryption" : {}, // optional: see the section related to encryption |
988 | 77 "HybridMode": "Disabled", // optional: see the section related to Hybrid storage |
990 | 78 "UseTransferManager": false, // optional: see below (available from version 2.3.0) |
79 "EnableAwsSdkLogs": false // optional: include AWS SDK logs in Orthanc logs | |
451 | 80 } |
81 | |
464 | 82 The **EndPoint** configuration is used when accessing an S3 compatible cloud provider. I.e. here is a configuration to store data on Scaleway:: |
83 | |
84 "AwsS3Storage" : { | |
85 "BucketName": "test-orthanc", | |
86 "Region": "fr-par", | |
87 "AccessKey": "XXX", | |
88 "SecretKey": "YYY", | |
89 "Endpoint": "s3.fr-par.scw.cloud" | |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
90 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
91 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
92 |
989 | 93 The **UseTransferManager** configuration is used to select the `Transfer Manager <https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/examples-s3-transfermanager.html>`__ mode in the AWS SDK client. |
94 This option was introduced in version 2.3.0. If set to false (default value), the default "object" mode is used. | |
988 | 95 |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
96 **Important:** On Microsoft Windows, it is recommended to set the |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
97 environment variable ``AWS_EC2_METADATA_DISABLED`` to ``true`` to |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
98 speed up the initialization of the plugin. The reasons are explained |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
99 in the `AWS official documentation |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
100 <https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html>`__. |
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
101 |
988 | 102 |
746 | 103 .. _minio: |
104 | |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
105 Emulation of AWS S3 using MinIO |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
106 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
107 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
108 .. highlight:: bash |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
109 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
110 The `MinIO project <https://min.io/>`__ can be used to emulate AWS S3 |
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
111 for local testing/prototyping. Here is a sample command to start a |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
112 MinIO server on your local computer using Docker (evidently, make sure |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
113 to set different credentials):: |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
114 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
115 $ docker run -p 9000:9000 \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
116 -e "MINIO_REGION=eu-west-1" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
117 -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
118 -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
119 minio/minio server /data |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
120 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
121 .. highlight:: json |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
122 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
123 Note that the ``MINIO_REGION`` must be set to an arbitrary region that |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
124 is supported by AWS S3. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
125 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
126 You can then open the URL `http://localhost:9000/ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
127 <http://localhost:9000/>`__ with your Web browser to create a bucket, |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
128 say ``my-sample-bucket``. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
129 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
130 Here is a corresponding full configuration for Orthanc:: |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
131 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
132 { |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
133 "Plugins" : [ <...> ], |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
134 "AwsS3Storage" : { |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
135 "BucketName": "my-sample-bucket", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
136 "Region" : "eu-west-1", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
137 "Endpoint": "http://localhost:9000/", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
138 "AccessKey": "AKIAIOSFODNN7EXAMPLE", |
506 | 139 "SecretKey": "wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY", |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
140 "VirtualAddressing" : false |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
141 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
142 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
143 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
144 Note that the ``VirtualAddressing`` option must be set to ``false`` |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
145 for such a `local setup with MinIO to work |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
146 <https://github.com/aws/aws-sdk-cpp/issues/1425>`__. This option is |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
147 **not** available in releases <= 1.1.0 of the AWS S3 plugin. |
507
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
148 |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
149 **Important:** If you get the cryptic error message |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
150 ``SignatureDoesNotMatch The request signature we calculated does not |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
151 match the signature you provided. Check your key and signing |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
152 method.``, this most probably indicates that your access key or your |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
153 secret key doesn't match the credentials that were used while starting |
a51542cfdfeb
warning about minio credentials
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
506
diff
changeset
|
154 the MinIO server. |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
155 |
464 | 156 |
451 | 157 Azure Blob Storage plugin |
158 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
159 | |
160 Sample configuration:: | |
161 | |
162 "AzureBlobStorage" : { | |
163 "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=xxxxxxxxx;AccountKey=yyyyyyyy===;EndpointSuffix=core.windows.net", | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
164 "ContainerName" : "test-orthanc-storage-plugin", |
647 | 165 "CreateContainerIfNotExists": true, // available from version 1.2.0 |
502 | 166 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
167 "MigrationFromFileSystemEnabled": false, // see below |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
168 "StorageStructure": "flat", // see below |
880 | 169 "EnableLegacyUnknownFiles": true, // optional: see below |
170 "StorageEncryption" : {} // optional: see the section related to encryption | |
171 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
451 | 172 } |
173 | |
174 | |
175 Google Storage plugin | |
176 ^^^^^^^^^^^^^^^^^^^^^ | |
177 | |
178 Sample configuration:: | |
179 | |
180 "GoogleCloudStorage" : { | |
181 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
182 "BucketName": "test-orthanc-storage-plugin", |
502 | 183 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
184 "MigrationFromFileSystemEnabled": false, // see below |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
185 "StorageStructure": "flat", // see below |
880 | 186 "EnableLegacyUnknownFiles": true, // optional: see below |
187 "StorageEncryption" : {} // optional: see the section related to encryption | |
188 "HybridMode": "Disabled" // optional: see the section related to Hybrid storage | |
451 | 189 } |
190 | |
191 | |
880 | 192 Migration & Hybrid mode Storage structure |
193 ----------------------------------------- | |
194 | |
195 Since version **2.1.0** of the plugins, an HybridMode as been introduced. | |
196 This mode allows reading/writing files from both/to the file system and the object-storage. | |
197 | |
198 By default, the ``HybridMode`` is ``Disabled``. This means that the plugins will access | |
199 only the object-storage. | |
200 | |
201 When the ``HybridMode`` is set to ``WriteToFileSystem``, it means that new files received | |
885 | 202 are stored on the file system. When accessing a file, it is first read from the file system |
880 | 203 and, if it is not found on the file system, it is read from the object-storage. |
204 | |
884 | 205 The ``WriteToFileSystem`` hybrid mode is useful for storing recent files on the file system for |
880 | 206 better performance and old files on the object-storage for lower cost and easier backups. |
207 | |
208 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it means that new files received | |
885 | 209 are stored on the object storage. When accessing a file, it is first read from the object storage |
880 | 210 and, if it is not found on the object-storage, it is read from the file system. |
211 | |
884 | 212 The ``WriteToObjectStorage`` hybrid mode is useful mainly during a migration from file system to |
880 | 213 object-storage, e.g, if you have deployed a VM in a cloud with local file system storage and want |
214 to move your files to object-storage without interrupting your service. | |
215 | |
216 Moving files between file-system and object-storage | |
217 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
218 | |
884 | 219 When the ``HybridMode`` is set to ``WriteToFileSystem``, it is sometimes useful to move old files |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
220 to the object-storage for long term archive or to "pre-fetch" files from object-storage to file |
880 | 221 system for improved performances e.g when before opening the study in a viewer. |
222 | |
884 | 223 When the ``HybridMode`` is set to ``WriteToObjectStorage``, it is useful to move file from the |
880 | 224 file system to the object storage to perform a full data migration to object-storage. |
225 | |
226 To move files from one storage to the other, you should call the plugin Rest API:: | |
227 | |
228 $ curl -X POST http://localhost:8042/move-storage \ | |
229 --data '{ | |
230 "Resources": ["27f7126f-4f66fb14-03f4081b-f9341db2-53925988"], | |
231 "TargetStorage": "file-system", | |
232 "Asynchronous": true, | |
233 "Priority": 0 | |
234 }' | |
235 | |
236 This call creates a ``MoveStorageJob`` that can then be monitor to the ``/jobs`` route. | |
237 | |
238 The allowed values for ``TargetStorage`` are ``file-system`` or ``object-storage``. | |
239 | |
240 | |
241 Other configuration options | |
242 --------------------------- | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
243 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
244 The **StorageStructure** configuration allows you to select the way objects are organized |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
245 within the storage (``flat`` or ``legacy``). |
500 | 246 Unlike the traditional file system in which Orthanc uses 2 levels |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
247 of folders, an object storage usually has no limit on the number of files per folder and |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
248 therefore all objects are stored at the root level of the object storage. This is the |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
249 default ``flat`` behavior. Note that, in the ``flat`` mode, an extension ``.dcm`` or ``.json`` |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
250 is added to the filename which is not the case in the legacy mode. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
251 |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
252 The ``legacy`` behavior mimics the Orthanc File System convention. This is actually helpful |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
253 when migrating your data from a file system to an object storage since you can copy all the file |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
254 hierarchy as is. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
255 |
1014 | 256 *Note* : With AWS S3, there might be `some limitations <https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html>`__ |
257 on the number of HTTP operations per *prefix*. Therefore, the ``legacy`` structure might | |
258 overcome these limitations. Note that, as of today, no one could confirm it had a real impact on Orthanc. | |
259 | |
502 | 260 The **RootPath** allows you to store the files in another folder as the root level of the |
520 | 261 object storage. Note: it shall not start with a ``/``. |
502 | 262 |
263 Note that you can not change these configurations once you've uploaded the first files in Orthanc. | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
264 |
880 | 265 The **MigrationFromFileSystemEnabled** configuration has been superseded by the **HybridMode** in v 2.1.0. |
508 | 266 |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
267 The **EnableLegacyUnknownFiles** configuration has been introduced to allow recent version of the plugins (from 1.3.3) |
1023
5d4701d8fe28
replaced osimis/orthanc by orthancteam/orthanc
Alain Mazy <am@osimis.io>
parents:
1014
diff
changeset
|
268 continue working with data that was saved with Orthanc version around 1.9.3 and plugins version around 1.2.0 (e.g. orthancteam/orthanc:21.5.1 docker images). |
766
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
269 With these specific versions, some ``.unk`` files were generated instead of ``.dcm.head`` files. With this configuration option enabled, |
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
270 when reading files, the plugin will try both file extensions. |
73ee8a489b24
object-storage: EnableLegacyUnknownFiles
Alain Mazy <am@osimis.io>
parents:
746
diff
changeset
|
271 If you have ``.unk`` files in your storage, you must enable this configuration. |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
272 |
452 | 273 Sample setups |
274 ------------- | |
275 | |
962 | 276 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://github.com/orthanc-server/orthanc-setup-samples/tree/master/#markdown-header-for-software-integrators>`__ . |
452 | 277 |
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
278 Performances |
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
279 ------------ |
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
280 |
962 | 281 You'll find some performance comparison between VM SSDs and object-storage `here <https://github.com/orthanc-server/orthanc-setup-samples/tree/master/docker/performance-tests/>`__ . |
511
5b574520a34c
performance tests for object-storage
Alain Mazy <alain@mazy.be>
parents:
509
diff
changeset
|
282 |
452 | 283 |
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
284 .. _client-side-encryption: |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
543
diff
changeset
|
285 |
451 | 286 Client-side encryption |
287 ---------------------- | |
288 | |
289 Although all cloud providers already provide encryption at rest, the plugins provide | |
290 an optional layer of client-side encryption . It is very important that you understand | |
291 the scope and benefits of this additional layer of encryption. | |
292 | |
293 Rationale | |
294 ^^^^^^^^^ | |
295 | |
296 Encryption at rest provided by cloud providers basically compares with a file-system disk encryption. | |
297 If someone has access to the disk, he won't have access to your data without the encryption key. | |
298 | |
299 With cloud encryption at rest only, if someone has access to the "api-key" of your storage or if one | |
300 of your admin inadvertently make your storage public, `PHI <https://en.wikipedia.org/wiki/Protected_health_information>`__ will leak. | |
301 | |
302 Once you use client-side encryption, you'll basically store packets of meaningless bytes on the cloud infrastructure. | |
303 So, if an "api-key" leaks or if the storage is misconfigured, packets of bytes will leak but not PHI since | |
304 no one will be able to decrypt them. | |
305 | |
884 | 306 Another advantage is that these packets of bytes might eventually not be considered as PHI anymore and potentially |
451 | 307 help you meet your local regulations (Please check your local regulations). |
308 | |
309 However, note that, if you're running entirely in a cloud environment, your decryption keys will still | |
310 be stored on the cloud infrastructure (VM disks - process RAM) and an attacker could still eventually gain access to this keys. | |
311 | |
884 | 312 If Orthanc is running in your infrastructure with the Index DB on your infrastructure, and files are stored in the cloud, |
451 | 313 the master keys will remain on your infrastructure only and there's no way the data stored in the cloud could be decrypted outside your infrastructure. |
314 | |
315 Also note that, although the cloud providers also provide client-side encryption, we, as an open-source project, | |
316 wanted to provide our own implementation on which you'll have full control and extension capabilities. | |
317 This also allows us to implement the same logic on all cloud providers. | |
318 | |
319 Our encryption is based on well-known standards (see below). Since it is documented and the source code is open-source, | |
320 feel-free to have your security expert review it before using it in a production environment. | |
321 | |
322 Technical details | |
323 ^^^^^^^^^^^^^^^^^ | |
324 | |
325 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | |
326 | |
452 | 327 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
451 | 328 |
452 | 329 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
451 | 330 |
331 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | |
332 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | |
333 | |
334 To summarize: | |
335 | |
452 | 336 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
451 | 337 - All keys (KEK and DEK) are AES-256 keys. |
338 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | |
339 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | |
340 | |
341 The format of data stored on disk is therefore the following: | |
342 | |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
343 - **VERSION HEADER**: 2 bytes: identify the structure of the following data currently ``A1`` |
451 | 344 - **MASTER KEY ID**: 4 bytes: a numerical ID of the KEK that was used to encrypt the DEK |
345 - **EIV**: 32 bytes: IV used by DEK for data encryption; encrypted by KEK | |
346 - **EDEK**: 32 bytes: the DEK encrypted by the KEK. | |
347 - **CIPHER TEXT**: variable length: the DICOM/JSON file encrypted by the DEK | |
348 - **TAG**: 16 bytes: integrity check performed on the whole encrypted file (including header, master key id, EIV and EDEK) | |
349 | |
350 Configuration | |
351 ^^^^^^^^^^^^^ | |
352 | |
353 .. highlight:: text | |
354 | |
355 AES Keys shall be 32 bytes long (256 bits) and encoded in base64. Here's a sample OpenSSL command to generate such a key:: | |
356 | |
357 openssl rand -base64 -out /tmp/test.key 32 | |
358 | |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
359 Each key must have a unique id that is a ``uint32`` number. |
451 | 360 |
361 .. highlight:: json | |
362 | |
1083
e1f7f1e2d148
document AWS_EC2_METADATA_DISABLED
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1023
diff
changeset
|
363 Here's a sample configuration file of the ``StorageEncryption`` section of the plugins:: |
451 | 364 |
365 { | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
366 "GoogleCloudStorage" : { |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
367 "StorageEncryption" : { |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
368 "Enable": true, |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
369 "MasterKey": [3, "/path/to/master.key"], // key id - path to the base64 encoded key |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
370 "PreviousMasterKeys" : [ |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
371 [1, "/path/to/previous1.key"], |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
372 [2, "/path/to/previous2.key"] |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
373 ], |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
374 "MaxConcurrentInputSize" : 1024 // size in MB |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
375 } |
451 | 376 } |
377 } | |
378 | |
379 **MaxConcurrentInputSize**: Since the memory used during encryption/decryption can grow up to a bit more | |
380 than 2 times the input, we want to limit the number of threads doing concurrent processing according | |
381 to the available memory instead of the number of concurrent threads. Therefore, if you're currently | |
382 ingesting small files, you can have a lot of thread working together while, if you're ingesting large | |
383 files, threads might have to wait before receiving a "slot" to access the encryption module. | |
988 | 384 |
385 | |
386 Compilation | |
387 ----------- | |
388 | |
389 .. highlight:: text | |
390 | |
391 The procedure to compile the plugins is quite similar of that for the | |
392 :ref:`core of Orthanc <compiling>` although they usually require | |
393 some prerequisites. The documented procedure has been tested only | |
394 on a Debian Buster machine. | |
395 | |
396 The compilation of each plugin produces a shared library that contains | |
397 the plugin. | |
398 | |
399 | |
400 AWS S3 plugin | |
401 ^^^^^^^^^^^^^ | |
402 | |
403 Prerequisites: Compile the AWS C++ SDK:: | |
404 | |
405 $ mkdir ~/aws | |
406 $ cd ~/aws | |
407 $ git clone https://github.com/aws/aws-sdk-cpp.git | |
408 $ | |
409 $ mkdir -p ~/aws/builds/aws-sdk-cpp | |
410 $ cd ~/aws/builds/aws-sdk-cpp | |
411 $ cmake -DBUILD_ONLY="s3;transfer" ~/aws/aws-sdk-cpp | |
412 $ make -j 4 | |
413 $ make install | |
414 | |
415 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
416 | |
417 $ ./vcpkg install cryptopp | |
418 | |
419 Compile:: | |
420 | |
421 $ mkdir -p build/aws | |
422 $ cd build/aws | |
423 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Aws | |
424 | |
425 | |
426 **NB:** If you don't want to use vcpkg, you can use the following | |
427 command (this syntax is not compatible with Ninja yet):: | |
428 | |
429 $ cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_VCPKG_PACKAGES=OFF -DUSE_SYSTEM_GOOGLE_TEST=OFF ../../orthanc-object-storage/Aws | |
430 $ make | |
431 | |
432 Crypto++ must be installed (on Ubuntu, run ``sudo apt install libcrypto++-dev``). | |
433 | |
434 | |
435 Azure Blob Storage plugin | |
436 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
437 | |
438 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
439 | |
440 $ ./vcpkg install cryptopp | |
441 $ ./vcpkg install azure-storage-cpp | |
442 | |
443 | |
444 Compile:: | |
445 | |
446 $ mkdir -p build/azure | |
447 $ cd build/azure | |
448 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Azure | |
449 | |
450 Google Storage plugin | |
451 ^^^^^^^^^^^^^^^^^^^^^ | |
452 | |
453 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
454 | |
455 $ ./vcpkg install cryptopp | |
456 $ ./vcpkg install google-cloud-cpp | |
457 | |
458 Compile:: | |
459 | |
460 $ mkdir -p build/google | |
461 $ cd build/google | |
462 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/google |