Mercurial > hg > orthanc-book
annotate Sphinx/source/plugins/object-storage.rst @ 505:e4bea5b97890
Emulation of AWS S3 using MinIO
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Mon, 07 Sep 2020 17:30:47 +0200 |
parents | 2845ac3adad2 |
children | 30d415f2b8ee |
rev | line source |
---|---|
451 | 1 .. _object-storage: |
2 | |
3 | |
4 Cloud Object Storage plugins | |
5 ============================ | |
6 | |
7 .. contents:: | |
8 | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
9 Release notes |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
10 ------------- |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
11 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
12 Release notes are available `here |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
13 <https://hg.orthanc-server.com/orthanc-object-storage/file/default/NEWS>`__ |
451 | 14 |
15 Introduction | |
16 ------------ | |
17 | |
18 Osimis freely provides the `source code | |
19 <https://hg.orthanc-server.com/orthanc-object-storage/file/default/>`__ of 3 plugins | |
20 to store the Orthanc files in `Object Storage <https://en.wikipedia.org/wiki/Object_storage>`__ | |
21 at the 3 main providers: `AWS <https://aws.amazon.com/s3/>`__, | |
22 `Azure <https://azure.microsoft.com/en-us/services/storage/blobs/>`__ & | |
23 `Google Cloud <https://cloud.google.com/storage>`__ | |
24 | |
25 Storing Orthanc files in object storage and your index SQL in a | |
26 managed database allows you to have a stateless Orthanc that does | |
27 not store any data in its local file system which is highly recommended | |
28 when deploying an application in the cloud. | |
29 | |
30 | |
459
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
31 Pre-compiled binaries |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
32 --------------------- |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
33 |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
34 These plugins are used to interface Orthanc with commercial and |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
35 proprietary cloud services that you accept to pay. As a consequence, |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
36 the Orthanc project doesn't freely provide pre-compiled binaries for |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
37 Docker, Windows, Linux or OS X. These pre-compiled binaries do exist, |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
38 but are reserved to the companies who have subscribed to a |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
39 `professional support contract |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
40 <https://www.osimis.io/en/services.html#cloud-plugins>`__ by |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
41 Osimis. Although you are obviously free to compile these plugins by |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
42 yourself (instructions are given below), purchasing such support |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
43 contracts makes the Orthanc project sustainable in the long term, to |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
44 the benefit of the worldwide community of medical imaging. |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
45 |
a4ed4e883337
highlighting the pre-compiled binaries for google, aws and azure
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
453
diff
changeset
|
46 |
451 | 47 Compilation |
48 ----------- | |
49 | |
50 .. highlight:: text | |
51 | |
52 The procedure to compile the plugins is quite similar of that for the | |
53 :ref:`core of Orthanc <compiling>` although they usually require | |
54 some prerequisites. The documented procedure has been tested only | |
55 on a Debian Buster machine. | |
56 | |
57 The compilation of each plugin produces a shared library that contains | |
58 the plugin. | |
59 | |
60 | |
61 AWS S3 plugin | |
62 ^^^^^^^^^^^^^ | |
63 | |
64 Prerequisites: Compile the AWS C++ SDK:: | |
65 | |
66 $ mkdir ~/aws | |
67 $ cd ~/aws | |
68 $ git clone https://github.com/aws/aws-sdk-cpp.git | |
69 $ | |
70 $ mkdir -p ~/aws/builds/aws-sdk-cpp | |
71 $ cd ~/aws/builds/aws-sdk-cpp | |
72 $ cmake -DBUILD_ONLY="s3;transfer" ~/aws/aws-sdk-cpp | |
73 $ make -j 4 | |
74 $ make install | |
75 | |
76 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
77 | |
78 $ ./vcpkg install cryptopp | |
79 | |
80 Compile:: | |
81 | |
82 $ mkdir -p build/aws | |
83 $ cd build/aws | |
84 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Aws | |
85 | |
504 | 86 |
87 **NB:** If you don't want to use vcpkg, you can use the following | |
88 command (this syntax is not compatible with Ninja yet):: | |
89 | |
90 $ cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_VCPKG_PACKAGES=OFF ../../orthanc-object-storage/Aws | |
91 $ make | |
92 | |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
93 |
451 | 94 Azure Blob Storage plugin |
95 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
96 | |
97 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
98 | |
99 $ ./vcpkg install cpprestsdk | |
100 | |
101 | |
102 Compile:: | |
103 | |
104 $ mkdir -p build/azure | |
105 $ cd build/azure | |
106 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/Azure | |
107 | |
108 Google Storage plugin | |
109 ^^^^^^^^^^^^^^^^^^^^^ | |
110 | |
111 Prerequisites: Install `vcpkg <https://github.com/Microsoft/vcpkg>`__ dependencies:: | |
112 | |
113 $ ./vcpkg install google-cloud-cpp | |
114 $ ./vcpkg install cryptopp | |
115 | |
116 Compile:: | |
117 | |
118 $ mkdir -p build/google | |
119 $ cd build/google | |
120 $ cmake -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]\scripts\buildsystems\vcpkg.cmake ../../orthanc-object-storage/google | |
121 | |
122 | |
123 Configuration | |
124 ------------- | |
125 | |
126 .. highlight:: json | |
127 | |
128 AWS S3 plugin | |
129 ^^^^^^^^^^^^^ | |
130 | |
131 Sample configuration:: | |
132 | |
133 "AwsS3Storage" : { | |
134 "BucketName": "test-orthanc-s3-plugin", | |
135 "Region" : "eu-central-1", | |
136 "AccessKey" : "AKXXX", | |
463 | 137 "SecretKey" : "RhYYYY", |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
138 "Endpoint": "", // custom endpoint |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
139 "ConnectionTimeout": 30, // connection timeout in seconds |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
140 "RequestTimeout": 1200, // request timeout in seconds (max time to upload/download a file) |
502 | 141 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
142 "MigrationFromFileSystemEnabled": false, // see below |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
143 "StorageStructure": "flat", // see below |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
144 "VirtualAddressing": true // see the section related to MinIO |
451 | 145 } |
146 | |
464 | 147 The **EndPoint** configuration is used when accessing an S3 compatible cloud provider. I.e. here is a configuration to store data on Scaleway:: |
148 | |
149 "AwsS3Storage" : { | |
150 "BucketName": "test-orthanc", | |
151 "Region": "fr-par", | |
152 "AccessKey": "XXX", | |
153 "SecretKey": "YYY", | |
154 "Endpoint": "s3.fr-par.scw.cloud" | |
505
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
155 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
156 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
157 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
158 Emulation of AWS S3 using MinIO |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
159 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
160 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
161 .. highlight:: bash |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
162 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
163 The `MinIO project <https://min.io/>`__ can be used to emulate AWS S3 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
164 for local testing/prototyping. Here is a sample command to start MinIO |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
165 on your local computer using Docker (evidently, make sure to adapt |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
166 your credentials):: |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
167 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
168 $ docker run -p 9000:9000 \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
169 -e "MINIO_REGION=eu-west-1" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
170 -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
171 -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MNG/bPxRfiCYEXAMPLEKEY" \ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
172 minio/minio server /data |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
173 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
174 .. highlight:: json |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
175 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
176 Note that the ``MINIO_REGION`` must be set to an arbitrary region that |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
177 is supported by AWS S3. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
178 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
179 You can then open the URL `http://localhost:9000/ |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
180 <http://localhost:9000/>`__ with your Web browser to create a bucket, |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
181 say ``my-sample-bucket``. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
182 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
183 Here is a corresponding full configuration for Orthanc:: |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
184 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
185 { |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
186 "Plugins" : [ <...> ], |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
187 "AwsS3Storage" : { |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
188 "BucketName": "my-sample-bucket", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
189 "Region" : "eu-west-1", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
190 "Endpoint": "http://localhost:9000/", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
191 "AccessKey": "AKIAIOSFODNN7EXAMPLE", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
192 "SecretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
193 "VirtualAddressing" : false |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
194 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
195 } |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
196 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
197 Note that the ``VirtualAddressing`` option must be set to ``false`` |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
198 for such a `local setup with MinIO to work |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
199 <https://github.com/aws/aws-sdk-cpp/issues/1425>`__. This option is |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
200 **not** available in releases <= 1.1.0 of the AWS S3 plugin. |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
201 |
e4bea5b97890
Emulation of AWS S3 using MinIO
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
504
diff
changeset
|
202 |
464 | 203 |
451 | 204 Azure Blob Storage plugin |
205 ^^^^^^^^^^^^^^^^^^^^^^^^^ | |
206 | |
207 Sample configuration:: | |
208 | |
209 "AzureBlobStorage" : { | |
210 "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=xxxxxxxxx;AccountKey=yyyyyyyy===;EndpointSuffix=core.windows.net", | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
211 "ContainerName" : "test-orthanc-storage-plugin", |
502 | 212 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
213 "MigrationFromFileSystemEnabled": false, // see below |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
214 "StorageStructure": "flat" // see below |
451 | 215 } |
216 | |
217 | |
218 Google Storage plugin | |
219 ^^^^^^^^^^^^^^^^^^^^^ | |
220 | |
221 Sample configuration:: | |
222 | |
223 "GoogleCloudStorage" : { | |
224 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
225 "BucketName": "test-orthanc-storage-plugin", |
502 | 226 "RootPath": "", // see below |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
227 "MigrationFromFileSystemEnabled": false, // see below |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
228 "StorageStructure": "flat" // see below |
451 | 229 } |
230 | |
231 | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
232 Migration & Storage structure |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
233 ----------------------------- |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
234 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
235 The **StorageStructure** configuration allows you to select the way objects are organized |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
236 within the storage (``flat`` or ``legacy``). |
500 | 237 Unlike the traditional file system in which Orthanc uses 2 levels |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
238 of folders, object storages usually have no limit on the number of files per folder and |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
239 therefore all objects are stored at the root level of the object storage. This is the |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
240 default ``flat`` behaviour. Note that, in the ``flat`` mode, an extension `.dcm` or `.json` |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
241 is added to the filename which is not the case in the legacy mode. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
242 |
500 | 243 The ``legacy`` behaviour mimics the Orthanc File System convention. This is actually helpful |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
244 when migrating your data from a file system to an object storage since you can copy all the file |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
245 hierarchy as is. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
246 |
502 | 247 The **RootPath** allows you to store the files in another folder as the root level of the |
248 object storage. | |
249 | |
250 Note that you can not change these configurations once you've uploaded the first files in Orthanc. | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
251 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
252 The **MigrationFromFileSystemEnabled** configuration has been for Orthanc to continue working |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
253 while you're migrating your data from the file system to the object storage. While this option is enabled, |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
254 Orthanc will store all new files into the object storage but will try to read/delete files |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
255 from both the file system and the object storage. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
256 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
257 This option can be disabled as soon as all files have been copied from the file system to the |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
258 object storage. Note that Orthanc is not copying the files from one storage to the other; you'll |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
259 have to use a standard ``sync`` command from the object-storage provider. |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
260 |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
261 |
452 | 262 Sample setups |
263 ------------- | |
264 | |
265 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/#markdown-header-for-osimisorthanc-pro-image-users>`__ . | |
266 | |
267 | |
451 | 268 Client-side encryption |
269 ---------------------- | |
270 | |
271 Although all cloud providers already provide encryption at rest, the plugins provide | |
272 an optional layer of client-side encryption . It is very important that you understand | |
273 the scope and benefits of this additional layer of encryption. | |
274 | |
275 Rationale | |
276 ^^^^^^^^^ | |
277 | |
278 Encryption at rest provided by cloud providers basically compares with a file-system disk encryption. | |
279 If someone has access to the disk, he won't have access to your data without the encryption key. | |
280 | |
281 With cloud encryption at rest only, if someone has access to the "api-key" of your storage or if one | |
282 of your admin inadvertently make your storage public, `PHI <https://en.wikipedia.org/wiki/Protected_health_information>`__ will leak. | |
283 | |
284 Once you use client-side encryption, you'll basically store packets of meaningless bytes on the cloud infrastructure. | |
285 So, if an "api-key" leaks or if the storage is misconfigured, packets of bytes will leak but not PHI since | |
286 no one will be able to decrypt them. | |
287 | |
288 Another advantage is that these packets of bytes might eventually not be considered as PHI anymore and eventually | |
289 help you meet your local regulations (Please check your local regulations). | |
290 | |
291 However, note that, if you're running entirely in a cloud environment, your decryption keys will still | |
292 be stored on the cloud infrastructure (VM disks - process RAM) and an attacker could still eventually gain access to this keys. | |
293 | |
294 If Orthanc is running in your infrastructure with the Index DB on your infrastructure, and files are store in the cloud, | |
295 the master keys will remain on your infrastructure only and there's no way the data stored in the cloud could be decrypted outside your infrastructure. | |
296 | |
297 Also note that, although the cloud providers also provide client-side encryption, we, as an open-source project, | |
298 wanted to provide our own implementation on which you'll have full control and extension capabilities. | |
299 This also allows us to implement the same logic on all cloud providers. | |
300 | |
301 Our encryption is based on well-known standards (see below). Since it is documented and the source code is open-source, | |
302 feel-free to have your security expert review it before using it in a production environment. | |
303 | |
304 Technical details | |
305 ^^^^^^^^^^^^^^^^^ | |
306 | |
307 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | |
308 | |
452 | 309 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
451 | 310 |
452 | 311 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
451 | 312 |
313 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | |
314 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | |
315 | |
316 To summarize: | |
317 | |
452 | 318 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
451 | 319 - All keys (KEK and DEK) are AES-256 keys. |
320 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | |
321 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | |
322 | |
323 The format of data stored on disk is therefore the following: | |
324 | |
325 - **VERSION HEADER**: 2 bytes: identify the structure of the following data currently `A1` | |
326 - **MASTER KEY ID**: 4 bytes: a numerical ID of the KEK that was used to encrypt the DEK | |
327 - **EIV**: 32 bytes: IV used by DEK for data encryption; encrypted by KEK | |
328 - **EDEK**: 32 bytes: the DEK encrypted by the KEK. | |
329 - **CIPHER TEXT**: variable length: the DICOM/JSON file encrypted by the DEK | |
330 - **TAG**: 16 bytes: integrity check performed on the whole encrypted file (including header, master key id, EIV and EDEK) | |
331 | |
332 Configuration | |
333 ^^^^^^^^^^^^^ | |
334 | |
335 .. highlight:: text | |
336 | |
337 AES Keys shall be 32 bytes long (256 bits) and encoded in base64. Here's a sample OpenSSL command to generate such a key:: | |
338 | |
339 openssl rand -base64 -out /tmp/test.key 32 | |
340 | |
341 Each key must have a unique id that is a uint32 number. | |
342 | |
343 .. highlight:: json | |
344 | |
345 Here's a sample configuration file of the `StorageEncryption` section of the plugins:: | |
346 | |
347 { | |
499
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
348 "GoogleCloudStorage" : { |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
349 "StorageEncryption" : { |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
350 "Enable": true, |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
351 "MasterKey": [3, "/path/to/master.key"], // key id - path to the base64 encoded key |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
352 "PreviousMasterKeys" : [ |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
353 [1, "/path/to/previous1.key"], |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
354 [2, "/path/to/previous2.key"] |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
355 ], |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
356 "MaxConcurrentInputSize" : 1024 // size in MB |
d255e02eb89d
updated object-storage doc for 1.0.0
Alain Mazy <alain@mazy.be>
parents:
464
diff
changeset
|
357 } |
451 | 358 } |
359 } | |
360 | |
361 **MaxConcurrentInputSize**: Since the memory used during encryption/decryption can grow up to a bit more | |
362 than 2 times the input, we want to limit the number of threads doing concurrent processing according | |
363 to the available memory instead of the number of concurrent threads. Therefore, if you're currently | |
364 ingesting small files, you can have a lot of thread working together while, if you're ingesting large | |
365 files, threads might have to wait before receiving a "slot" to access the encryption module. |