New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable replication of SSE-C objects #19107
Enable replication of SSE-C objects #19107
Conversation
5f273da
to
dffe351
Compare
dffe351
to
ee0cecd
Compare
Did you test multipart replication? You will need additional changes |
I haven't. Will test and do the needful. Thanks for pointing out. |
I tried with a 500+ MiB object loaded to the bucket with SSE-C and I can see that object gets replicated fine with encryption and I can stat and cat the object from replicated site fine. Even the trace from second site while replication shows a multi part upload happening to it for the object. |
@shtripat please update |
This was not a correct scenario tested. Still needs fix. Will update the PR soon. Thanks @poornas for pointing this out. |
93efeaf
to
6260961
Compare
Updated the PR with multi part replication. Also added steps for verification. |
Name : m
Date : 2024-02-28 11:11:42 PST
Size : 666 MiB
ETag : 4ba9faee8da585edd31820af6783c1f7-42
VersionID : 8b674afc-d080-46b0-8517-10af8f83da41
Type : file
Encryption: SSE-C
Metadata :
Content-Type: application/octet-stream
Replication Status: REPLICA
➜ git:(main) ✗ mc cat siteb/bucket/m --encrypt-key "siteb/bucket/m=iliketobecrazybutnotsomuchreally"
mc: <ERROR> Unable to read from `siteb/bucket/m`. We encountered an internal error, please try again.: cause(sio: unsupported version). @shtripat , the object is not decrypted properly, your test script is not correct. @kannappanr - sse-c replication was not implemented initially because of decryption failures around part boundaries. Perhaps @aead can weigh in with suggestions? |
@poornas to understand better, is it like if we have prefixes under bucket and objects under them and then try with |
just try with your test script - |
Yes, able to hit the issue while reading the whole object. @aead kindly check and suggest. |
6260961
to
53e6ed4
Compare
9c8105a
to
dcd61df
Compare
There is some persistent failure here looks like due to the changes in this PR @shtripat please investigate. |
Sure, let me check and fix this. Thanks! |
035a2db
to
aec08fa
Compare
If site replication enabled across sites, replicate the SSE-C objects as well. These objects could be read from target sites using the same client encryption keys. Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
aec08fa
to
b199ff8
Compare
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
b199ff8
to
3043ca6
Compare
Community Contribution License
All community contributions in this pull request are licensed to the project maintainers
under the terms of the Apache 2 license.
By creating this pull request I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 license.
Description
If site replication enabled across sites, replicate the SSE-C objects as well. These objects could be read from target sites using the same client encryption keys.
Motivation and Context
Support replication of client encrypted object to replicated sites.
How to test this PR?
Needs minio/minio-go#1943
Set up two MinIO sites with TLS enabled
Create a huge (~500MiB) file with known content
Setup site replication between the two sites
mc admin replicate add ALIAS1 ALIAS2 --insecure
List and see if bothe objects are present on both the sites
hugefile
object to be loaded with different part size using commandmc put ./hugefile ALIAS1/BUCKET --encrypt-key "ALIAS1/BUCKET/hugefile=iliketobecrazybutnotsomuchreally" --insecure --part-size 50MiB
and replication of this object also should work as expected to other siteTypes of changes
Checklist:
commit-id
orPR #
here)