From c1b4b242365902a2723d83a1f1239d6f7bb1ae12 Mon Sep 17 00:00:00 2001
From: Poorna Krishnamoorthy
Date: Thu, 14 Jan 2021 20:52:57 -0800
Subject: [PATCH] Update replication docs (#11279)

---
 docs/bucket/replication/README.md | 28 ++++-
 docs/bucket/replication/setup_replication.sh | 105 +++++++++++++++++++
 2 files changed, 129 insertions(+), 4 deletions(-)
 create mode 100755 docs/bucket/replication/setup_replication.sh

diff --git a/docs/bucket/replication/README.md b/docs/bucket/replication/README.md
index c822d2694..db39f3173 100644
--- a/docs/bucket/replication/README.md
+++ b/docs/bucket/replication/README.md
@@ -22,16 +22,25 @@ Role ARN = 'arn:minio:replication:us-east-1:c5be6b16-769d-432a-9ef1-4567081f3566
 > The user running the above command needs *s3:GetReplicationConfiguration* and *s3:GetBucketVersioning* permission on the source cluster. We do not recommend running root credentials/super admin with replication, instead create a dedicated user. The access credentials used at the destination requires *s3:ReplicateObject* permission.
-The *source* bucket should have following minimal permission policy:
+The following minimal permission policy is needed by admin user setting up replication on the `source`:
 ``` { "Version": "2012-10-17", "Statement": [
+ {
+ "Action": [
+ "admin:SetBucketTarget",
+ "admin:GetBucketTarget"
+ ],
+ "Effect": "Allow",
+ "Sid": ""
+ },
 { "Effect": "Allow", "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
 "s3:GetBucketLocation", "s3:GetBucketVersioning" ],
@@ -50,7 +59,12 @@ The access key provided for the replication *target* cluster should have these m
 { "Effect": "Allow", "Action": [
- "s3:GetBucketVersioning"
+ "s3:GetReplicationConfiguration",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:GetBucketLocation",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketObjectLockConfiguration"
 ], "Resource": [ "arn:aws:s3:::destbucket"
@@ -59,12 +73,16 @@ The access key provided for the replication *target* cluster should have these m
 { "Effect": "Allow", "Action": [
+ "s3:GetReplicationConfiguration",
 "s3:ReplicateTags",
+ "s3:AbortMultipartUpload",
 "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectVersionTagging", "s3:PutObject",
- "s3:ReplicateObject"
+ "s3:DeleteObject",
+ "s3:ReplicateObject",
+ "s3:ReplicateDelete"
 ], "Resource": [ "arn:aws:s3:::destbucket/*"
@@ -72,8 +90,10 @@ The access key provided for the replication *target* cluster should have these m
 } ] }
- ```
+```
+Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like
+"s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup.sh)
+
 Once successfully created and authorized, the `mc admin bucket remote add` command generates a replication target ARN. This command lists all the currently authorized replication targets: ``` mc admin bucket remote ls myminio/srcbucket --service "replication"
diff --git a/docs/bucket/replication/setup_replication.sh b/docs/bucket/replication/setup_replication.sh
new file mode 100755
index 000000000..b36632dc2
--- /dev/null
+++ b/docs/bucket/replication/setup_replication.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# create buckets with versioning enabled
+mc mb source/bucket --l # --l flag enables object locking.If not needed, uncomment the 'mc version enable' commands
+mc mb dest/bucket --l
+#mc version enable source/bucket
+#mc version enable dest/bucket
+
+#### Create a replication admin on source alias
+# create a replication admin user : repladmin
+mc admin user add source repladmin repladmin123
+
+# create a replication policy for repladmin
+cat > repladmin-policy-source.json < replpolicy.json < dest/bucket
+mc admin bucket remote add repladminAlias/bucket http://repluser:repluser123@localhost:9000/bucket --service replication --region us-east-1
+
+echo "Now, use this ARN to add replication rules using 'mc replicate add' command"
+# use arn returned by above command to create a replication policy on the source/bucket with `mc replicate add`
+#mc replicate add source/bucket --priority 1 --remote-bucket bucket --arn arn:minio:replication:us-east-1:21fb52f5857473e2dbdcf62dcac21240861caf0f8301c3d26aad4de7677869c7:bucket --replicate delete-marker,delete
\ No newline at end of file
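Review bot: The `mc admin bucket remote add` line embeds the replication user's secret in the target URL (`http://repluser:repluser123@localhost:9000/bucket`), so it lands in shell history and `ps` output and, over plain http, crosses the wire unencrypted; the same fixed-secret style is used on `mc admin user add source repladmin repladmin123`. Since this is a sample readers will copy, read the secrets from the environment instead, e.g. `: "${REPLADMIN_SECRET:?}" "${REPLUSER_SECRET:?}"` near the top, `mc admin user add source repladmin "$REPLADMIN_SECRET"`, and `"http://repluser:${REPLUSER_SECRET}@localhost:9000/bucket"` in the remote add, with a comment stating that http is acceptable only for the local test setup shown here. The script also runs without `set -eu`, so a failed `mc mb` or policy step does not stop the later `remote add`; adding `set -eu` after the shebang makes such failures visible. The heredoc policy bodies between `cat > repladmin-policy-source.json` and the `remote add` appear truncated in this rendering of the hunk, so the policies themselves could not be reviewed, and note that the README in this same patch links to `setup.sh` while the file added here is `setup_replication.sh`.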