oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update replication docs (#11279)

Browse Source
master
Poorna Krishnamoorthy 4 years ago committed by GitHub
parent feaf8dfb9a
commit c1b4b24236
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 129 additions and 4 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 28
      docs/bucket/replication/README.md
  2. 105
      docs/bucket/replication/setup_replication.sh

28
docs/bucket/replication/README.md
Unescape View File

@ -22,16 +22,25 @@ Role ARN = 'arn:minio:replication:us-east-1:c5be6b16-769d-432a-9ef1-4567081f3566
> The user running the above command needs *s3:GetReplicationConfiguration* and *s3:GetBucketVersioning* permission on the source cluster. We do not recommend running root credentials/super admin with replication, instead create a dedicated user. The access credentials used at the destination requires *s3:ReplicateObject* permission. > The user running the above command needs *s3:GetReplicationConfiguration* and *s3:GetBucketVersioning* permission on the source cluster. We do not recommend running root credentials/super admin with replication, instead create a dedicated user. The access credentials used at the destination requires *s3:ReplicateObject* permission.
The *source* bucket should have following minimal permission policy: The following minimal permission policy is needed by admin user setting up replication on the `source`:
``` ```
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
"Statement": [ "Statement": [
{
"Action": [
"admin:SetBucketTarget",
"admin:GetBucketTarget"
],
"Effect": "Allow",
"Sid": ""
},
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"s3:GetReplicationConfiguration", "s3:GetReplicationConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetBucketVersioning" "s3:GetBucketVersioning"
], ],
@ -50,7 +59,12 @@ The access key provided for the replication *target* cluster should have these m
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketVersioning" "s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:GetBucketObjectLockConfiguration"
], ],
"Resource": [ "Resource": [
"arn:aws:s3:::destbucket" "arn:aws:s3:::destbucket"
@ -59,12 +73,16 @@ The access key provided for the replication *target* cluster should have these m
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"s3:GetReplicationConfiguration",
"s3:ReplicateTags", "s3:ReplicateTags",
"s3:AbortMultipartUpload",
"s3:GetObject", "s3:GetObject",
"s3:GetObjectVersion", "s3:GetObjectVersion",
"s3:GetObjectVersionTagging", "s3:GetObjectVersionTagging",
"s3:PutObject", "s3:PutObject",
"s3:ReplicateObject" "s3:DeleteObject",
"s3:ReplicateObject",
"s3:ReplicateDelete"
], ],
"Resource": [ "Resource": [
"arn:aws:s3:::destbucket/*" "arn:aws:s3:::destbucket/*"
@ -72,8 +90,10 @@ The access key provided for the replication *target* cluster should have these m
} }
] ]
} }
``` ```
Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like
"s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup.sh)
Once successfully created and authorized, the `mc admin bucket remote add` command generates a replication target ARN. This command lists all the currently authorized replication targets: Once successfully created and authorized, the `mc admin bucket remote add` command generates a replication target ARN. This command lists all the currently authorized replication targets:
``` ```
mc admin bucket remote ls myminio/srcbucket --service "replication" mc admin bucket remote ls myminio/srcbucket --service "replication"

105
docs/bucket/replication/setup_replication.sh
Unescape View File

@ -0,0 +1,105 @@
#!/bin/sh
# create buckets with versioning enabled
mc mb source/bucket --l # --l flag enables object locking.If not needed, uncomment the 'mc version enable' commands
mc mb dest/bucket --l
#mc version enable source/bucket
#mc version enable dest/bucket
#### Create a replication admin on source alias
# create a replication admin user : repladmin
mc admin user add source repladmin repladmin123
# create a replication policy for repladmin
cat > repladmin-policy-source.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:SetBucketTarget",
"admin:GetBucketTarget"
],
"Effect": "Allow",
"Sid": ""
},
{
"Effect": "Allow",
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:GetBucketVersioning"
],
"Resource": [
"arn:aws:s3:::bucket"
]
}
]
}
EOF
mc admin policy add source repladmin-policy ./repladmin-policy-source.json
cat ./repladmin-policy-source.json
#assign this replication policy to repladmin
mc admin policy set source repladmin-policy user=repladmin
### on dest alias
# Create a replication user : repluser on dest alias
mc admin user add dest repluser repluser123
# create a replication policy for repluser
# Remove "s3:GetBucketObjectLockConfiguration" if object locking is not enabled, i.e. bucket was not created with `mc mb --with-lock` option
# Remove "s3:ReplicateDelete" if delete marker replication is not required
cat > replpolicy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:GetBucketObjectLockConfiguration"
],
"Resource": [
"arn:aws:s3:::bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetReplicationConfiguration",
"s3:ReplicateTags",
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectVersionTagging",
"s3:PutObject",
"s3:DeleteObject",
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
EOF
mc admin policy add dest replpolicy ./replpolicy.json
cat ./replpolicy.json
#assign this replication policy to repluser
mc admin policy set dest replpolicy user=repluser
# define remote target for replication from source/bucket -> dest/bucket
mc admin bucket remote add repladminAlias/bucket http://repluser:repluser123@localhost:9000/bucket --service replication --region us-east-1
echo "Now, use this ARN to add replication rules using 'mc replicate add' command"
# use arn returned by above command to create a replication policy on the source/bucket with `mc replicate add`
#mc replicate add source/bucket --priority 1 --remote-bucket bucket --arn arn:minio:replication:us-east-1:21fb52f5857473e2dbdcf62dcac21240861caf0f8301c3d26aad4de7677869c7:bucket --replicate delete-marker,delete
Write Preview
Loading…
Cancel
Save