Add API to compose objects through server-side copying

[donatello]

The new ComposeObject API provides a way to create objects by
concatenating existing objects. It takes a list of source objects
along with optional start-end range specifications, and concatenates
them into a new object.

The API supports:

• Create an object from upto 10000 existing objects.
• Create object of any size upto 5TiB.
• Creates objects from even existing objects that are larger than
  5GiB (part size limit in multipart PUTs)
• Support copy-conditions on each source object separately.
• Support SSE-C (i.e. Server-Side-Encryption with Customer provided
  key) for both encryption of destination object, and decryption of
  source objects.
• Support for setting/replacing custom metadata in the destination
  object.

This API has been used to refactor the CopyObject API - that API now
supports source objects of any size, SSE-C for source and destination,
and settings custom metadata.

Finally, the type for a source object (SourceInfo) allows the user to set custom headers (by hand) for further extended usage (such as using AWS KMS based SSE).

[houndci-bot]

comment on exported function NewDestinationInfo should be of the form "NewDestinationInfo ..."

[houndci-bot]

comment on exported type SSEInfo should be of the form "SSEInfo ..." (with optional leading article)

[donatello]

Note to reviewers: This PR breaks compatibility by changing the CopyObject API signature. It was deemed necessary to bring an improved version in.

[krisis]

Overall the PR looks good to me. There are a few comments that need to be addressed before we merge.

[krisis]

The following snippet of code only confirms that on copy object success the XML response parses fine into a valid copyObjectResult{}. If that is not important, we can skip reading the response body and decoding it.

[donatello]

You're right, it is not required here.

[krisis]

s/(#FGetObject)/(#ComposeObject)/

[krisis]

Documentation on CopyObject needs to be updated too.

[donatello]

Done!

[krisis]

We need to expand on DestinationInfo and SourceInfo types as well.

[donatello]

NewSSEInfo, NewSourceInfo and NewDestinationInfo are added in docs. The types are only documented via godoc for now, in keeping with the existing style (e.g. CopyCondition was documented only via godoc). We may add documentation for types in the API.md later but that is a matter for discussion.

[krisis]

shouldn't this be minio.NewSSEInfo?

[krisis]

Shouldn't this be minio.NewSSEInfo?

[krisis]

Shouldn't this be minio.NewSSEInfo?

[krisis]

Shouldn't this be minio.NewSSEInfo?

[krisis]

Shouldn't this be minio.NewSourceInfo?

[krisis]

Shouldn't this be minio.NewDestinationInfo?

[donatello]

This is ready for review.

[harshavardhana]

Perhaps mention the AES256 AWS S3 link.

[donatello]

Done.

[harshavardhana]

Is this if e == nil necessary? - perhaps okay to let the function fail?

[donatello]

No it is needed here. When getSSEHeaders is called, if there is no key provided during initialization, this safely returns. The other option is to check if the key is nil before calling this function, but I found that to be more repetitive.

[harshavardhana]

i see.. should we ignore it outside rather than letting this call succeed?

[donatello]

If we checked if key is nil outside, then each place of using this function would look like (for e.g.):

if src.key != nil {
    for k, v := src.key.getSSEHeaders(false) {
        // do stuff.
    }
}

The outer if block would be repeated in each usage of this function. In the current implementation it is neatly tucked away inside getSSEHeaders and it returns a nil back which can be safely used in a for-range loop.

[harshavardhana]

Correct but its quite an unnatural usage, usually unallocated struct means its a bug of sort and we are sort of hiding it. That is my only concern.

[harshavardhana]

Same as above..

[donatello]

Again same reasoning as before - this is less repetitive.

[harshavardhana]

You could use sumMD5() ?

[donatello]

👍

[harshavardhana]

// collect of request headers sent with every upload-part-copy

[donatello]

Updated to:

	// Headers to send with the upload-part-copy request involving
	// this source object.

The intension is to allow users to set custom headers on their own in case they need some feature not encapsulated by this library.

[harshavardhana]

Perhaps use path.Join() ? it is okay to not have preceding /

[donatello]

Ok, just used + here.

[harshavardhana]

why not 64MB? no reason for this to be 5MB?

[donatello]

This number is actually 5 GiB. I will update the comment to make this more apparent.

Since this is only server-side copying, the most efficient thing to do is to reduce the number of network requests - this is done by copying the largest possible object-part in each request.

[harshavardhana]

Actually let's not do that.. 5GiB causes for erasure coding block to become super big on a 4 disk setup. Say for example 5GiB *2 so each disk shard will be 2.5GiB. We should avoid this worst case scenario since this would cause easily 2-3secsec worth of delay for ReadFileWithVerify().

We should pick 525MB which would make it 10,000 parts to upload maximum 5TB object. In which case each shard will be at max 256MB.

[donatello]

Review comments addressed!

[harshavardhana]

Just use

       // Calculate the optimal parts info for a given size.
        totalPartsCount, partSize, lastPartSize, err := optimalPartInfo(fileSize)
        if err != nil {
                return 0, err
        }

Since you know the right file size it is better to know the optimal part size. 5GiB is not an ideal size here.

[donatello]

I understand your point about the bad case for erasure coding but there is another problem. If we use up more parts for the first few sources, then there may be too many parts for later sources in the input and it may exceed the max parts limit. I will think a bit and figure out a working algo.

[balamurugana]

If source object was uploaded with client side encryption and respective headers saved, does CopyObject() take care of those headers as well.

[balamurugana]

If source objects were uploaded with client side encryption, what is the expected behavior of ComposeObject()?

[donatello]

Encrypted sources must be decrypted for copying - see https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html - relevant quote:

If the source object is encrypted using server-side encryption with a customer-provided encryption key, you must use the following headers providing encryption information so that Amazon S3 can decrypt the object for copying.

So ComposeObject also does the same decrypt and copy - each encrypted source must have keys specified for decryption. (Note that this server-side-encryption not client side)

[balamurugana]

I understand server side encryption. The question is asked for client side encryption specifically.

[donatello]

Oops, sorry I misread. In the case of client side encryption, the encrypted content would be just copied transparently by the server (it is not aware of client-side encrypted content) - most likely concatenating (client-side-)encrypted objects arbitrarily will lead to garbled data, but server cannot detect this - it is a user error.

[balamurugana]

Is it possible to find and error out in this case? I see minio-java sets below header.

    headerMap.put("x-amz-meta-x-amz-key", encDataKey);
    headerMap.put("x-amz-meta-x-amz-iv", ivString);
    headerMap.put("x-amz-meta-x-amz-matdesc", "{}");

[donatello]

No, I do not think if we can do this correctly - we cannot try and interpret custom metadata set by the user or other tools that the user uses.

[balamurugana]

As per http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html, client side encryption uses x-amz-meta-x-amz-key header. If client side encryption is used for any of source objects, we should error out than performing compose object. The current behavior leads to data corruption if source objects are deleted after compose.

[balamurugana]

does this comment make sense?

[donatello]

I am not sure if it is appropriate to do this - as the encryption scheme is a client side scheme. Copying encrypted objects may be a valid operation in certain situations (client logic may be something complicated and it may be an intended operation - there is no need for the library to stop this). It needs further discussion - and a call can be taken after releasing this.

If only one object will be copied (e.g. via copyobject, with no explicit user metadata headers passed in), this problem is mitigated as the headers from source will be copied to the destination.

[balamurugana]

As this issue discussed with @abperiasamy, issue #738 is opened and this needs to be addressed after this PR merged.

[balamurugana]

If humanize package is already in use, you could use that.

[donatello]

Using that lib for parsing requires checking for errors. It does not add much.

[balamurugana]

I was talking about using const copyPartSize = 5 * humanize.GiByte

[balamurugana]

Why is this function made to break backward compatibility?

[balamurugana]

does this comment make sense?

[donatello]

Without breaking backward compatibility, we would have a very complex function(s) to support copy-object with support for decryption of source, encryption of destination, multiple copy-conditions, sub-range of source and setting user metadata headers. Since this is a significant improvement to the existing API, it was agreed to break compatibility and make a new release.

[balamurugana]

ok. got it.

[balamurugana]

why e is short form to SSEInfo? I think you can name it better

[balamurugana]

I think bucket and object can be listed in two lines for better readability.

[balamurugana]

is it required key should start with x-amz-meta-. if so, you could error out in new(). If two keys named x-amz-meta-my-key and my-key one key/value is lost.

[donatello]

This is handled in NewDestinationInfo() validation now.

[balamurugana]

same as above

[vadmeste]

Can you add one comment to this for ?

[vadmeste]

Can you replace 10000 with maxPartsCount ?

[vadmeste]

Can you also return an error when srcs is empty ? this function is little long, returning early error will be easier to read.

[vadmeste]

I know start = -1 means start is unspecified but we can also set it to zero by default to simplify the code. Do we really need -1 state ?

[donatello]

Before the size of the source is known, 0 <= start <= end represents a valid range specification so we need to use start = -1 to represent an unspecified range. I have added lots of comments to make this clearer now. Ref: see doc for x-amz-copy-source-range at https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html

[houndci-bot]

comment on exported function NewDestinationInfo should be of the form "NewDestinationInfo ..."

[houndci-bot]

comment on exported function NewDestinationInfo should be of the form "NewDestinationInfo ..."

[balamurugana]

As per http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html, client side encryption uses x-amz-meta-x-amz-key header. If client side encryption is used for any of source objects, we should error out than performing compose object. The current behavior leads to data corruption if source objects are deleted after compose.

[harshavardhana]

ping @krisis @balamurugana do you guys have more reviews on this PR? @donatello are you going to send an update?

[houndci-bot]

should omit type int64 from declaration of var r; it will be inferred from the right-hand side

[harshavardhana]

This is not needed you can make this int64(size/copyPartSize)

[donatello]

This PR is updated again.

The previous implementation had a bug.

Example case of bug: two sources of size s given for concatenating, where s = 5GiB+1. Then compose object would try to upload 4 parts of sizes 5GiB, 1, 5GiB, 1. This fails because one of the parts not in the end is of length < 5MiB. In the fix, we make every part of a particular source (almost) the same size. So for the above example, it would generate 4 parts sized: 2.5GiB+1, 2.5GiB, 2.5GiB+1, 2.5GiB.

[donatello]

That's fixed in the latest change.

…

On Jun 26, 2017 7:08 PM, "Harshavardhana" ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In api-compose-object.go <#715 (comment)>: > + partIndex++ + } + } + + // 3. Make final complete-multipart request. + _, err = c.completeMultipartUpload(dst.bucket, dst.object, uploadID, + completeMultipartUpload{Parts: objParts}) + if err != nil { + err = fmt.Errorf("Error in complete-multipart request - %v", err) + } + return err +} + +// partsRequired is ceiling(size / copyPartSize) +func partsRequired(size int64) int { + var r int64 = size / copyPartSize This is not needed you can make this int64(size/copyPartSize) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#715 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMNe50Fv4aDvu55jN8kfrOZ0roZ-QZgks5sIGQAgaJpZM4N-0IV> .

[tejaycar]

@harshavardhana Are there really outstanding changes still? It looks like github is blocking merge, but the only "requested change" I can see is also marked as outdated...

[harshavardhana]

@harshavardhana Are there really outstanding changes still? It looks like github is blocking merge, but the only "requested change" I can see is also marked as outdated...

@tejaycar its not was waiting on the other reviewers.

[harshavardhana]

@balamurugana did you get a chance to look at the latest changes?

[tejaycar]

Ah, that's great news. Are you planning to cut a new release when this is merged? We're really hoping to get it pulled into the next release of Mattermost, but would prefer to do that from a formal release rather than master.

[harshavardhana]

Ah, that's great news. Are you planning to cut a new release when this is merged? We're really hoping to get it pulled into the next release of Mattermost, but would prefer to do that from a formal release rather than master.

Yes @tejaycar it will be a major bump since we broke existing API.

[tejaycar]

Sweet! You guys rock, I'm looking forward to it.

[donatello]

More tests are added. I believe the PR is complete now and ready for merge.

[balamurugana]

• With one exception Multiple sources those use client side encryption in copy object api should return error. #738
• Not tested