frostfs-s3-gw/docs/configuration.md

Configuration

There are three ways to configure the S3 GW:

1. CLI parameters
2. YAML file
3. Environment variables

Everything available as a CLI parameter can also be specified via environment variables and almost everything can be specified via .yaml configuration file.

But not vice versa, some parameters can be configured only with environment variables/configuration file. Most of these parameters have default values, therefore, these ways to configure the gateway are optional and basic configuration can be completed with CLI parameters only.

1. CLI parameters
   1. Nodes and weights
   2. Wallet
   3. Binding and TLS
   4. RPC endpoint and resolving of bucket names
   5. Processing of requests
   6. Connection to FrostFS
   7. Monitoring and metrics
2. YAML file and environment variables
   1. Configuration file

CLI parameters

Nodes and weights

You can specify multiple -p options to add more FrostFS nodes; this will make a gateway spread requests equally among them (using weight 1 for every node):

$ frostfs-s3-gw -p 192.168.130.72:8080 -p 192.168.130.71:8080

If you want some specific load distribution proportions, use weights and priorities, they can only be specified via environment variables or a configuration file.

Wallet

Wallet (--wallet) is a mandatory parameter. It is a path to a wallet file. You can provide a passphrase to decrypt a wallet via env variable or conf file, or you will be asked to enter a password interactively. You can also specify an account address to use from a wallet using the --address parameter.

Listening on address and TLS

You can make the gateway listen on specific address using the --listen_address option.

It can also provide TLS interface for its users, just specify paths to the key and certificate files via --tls.key_file and --tls.cert_file parameters. Note that using these options makes gateway TLS-only. If you need to serve both TLS and plain text, you either have to run two gateway instances or use some external redirecting solution.

Example to bind to 192.168.130.130:443 and serve TLS there (keys and nodes are omitted):

$ frostfs-s3-gw --listen_address 192.168.130.130:443 \
  --tls.key_file=key.pem --tls.cert_file=cert.pem

Using these flag you can configure only one address. To set multiple addresses use yaml config.

RPC endpoint and resolving of bucket names

To set RPC endpoint specify a value of parameter -r or --rpc_endpoint. The parameter is required if another parameter's --resolve_order value contains nns.

$ frostfs-s3-gw --rpc_endpoint http://morph-chain.frostfs.devenv:30333/ --resolve_order nns,dns

Processing of requests

Maximum number of clients whose requests can be handled by the gateway can be specified by the value of --max_clients_count parameter. --max_clients_deadline defines deadline after which the gate sends error RequestTimeout to a client.

$ frostfs-s3-gw --max_clients_count 150 --max_clients_deadline 1m

Connection to FrostFS

Timeout to connect to FrostFS nodes can be set with --connect_timeout and timeout to check node health during rebalance--healthcheck_timeout.

Also, interval to check node health can be specified by --rebalance_interval value.

$ frostfs-s3-gw --healthcheck_timeout 15s --connect_timeout 1m --rebalance_interval 1h

Monitoring and metrics

Pprof and Prometheus are integrated into the gateway. To enable them, use --pprof and --metrics flags or S3_GW_PPROF_ENABLED/S3_GW_PROMETHEUS_ENABLED environment variables.

YAML file and environment variables

Example of a YAML configuration file: yaml-example Examples of environment variables: env-example.

A path to a configuration file can be specified with --config parameter:

$ frostfs-s3-gw --config your-config.yaml

Multiple configs

You can use several config files when running application. It allows you to split configuration into parts. For example, you can use separate yaml file for pprof and prometheus section in config (see config examples). You can either provide several files with repeating --config flag or provide path to the dir that contains all configs using --config-dir flag. Also, you can combine these flags:

$ frostfs-s3-gw --config ./config/config.yaml --config /your/partial/config.yaml --config-dir ./config/dir

Note: next file in --config flag overwrites values from the previous one. Files from --config-dir directory overwrite values from --config files. So the command above run frostfs-s3-gw to listen on 0.0.0.0:8080 address (value from ./config/config.yaml), applies parameters from /your/partial/config.yaml, enable pprof (value from ./config/dir/pprof.yaml) and prometheus (value from ./config/dir/prometheus.yaml).

Reload on SIGHUP

Some config values can be reloaded on SIGHUP signal. Such parameters have special mark in tables below.

You can send SIGHUP signal to app using the following command:

$ kill -s SIGHUP <app_pid>

Example:

$ ./bin/frostfs-s3-gw --config config.yaml  &> s3.log &
[1] 998346

$ cat s3.log
# ...
2022-09-30T17:38:22.338+0300    info    s3-gw/app.go:371        application started     {"name": "frostfs-s3-gw", "version": "v0.24.0"}
# ...

$ kill -s SIGHUP 998346

$ cat s3.log
# ...
2022-09-30T17:38:40.909+0300    info    s3-gw/app.go:491        SIGHUP config reload completed

FrostFS S3 Gateway configuration file

This section contains detailed FrostFS S3 Gateway configuration file description including default config values and some tips to set up configurable values.

There are some custom types used for brevity:

• duration -- string consisting of a number and a suffix. Suffix examples include s (seconds), m (minutes), ms ( milliseconds).

Structure

Section	Description
no section	General parameters
wallet	Wallet configuration
peers	Nodes configuration
placement_policy	Placement policy configuration
server	Server configuration
control	Control API configuration
logger	Logger configuration
cache	Cache configuration
nats	NATS configuration
cors	CORS configuration
pprof	Pprof configuration
prometheus	Prometheus configuration
tracing	Tracing configuration
frostfs	Parameters of requests to FrostFS
resolve_bucket	Bucket name resolving configuration
kludge	Different kludge configuration
runtime	Runtime configuration
features	Features configuration
web	Web server configuration
frostfsid	FrostfsID configuration
policy	Policy contract configuration
proxy	Proxy contract configuration
namespaces	Namespaces configuration

General section

listen_domains:
   - s3dev.frostfs.devenv
   - s3dev2.frostfs.devenv

rpc_endpoint: http://morph-chain.frostfs.devenv:30333
resolve_order:
  - nns
  - dns

connect_timeout: 10s
stream_timeout: 10s
healthcheck_timeout: 15s
rebalance_interval: 60s
pool_error_threshold: 100

max_clients_count: 100
max_clients_deadline: 30s

allowed_access_key_id_prefixes:
   - Ck9BHsgKcnwfCTUSFm6pxhoNS4cBqgN2NQ8zVgPjqZDX
   - 3stjWenX15YwYzczMr88gy3CQr4NYFBQ8P7keGzH5QFn
  
reconnect_interval: 1m

source_ip_header: "Source-Ip"

Parameter	Type	SIGHUP reload	Default value	Description
listen_domains	[]string	no		Domains to be able to use virtual-hosted-style access to bucket.
rpc_endpoint	string	no		The address of the RPC host to which the gateway connects to resolve bucket names and interact with frostfs contracts (required to use the nns resolver and frostfsid contract).
resolve_order	[]string	yes	[dns]	Order of bucket name resolvers to use. Available resolvers: dns, nns.
connect_timeout	duration	no	10s	Timeout to connect to a node.
stream_timeout	duration	no	10s	Timeout for individual operations in streaming RPC.
healthcheck_timeout	duration	no	15s	Timeout to check node health during rebalance.
rebalance_interval	duration	no	60s	Interval to check node health.
pool_error_threshold	uint32	no	100	The number of errors on connection after which node is considered as unhealthy.
max_clients_count	int	no	100	Limits for processing of clients' requests.
max_clients_deadline	duration	no	30s	Deadline after which the gate sends error RequestTimeout to a client.
allowed_access_key_id_prefixes	[]string	no		List of allowed AccessKeyID prefixes which S3 GW serve. If the parameter is omitted, all AccessKeyID will be accepted.
reconnect_interval	duration	no	1m	Listeners reconnection interval.
source_ip_header	string	yes		Custom header to retrieve Source IP.

wallet section

wallet:
   path: /path/to/wallet.json # Path to wallet
   passphrase: "" # Passphrase to decrypt wallet.
   address: NfgHwwTi3wHAS8aFAN243C5vGbkYDpqLHP

Parameter	Type	Default value	Description
path	string		Path to wallet
passphrase	string		Passphrase to decrypt wallet.
address	string		Account address to get from wallet. If omitted default one will be used.

peers section

# Nodes configuration
# This configuration makes the gateway use the first node (node1.frostfs:8080)
# while it's healthy. Otherwise, gateway uses the second node (node2.frostfs:8080)
# for 10% of requests and the third node (node3.frostfs:8080) for 90% of requests.
# Until nodes with the same priority level are healthy
# nodes with other priority are not used.
# The lower the value, the higher the priority.
peers:
  0:
    address: node1.frostfs:8080
    priority: 1
    weight: 1
  1:
    address: node2.frostfs:8080
    priority: 2
    weight: 0.1
  2:
    address: node3.frostfs:8080
    priority: 2
    weight: 0.9

Parameter	Type	Default value	Description
address	string		Address of storage node.
priority	int	1	It allows to group nodes and don't switch group until all nodes with the same priority will be unhealthy. The lower the value, the higher the priority.
weight	float	1	Weight of node in the group with the same priority. Distribute requests to nodes proportionally to these values.

placement_policy section

placement_policy:
  default: REP 3
  region_mapping: /path/to/mapping/rules.json
  copies_numbers:
    - location_constraint: one-dc
      vector:
        - 1
        - 2
        - 3

Parameter	Type	SIGHUP reload	Default value	Description
default	string	yes	REP 3	Default policy of placing containers in FrostFS. If a user sends a request CreateBucket and doesn't define policy for placing of a container in FrostFS, the S3 Gateway will put the container with default policy.
region_mapping	string	yes		Path to file that maps aws LocationContraint values to FrostFS placement policy. The similar to --container-policy flag in frostfs-s3-authmate util, see in docs
copies_numbers	[]Copies numbers	no		Array of configured location constraints and their copies numbers.

File for region_mapping must contain something like this:

{
   "rep-3": "REP 3",
   "complex": "REP 1 IN X CBF 1 SELECT 1 FROM * AS X",
   "example-json-policy": "{\"replicas\":[{\"count\":3,\"selector\":\"SelASD0\"}],\"container_backup_factor\":3,\"selectors\":[{\"name\":\"SelASD0\",\"count\":3,\"filter\":\"*\"}],\"filters\":[]}"
}

Note: on SIGHUP reload policies will be updated only if both parameters are valid. So if you change default to some valid value and set invalid path in region_mapping the default value won't be changed.

copies_numbers subsection

- location_constraint: sample-01
  vector:
    - 1
    - 2
    - 3

Parameter	Type	SIGHUP reload	Default value	Description
location_constraint	string	no		Location constraint text label.
vector	[]int	no		Array of copies numbers corresponding to the constraint.

server section

You can specify several listeners for server. For example, for http and https.

server:
  - address: 0.0.0.0:8080
    tls:
      enabled: false
      cert_file: /path/to/cert
      key_file: /path/to/key
  - address: 0.0.0.0:8081
    tls:
      enabled: true
      cert_file: /path/to/another/cert
      key_file: /path/to/another/key

Parameter	Type	SIGHUP reload	Default value	Description
address	string		0.0.0.0:8080	The address that the gateway is listening on.
tls.enabled	bool		false	Enable TLS or not.
tls.cert_file	string	yes		Path to the TLS certificate.
tls.key_file	string	yes		Path to the key.

control section

Control API parameters.

control:
  authorized_keys:  
    - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11
    - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
  grpc:
    endpoint: localhost:8083

Parameter	Type	SIGHUP reload	Default value	Description
authorized_keys	[]string	yes		List of hex-encoded public keys that have rights to use the Control Service.
grpc.endpoint	string		localhost:8083	Endpoint that is listened by the Control Service.

logger section

logger:
  level: debug
  destination: stdout

Parameter	Type	SIGHUP reload	Default value	Description
level	string	yes	debug	Logging level. Possible values: debug, info, warn, error, dpanic, panic, fatal.
destination	string	no	stdout	Destination for logger: stdout or journald

cache section

cache:
  objects:
    lifetime: 300s
    size: 150
  list:
    lifetime: 1m
    size: 100
  list_session:
    lifetime: 1m
    size: 100
  names:
    lifetime: 1m
    size: 1000
  buckets:
    lifetime: 1m
    size: 500
  system:
    lifetime: 2m
    size: 1000
  accessbox:
    removing_check_interval: 5m
    lifetime: 10m
    size: 100
  accesscontrol:
    lifetime: 1m
    size: 100000
  morph_policy:
    lifetime: 30s
    size: 10000
  frostfsid:
    lifetime: 1m
    size: 10000

Parameter	Type	Default value	Description
objects	Cache config	lifetime: 5m size: 1000000	Cache for objects (FrostFS headers).
list	Cache config	lifetime: 60s size: 100000	Cache which keeps lists of objects in buckets.
list_session	Cache config	lifetime: 60s size: 100	Cache which keeps listing session.
names	Cache config	lifetime: 60s size: 10000	Cache which contains mapping of nice name to object addresses.
buckets	Cache config	lifetime: 60s size: 1000	Cache which contains mapping of bucket name to bucket info.
system	Cache config	lifetime: 5m size: 10000	Cache for system objects in a bucket: bucket settings, notification configuration etc.
accessbox	Accessbox cache config	lifetime: 10m size: 100	Cache which stores access box with tokens by its address.
accesscontrol	Cache config	lifetime: 1m size: 100000	Cache which stores owner to cache operation mapping.
morph_policy	Cache config	lifetime: 1m size: 10000	Cache which stores list of policy chains.
frostfsid	Cache config	lifetime: 1m size: 10000	Cache which stores FrostfsID subject info.

cache subsection

lifetime: 2m
size: 1000

Parameter	Type	Default value	Description
lifetime	duration	depends on cache	Lifetime of entries in cache.
size	int	depends on cache	LRU cache size.

accessbox subsection

lifetime: 10m
size: 100

Parameter	Type	Default value	Description
removing_check_interval	duration	`5m'	Time after which creds should be checked for removal.
lifetime	duration	'10m'	Lifetime of entries in cache.
size	int	'100	LRU cache size.

nats section

This is an advanced section, use with caution. You can turn on notifications about successful completions of basic operations, and the gateway will send notifications via NATS JetStream.

1. to configure the NATS server with JetStream
2. to specify NATS parameters for the S3 GW. It's necessary to define a values of nats.enable or S3_GW_NATS_ENABLED as True
3. to configure notifications in a bucket

nats:
  enabled: true
  endpoint: nats://localhost:4222
  timeout: 30s
  cert_file: /path/to/cert
  key_file: /path/to/key
  root_ca: /path/to/ca

Parameter	Type	Default value	Description
enabled	bool	false	Flag to enable the service.
endpoint	string		NATS endpoint to connect to.
timeout	duration	30s	Timeout for the object notification operation.
certificate	string		Path to the client certificate.
key	string		Path to the client key.
ca	string		Override root CA used to verify server certificates.

cors section

cors:
  default_max_age: 600

Parameter	Type	Default value	Description
default_max_age	int	600	Value of Access-Control-Max-Age header in seconds.

pprof section

Contains configuration for the pprof profiler.

pprof:
  enabled: true
  address: localhost:8085

Parameter	Type	SIGHUP reload	Default value	Description
enabled	bool	yes	false	Flag to enable the service.
address	string	yes	localhost:8085	Address that service listener binds to.

prometheus section

Contains configuration for the prometheus metrics service. General metrics are available on /metrics url path, billing metrics on /metrics/billing.

prometheus:
  enabled: true
  address: localhost:8086

Parameter	Type	SIGHUP reload	Default value	Description
enabled	bool	yes	false	Flag to enable the service.
address	string	yes	localhost:8086	Address that service listener binds to.

tracing section

Contains configuration for the tracing service.

tracing:
  enabled: false
  exporter: "otlp_grpc"
  endpoint: "localhost:4318"

Parameter	Type	SIGHUP reload	Default value	Description
enabled	bool	yes	false	Flag to enable the service.
exporter	string	yes	``	Type of tracing exporter.
endpoint	string	yes	``	Address that service listener binds to.

frostfs section

Contains parameters of requests to FrostFS.

The set_copies_number value can be overridden with X-Amz-Meta-Frostfs-Copies-Number (value is comma separated numbers: 1,2,3) header for PutObject, CopyObject, CreateMultipartUpload.

frostfs:
  set_copies_number: [0]
  client_cut: false
  buffer_max_size_for_put: 1048576 # 1mb
  tree_pool_max_attempts: 0

Parameter	Type	SIGHUP reload	Default value	Description
set_copies_number	[]uint32	yes	[0]	Numbers of the object copies (for each replica) to consider PUT to FrostFS successful. Default value [0] or empty list means that object will be processed according to the container's placement policy
client_cut	bool	yes	false	This flag enables client side object preparing.
buffer_max_size_for_put	uint64	yes	1048576	Sets max buffer size for read payload in put operations.
tree_pool_max_attempts	uint32	no	0	Sets max attempt to make successful tree request. Value 0 means the number of attempts equals to number of nodes in pool.

resolve_bucket section

Bucket name resolving parameters from and to container ID.

resolve_bucket:
  namespace_header: X-Frostfs-Namespace
  allow:
    - container
  deny:

Parameter	Type	SIGHUP reload	Default value	Description
namespace_header	string	yes	X-Frostfs-Namespace	Header to determine zone to resolve bucket name.
allow	[]string	no		List of container zones which are available to resolve. Mutual exclusive with deny list. Prioritized over deny list.
deny	[]string	no		List of container zones which are restricted to resolve. Mutual exclusive with allow list.

kludge section

Workarounds for non-standard use cases.

kludge:
  use_default_xmlns: false
  bypass_content_encoding_check_in_chunks: false
  default_namespaces: [ "", "root" ]
  acl_enabled: false

Parameter	Type	SIGHUP reload	Default value	Description
use_default_xmlns	bool	yes	false	Enable using default xml namespace http://s3.amazonaws.com/doc/2006-03-01/ when parse xml bodies.
bypass_content_encoding_check_in_chunks	bool	yes	false	Use this flag to be able to use chunked upload approach without having aws-chunked value in Content-Encoding header.
default_namespaces	[]string	yes	["","root"]	Namespaces that should be handled as default.
acl_enabled	bool	yes	false	Enable bucket/object ACL support for newly created buckets.

runtime section

Contains runtime parameters.

runtime:
  soft_memory_limit: 1gb

Parameter	Type	SIGHUP reload	Default value	Description
soft_memory_limit	size	yes	maxint64	Soft memory limit for the runtime. Zero or no value stands for no limit. If GOMEMLIMIT environment variable is set, the value from the configuration file will be ignored.

features section

Contains parameters for enabling features.

features:
   policy:
      deny_by_default: false
   md5:
      enabled: false

Parameter	Type	SIGHUP reload	Default value	Description
md5.enabled	bool	yes	false	Flag to enable return MD5 checksum in ETag headers and fields.
policy.deny_by_default	bool	yes	false	Enable denying access for request that doesn't match any policy chain rules.

web section

Contains web server configuration parameters.

web:
  read_timeout: 0
  read_header_timeout: 30s
  write_timeout: 0
  idle_timeout: 30s

Parameter	Type	SIGHUP reload	Default value	Description
read_timeout	duration	no	0	The maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.
read_header_timeout	duration	no	30s	The amount of time allowed to read request headers. If read_header_timeout is zero, the value of read_timeout is used. If both are zero, there is no timeout.
write_timeout	duration	no	0	The maximum duration before timing out writes of the response. A zero or negative value means there will be no timeout.
idle_timeout	duration	no	30s	The maximum amount of time to wait for the next request when keep-alives are enabled. If idle_timeout is zero, the value of read_timeout is used. If both are zero, there is no timeout.

frostfsid section

FrostfsID contract configuration. To enable this functionality the rpc_endpoint param must be also set.

frostfsid:
  contract: frostfsid.frostfs
  validation:
   enabled: false

Parameter	Type	SIGHUP reload	Default value	Description
contract	string	no	frostfsid.frostfs	FrostfsID contract hash (LE) or name in NNS.
validation.enabled	bool	no	false	Enables a check to only allow requests to users registered in the FrostfsID contract.

policy section

Policy contract configuration. To enable this functionality the rpc_endpoint param must be also set.

policy:
  contract: policy.frostfs

Parameter	Type	SIGHUP reload	Default value	Description
contract	string	no	policy.frostfs	Policy contract hash (LE) or name in NNS.

proxy section

Proxy contract configuration. To enable this functionality the rpc_endpoint param must be also set.

proxy:
  contract: proxy.frostfs

Parameter	Type	SIGHUP reload	Default value	Description
contract	string	no	proxy.frostfs	Proxy contract hash (LE) or name in NNS.

namespaces section

Namespaces configuration.

namespaces:
  config: namespace.json

Parameter	Type	SIGHUP reload	Default value	Description
config	string	yes		Path to json file with config value for namespaces.

namespaces.config subsection

Example of namespaces.json. Note that config values from namespaces.json can override config values for default namespaces (value for which are fetched from regular config value e.g. placement-policy). To override config values for default namespaces use namespace names that are provided in kludge.default_namespaces.

{
  "namespaces": {
    "namespace1": {
      "location_constraints": {
        "default": "REP 3",
        "test": "{\"replicas\":[{\"count\":1,\"selector\":\"\"}],\"containerBackupFactor\":0,\"selectors\":[],\"filters\":[],\"unique\":false}"
      },
      "copies_numbers": {
        "default": [ 0 ],
        "test": [ 1 ]
      }
    }
  }
}