navsection: api
title: Storage in Keep
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
-h2. Storing data
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
-Storing data in Keep follows this process:
+Keep clients are applications such as @arv-get@, @arv-put@ and @arv-mount@ which store and retrieve data from Keep. In doing so, these programs interact with both the API server (which stores file metadata in form of Collection objects) and individual Keep servers (which store the actual data blocks).
-# The client fetches a list of keep servers (or proxies) using the @accessible@ method on "keep_services":{{site.baseurl}}/api/methods/keep_services.html
+!{{site.baseurl}}/images/Keep_reading_writing_block.svg!
+
+h2. Storing a file
+
+# The client discovers keep servers (or proxies) using the @accessible@ method on "keep_services":{{site.baseurl}}/api/methods/keep_services.html
# Data is split into 64 MiB blocks and the MD5 hash is computed for each block.
# The client uploads each block to one or more Keep servers, based on the number of desired replicas. The priority order is determined using rendezvous hashing, described below.
# The Keep server returns a block locator (the MD5 sum of the block) and a "signed token" which the client can use as proof of knowledge for the block.
# The client creates a "collection":{{site.baseurl}}/api/methods/collections.html and provides the @manifest_text@
# The API server accepts the collection after validating the signed tokens (proof of knowledge) for each block.
-h2. Fetching data
+!{{site.baseurl}}/images/Keep_manifests.svg!
-# The client requests a @collection@ object including @manifest_text@
-# The server adds "token signatures" which provide proof of access for each block
-# The client fetches a list of keep servers (or proxies) using the @accessible@ method on "keep_services":{{site.baseurl}}/api/methods/keep_services.html
+h2. Fetching a file
+
+# The client requests a @collection@ object including @manifest_text@ from the APIs server
+# The server adds "token signatures" to the @manifest_text@ and returns it to the client.
+# The client discovers keep servers (or proxies) using the @accessible@ method on "keep_services":{{site.baseurl}}/api/methods/keep_services.html
# For each data block, the client chooses the highest priority server using rendezvous hashing, described below.
-# The client sends the data block request to the keep server, including the token signature (proof of access).
+# The client sends the data block request to the keep server, along with the token signature from the API which proves to Keep servers that the client is permitted to read a given block.
# The server provides the block data after validating the token signature for the block (if the server does not have the block, it returns a 404 and the client tries the next highest priority server)
-h2. Keep server API
+!{{site.baseurl}}/images/Keep_rendezvous_hashing.svg!
-The Keep server is accessed via a simple HTTP REST API.
+Each @keep_service@ resource has an assigned uuid. To determine priority assignments of blocks to servers, for each keep service compute the MD5 sum of the string concatenation of the block locator (hex-coded hash part only) and service uuid, then sort this list in descending order. Blocks are preferentially placed on servers with the highest weight.
-*GET /blockidentifier+size+A@token*
+h2. Keep server API
-Fetch the data block, if the token is valid.
+The Keep server is accessed via a simple HTTP REST API.
-*PUT /blockidentifier*
+*GET /blocklocator+size+A@token*
-Returns the md5 sum of the data along with the signed token.
+Fetch the data block. Response returns block contents. If permission checking is enabled, requires a valid token hint.
-h2. Rendezvous hashing
+*PUT /blocklocator*
-Each @keep_service@ resource has an assigned uuid. To determine priority assignments of blocks to servers, for each keep service compute the MD5 sum of the string concatenation of the block locator (hex-coded hash part only) and service uuid, then sort this list in descending order. Blocks are preferentially placed on servers at the beginning of the list.
+Body: the block contents. Responds the block locator consisting of MD5 sum of the data, block size, and signed token hint.
-h1. Keep locator format
+*POST /*
-<pre>
-locator ::= sized-digest hint*
+Body: the block contents. Responds the block locator consisting of MD5 sum of the data, block size, and signed token hint.
-sized-digest ::= digest size-hint
+h2(#locator). Keep locator format
-digest ::= <32 lowercase hexadecimal digits>
+BNF notation for a valid Keep locator string (with hints). For example @d41d8cd98f00b204e9800998ecf8427e+0+Z+Ada39a3ee5e6b4b0d3255bfef95601890afd80709@53bed294@
-size-hint ::= "+" [0-9]+
+<pre>
+locator ::= sized-digest hint*
+sized-digest ::= digest size-hint
+digest ::= <32 lowercase hexadecimal digits>
+size-hint ::= "+" [0-9]+
+hint ::= "+" hint-type hint-content
+hint-type ::= [A-Z]+
+hint-content ::= [A-Za-z0-9@_-]*
+sign-hint ::= "+A" <40 lowercase hexadecimal digits> "@" sign-timestamp
+sign-timestamp ::= <8 lowercase hexadecimal digits>
+</pre>
-hint ::= "+" hint-type hint-content
+h3. Token signatures
-hint-type ::= [A-Z]+
+A token signature (sign-hint) provides proof-of-access for a data block. It is computed by taking a SHA1 HMAC of the blob signing token (a shared secret between the API server and keep servers), block digest, current API token, expiration timestamp, and blob signature TTL.
-hint-content ::= [A-Za-z0-9@_-]*
+When communicating with the Keep store to fetch a block, or the API server to create or update a collection, the service computes the expected token signature for each block and compares it to the token signature that was presented by the client. Keep clients receive valid block signatures when uploading a block to a keep store (getting back a signed token as proof of knowledge) or, from the API server, getting the manifest text of a collection on which the user has read permission.
-sign-hint ::= "+A" <40 lowercase hexadecimal digits> "@" sign-timestamp
+Security of a token signature is derived from the following characteristics:
-sign-timestamp ::= <8 lowercase hexadecimal digits>
-</pre>
+# Valid signatures can only be generated by entities that know the shared secret (the "blob signing token")
+# A signature can only be used by an entity that also know the API token that was used to generate it.
+# It expires after a set date (the expiration time, based on the "blob signature time-to-live (TTL)")
-h2. Regular expressions to validat locator
+h3. Regular expression to validate locator
<pre>
/^([0-9a-f]{32})\+([0-9]+)(\+[A-Z][-A-Za-z0-9@_]*)*$/
</pre>
-h2. Valid examples
+h3. Valid locators
+table(table table-bordered table-condensed).
|@d41d8cd98f00b204e9800998ecf8427e+0@|
|@d41d8cd98f00b204e9800998ecf8427e+0+Z@|
-|@d41d8cd98f00b204e9800998ecf8427e+0+Z+Ada39a3ee5e6b4b0d3255bfef95601890afd80709@53bed294@|
+|<code>d41d8cd98f00b204e9800998ecf8427e+0+Z+Ada39a3ee5e6b4b0d3255bfef95601890afd80709@53bed294</code>|
-h2. Invalid examples
+h3. Invalid locators
+table(table table-bordered table-condensed).
||Why|
|@d41d8cd98f00b204e9800998ecf8427e@|No size hint|
|@d41d8cd98f00b204e9800998ecf8427e+Z+0@|Other hint before size hint|
A manifest is utf-8 encoded text, consisting of zero or more newline-terminated streams.
-Each stream consists of three or more space-delimited tokens:
-* The first token is a stream name, consisting of one or more path components, delimited by @"/"@.
+<pre>
+manifest ::= stream*
+stream ::= stream-name (" " locator)+ (" " file-segment)+ "\n"
+stream-name ::= "." ("/" path-component)*
+path-component ::= <printable ASCII - (whitespace, "/")>+
+file-segment ::= position ":" size ":" filename
+position ::= [0-9]+
+size ::= [0-9]+
+filename ::= path-component ("/" path-component)*
+</pre>
+
+Notes:
+
+* The first token is the stream name, consisting of one or more path components, delimited by @"/"@.
** The first path component is always @"."@.
** No path component is empty.
-** No path component is "." or "..".
+** No path component following the first one can be "." or "..".
** The stream name never begins or ends with @"/"@.
-* The second token is a data blob locator (see [[Keep locator format]]).
-* ...possibly followed by more data blob locators...
-* The first token that is not a block locator, and all subsequent tokens, are file tokens.
+* The next N tokens are "keep locators":#locator
+** These describe the "data stream". By logically concatenating the blocks in the order that they appear, we can refer to "positions" in the data stream.
+* File tokens come after the sequence of keep locators.
** A file token has three parts, delimited by @":"@: position, size, filename.
-** Position and size are given in decimal, and are counted from the beginning of the first data blob.
+** Position and size are given in decimal
+** The position is the position in the data stream
+** The size is the count of bytes following the position in the data stream. A file size may cross multiple blocks in the data stream.
** Filename may contain @"/"@ characters, but must not start or end with @"/"@, and must not contain @"//"@.
** Filename components (delimited by @"/"@) must not be @"."@ or @".."@.
+** There may be multiple file tokens.
-A manifest contains no TAB characters, nor other ASCII whitespace characters other than the spaces or newline delimiters specified above.
+It is legal to have multiple file tokens in the manifest (possible across different streams) with the same combined path name @stream name + "/" + filename@. This must be interpreted as a concatenation of file content, in the order that the file tokens appear in the manifest.
-A manifest always ends with a newline -- except the empty (zero-length) string, which is a valid manifest.
+Spaces are represented by the escape sequence @\040@. Spaces in stream names and filenames must be translated when reading and writing manifests. A manifest may not contain TAB characters, nor other ASCII whitespace characters or control codes other than the spaces or newlines used as delimiters specified above. A manifest always ends with a newline -- except the empty (zero-length) string, which is a valid manifest.
-h2. Normalized manifest v1
+h3. Normalized manifest v1
-A normalized manifest has the following additional restrictions.
+A normalized manifest is a manifest that meets the following additional restrictions:
* Streams are in alphanumeric order.
* Each stream name is unique within the manifest.
-* Files within a stream are in alphanumeric order.
-* Blocks within a stream are ordered based on first appearence in the list of file segments, a given block is listed at most once in a stream.
-* Filename must not contain @"/"@.
+* Files within a stream are listed in alphanumeric order.
+* Blocks within a stream are ordered based on order of file tokens of the stream. A given block is listed at most once in a stream.
+* Filename must not contain @"/"@ (the stream name represents the path prefix)
+
+h3. Example manifests
+
+A manifest with four files in two directories:
+
+<pre>
+. 930625b054ce894ac40596c3f5a0d947+33 0:0:a 0:0:b 0:33:output.txt
+./c d41d8cd98f00b204e9800998ecf8427e+0 0:0:d
+</pre>
+
+The same manifest with permission signatures on each block:
+
+<pre>
+. 930625b054ce894ac40596c3f5a0d947+33+A1f27a35dd9af37191d63ad8eb8985624451e7b79@5835c8bc 0:0:a 0:0:b 0:33:output.txt
+./c d41d8cd98f00b204e9800998ecf8427e+0+A27117dcd30c013a6e85d6d74c9a50179a1446efa@5835c8bc 0:0:d
+</pre>
+
+A manifest containing a file consisting of multiple blocks and a space in the file name:
+
+<pre>
+. c449ed86671e4a34a8b8b9430850beba+67108864 09fcfea01c3a141b89dd0dcfa1b7768e+22534144 0:89643008:Docker\040image.tar
+</pre>
projects / arvados.git / blobdiff