Upgrading for LDAP enabled setups

If you are not using the MinIO server's LDAP integration, please follow the usual upgrade instructions.

Release version RELEASE.2024-03-30T09-41-56Z brought a change to LDAP user and group policy mappings storage where the Distinguished Name (DN) of a user or group is stored in a normalized form. This normalization was necessary to ensure consistent handling of values with non-ASCII unicode characaters in a DN. However, this broke existing deployments with LDAP integration enabled, especially for existing mappings because older releases did not store them in a normalized form. The main way to restore mappings in that release and in release version RELEASE.2024-04-06T05-26-02Z was to recreate the mappings - however this was not sufficient to restore operation of access keys (aka service accounts) created by LDAP users.

This release provides a fix for this - however user action is required. Please follow these steps:

1. In your existing MinIO cluster export all IAM data as an administrator with:

   mc admin cluster iam export ALIAS

   This will output a zip file containing IAM data (credentials, policies and policy mappings) in JSON format.

2. Upgrade your cluster to the current release following the usual upgrade instructions.

3. Now import the IAM data with:

   mc admin cluster iam import ALIAS /path/to/zipfile

   providing the path to the zip file from step 1.

For most deployments this should be enough to migrate the IAM policy mappings on LDAP users into the right format.

In some setups there may be duplicate mappings for the same user or group DN but with casing/normalization differences. In these cases, step 3 will return an error describing the conflicting mapping as the server cannot determine the right mapping to use. To fix this error, unzip the exported zip file, open the appropriate mapping file (either iam-assets/stsuser_mappings.json or iam-assets/group_mappings.json). Both these files have a simple JSON structure - they are JSON objects with DN strings as keys and the values are JSON objects. Remove the conflicting DN keys from this file, zip it again and run step 3 once more.

What's Changed

• fix: add fallbackDisks for disk healing by @harshavardhana in #19425
• fix: increase the tiering part size to 128MiB by @harshavardhana in #19424
• heal: Add more per disk healing result in the audit by @vadmeste in #19427
• batch-repl: Do not allow both source/target to be remote by @vadmeste in #19434
• Allow setting readOnlyRootFilesystem in securityContext by @AlexanderThaller in #19437
• Add a warning when the total size of an object versions exceeds 1 TiB by @vadmeste in #19435
• make if-none-match PUT/POST RFC compliant by @harshavardhana in #19448
• fix: unknow contentType for ArchiveFileHandler by @jiuker in #19451
• fix: noHost for collectLocalMetric by @jiuker in #19457
• doc: add Content-Type to s3zip by @jiuker in #19455
• Allow specifying the local server with env variable _MINIO_SERVER_LOCAL by @allanrogerr in #19453
• handle missing LDAP normalization in SetPolicy() API by @harshavardhana in #19465
• avoid busy loops in bad path component by @harshavardhana in #19466
• allow protection from invalid config values by @harshavardhana in #19460
• fix CopyObject with replace overwriting inline status by @poornas in #19468
• Updated Console UI to v1.2.0 by @bexsoft in #19467
• update versioning tests to cover CopyObject() by @harshavardhana in #19472
• remove SetDiskLoc() rely on the endpoint values instead by @harshavardhana in #19475
• Add drive metrics in metrics-v3 by @anjalshireesh in #19452
• remove permission denied error for being drive error by @harshavardhana in #19478
• Inspect: Add error if no results by @klauspost in #19476
• simplify common functions in replication by @harshavardhana in #19480
• Fix some CI warnings by @donatello in #19482
• Correct sample for node scrape configuration by @shtripat in #19491
• fix: close sessionPolicyFile in the sts-assume-role example by @testwill in #19428
• fix: list operations resuming when hitting different node by @klauspost in #19494
• Keep an up-to-date copy of the KMS master key by @allanrogerr in #19492
• remove older deploymentID fix behavior to speed up startup by @harshavardhana in #19497
• code clean for dynamicSleeper by @jiuker in #19499
• ILM expiry replication status only if enabled by @shtripat in #19503
• convert multipart-cleanup from a blocking unlink() to a rename to trash by @harshavardhana in #19495
• removed hardcoded datasource uid by @mawatech in #19477
• fix: ListObjectVersions returning duplicates when resuming with null version id by @klauspost in #19518
• Use pkg helper to allow default MINIO_KMS_KEY_CACHE_INTERVAL as a time.Duration by @allanrogerr in #19512
• update all deps regular cadence by @harshavardhana in #19523
• At server init, use the correct context when creating the KMS Master Key by @allanrogerr in #19526
• ftp: Return current time for prefixes/directories by @klauspost in #19519
• Improve typos configuration by @szepeviktor in #19489
• allow detaching any non-normalized DN by @harshavardhana in #19525
• reload from drive tier-config when in-memory cache is not found by @harshavardhana in #19527
• Add system memory metrics in v3 by @anjalshireesh in #19486
• Add cluster audit metrics in metrics-v3 by @anjalshireesh in #19514
• list: Fix rare listing continuation freeze by @vadmeste in #19524
• ldap: Normalize DNs when importing by @donatello in #19528
• add ftp example for to helm's values.yaml extraArgs field by @jiuker in #19541
• fix: ldap: avoid unnecessary import errors by @donatello in #19547

New Contributors

• @mawatech made their first contribution in #19477
• @szepeviktor made their first contribution in #19489

Full Changelog: RELEASE.2024-04-06T05-26-02Z...RELEASE.2024-04-18T19-09-19Z