Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Chapter 9. Accessing Object Storage Using a REST API

SectionProviding Object Storage Using the Amazon S3 API

SectionObjectives
SectionAmazon S3 API in RADOS Gateway
SectionCreating a User for the Amazon S3 API
SectionManaging Ceph Object Gateway Users
SectionAccessing S3 Objects Using RADOS Gateway
Section

Guided Exercise: Providing Object Storage Using the Amazon S3 API

Providing Object Storage Using the Swift API

Objectives
OpenStack Swift Support in a RADOS Gateway
Creating a Subuser for OpenStack Swift
Managing Ceph Object Gateway Subusers
Swift Container Object Versioning and Expiration
Multitenancy Support in Swift

Guided Exercise: Providing Object Storage Using the Swift API

Lab: Accessing Object Storage Using a REST API

Summary

Abstract

Goal	Configure the RADOS Gateway to provide access to object storage using REST APIs.
Objectives	Configure the RADOS Gateway to provide access to object storage compatible with the Amazon S3 API, and manage objects stored using that API. Configure the RADOS Gateway to provide access to object storage compatible with the Swift API, and manage objects stored using that API.
Sections	Providing Object Storage Using the Amazon S3 API (and Guided Exercise) Providing Object Storage Using the Swift API (and Guided Exercise)
Lab	Accessing Object Storage Using a REST API

Providing Object Storage Using the Amazon S3 API

Objectives

After completing this section, you should be able to configure the RADOS Gateway to provide access to object storage compatible with the Amazon S3 API, and manage objects stored using that API.

Amazon S3 API in RADOS Gateway

The Amazon S3 API enables developers to manage object storage resources using an Amazon S3 compatible interface. Applications implemented with the S3 API can inter-operate with other S3-compatible object storage services besides the RADOS Gateway, and migrate storage from other locations to your Ceph storage cluster. In a hybrid cloud environment, you can configure your applications to use different authentication keys, regions, and vendor services to mix private enterprise and public cloud resources and storage locations seamlessly using the same API.

The Amazon S3 interface defines the namespace in which objects are stored as a bucket. To access and manage objects and buckets using the S3 API, applications use RADOS Gateway users for authentication. Each user has an access key that identifies the user and a secret key that authenticates the user.

There are object and metadata size limits to consider when using the Amazon S3 API:

An object size is between a minimum of OB and a maximum of 5 TB.
The maximum size is 5GB in a single upload operation.
Upload objects larger than 100MB by using the multipart upload capability.
The maximum metadata size is 16,000 bytes in a single HTTP request.

Creating a User for the Amazon S3 API

Create the needed RADOS Gateway users first, then use them to authenticate Amazon S3 clients with the gateway. Use the radosgw-admin user create command to create RADOS Gateway users.

When creating RADOS Gateway users, both the --uid and --display-name options are required, and specify a unique account name and a human friendly display name. Use the --access-key and --secret options to specify a custom AWS account and secret key for the RADOS user.

[ceph: root@node /]# radosgw-admin user create --uid=testuser \
  --display-name="Test User" --email=test@example.com \
  --access-key=12345 --secret=67890
...output omitted...
    "keys": [
        {
            "user": "testuser",
            "access_key": "12345",
            "secret_key": "67890"
        }
...output omitted...

If the access key and secret key are not specified, the radosgw-admin command automatically generates them and displays them in the output.

[ceph: root@node /]# radosgw-admin user create --uid=s3user \
  --display-name="Amazon S3 API user"
...output omitted...
    "keys": [
        {
            "user": "s3user",
            "access_key": "8PI2D9ARWNGJI99K8TOS",
            "secret_key": "brKaQdhyR022znVVVVdDLuAEafRjbrAorr0GoXN1"
        }
...output omitted...

Important

When the radosgw-admin command automatically generates the access key and secret, either key might includes a JSON escape character (\). Clients might not handle this character correctly. Either regenerate or manually specify the keys to avoid this issue.

Managing Ceph Object Gateway Users

To regenerate only the secret key of an existing user, use the radosgw-admin key create command with the --gen-secret option.

[ceph: root@node /]# radosgw-admin key create --uid=s3user \
  --access-key="8PI2D9ARWNGJI99K8TOS" --gen-secret
...output omitted...
    "keys": [
        {
            "user": "s3user",
            "access_key": "8PI2D9ARWNGJI99K8TOS",
            "secret_key": "MFVxrGNMBjKOO7JscLFbEyrEmJFnLl43PHSswpLC"
        }
...output omitted...

To add an access key to an existing user, use the --gen-access-key option. Creating additional keys is convenient for granting the same user access to multiple applications that require different or unique keys.

[ceph: root@node /]# radosgw-admin key create --uid=s3user --gen-access-key
{
...output omitted...
    "keys": [
        {
            "user": "s3user",
            "access_key": "8PI2D9ARWNGJI99K8TOS",
            "secret_key": "MFVxrGNMBjKOO7JscLFbEyrEmJFnLl43PHSswpLC"
        },
        {
            "user": "s3user",
            "access_key": "GPYJGPSONURDY7SG0LLO",
            "secret_key": "T7jcG5YgEqqPxWMkdCTBsY0DM3rgIOmqkmtjRlCX"
        }
...output omitted...

To remove an access key and related secret key from a user, use the radosgw-admin key rm command with the --access-key option. This is useful for removing single application access without impacting access with other keys.

[ceph: root@node /]# radosgw-admin key rm --uid=s3user \
  --access-key=8PI2D9ARWNGJI99K8TOS
{
    "keys": [
        {
            "user": "s3user",
            "access_key": "GPYJGPSONURDY7SG0LLO",
            "secret_key": "T7jcG5YgEqqPxWMkdCTBsY0DM3rgIOmqkmtjRlCX"
        }

Temporarily disable and enable RADOS Gateway users by using the radosgw-admin user suspend and radosgw-admin user enable commands. When suspended, a user's subusers are also suspended and unable to interact with the RADOS Gateway service.

You can modify user information such as email, display name, keys and access control level. The access control levels are: read, write, readwrite, and full. The full access level includes the readwrite level and the access control management capability.

[ceph: root@node /]# radosgw-admin user modify --uid=johndoe --access=full

To remove a user and also delete their objects and buckets, use the --purge-data option.

[ceph: root@node /]# radosgw-admin user rm --uid=s3user --purge-data

Set quotas to limit the amount of storage a user or bucket can consume. Set the quota parameters first, then enable the quota. To disable a quota, set a negative value for the quota parameter.

Bucket quotas apply to all buckets owned by a specific UUID, regardless of the user accessing or uploading to those buckets.

In this example, the quota for the app1 user is set to a maximum of 1024 objects. The user quota is then enabled.

[ceph: root@node /]# radosgw-admin quota set --quota-scope=user --uid=app1 \
  --max-objects=1024
[ceph: root@node /]# radosgw-admin quota enable --quota-scope=user --uid=app1

Similarly, apply quotas to buckets by setting the --quota-scope option to bucket. In this example, the loghistory bucket is set for a maximum size of 1024 bytes.

[ceph: root@node /]# radosgw-admin quota set --quota-scope=bucket \
--uid=loghistory --max-objects=1024B
[ceph: root@node /]# radosgw-admin quota enable --quota-scope=bucket --uid=loghistory

Global quotas affect all buckets in the cluster.

[ceph: root@node /]# radosgw-admin global quota set --quota-scope bucket \
--max-objects 2048
[ceph: root@node /]# radosgw-admin global quota enable --quota-scope bucket

To be implemented in a zone and period configuration, use the radosgw-admin period update --commit command to commit the change. Alternately, restart the RGW instances to implement the quota.

Use the following commands to retrieve user information and statistics:

Action	Command
Retrieve user information.	`radosgw-admin user info --uid=uid`
Retrieve user statistics.	`radosgw-admin user stats --uid=uid`

Storage administrators monitor usage statistics to determine the storage consumption or user bandwidth usage. Monitoring can also help find inactive applications or inappropriate user quotas.

Use the radosgw-admin user stats and radosgw-admin user info commands to view user information and statistics.

[ceph: root@node /]# radosgw-admin user info --uid=uid
[ceph: root@node /]# radosgw-admin user stats --uid=uid

Use the radosgw-admin usage show command to show the usage statistics of a user between specific dates.

[ceph: root@node /]# radosgw-admin usage show --uid=uid  --start-date=start  --end-date=end

View the statistics for all users by using the radosgw-admin usage show command. Use these overall statistics to help understand object storage patterns and plan the deployment of new instances for scaling the RADOS gateway service.

[ceph: root@node /]# radosgw-admin usage show --show-log-entries=false

Accessing S3 Objects Using RADOS Gateway

The Amazon S3 API supports several bucket URL formats, including either http://server.example.com/bucket/ or http://bucket.server.example.com/. Some clients, such as the s3cmd command, only support the second URL format. RADOS Gateway does not enable this format by default. To enable the second URL format, set the rgw_dns_name parameter for your DNS suffix.

[ceph: root@node /]# ceph config set client.rgw rgw_dns_name dns_suffix

where dns_suffix is the fully qualified domain name to be used to create your bucket's name.

In addition to configuring rgw_dns_name, you must configure your DNS server with a wildcard DNS record for that domain that points to the RADOS Gateway IP address. Syntax for implementing wildcard DNS entries varies for different DNS servers.

Using Amazon S3 API Clients

Commands from the awscli package support bucket and object management by using the S3 API. You can create a bucket by using the aws mb command. This example command creates the bucket called demobucket.

[ceph: root@node /]# aws s3 mb s3://demobucket

Upload objects to a bucket using the aws cp command. This example command uploads an object called demoobject to the demobucket bucket, using the local file /tmp/demoobject.

[ceph: root@node /]# aws --acl=public-read-write s3 cp /tmp/demoobject \
s3://demobucket/demoobject

The radosgw-admin command supports bucket operations, such as the radosgw-admin bucket list and the radosgw-admin bucket rm commands.

Note

There are multiple S3 public clients available, such as awscli, cloudberry, cyberduck, and curl, which provide access to object storage supporting the S3 API.

S3 Bucket Versioning, Life Cycle, and Policies

S3 bucket versioning supports storing multiple versions of an object in a bucket. RADOS Gateway supports versioned buckets, adding a version identifier to objects uploaded to the bucket. The bucket owner configures the bucket as a versioned bucket.

RADOS Gateway also supports S3 API object expiration by using rules defined for a set of bucket objects. Each rule has a prefix, which selects the objects, and a number of days after which objects become unavailable.

RADOS Gateway supports only a subset of the Amazon S3 API policy language applied to buckets. No policy support is available for users, groups, or roles. Bucket policies are managed through standard S3 operations rather than using the radosgw-admin command.

An S3 policy uses JSON format to define the following elements:

The Resource key defines the resources which permissions the policy modifies. The policy uses the Amazon Resource Name (ARN) associated with the resources to identify it.
The Actions key defines the operations allowed or denied for a resource. Each resource has a set of operations available.
The Effect key indicates if the policy allows or denies the action previously defined for a resource. By default, a policy denies the access to a resource.
The Principal key defines the user to whom the policy allows or denies access to a resource.

{
  "Version": "2021-03-10",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::testaccount:user/testuser"]
      },
      "Action": "s3:ListBucket",
      "Resource": [
      "arn:aws:s3:::testbucket"
      ]
    }
  ]
}

Support for S3 MFA Delete

The RADOS Gateway service supports S3 MFA Delete by using Time-based, One-time Password (TOTP) passwords as an authentication factor. This feature adds security against inappropriate and unauthorized data removal. You can configure buckets to require a TOTP one-time token in addition to standard S3 authentication to delete data. To delete an object, the bucket owner must include a request header with the authentication device's serial number and the authentication code in HTTPS to permanently delete an object version or change the versioning state of the bucket. Without the header, the request fails.

Creating New IAM Policies and Roles Using REST APIs

REST APIs for IAM (identity and access management) roles and user policies are now available in the same namespace as S3 APIs and can be accessed using the same endpoint as S3 APIs in the Ceph Object Gateway. This feature allows end users to create new IAM policies and roles by using REST APIs.

Support for Amazon S3 Resources in Ceph Object Gateway

AWS provides the Security Token Service (STS) to allow secure federation with existing OpenID Connect/ OAuth 2.0 compliant identity services such as Keycloak. STS is a standalone REST service that provides temporary tokens for an application or user to access an S3 endpoint after the user authenticates against an identity provider. Previously, users without permanent Amazon Web Services (AWS) credentials could not access S3 resources through Ceph Object Gateway.

Ceph Object Gateway implements a subset of STS APIs that provide temporary credentials for identity and access management. These temporary credentials can be used to make subsequent S3 calls, which will be authenticated by the STS engine in RGW. Permissions of the temporary credentials can be further restricted via an IAM policy passed as a parameter to the STS APIs. Ceph Object Gateway supports STS AssumeRoleWithWebIdentity.

References

For more information, refer to the Static Web Hosting section in the Red Hat Ceph Storage 5 Object Gateway Guide at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/object_gateway_guide/basic-configuration#static-web-hosting

For more information, refer to the Security section in the Red Hat Ceph Storage 5 Object Gateway Guide at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/object_gateway_guide/security

For more information, refer to the Ceph Object Gateway and the S3 API chapter in the Red Hat Ceph Storage 5 developer Guide at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/developer_guide/ceph-object-gateway-and-the-s3-api

Discuss Cloud Storage with Red Hat Ceph Storage

Go to community

Red Hat Ceph Storage for OpenStack (CL260)

Haley_Ruccio

3 sie 2023

Build, expand and maintain cloud-scale, clustered storage for your applications with Red Hat Ceph StorageCloud Storage with Red Hat Ceph Storage (CL260) is designed for storage administrators and cloud operators who deploy Red Hat Ceph Storage in a production data center environment or as a component of a Red Hat OpenStack Platform or OpenShift Container Platform infrastructure. Learn how to deploy, manage, and scale a Ceph storage cluster to provide hybrid storage resources, including Amazon S3 and OpenStack Swift-compatible object storage, Ceph-native and iSCSI-based block storage, and shared file storage. This course is based on Red Hat Ceph Storage 5.0.Course summaryDeploy and manage a Red Hat Ceph Storage cluster on commodity servers.Perform common management operations using the web-based management interface.Create, expand, and control access to storage pools provided by the Ceph cluster.Access Red Hat Ceph Storage from clients using object, block, and file-based methods.Analyze and tune Red Hat Ceph Storage performance.Integrate Red Hat OpenStack Platform image, object, block, and file storage with a Red Hat Ceph Storage cluster.Integrate OpenShift Container Platform with a Red Hat Ceph Storage cluster.Target AudienceThis course is intended for storage administrators and cloud operators who want to learn how to deploy and manage Red Hat Ceph Storage on servers in an enterprise data center or within a Red Hat OpenStack Platform or OpenShift Container Platform environment.Developers writing applications that use cloud-based storage will learn the distinctions of various storage types and client access methods.Recommended trainingTake our free assessment to gauge whether this offering is the best fit for your skills.Red Hat Certified System Administrator (RHCSA) certification, or equivalent experience.For candidates that have not earned an RHCSA or equivalent, confirmation of the correct skill set knowledge can be obtained by taking the online skills assessment.Some experience with storage administration is recommended but not required.Technology considerationsThis course does not have any special technical requirements.This course is not intended for BYOD.Internet access is recommended.

Welcome to the Red Hat Ceph Storage for OpenStack (CL260) group in the Red Hat Learning Community!

cschunke

31 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course CL260! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to CL260.Read more about Red Hat Ceph Storage for OpenStack here.

381

Revision: cl260-5.0-29d2128