CL260 - ch09s03

Bookmark this page

Providing Object Storage Using the Swift API

Objectives

After completing this section, you should be able to configure the RADOS Gateway to provide access to object storage compatible with the Swift API, and manage objects stored using that API.

OpenStack Swift Support in a RADOS Gateway

The OpenStack Swift API enables developers to manage object storage resources using a Swift compatible interface. Applications implemented with the S3 API can inter-operate with other Swift-compatible object storage services besides the RADOS Gateway, and migrate storage from other locations to your Ceph storage cluster. In a hybrid cloud environment, you can configure your applications to mix private enterprise OpenStack or standalone Swift resources and public cloud OpenStack resources and storage locations seamlessly using the same API.

The OpenStack Swift API is an alternative to the Amazon S3 API to access objects stored in the Red Hat Ceph Storage cluster through a RADOS Gateway. There are important differences between the OpenStack Swift and Amazon S3 APIs.

OpenStack Swift refers to the namespace in which objects are stored as a container.

The OpenStack Swift API has a different user model than the Amazon S3 API. To authenticate with a RADOS Gateway using the OpenStack Swift API, you must configure subusers for your RADOS Gateway user accounts.

Creating a Subuser for OpenStack Swift

The Amazon S3 API authorization and authentication model has a single-tier design. A single user account might have multiple access keys and secrets, which the user can use to provide different types of access.

The OpenStack Swift API, however, has a multi-tier design, built to accommodate tenants and assigned users. A Swift tenant owns the storage and its containers used by a service. Swift users are assigned to the service and have different levels of access to the storage owned by the tenant.

To accommodate the OpenStack Swift API authentication and authorization model, RADOS Gateway has the concept of subusers. This model allows Swift API tenants to be handled as RADOS Gateway users, and Swift API users to be handled as RADOS Gateway subusers. The Swift API tenant:user tuple maps to RADOS Gateway authentication system as a user:subuser. A subuser is created for each Swift user, and it is associated with a RADOS Gateway user and an access key.

To create a subuser, use the radosgw-admin subuser create command as follows:

[ceph: root@node /]# radosgw-admin subuser create --uid=username \
  --subuser=username:swift --access=full

The --access option sets the user permissions (read, write, read/write, full), and --uid specifies the existing associated RADOS Gateway user. Use the radosgw-admin key create command with the --key-type=swift option to create a Swift authentication key associated with the subuser.

[ceph: root@node /]# radosgw-admin key create --subuser=username:swift \
  --key-type=swift

When a Swift client communicates with a RADOS Gateway, then the latter acts as both the data server and the Swift authentication daemon (using the /auth URL path). The RADOS Gateway supports both Internal Swift (version 1.0) and OpenStack Keystone (version 2.0) authentication. The secret specified using -K is the secret created with the Swift key.

Note

Ensure your command-line parameters are not being overridden or influenced by any operating system environment variables. If you are using Auth version 1.0, then use the ST_AUTH, ST_USER, and ST_KEY environment variables. If you are using Auth version 2.0, then use the OS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, and OS_TENANT_ID environment variables.

In the Swift API, a container is a collection of objects. An object in the Swift API is a binary large object (blob) of data stored in Swift.

To verify RADOS Gateway accessibility using the Swift API, use the swift post command to create a container.

[root@node ~]$ swift -A http://host/auth -U username:swift -K secret \
  post container-name

To upload a file to a container, use the swift upload command:

[root@node ~]$ swift -A http://host/auth -U username:swift -K secret \
  upload container-name file-name

If you use the absolute path to define the file location, then the object's name contains the path to file, including the slash character /. For example, the following command uploads the /etc/hosts file to the services bucket.

[root@node ~]$ swift -A http://host/auth/ -U user:swift -K secret \
  upload services /etc/hosts

In this example, the uploaded object name is etc/hosts. You can define the object name by using the --object-name option.

To download a file, use the download command.

[root@node ~]$ swift -A http://host/auth -U username:swift -K secret \
  download container-name object-name

Managing Ceph Object Gateway Subusers

Modify the access level for a subuser by using the radosgw-admin subuser modify command. The access level sets the user permissions to read, write, read/write, or full.

[root@node ~]$ radosgw-admin subuser modify --subuser=uid:_subuserid_ \
--access=access-level

Remove subusers using the radosgw-admin subuser rm command. The --purge-data option purges all data associated to the subuser and the --purge-keys option purges all the subuser keys.

[root@node ~]$ radosgw-admin subuser rm --subuser=uid:_subuserid_ \
[--purge-data] [--purge-keys]

You can manage the subuser keys by using the radosgw-admin key command. This example creates a subuser key.

[root@node ~]$ radosgw-admin key create --subuser=uid:_subuserid_ \
--key-type=swift [--access-key=access-key] [--secret-key=secret-key]

The key-type option only admits the values swift or s3. Use the --access-key option if you want to manually specify an S3 access key, and use the --secret-key option if you want to manually specify an S3 or Swift secret key. If the access key and secret key are not specified, the radosgw-admin command automatically generates them and displays them in the output. Alternately, use the --gen-access-key option to generate only a random access key, or the --gen-secret option to generate only a random secret.

To remove a subuser key, use the radosgw-admin key rm command.

[root@node ~]$ radosgw-admin key rm --subuser=uid:subuserid

Swift Container Object Versioning and Expiration

The Swift API supports object versioning for a container, providing the ability to keep multiple versions of an object in a container. Object versioning avoids accidental object overwrites and deletions, and archives previous objects versions. The Swift API creates a new object version in the versioned container only when the object content changes.

To enable versioning on a container, set the value of a container flag to be the name of the container which stores the versions. Set the flag when creating new containers or by updating the metadata on existing containers.

Note

You should use a different archive container for each container to be versioned. Enabling versioning on an archive container is not recommended.

The Swift API supports two header keys for this versioning flag, either X-History-Location or X-Versions-Location, which determines how the Swift API handles object DELETE operations.

With the X-History-Location flag set, you receive a 404 Not Found error after deleting the object inside the container. Swift copies the object to the archive container and removes the original copy in the versioned container. You can recover the object from the archive container.

With the X-Versions-Location flag set, Swift removes the current object version in the versioned container. Then, Swift copies the most recent object version in the archive container to the versioned container, and deletes that most recent object version from the archive container. To completely remove an object from a versioned container with the X-Versions-Location flag set, you must remove the object as many times as there are object versions available in the archive container.

Set only one of these flags at the same time on an OpenStack Swift container. If the container's metadata contains both flags, then a 400 Bad Request error is issued.

RADOS Gateway supports the Swift API object versioning feature. To activate this feature in the RADOS Gateway, set rgw_swift_versioning_enabled to true in the [client.radosgw.radosgw-name] section in the /etc/ceph/ceph.conf configuration file.

RADOS Gateway also supports using the X-Delete-At and X-Delete-After headers when adding objects using the Swift API. At the time specified by the header, RADOS Gateway stops serving that object, and removes it shortly after.

Multitenancy Support in Swift

The OpenStack Swift API supports the use of tenants to isolate buckets and users. The Swift API associates every new bucket created by a user with a tenant. This feature allows you to use the same bucket name on different tenants, because tenants isolate resources. For backward compatibility, the Swift API uses a generic, no-name tenant for containers which don't have an associated tenant.

Configure Swift API tenants in RADOS Gateway with the radosgw-admin command. This command requires a tenant to create the user provided using the --tenant option.

[root@node ~]$ radosgw-admin user create --tenant testtenant \
  --uid testuser --display-name "Swift User" --subuser testswift:testuser \
  --key-type swift --access full

Any further reference to the subuser must include the tenant.

[root@node ~]$ radosgw-admin --subuser 'testtenant$testswift:testuser' \
  --key-type swift --secret redhat

References

For more information, refer to the Configuration Reference chapter in the Object Gateway Configuration and Administration Guide at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/object_gateway_guide/index#rgw-configuration-reference-rgw

Discuss Cloud Storage with Red Hat Ceph Storage

Go to community

Red Hat Ceph Storage for OpenStack (CL260)

Haley_Ruccio

3 sie 2023

Build, expand and maintain cloud-scale, clustered storage for your applications with Red Hat Ceph StorageCloud Storage with Red Hat Ceph Storage (CL260) is designed for storage administrators and cloud operators who deploy Red Hat Ceph Storage in a production data center environment or as a component of a Red Hat OpenStack Platform or OpenShift Container Platform infrastructure. Learn how to deploy, manage, and scale a Ceph storage cluster to provide hybrid storage resources, including Amazon S3 and OpenStack Swift-compatible object storage, Ceph-native and iSCSI-based block storage, and shared file storage. This course is based on Red Hat Ceph Storage 5.0.Course summaryDeploy and manage a Red Hat Ceph Storage cluster on commodity servers.Perform common management operations using the web-based management interface.Create, expand, and control access to storage pools provided by the Ceph cluster.Access Red Hat Ceph Storage from clients using object, block, and file-based methods.Analyze and tune Red Hat Ceph Storage performance.Integrate Red Hat OpenStack Platform image, object, block, and file storage with a Red Hat Ceph Storage cluster.Integrate OpenShift Container Platform with a Red Hat Ceph Storage cluster.Target AudienceThis course is intended for storage administrators and cloud operators who want to learn how to deploy and manage Red Hat Ceph Storage on servers in an enterprise data center or within a Red Hat OpenStack Platform or OpenShift Container Platform environment.Developers writing applications that use cloud-based storage will learn the distinctions of various storage types and client access methods.Recommended trainingTake our free assessment to gauge whether this offering is the best fit for your skills.Red Hat Certified System Administrator (RHCSA) certification, or equivalent experience.For candidates that have not earned an RHCSA or equivalent, confirmation of the correct skill set knowledge can be obtained by taking the online skills assessment.Some experience with storage administration is recommended but not required.Technology considerationsThis course does not have any special technical requirements.This course is not intended for BYOD.Internet access is recommended.

Welcome to the Red Hat Ceph Storage for OpenStack (CL260) group in the Red Hat Learning Community!

cschunke

31 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course CL260! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to CL260.Read more about Red Hat Ceph Storage for OpenStack here.

381

Revision: cl260-5.0-29d2128