Configuring S3 Gateway
Describes how to configure the S3 gateway.
EEP 7.1.0 and later supports S3 gateway version 2.1.0 and higher. S3 gateway 2.2.0.0 is available starting in EEP 8.0.0.
Set the S3 gateway superadmin credentials and, if needed, change the deployment mode in the minio.json file. After you update and save the file, restart the objectstore service.
Global Configuration
To change the global configuration of the S3 gateway, update the configuration file located at /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json.
The configuration file for S3 gateway 2.1.0 and later differs from previous versions: it adds the LDAP, distributed mode (distributedHosts), and insecureSkipVerify settings.
S3 gateway version 2.1.0 and later configuration example
{
"version": "2",
"fsPath": "/mapr/${cluster}/apps/s3/${node}",
"deploymentMode": "S3",
"distributedHosts": "",
"accessKey": "minioadmin",
"secretKey": "minioadmin",
"oldAccessKey": "",
"oldSecretKey": "",
"port": "9000",
"domain": "",
"logPath": "/opt/mapr/objectstore-client/objectstore-client-<version>/logs/minio.log",
"logLevel": 4,
"insecureSkipVerify": false,
"ldap": {
"serverAddr": "",
"usernameFormat": "",
"userDNSearchBaseDN": "",
"userDNSearchFilter": "",
"groupSearchFilter": "",
"groupSearchBaseDn": "",
"lookUpBindDN": "",
"lookUpBindPassword": "",
"stsExpiry": "",
"tlsSkipVerify": "",
"serverStartTls": "",
"serverInsecure": ""
}
}
S3 gateway version 2.0.x configuration example
{
"fsPath":"/mapr/${cluster}/apps/s3/${node}",
"deploymentMode":"S3",
"accessKey":"minioadmin",
"secretKey":"minioadmin",
"oldAccessKey":"",
"oldSecretKey":"",
"port":"9000",
"domain":"",
"logPath":"/opt/mapr/objectstore-client/objectstore-client-2.0.0/logs/minio.log",
"logLevel":4,
"ldap":{
"serverAddr":"",
"usernameFormat":"",
"usernameSearchFilter":"",
"groupSearchFilter":"",
"groupSearchBaseDn":"",
"usernameSearchBaseDn":"",
"groupNameAttribute":"",
"stsExpiry":"",
"tlsSkipVerify":"",
"serverStartTls":"",
"severInsecure":""
}
}
Changing the port or the log path requires you to reconfigure Warden for the server node and restart the S3 gateway. Changing any other property requires only an S3 gateway restart.
Setting the superadmin Credentials
You configure the superadmin user name and password with the accessKey and secretKey properties. If you are configuring the S3 gateway for the first time, it is enough to change these two values. To change the superadmin credentials on an already configured instance, you must also place the previous values in oldAccessKey and oldSecretKey. The sample file ships with both keys set to minioadmin, which is MinIO's well-known default; change both before the gateway is reachable from anything other than the local host.
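The rotation rule above (carry the current pair into oldAccessKey and oldSecretKey unless this is a first-time configuration) is easy to get wrong by hand. The following Python helper is an added example and is not part of this page or of the product: it rewrites minio.json accordingly, refuses the shipped minioadmin defaults or a pair below MinIO's minimum key lengths, and keeps the rewritten file owner-readable only. The sample configuration, file path, and replacement credentials are constructed for the example.

```python
import json
import os
from copy import deepcopy

# Credentials that ship in the sample minio.json; they are public knowledge.
DEFAULT_ACCESS_KEY = "minioadmin"
DEFAULT_SECRET_KEY = "minioadmin"

# MinIO enforces at least 3 characters for an access key and 8 for a secret key.
MIN_ACCESS_KEY_LEN = 3
MIN_SECRET_KEY_LEN = 8


def credential_problems(cfg: dict, new_access_key: str, new_secret_key: str) -> list:
    """Return the reasons a proposed superadmin pair must be rejected (empty list = acceptable)."""
    problems = []
    if new_access_key == DEFAULT_ACCESS_KEY or new_secret_key == DEFAULT_SECRET_KEY:
        problems.append("default minioadmin value reused")
    if len(new_access_key) < MIN_ACCESS_KEY_LEN:
        problems.append(f"access key shorter than {MIN_ACCESS_KEY_LEN} characters")
    if len(new_secret_key) < MIN_SECRET_KEY_LEN:
        problems.append(f"secret key shorter than {MIN_SECRET_KEY_LEN} characters")
    if new_access_key == cfg.get("accessKey") and new_secret_key == cfg.get("secretKey"):
        problems.append("new pair is identical to the current pair")
    return problems


def rotate_superadmin(cfg: dict, new_access_key: str, new_secret_key: str,
                      first_time: bool = False) -> dict:
    """Return a copy of the parsed minio.json with the superadmin pair replaced.

    On an already configured instance the current values are carried over into
    oldAccessKey/oldSecretKey, because the gateway needs them to migrate to the
    new pair. On a first-time configuration (first_time=True) the old fields are
    left empty, as in the shipped sample file.
    """
    problems = credential_problems(cfg, new_access_key, new_secret_key)
    if problems:
        raise ValueError("; ".join(problems))
    new_cfg = deepcopy(cfg)
    new_cfg["oldAccessKey"] = "" if first_time else cfg.get("accessKey", "")
    new_cfg["oldSecretKey"] = "" if first_time else cfg.get("secretKey", "")
    new_cfg["accessKey"] = new_access_key
    new_cfg["secretKey"] = new_secret_key
    return new_cfg


def rotate_file(path: str, new_access_key: str, new_secret_key: str,
                first_time: bool = False) -> dict:
    """Rewrite minio.json atomically with mode 0600: after a rotation the file
    holds both the new and the previous superadmin secret."""
    with open(path) as f:
        cfg = json.load(f)
    new_cfg = rotate_superadmin(cfg, new_access_key, new_secret_key, first_time)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(new_cfg, f, indent=2)
    os.replace(tmp, path)
    return new_cfg


if __name__ == "__main__":
    # Constructed sample: a freshly installed gateway still on the shipped defaults.
    sample = {"version": "2", "accessKey": "minioadmin", "secretKey": "minioadmin",
              "oldAccessKey": "", "oldSecretKey": "", "port": "9000"}
    print(json.dumps(rotate_superadmin(sample, "s3admin", "Tr0ub4dor&3-x9q"), indent=2))
```

Restart the objectstore service after rotate_file has replaced the file; until then the gateway still runs with the previous pair.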
Setting the Deployment Mode
The deployment mode sets the type of authorization being used. The default deployment mode is S3. To change the deployment mode, edit the deploymentMode parameter in the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json file.
Option | Deployment Mode | Description |
---|---|---|
1 | FS | Enforced by file system permissions only. The S3 bucket policy is disabled. Access is granted based on the bucket owner UID and GID (not on read, write, or execute permissions). |
2 | S3 | Enforced by S3 bucket policy only. IMPORTANT: To prevent unauthorized access to data, upload the corresponding S3 policies as soon as the S3 gateway starts. |
Setting the Path to Mount the File System
In FS deployment mode, you must set the path to mount the file system:
Node Type | How to Set the Path |
---|---|
Server node | In the minio.json file, set the fsPath parameter to the file-system mount path. By default, the path is set to /mapr/<clustername>/apps/s3/<nodename>. If you want to share existing folders with users, set the fsPath parameter to point to the directory that contains those folders. All the folders in the directory to which fsPath points are accessible as buckets. IMPORTANT: Every folder in the parent folder (the fsPath parameter) is exposed as a bucket, so set file system permissions on those folders to prevent unauthorized access to data. |
Edge node | If you completed the edge-node installation steps, no action is required, because you already set the path to mount the file system when you ran the S3 gateway configure.sh script with the --path parameter. |
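Because every folder directly under fsPath becomes a bucket, it is worth auditing that directory before switching a node to FS mode. The following Python script is an added example, not part of this page or of the product: it lists each would-be bucket with its owner and mode bits and flags world-readable, world-writable and group-writable folders, as well as symlinks that would expose a folder outside the bucket root. The demo tree it builds is constructed for the example.

```python
import os
import stat
import tempfile


def audit_fspath(fs_path: str) -> dict:
    """Inspect every entry directly under fs_path, the directory the gateway exposes in FS mode.

    Each subdirectory becomes a bucket, so the result maps bucket name to its owner,
    its permission bits and a list of findings (empty when nothing looks wrong).
    Symlinks are reported because a link can expose a folder outside fs_path as a bucket.
    """
    report = {}
    with os.scandir(fs_path) as it:
        for entry in sorted(it, key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            findings = []
            if entry.is_symlink():
                findings.append(f"symlink to {os.readlink(entry.path)}; points outside the bucket root?")
            elif not entry.is_dir(follow_symlinks=False):
                continue  # plain files at the top level are not buckets
            else:
                if st.st_mode & stat.S_IWOTH:
                    findings.append("world-writable (o+w): any local user can add or delete objects")
                if st.st_mode & stat.S_IROTH:
                    findings.append("world-readable (o+r): any local user can list and read objects")
                if st.st_mode & stat.S_IWGRP:
                    findings.append("group-writable (g+w): confirm the group is the intended tenant")
            report[entry.name] = {
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "findings": findings,
            }
    return report


def make_demo_tree() -> str:
    """Constructed sample bucket root: one sane tenant folder, one wide-open folder,
    one stray file and one symlink escaping the root. Returns the root path."""
    root = tempfile.mkdtemp(prefix="s3-fspath-")
    os.mkdir(os.path.join(root, "tenant-a"))
    os.chmod(os.path.join(root, "tenant-a"), 0o750)
    os.mkdir(os.path.join(root, "public"))
    os.chmod(os.path.join(root, "public"), 0o777)
    with open(os.path.join(root, "README"), "w") as f:
        f.write("not a bucket\n")
    os.symlink("/etc", os.path.join(root, "escape"))
    return root


if __name__ == "__main__":
    # Run against the constructed tree; point audit_fspath at the real fsPath in practice.
    for bucket, info in audit_fspath(make_demo_tree()).items():
        print(bucket, info["uid"], info["gid"], info["mode"], info["findings"] or "ok")
```

The uid and gid columns matter as much as the mode bits: in FS mode the gateway grants access by bucket owner, so a folder owned by the wrong tenant is a misconfiguration even when its permission bits look tight.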
Distributed Mode
S3 gateway 2.1.0 and later supports distributed mode. S3 gateway 2.0.x does not support distributed mode.
- In distributed mode, instances of S3 gateway share only user and policy information, plus locks between nodes.
- Distributed mode does not include a proxy or load balancer in front of the instances. You must install and configure a proxy or load balancer manually.
- Distributed mode works only in S3 mode.
- Three or more nodes are recommended for S3 gateway in distributed mode. If only one node is active, that node runs in read-only mode.
To configure distributed mode:
- Configure S3 gateway 2.1.0 or later on three or more nodes.
- Disable caching in FUSE clients.
- On each S3 gateway node, update the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json file with the accessKey, secretKey, and ldap properties. The value of each of these properties must be identical across all the minio.json files.
- On all S3 gateway 2.1.0 or later nodes, verify that the distributedHosts property contains the list of nodes with their mount paths, for example:
"distributedHosts": "http(s)://HOST1:PORT1/MOUNT_PATH1 http(s)://HOST2:PORT2/MOUNT_PATH2"
Note that the mount path on all nodes should target the same folder in the file system.
- If the cluster is secured with self-signed certificates, copy the public certificate of each host to the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/certs/CAs directory. To ignore validation of the certificates, set "insecureSkipVerify": true. Skipping validation lets anyone on the network path impersonate a peer node, so use it only for troubleshooting, not in production.
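The distributed-mode requirements above (identical accessKey, secretKey and ldap on every node, a distributedHosts list whose entries all target the same folder, three or more nodes, and no skipped certificate checks) can be verified offline before you restart anything. The following Python lint is an added example and is not part of this page or of the product. The three-node sample it builds, its host names and its credential values are constructed; it treats the ldap.* flags as the string values shown in the configuration example and insecureSkipVerify as a boolean.

```python
import json
from urllib.parse import urlparse

DEFAULT_CREDENTIALS = ("minioadmin", "minioadmin")
MIN_NODES = 3  # fewer nodes is allowed, but a lone active node drops to read-only


def parse_distributed_hosts(value: str) -> list:
    """Split the space-separated distributedHosts string into (scheme, host, port, mount_path)."""
    entries = []
    for item in value.split():
        u = urlparse(item)
        if u.scheme not in ("http", "https") or not u.hostname or u.port is None:
            raise ValueError(f"malformed distributedHosts entry: {item!r}")
        entries.append((u.scheme, u.hostname, u.port, u.path))
    return entries


def _truthy(v) -> bool:
    # ldap.* flags are strings ("true"/"false"/""); insecureSkipVerify is a JSON boolean.
    return v is True or str(v).strip().lower() == "true"


def lint_node(name: str, cfg: dict) -> list:
    """Findings that are wrong on this node regardless of its peers."""
    findings = []
    if (cfg.get("accessKey"), cfg.get("secretKey")) == DEFAULT_CREDENTIALS:
        findings.append(f"{name}: superadmin still uses the default minioadmin credentials")
    if _truthy(cfg.get("insecureSkipVerify")):
        findings.append(f"{name}: insecureSkipVerify is true; peer certificates are not validated")
    ldap = cfg.get("ldap") or {}
    if ldap.get("serverAddr"):
        if _truthy(ldap.get("tlsSkipVerify")):
            findings.append(f"{name}: ldap.tlsSkipVerify is true; the LDAP server certificate is not validated")
        if _truthy(ldap.get("serverInsecure")):
            findings.append(f"{name}: ldap.serverInsecure is true; bind credentials travel in clear text")
        if ldap.get("lookUpBindDN") and not ldap.get("lookUpBindPassword"):
            findings.append(f"{name}: ldap.lookUpBindDN set without lookUpBindPassword")
    return findings


def lint_cluster(configs: dict) -> list:
    """configs maps node name -> parsed minio.json. Returns all findings; an empty list is clean."""
    findings = []
    for name, cfg in configs.items():
        findings += lint_node(name, cfg)

    # Shared state must be byte-identical everywhere, or the instances disagree
    # about who the superadmin is and how LDAP users resolve.
    for field in ("accessKey", "secretKey", "ldap", "distributedHosts"):
        values = {json.dumps(cfg.get(field), sort_keys=True) for cfg in configs.values()}
        if len(values) > 1:
            findings.append(f"{field} differs across nodes")

    for hosts in {cfg.get("distributedHosts", "") for cfg in configs.values()}:
        entries = parse_distributed_hosts(hosts)
        if len(entries) < MIN_NODES:
            findings.append(f"only {len(entries)} host(s) in distributedHosts; fewer than {MIN_NODES}")
        if len({(e[1], e[2]) for e in entries}) != len(entries):
            findings.append("duplicate host:port in distributedHosts")
        if len({e[3] for e in entries}) > 1:
            findings.append("distributedHosts mount paths differ; confirm they all resolve to the same folder")
        if any(e[0] == "http" for e in entries):
            findings.append("plain http entry in distributedHosts; inter-node traffic is unencrypted")
    return findings


def sample_cluster(broken: bool = False) -> dict:
    """Constructed three-node sample. With broken=True, node s3c keeps the shipped
    defaults and disables certificate checks, the mistake this lint is meant to catch."""
    hosts = " ".join(f"https://{n}.example.internal:9000/mapr/cl/apps/s3" for n in ("s3a", "s3b", "s3c"))

    def node():
        return {
            "version": "2", "deploymentMode": "S3", "distributedHosts": hosts,
            "accessKey": "s3admin", "secretKey": "Tr0ub4dor&3-x9q",
            "oldAccessKey": "", "oldSecretKey": "", "port": "9000", "insecureSkipVerify": False,
            "ldap": {"serverAddr": "ldap.example.internal:636", "tlsSkipVerify": "false",
                     "serverStartTls": "", "serverInsecure": "false",
                     "lookUpBindDN": "cn=s3,ou=svc,dc=example,dc=internal", "lookUpBindPassword": "x"},
        }

    cluster = {n: node() for n in ("s3a", "s3b", "s3c")}
    if broken:
        cluster["s3c"].update(accessKey="minioadmin", secretKey="minioadmin", insecureSkipVerify=True)
        cluster["s3c"]["ldap"]["tlsSkipVerify"] = "true"
    return cluster


if __name__ == "__main__":
    for line in lint_cluster(sample_cluster(broken=True)):
        print(line)
```

To run it against real nodes, collect each node's minio.json (for example over scp) and pass {node_name: json.load(...)} to lint_cluster; the mount-path finding is a prompt to check, not an error, because different mount points may legitimately resolve to the same folder.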
Setting Virtual Hosting of Buckets
You can enable the virtual hosting of buckets by setting the domain
property in the
/opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json
configuration file. For more information, see the Domain section in the MinIO Server Config Guide.
Setting LDAP Integration
Set LDAP integration in the ldap section of the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json configuration file. For descriptions and examples of the LDAP integration properties, see the MinIO LDAP documentation.
- S3 gateway 2.1.0 and later: In S3 gateway version 2.1.0, you can set LDAP integration only in S3 mode. In S3 gateway version 2.2.0.0, you can set LDAP integration in S3 or FS mode. LDAP integration in FS mode requires that the user have a primary UID and GID; you cannot assign more than one GID to a user. In FS mode, LDAP users are handled similarly to internal users: the primary UID and GID of the LDAP user are retrieved and injected into the request.
- S3 gateway 2.0.x: Only S3 mode is supported.
LDAP Limitations
- Starting from version 2.2.0.0, S3 gateway supports LDAP integration in S3 and FS mode. Previous versions support LDAP integration only in S3 mode.
- LDAP/AD integration does not work with Hadoop and Spark, because the HPE Ezmeral Data Fabric implementation of Hadoop and Spark does not support sessionToken.
- In S3 gateway 2.0.0, the MINIO_IDENTITY_LDAP_SERVER_STARTTLS property is not supported, and its value in the configuration file is ignored.
About Credentials
In the S3 world, credentials represent the application and not the identity of the end user. The application layer is responsible for end-user verification. The S3 administrator must assign S3 credentials for the application or set of applications and optionally, map those S3 credentials to a data-fabric identity.
As defined in the Amazon S3 documentation, the S3 REST API uses a “key” and “secret” (in a REST-like manner) as credentials to authenticate to the underlying object storage and authorize access to data.
S3 gateway supports a multi-tenant scenario in which the S3 administrator can configure one or more credentials with the appropriate data-fabric credential mapping. The S3 administrator can assign credentials to a user and, optionally, map them to a data-fabric identity.
For an overview of tenants and multi-tenancy, see Multitenancy on File System.
Adding Credentials and Policies
You add credentials and policies with the MinIO Client (mc), which is located at /opt/mapr/objectstore-client/objectstore-client-<version>/util/mc. For examples of using the MinIO Client, see the MinIO Admin Complete Guide.
In FS deployment mode, you must also pass the UID and GID when you add a user, so that the gateway can map the user to file system ownership. For example:
mc admin user add SERVER_ALIAS USERNAME PASSWORD UID GID
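In S3 mode the bucket policy is the only access control, so the policy you upload right after the gateway starts should grant one bucket (or one key prefix) and nothing else. The following Python helper is an added example, not part of this page or of the product: it builds such a policy, rejects policies whose action or resource wildcards span every bucket, and emits the mc command lines to create the user and attach the policy, including the FS-mode variant with UID and GID. The mc subcommand syntax (admin user add, admin policy add, admin policy set) is assumed from upstream mc releases and may differ in the bundled build; the alias, user, policy and bucket names are constructed.

```python
import json
import shlex

READ_OBJECT_ACTIONS = ["s3:GetObject"]
WRITE_OBJECT_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]


def bucket_policy(bucket: str, prefix: str = "", write: bool = False) -> dict:
    """IAM-style policy that grants exactly one bucket (optionally one key prefix).

    Listing is restricted with an s3:prefix condition so a tenant confined to a
    prefix cannot enumerate other tenants' keys in the same bucket.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket_arn]}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    object_actions = READ_OBJECT_ACTIONS + (WRITE_OBJECT_ACTIONS if write else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": [bucket_arn]},
            list_stmt,
            {"Effect": "Allow", "Action": object_actions, "Resource": [f"{bucket_arn}/{prefix}*"]},
        ],
    }


def policy_problems(policy: dict) -> list:
    """Flag Allow statements whose action or resource wildcard would span every bucket."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "s3:*") for a in actions):
            problems.append(f"statement {i}: wildcard action {actions}")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            problems.append(f"statement {i}: resource spans all buckets {resources}")
    return problems


def mc_commands(alias, user, secret, policy_name, policy_file, uid=None, gid=None) -> list:
    """Command lines that create the user, load the policy and attach it to the user.

    Assumed, not taken from the page: the mc admin user add / policy add / policy set
    syntax of upstream mc. Adjust for the mc release bundled with your gateway.
    """
    user_cmd = ["mc", "admin", "user", "add", alias, user, secret]
    if uid is not None and gid is not None:
        user_cmd += [str(uid), str(gid)]  # FS mode: the page's variant takes UID and GID
    return [shlex.join(c) for c in (
        user_cmd,
        ["mc", "admin", "policy", "add", alias, policy_name, policy_file],
        ["mc", "admin", "policy", "set", alias, policy_name, f"user={user}"],
    )]


def write_policy(path: str, policy: dict) -> None:
    problems = policy_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w") as f:
        json.dump(policy, f, indent=2)


if __name__ == "__main__":
    # Constructed example: a read-only application identity confined to one prefix.
    policy = bucket_policy("tenant-a", prefix="reports/")
    print(json.dumps(policy, indent=2))
    for cmd in mc_commands("ezs3", "tenant-a-app", "correct-horse-battery",
                           "tenant-a-ro", "/tmp/tenant-a-ro.json", uid=5001, gid=5001):
        print(cmd)
```

The generated user command carries the secret on the command line, where it is visible in process listings and shell history; on a shared host, feed the secret from a file or an environment variable instead of pasting the line as printed.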
Restarting the S3 Gateway Service
Start, restart, or stop the S3 gateway by using the command appropriate for the node:
Server Node
/opt/mapr/bin/maprcli node services -name objectstore -nodes <node_name> -action [ start | restart | stop ]
Edge Node
sudo /opt/mapr/objectstore-client/objectstore-client-<version>/bin/objectstore.sh [ start | stop ]