Configuring S3 Gateway

Describes how to configure the S3 gateway.

NOTICE The S3 gateway is included in EEP 6.0.0 - EEP 8.0.0 repositories. S3 gateway is not supported in HPE Ezmeral Data Fabric 7.0.0 onward. HPE Ezmeral Data Fabric 7.0.0 introduces a native object storage solution. For more information, see HPE Ezmeral Data Fabric Object Store.

EEP 7.1.0 and later supports S3 gateway version 2.1.0 and higher. S3 gateway 2.2.0.0 is available starting in EEP 8.0.0.

To set up the S3 gateway, add the superadmin credentials and set the deployment mode in the minio.json file. After you update and save the file, restart the objectstore service.

Global Configuration

To change the global configuration of the S3 gateway, update the configuration file located at /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json.

The configuration file for S3 gateway 2.1.0 and later differs from previous versions; it includes LDAP, distributed mode, and skip secure verification configuration updates.

S3 gateway version 2.1.0 and later configuration example

{ 
    "version": "2", 
    "fsPath": "/mapr/${cluster}/apps/s3/${node}", 
    "deploymentMode": "S3", 
    "distributedHosts": "", 
    "accessKey": "minioadmin", 
    "secretKey": "minioadmin", 
    "oldAccessKey": "", 
    "oldSecretKey": "", 
    "port": "9000", 
    "domain": "", 
    "logPath": "/opt/mapr/objectstore-client/objectstore-client-<version>/logs/minio.log", 
    "logLevel": 4, 
    "insecureSkipVerify": false, 
    "ldap": { 
        "serverAddr": "", 
        "usernameFormat": "", 
        "userDNSearchBaseDN": "", 
        "userDNSearchFilter": "", 
        "groupSearchFilter": "", 
        "groupSearchBaseDn": "", 
        "lookUpBindDN": "", 
        "lookUpBindPassword": "", 
        "stsExpiry": "", 
        "tlsSkipVerify": "", 
        "serverStartTls": "", 
        "serverInsecure": "" 
    } 
} 
S3 gateway version 2.0.x configuration example
{
   "fsPath":"/mapr/${cluster}/apps/s3/${node}",
   "deploymentMode":"S3",
   "accessKey":"minioadmin",
   "secretKey":"minioadmin",
   "oldAccessKey":"",
   "oldSecretKey":"",
   "port":"9000",
   "domain":"",
   "logPath":"/opt/mapr/objectstore-client/objectstore-client-2.0.0/logs/minio.log",
   "logLevel":4,
   "ldap":{
      "serverAddr":"",
      "usernameFormat":"",
      "usernameSearchFilter":"",
      "groupSearchFilter":"",
      "groupSearchBaseDn":"",
      "usernameSearchBaseDn":"",
      "groupNameAttribute":"",
      "stsExpiry":"",
      "tlsSkipVerify":"",
      "serverStartTls":"",
      "severInsecure":""
   }
}

Changing the port or the log path requires you to reconfigure Warden for the server node and restart the S3 gateway. Changing any other property requires only an S3 gateway restart.

Setting the superadmin Credentials

You configure the superadmin user name and password with the accessKey and secretKey properties. If you are configuring the S3 gateway for the first time, it is enough to change those two values. If you are changing the superadmin credentials on an already configured instance, you must also set oldAccessKey and oldSecretKey to the previous values. Replace the shipped default value (minioadmin) for both keys before exposing the gateway, and keep minio.json readable only by the service owner, because it stores the secret in clear text.
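The rotation procedure above, as an added example that is not part of this documentation or of the S3 gateway code base. It updates a minio.json file with new superadmin credentials, moves the current pair into oldAccessKey/oldSecretKey when the instance is already configured, refuses the shipped default, writes the file atomically with owner-only permissions, and runs the whole flow on a constructed sample file in a temporary directory. The minimum key lengths are a local policy assumption, not a limit the page states.

```python
# Added example (not HPE documentation or S3 gateway code).
import json
import os
import secrets
import string
import tempfile

SHIPPED_DEFAULT = "minioadmin"  # default value in the documented minio.json


def generate_secret_key(length: int = 40) -> str:
    """Random secret key from the OS CSPRNG (letters and digits only)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_superadmin(config: dict, access_key: str, secret_key: str,
                      first_time: bool = False) -> dict:
    """Return a copy of the minio.json content with new superadmin credentials.

    first_time=True: fresh configuration, only accessKey/secretKey change.
    first_time=False: already configured instance, so the current values are
    copied into oldAccessKey/oldSecretKey as the page requires.
    """
    if SHIPPED_DEFAULT in (access_key, secret_key):
        raise ValueError("refusing to keep the shipped default 'minioadmin'")
    # Length floor is an assumption (local policy); the page states no limit.
    if len(access_key) < 3 or len(secret_key) < 8:
        raise ValueError("access key needs >= 3 chars, secret key >= 8 chars")
    updated = dict(config)
    if first_time:
        updated["oldAccessKey"] = ""
        updated["oldSecretKey"] = ""
    else:
        updated["oldAccessKey"] = config["accessKey"]
        updated["oldSecretKey"] = config["secretKey"]
    updated["accessKey"] = access_key
    updated["secretKey"] = secret_key
    return updated


def rotate_file(path: str, access_key: str, secret_key: str,
                first_time: bool = False) -> dict:
    """Rewrite minio.json in place, owner-readable only, via an atomic swap."""
    with open(path) as fh:
        config = json.load(fh)
    updated = rotate_superadmin(config, access_key, secret_key, first_time)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(updated, fh, indent=4)
    os.chmod(tmp, 0o600)     # the file holds the secret key
    os.replace(tmp, path)    # never leaves a half-written minio.json behind
    return updated


def demo() -> dict:
    """Two rotations on a constructed minio.json; returns the final content
    plus the resulting file mode."""
    sample = {  # constructed sample, trimmed to the credential fields
        "version": "2", "deploymentMode": "S3",
        "accessKey": SHIPPED_DEFAULT, "secretKey": SHIPPED_DEFAULT,
        "oldAccessKey": "", "oldSecretKey": "",
    }
    path = os.path.join(tempfile.mkdtemp(), "minio.json")
    with open(path, "w") as fh:
        json.dump(sample, fh)
    # Step 1: the instance already runs with the defaults, so the defaults
    # must be carried into oldAccessKey/oldSecretKey for the change to apply.
    rotate_file(path, "s3admin", "correct-horse-battery-staple")
    # Step 2: a later rotation; the step-1 pair becomes the "old" pair.
    final = rotate_file(path, "s3admin", generate_secret_key())
    final["file_mode"] = oct(os.stat(path).st_mode & 0o777)
    return final


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

After running rotate_file on a live node, restart the objectstore service as described under Restarting the S3 Gateway Service; the old pair is only needed for that one restart and can be cleared afterwards.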

Setting the Deployment Mode

The deployment mode sets the type of authorization being used. The default deployment mode is S3. To change the deployment mode setting, you can edit the deploymentMode parameter in the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json file.

The S3 gateway supports the following deployment modes:

Option 1: FS
  Enforced by file-system permissions only. The S3 bucket policy is disabled. Access is granted based on the bucket owner UID and GID (not on read, write, or execute permissions).
  • Configuration maps the application key or secret to a data-fabric ID.
  • S3 policy is not used, and the policy check is skipped.
  • Data Fabric file security validates the inbound mapped UID and GID to authorize read or write file permissions.
  You must set the path to mount the file system (see Setting the Path to Mount the File System).

Option 2: S3
  Enforced by S3 bucket policy only:
  • Access is controlled by the secret access key and the key ID.
  • Read-write permissions and the owner of the file are ignored while granting access.
  IMPORTANT To prevent unauthorized access to data, upload the corresponding S3 policies as soon as the S3 gateway starts. Until a policy is in place, nothing other than the credentials themselves restricts access.

Setting the Path to Mount the File System

If you use the FS deployment mode, you must set the path to mount the file system. How you set it depends on the node type:

Server node
  In the minio.json file, set the fsPath parameter to the file-system mount path. By default, the path is set to /mapr/<clustername>/apps/s3/<nodename>. If you want to share existing folders with users, set the fsPath parameter to point to the directory with the folders that you want to share. All the folders in the directory to which fsPath points are accessible as buckets.
  IMPORTANT All folders in the parent folder (fsPath parameter) will be accessible as buckets. Set file system permissions on folders to prevent unauthorized access to data.

Edge node
  If you completed the edge-node installation steps, no action is required, because you already set the path to mount the file system when you ran the S3 gateway configure.sh script with the --path parameter.
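Because every folder directly under fsPath becomes a bucket in FS mode, it is worth listing those folders with their owner and mode before pointing fsPath at an existing directory. The following is an added example, not HPE documentation or gateway code: it builds a constructed sample tree in a temporary directory and reports each would-be bucket, flagging permissive modes. Whether the gateway follows symlinks under fsPath is not documented on this page, so symlinks are flagged for review rather than assumed safe.

```python
# Added example (not HPE documentation or S3 gateway code).
import os
import stat
import tempfile


def audit_bucket_dirs(fs_path: str) -> list:
    """One record per would-be bucket, i.e. per entry directly under fs_path
    that is a directory. Plain files are skipped; symlinks are flagged."""
    report = []
    for entry in sorted(os.scandir(fs_path), key=lambda e: e.name):
        if entry.is_symlink():
            report.append({"bucket": entry.name, "mode": None, "uid": None, "gid": None,
                           "warnings": ["symlink: verify it does not point outside fsPath"]})
            continue
        if not entry.is_dir(follow_symlinks=False):
            continue  # regular files are not exposed as buckets
        st = entry.stat(follow_symlinks=False)
        mode = stat.S_IMODE(st.st_mode)
        warnings = []
        if mode & stat.S_IWOTH:
            warnings.append("world-writable")
        elif mode & stat.S_IROTH:
            warnings.append("world-readable")
        if mode & stat.S_IWGRP:
            warnings.append("group-writable")
        report.append({"bucket": entry.name, "mode": oct(mode),
                       "uid": st.st_uid, "gid": st.st_gid, "warnings": warnings})
    return report


def build_sample_tree() -> str:
    """Constructed fsPath: three folders with different modes, a stray file
    and a symlink, so the audit has something of each kind to report."""
    root = tempfile.mkdtemp(prefix="s3fs-")
    for name, mode in (("public", 0o777), ("team", 0o770), ("private", 0o700)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # explicit, unaffected by umask
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("not a bucket\n")
    os.symlink("/etc", os.path.join(root, "etc-link"))
    return root


if __name__ == "__main__":
    for rec in audit_bucket_dirs(build_sample_tree()):
        print(f"{rec['bucket']:<10} mode={rec['mode']} uid={rec['uid']} "
              f"gid={rec['gid']} {', '.join(rec['warnings'])}")
```

Run audit_bucket_dirs against the real fsPath (for example /mapr/<clustername>/apps/s3/<nodename>) on the server node; anything reported as world-writable or world-readable is a bucket that any mapped identity can reach regardless of the S3 credential that was used.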

Distributed Mode

S3 gateway 2.1.0 and later supports distributed mode. S3 gateway 2.0.x does not support distributed mode.

Note the following points related to S3 gateway 2.1.0 and later in distributed mode:
  • In distributed mode, instances of S3 gateway share user and policy information only, as well as locks between nodes.
  • Distributed mode does not include proxy or load balancing in front of instances. You must configure and install proxy and load balancing manually.
  • Distributed mode only works for S3 mode.
  • Three or more nodes are recommended for S3 gateway in distributed mode. If only one node is active, that node runs in read-only mode.
To enable distributed mode for S3 gateway 2.1.0 and later:
  1. Configure S3 gateway 2.1.0 or later on three or more nodes.
  2. Disable caching in Fuse clients.
  3. On each S3 gateway node, update the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json file with the accessKey, secretKey, and ldap. The value for each of these properties must be identical across all the minio.json files.
  4. On all S3 gateway 2.1.0 or later nodes, verify that the distributedHosts property contains the list of nodes with mount paths, for example:
    "distributedHosts": "http(s)://HOST1:PORT1/MOUNT_PATH1 http(s)://HOST2:PORT2/MOUNT_PATH2" 
    Note that the mount path on all nodes should target the same folder in the file system.
  5. If the cluster is secure with self-signed certificates, copy the public certificates for each host to the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/certs/CAs directory. To ignore validation of the certificates, set "insecureSkipVerify": true.
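The checks implied by steps 3 through 5, as an added example that is not part of this documentation or of the S3 gateway code. Given the parsed minio.json of every node, it verifies that accessKey, secretKey, ldap and distributedHosts are identical across nodes, that deploymentMode is S3, that distributedHosts parses and points every host at the same mount path, and it flags plaintext http between gateways and insecureSkipVerify set to true. The node names, host names and cluster path are constructed samples.

```python
# Added example (not HPE documentation or S3 gateway code).
from urllib.parse import urlsplit

# Properties the page requires to be identical on every node (step 3), plus
# distributedHosts, which every node must agree on (step 4).
SHARED_KEYS = ("accessKey", "secretKey", "ldap", "distributedHosts")


def parse_distributed_hosts(value: str) -> list:
    """Split the space-separated distributedHosts string into
    (scheme, host, port, mount_path) tuples; reject anything unparsable."""
    entries = []
    for item in value.split():
        url = urlsplit(item)
        if url.scheme not in ("http", "https") or not url.hostname or url.port is None:
            raise ValueError(f"malformed distributedHosts entry {item!r}")
        entries.append((url.scheme, url.hostname, url.port, url.path))
    return entries


def check_distributed(configs: dict) -> list:
    """configs maps node name -> parsed minio.json. Returns findings (empty = OK)."""
    findings = []
    nodes = sorted(configs)
    if len(nodes) < 3:
        findings.append("fewer than three nodes; a lone active node runs read-only")
    reference = configs[nodes[0]]
    for key in SHARED_KEYS:
        diff = [n for n in nodes[1:] if configs[n].get(key) != reference.get(key)]
        if diff:
            findings.append(f"{key} on {diff} differs from {nodes[0]}")
    for node in nodes:
        cfg = configs[node]
        if cfg.get("deploymentMode") != "S3":
            findings.append(f"{node}: deploymentMode must be S3 for distributed mode")
        hosts = cfg.get("distributedHosts", "")
        if not hosts:
            findings.append(f"{node}: distributedHosts is empty")
            continue
        try:
            entries = parse_distributed_hosts(hosts)
        except ValueError as exc:
            findings.append(f"{node}: {exc}")
            continue
        if len(entries) != len(nodes):
            findings.append(f"{node}: distributedHosts lists {len(entries)} hosts, "
                            f"{len(nodes)} nodes configured")
        mount_paths = {e[3] for e in entries}
        if len(mount_paths) > 1:
            findings.append(f"{node}: mount paths differ across hosts: {sorted(mount_paths)}")
        if any(e[0] == "http" for e in entries):
            findings.append(f"{node}: plaintext http between gateways; shared credentials "
                            "and lock traffic cross the network unprotected")
        if cfg.get("insecureSkipVerify") is True:
            findings.append(f"{node}: insecureSkipVerify=true; copy peer certificates "
                            "to conf/certs/CAs instead of disabling validation")
    return findings


def sample_cluster(consistent: bool = True) -> dict:
    """Three constructed node configs; consistent=False injects typical mistakes."""
    hosts = " ".join(f"https://s3gw{i}.example.internal:9000/mapr/demo/apps/s3"
                     for i in (1, 2, 3))
    ldap = {"serverAddr": "ldap.example.internal:636", "tlsSkipVerify": "off"}
    base = {"version": "2", "deploymentMode": "S3", "accessKey": "s3admin",
            "secretKey": "correct-horse-battery-staple", "distributedHosts": hosts,
            "insecureSkipVerify": False, "ldap": ldap}
    configs = {f"s3gw{i}": dict(base) for i in (1, 2, 3)}
    if not consistent:
        configs["s3gw2"]["secretKey"] = "typo-on-node-two"        # step 3 violated
        configs["s3gw3"]["insecureSkipVerify"] = True              # step 5 shortcut
        configs["s3gw3"]["distributedHosts"] = hosts.replace(
            "/mapr/demo/apps/s3", "/mapr/demo/apps/s3-old", 1)    # step 4 note violated
    return configs


if __name__ == "__main__":
    for finding in check_distributed(sample_cluster(consistent=False)):
        print("-", finding)
```

Collect the minio.json of each node (for example over ssh) into the configs mapping and run check_distributed before restarting the objectstore service; a non-empty result means at least one node will not join the same distributed set.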

Setting Virtual Hosting of Buckets

You can enable the virtual hosting of buckets by setting the domain property in the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json configuration file. For more information, see the Domain section in the MinIO Server Config Guide.

Setting LDAP Integration

Set LDAP integration in the ldap section of the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json configuration file. For descriptions and examples of LDAP integration properties, see MinIO LDAP documentation.

For LDAP integration information, refer to Integrating S3 Gateway with LDAP/AD.
S3 gateway 2.1.0 and later
In S3 gateway version 2.1.0, you can set LDAP integration only in S3 mode. In S3 gateway version 2.2.0.0, you can set LDAP integration in S3 or FS mode. LDAP integration in FS mode requires that the user have a primary UID and GID; you cannot assign more than one GID to a user. In FS mode, LDAP users are handled in the same way as internal users: the primary UID and GID of the LDAP user are looked up and injected into the request.
"ldap": {
    "serverAddr": "localhost:389",
    "usernameFormat": "cn=%s,dc=mapr,dc=local",
    "userDNSearchBaseDN": "",
    "userDNSearchFilter": "(cn=%s)",
    "groupSearchFilter": "(&(objectclass=group)(member=%s))",
    "groupSearchBaseDn": "dc=mapr,dc=local",
    "lookUpBindDN": "",
    "lookUpBindPassword": "",
    "stsExpiry": "60h",
    "tlsSkipVerify": "on",
    "serverStartTls": "",
    "serverInsecure": "on"
}
S3 gateway 2.0.x
In S3 gateway version 2.0.x, only S3 mode is supported.
"ldap":{
    "serverAddr":"10.244.0.11:636",
    "usernameFormat":"uid=%s,ou=users,dc=example,dc=com",
    "usernameSearchFilter":"(uid=%s)",
    "groupSearchFilter":"",
    "groupSearchBaseDn":"ou=users,dc=example,dc=com",
    "usernameSearchBaseDn":"",
    "groupNameAttribute":"",
    "stsExpiry":"60h",
    "tlsSkipVerify":"on",
    "serverStartTls":"",
    "severInsecure":"off"
}
LDAP Limitations
  • Starting from version 2.2.0.0, LDAP integration is supported in both S3 and FS mode. In previous versions, LDAP integration is supported in S3 mode only (not in FS mode).
  • LDAP/AD integration does not work with Hadoop and Spark because the HPE Ezmeral Data Fabric implementation of Hadoop and Spark does not support sessionToken.
  • In S3 gateway 2.0.0, the MINIO_IDENTITY_LDAP_SERVER_STARTTLS property is not supported, and its value in the configuration file is ignored.
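The 2.1.0 and later example above sets tlsSkipVerify and serverInsecure to "on", which is convenient for a lab and unsafe in production: the gateway then sends the lookup bind password and every user's password to the directory in cleartext and will accept whatever answers on that address. The following is an added example, not HPE documentation or gateway code, that audits the ldap section of minio.json (2.1.0+ key names; in 2.0.x the last key is spelled severInsecure) for these transport problems and shows the weak configuration from the page next to an assumed hardened one. The 24-hour ceiling on stsExpiry and the hardened values (LDAPS on 636, 8h sessions) are assumptions, not documented settings.

```python
# Added example (not HPE documentation or S3 gateway code).


def _on(value) -> bool:
    return str(value).strip().lower() == "on"


def duration_hours(value: str) -> float:
    """Parse Go-style durations such as '60h', '90m', '900s' (stsExpiry)."""
    seconds = {"h": 3600, "m": 60, "s": 1}
    return float(value[:-1]) * seconds[value[-1]] / 3600


def audit_ldap(ldap: dict, max_sts_hours: float = 24.0) -> list:
    """Findings for the ldap section; an empty list means nothing was flagged.
    max_sts_hours is a local policy assumption, not a documented limit."""
    findings = []
    addr = ldap.get("serverAddr", "")
    if not addr:
        return findings  # LDAP integration is not enabled
    _, _, port = addr.rpartition(":")
    if _on(ldap.get("serverInsecure")):
        findings.append("serverInsecure=on: bind and user passwords go over the wire in cleartext")
    if _on(ldap.get("tlsSkipVerify")):
        findings.append("tlsSkipVerify=on: the directory certificate is not validated, "
                        "so the gateway can be pointed at a rogue LDAP server")
    if port == "389" and not _on(ldap.get("serverStartTls")) and not _on(ldap.get("serverInsecure")):
        findings.append("port 389 without serverStartTls: either enable StartTLS or use LDAPS (636)")
    if ldap.get("lookUpBindPassword"):
        findings.append("lookUpBindPassword is stored in minio.json: keep the file at mode 0600")
    expiry = ldap.get("stsExpiry", "")
    if expiry and duration_hours(expiry) > max_sts_hours:
        findings.append(f"stsExpiry={expiry}: STS credentials outlive the "
                        f"{max_sts_hours:g}h policy window")
    return findings


WEAK = {  # the 2.1.0 and later example from this page
    "serverAddr": "localhost:389",
    "usernameFormat": "cn=%s,dc=mapr,dc=local",
    "userDNSearchBaseDN": "",
    "userDNSearchFilter": "(cn=%s)",
    "groupSearchFilter": "(&(objectclass=group)(member=%s))",
    "groupSearchBaseDn": "dc=mapr,dc=local",
    "lookUpBindDN": "",
    "lookUpBindPassword": "",
    "stsExpiry": "60h",
    "tlsSkipVerify": "on",
    "serverStartTls": "",
    "serverInsecure": "on",
}

# Assumed hardened variant: same directory, LDAPS with certificate validation,
# shorter STS lifetime. The CA for the directory must then be trusted by the
# gateway host (conf/certs/CAs), which this example does not set up.
HARDENED = dict(WEAK, serverAddr="localhost:636", stsExpiry="8h",
                tlsSkipVerify="off", serverInsecure="off")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}]")
        for finding in audit_ldap(cfg) or ["no findings"]:
            print("  -", finding)
```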

About Credentials

In the S3 world, credentials represent the application and not the identity of the end user. The application layer is responsible for end-user verification. The S3 administrator must assign S3 credentials for the application or set of applications and optionally, map those S3 credentials to a data-fabric identity.

As defined in the Amazon S3 documentation, the S3 REST API uses a “key” and “secret” (in a REST-like manner) as credentials to authenticate to the underlying object storage and authorize access to data.

S3 gateway supports a multi-tenant scenario in which the S3 administrator can configure one or more credentials with the appropriate data-fabric credential mapping. The S3 administrator can assign credentials to a user and, optionally, map them to a data-fabric identity.

For an overview of tenants and multi-tenancy, see Multitenancy on File System.

Adding Credentials and Policies

You add credentials and policies from the MinIO Client (mc), which is located here: /opt/mapr/objectstore-client/objectstore-client-<version>/util/mc. For examples of using the MinIO Client, see the MinIO Admin Complete Guide.

The only difference is that in the S3 gateway you can additionally specify the UID and GID for the user, which FS mode needs in order to map the credential to a file-system identity. For example:
mc admin user add SERVER_ALIAS USERNAME PASSWORD UID GID

Restarting the S3 Gateway Service

Start, restart, or stop the S3 gateway by using the command appropriate for the node:

Server Node
/opt/mapr/bin/maprcli node services -name objectstore -nodes <node_name> -action [ start | restart | stop ]

Edge Node

sudo /opt/mapr/objectstore-client/objectstore-client-<version>/bin/objectstore.sh [ start | stop ]