Ceph
The Globus Connect Server Ceph Connector provides access to Ceph storage.
This document describes the data types supported by this version of the connector.
Ceph Connector Virtual Filesystem
The Ceph Connector provides a distributed object store, where each data object is accessed based on a bucket name and an object name.
The Ceph Connector attempts to make this look like a regular filesystem by treating the bucket name as the name of a directory in the root of the storage gateway's file system. For example, if a user has access to buckets bucket1 and bucket2, then those buckets would show up as directories when listing /.
The Ceph Connector also treats the / character as a delimiter in the Ceph API so that it can present something that looks like subdirectories. For example, the object object1 in bucket1 would appear as /bucket1/object1 to the Ceph connector, and the object object2/object3 in bucket2 would appear as a file called object3 in the directory /bucket2/object2.
Ceph Admin User
The Ceph Connector requires a RADOS Gateway User with the users:read capability in order to map Globus users to Ceph keys.
Create a RADOS Gateway User with users:read capabilities
This identity is used by the Ceph Connector to look up keys associated with the Ceph user_id that the GridFTP session is authorized to run as.
This command must be run on a host with access to the ceph client.admin keyring in order to create the globus Ceph user_id:
$ radosgw-admin user create \
--uid=globus \
--display-name "Globus Ceph Connector" \
--caps="users=read"
Note in the output for this command the access_key and secret_access_key fields of the keys object, as those will be needed in the next step. If you forget to record those, you can use the following command to retrieve the same information:
$ radosgw-admin user info --uid=globus
Ceph Connector Storage Gateway Policies
The Ceph Connector has policies to manage administrator credentials, to configure the URL of the S3-compatible API endpoint providing access to the Ceph RADOS Gateway, and to control access to an enumerated set of buckets and Ceph projects.
Endpoint
The s3_endpoint property is used by Globus Connect Server to contact the S3-compatible API to access data on a Ceph system.
Administrator Credentials
The Ceph Connector uses administrator credentials to look up user credentials to access Ceph data. These credentials must belong to an account that has the users:read capability as described in Ceph Admin User.
The administrator credentials are configured using the ceph_admin_secret_key and ceph_admin_key_id properties.
Bucket Restrictions
The s3_buckets property value is the list of bucket names that this storage gateway is allowed to access.
If no buckets are configured, then any buckets accessible using the user's key may be accessed by collections on this storage gateway. If any are configured, then they act as restrictions on which buckets are visible and accessible on collections on this storage gateway.
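The path mapping from Ceph Connector Virtual Filesystem and the s3_buckets behaviour from Bucket Restrictions, modelled together as an added Python example. This is not the connector's code; the function names and the in-memory STORE are assumptions made for illustration.

```python
# Added illustration: models the path mapping and s3_buckets filtering that
# this page describes. Not the connector's code; all names are hypothetical.
from typing import Dict, List, Optional, Sequence, Tuple

def split_path(path: str) -> Tuple[Optional[str], str]:
    """Map a virtual path to (bucket, object key); '/' maps to (None, '')."""
    parts = [p for p in path.split("/") if p]
    if not parts:
        return None, ""
    return parts[0], "/".join(parts[1:])

def bucket_visible(bucket: str, s3_buckets: Sequence[str]) -> bool:
    """Empty s3_buckets means no restriction; otherwise it is an allow-list."""
    return not s3_buckets or bucket in s3_buckets

def list_dir(path: str, store: Dict[str, List[str]],
             s3_buckets: Sequence[str] = ()) -> List[str]:
    """List a virtual directory; subdirectories carry a trailing '/'.

    `store` maps each bucket reachable with the user's key to its object keys.
    """
    bucket, prefix = split_path(path)
    if bucket is None:
        # Root listing: one directory per visible bucket.
        return sorted(b + "/" for b in store if bucket_visible(b, s3_buckets))
    if bucket not in store or not bucket_visible(bucket, s3_buckets):
        raise PermissionError(f"bucket not accessible: {bucket}")
    if prefix:
        prefix += "/"
    entries = set()
    for key in store[bucket]:
        if not key.startswith(prefix):
            continue
        # Text up to the next '/' is one directory entry.
        head, sep, _ = key[len(prefix):].partition("/")
        if head:
            entries.add(head + sep)  # sep == '/' marks a subdirectory
    return sorted(entries)

# Constructed sample data using the page's own bucket and object names.
STORE = {"bucket1": ["object1"], "bucket2": ["object2/object3"]}

if __name__ == "__main__":
    print(list_dir("/", STORE))                 # unrestricted gateway
    print(list_dir("/bucket2/object2", STORE))  # delimiter-based subdirectory
    print(list_dir("/", STORE, ["bucket1"]))    # gateway restricted to bucket1
```

With s3_buckets left empty the model exposes every bucket the user's key can reach, which is the default the Bucket Restrictions section describes; listing the intended buckets explicitly is what narrows the gateway.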